fix: move v2 pkgs (#1331)

* fix: move eventstore pkgs * fix: move eventstore pkgs * fix: remove v2 view * fix: remove v2 view
2025-08-11 19:17:32 +00:00 · 2021-02-23 15:13:04 +01:00
parent 57b277bc7c
commit d8e42744b4
797 changed files with 2116 additions and 2224 deletions
--- a/internal/repository/iam/aggregate.go
+++ b/internal/repository/iam/aggregate.go
@@ -0,0 +1,18 @@
+package iam
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+const (
+	iamEventTypePrefix = eventstore.EventType("iam.")
+)
+
+const (
+	AggregateType    = "iam"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
--- a/internal/repository/iam/event_iam_project_set.go
+++ b/internal/repository/iam/event_iam_project_set.go
@@ -0,0 +1,55 @@
+package iam
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	ProjectSetEventType eventstore.EventType = "iam.project.iam.set"
+)
+
+type ProjectSetEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ProjectID string `json:"iamProjectId"`
+}
+
+func (e *ProjectSetEvent) Data() interface{} {
+	return e
+}
+
+func (e *ProjectSetEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewIAMProjectSetEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	projectID string,
+) *ProjectSetEvent {
+	return &ProjectSetEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectSetEventType,
+		),
+		ProjectID: projectID,
+	}
+}
+
+func ProjectSetMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ProjectSetEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-cdFZH", "unable to unmarshal global org set")
+	}
+
+	return e, nil
+}
--- a/internal/repository/iam/event_org_set.go
+++ b/internal/repository/iam/event_org_set.go
@@ -0,0 +1,55 @@
+package iam
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	GlobalOrgSetEventType eventstore.EventType = "iam.global.org.set"
+)
+
+type GlobalOrgSetEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	OrgID string `json:"globalOrgId"`
+}
+
+func (e *GlobalOrgSetEvent) Data() interface{} {
+	return e
+}
+
+func (e *GlobalOrgSetEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewGlobalOrgSetEventEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	orgID string,
+) *GlobalOrgSetEvent {
+	return &GlobalOrgSetEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GlobalOrgSetEventType,
+		),
+		OrgID: orgID,
+	}
+}
+
+func GlobalOrgSetMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GlobalOrgSetEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-cdFZH", "unable to unmarshal global org set")
+	}
+
+	return e, nil
+}
--- a/internal/repository/iam/events_step.go
+++ b/internal/repository/iam/events_step.go
@@ -0,0 +1,76 @@
+package iam
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	SetupDoneEventType    eventstore.EventType = "iam.setup.done"
+	SetupStartedEventType eventstore.EventType = "iam.setup.started"
+)
+
+type SetupStepEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Step domain.Step `json:"Step"`
+	Done bool        `json:"-"`
+}
+
+func (e *SetupStepEvent) Data() interface{} {
+	return e
+}
+
+func (e *SetupStepEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func SetupStepMapper(event *repository.Event) (eventstore.EventReader, error) {
+	step := &SetupStepEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+		Done:      eventstore.EventType(event.Type) == SetupDoneEventType,
+	}
+	err := json.Unmarshal(event.Data, step)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "IAM-O6rVg", "unable to unmarshal step")
+	}
+
+	return step, nil
+}
+
+func NewSetupStepDoneEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	step domain.Step,
+) *SetupStepEvent {
+
+	return &SetupStepEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SetupDoneEventType,
+		),
+		Step: step,
+	}
+}
+
+func NewSetupStepStartedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	step domain.Step,
+) *SetupStepEvent {
+
+	return &SetupStepEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			SetupStartedEventType,
+		),
+		Step: step,
+	}
+}
--- a/internal/repository/iam/eventstore.go
+++ b/internal/repository/iam/eventstore.go
@@ -0,0 +1,45 @@
+package iam
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(SetupStartedEventType, SetupStepMapper).
+		RegisterFilterEventMapper(SetupDoneEventType, SetupStepMapper).
+		RegisterFilterEventMapper(GlobalOrgSetEventType, GlobalOrgSetMapper).
+		RegisterFilterEventMapper(ProjectSetEventType, ProjectSetMapper).
+		RegisterFilterEventMapper(UniqueConstraintsMigratedEventType, MigrateUniqueConstraintEventMapper).
+		RegisterFilterEventMapper(LabelPolicyAddedEventType, LabelPolicyAddedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyChangedEventType, LabelPolicyChangedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyAddedEventType, LoginPolicyAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyChangedEventType, LoginPolicyChangedEventMapper).
+		RegisterFilterEventMapper(OrgIAMPolicyAddedEventType, OrgIAMPolicyAddedEventMapper).
+		RegisterFilterEventMapper(PasswordAgePolicyAddedEventType, PasswordAgePolicyAddedEventMapper).
+		RegisterFilterEventMapper(PasswordAgePolicyChangedEventType, PasswordAgePolicyChangedEventMapper).
+		RegisterFilterEventMapper(PasswordComplexityPolicyAddedEventType, PasswordComplexityPolicyAddedEventMapper).
+		RegisterFilterEventMapper(PasswordComplexityPolicyChangedEventType, PasswordComplexityPolicyChangedEventMapper).
+		RegisterFilterEventMapper(PasswordLockoutPolicyAddedEventType, PasswordLockoutPolicyAddedEventMapper).
+		RegisterFilterEventMapper(PasswordLockoutPolicyChangedEventType, PasswordLockoutPolicyChangedEventMapper).
+		RegisterFilterEventMapper(MemberAddedEventType, MemberAddedEventMapper).
+		RegisterFilterEventMapper(MemberChangedEventType, MemberChangedEventMapper).
+		RegisterFilterEventMapper(MemberRemovedEventType, MemberRemovedEventMapper).
+		RegisterFilterEventMapper(IDPConfigAddedEventType, IDPConfigAddedEventMapper).
+		RegisterFilterEventMapper(IDPConfigChangedEventType, IDPConfigChangedEventMapper).
+		RegisterFilterEventMapper(IDPConfigRemovedEventType, IDPConfigRemovedEventMapper).
+		RegisterFilterEventMapper(IDPConfigDeactivatedEventType, IDPConfigDeactivatedEventMapper).
+		RegisterFilterEventMapper(IDPConfigReactivatedEventType, IDPConfigReactivatedEventMapper).
+		RegisterFilterEventMapper(IDPOIDCConfigAddedEventType, IDPOIDCConfigAddedEventMapper).
+		RegisterFilterEventMapper(IDPOIDCConfigChangedEventType, IDPOIDCConfigChangedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderAddedEventType, IdentityProviderAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderRemovedEventType, IdentityProviderRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderCascadeRemovedEventType, IdentityProviderCascadeRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicySecondFactorAddedEventType, SecondFactorAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicySecondFactorRemovedEventType, SecondFactorRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyMultiFactorAddedEventType, MultiFactorAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyMultiFactorRemovedEventType, MultiFactorRemovedEventMapper).
+		RegisterFilterEventMapper(MailTemplateAddedEventType, MailTemplateAddedEventMapper).
+		RegisterFilterEventMapper(MailTemplateChangedEventType, MailTemplateChangedEventMapper).
+		RegisterFilterEventMapper(MailTextAddedEventType, MailTextAddedEventMapper).
+		RegisterFilterEventMapper(MailTextChangedEventType, MailTextChangedEventMapper)
+}
--- a/internal/repository/iam/idp_config.go
+++ b/internal/repository/iam/idp_config.go
@@ -0,0 +1,184 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/idpconfig"
+)
+
+const (
+	IDPConfigAddedEventType       eventstore.EventType = "iam.idp.config.added"
+	IDPConfigChangedEventType     eventstore.EventType = "iam.idp.config.changed"
+	IDPConfigRemovedEventType     eventstore.EventType = "iam.idp.config.removed"
+	IDPConfigDeactivatedEventType eventstore.EventType = "iam.idp.config.deactivated"
+	IDPConfigReactivatedEventType eventstore.EventType = "iam.idp.config.reactivated"
+)
+
+type IDPConfigAddedEvent struct {
+	idpconfig.IDPConfigAddedEvent
+}
+
+func NewIDPConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID,
+	name string,
+	configType domain.IDPConfigType,
+	stylingType domain.IDPConfigStylingType,
+) *IDPConfigAddedEvent {
+
+	return &IDPConfigAddedEvent{
+		IDPConfigAddedEvent: *idpconfig.NewIDPConfigAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPConfigAddedEventType,
+			),
+			configID,
+			name,
+			configType,
+			stylingType,
+		),
+	}
+}
+
+func IDPConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigAddedEvent{IDPConfigAddedEvent: *e.(*idpconfig.IDPConfigAddedEvent)}, nil
+}
+
+type IDPConfigChangedEvent struct {
+	idpconfig.IDPConfigChangedEvent
+}
+
+func NewIDPConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID,
+	oldName string,
+	changes []idpconfig.IDPConfigChanges,
+) (*IDPConfigChangedEvent, error) {
+	changeEvent, err := idpconfig.NewIDPConfigChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			IDPConfigChangedEventType),
+		configID,
+		oldName,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &IDPConfigChangedEvent{IDPConfigChangedEvent: *changeEvent}, nil
+}
+
+func IDPConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigChangedEvent{IDPConfigChangedEvent: *e.(*idpconfig.IDPConfigChangedEvent)}, nil
+}
+
+type IDPConfigRemovedEvent struct {
+	idpconfig.IDPConfigRemovedEvent
+}
+
+func NewIDPConfigRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID,
+	name string,
+) *IDPConfigRemovedEvent {
+	return &IDPConfigRemovedEvent{
+		IDPConfigRemovedEvent: *idpconfig.NewIDPConfigRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPConfigRemovedEventType,
+			),
+			configID,
+			name,
+		),
+	}
+}
+
+func IDPConfigRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigRemovedEvent{IDPConfigRemovedEvent: *e.(*idpconfig.IDPConfigRemovedEvent)}, nil
+}
+
+type IDPConfigDeactivatedEvent struct {
+	idpconfig.IDPConfigDeactivatedEvent
+}
+
+func NewIDPConfigDeactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID string,
+) *IDPConfigDeactivatedEvent {
+
+	return &IDPConfigDeactivatedEvent{
+		IDPConfigDeactivatedEvent: *idpconfig.NewIDPConfigDeactivatedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPConfigDeactivatedEventType,
+			),
+			configID,
+		),
+	}
+}
+
+func IDPConfigDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigDeactivatedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigDeactivatedEvent{IDPConfigDeactivatedEvent: *e.(*idpconfig.IDPConfigDeactivatedEvent)}, nil
+}
+
+type IDPConfigReactivatedEvent struct {
+	idpconfig.IDPConfigReactivatedEvent
+}
+
+func NewIDPConfigReactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID string,
+) *IDPConfigReactivatedEvent {
+
+	return &IDPConfigReactivatedEvent{
+		IDPConfigReactivatedEvent: *idpconfig.NewIDPConfigReactivatedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPConfigReactivatedEventType,
+			),
+			configID,
+		),
+	}
+}
+
+func IDPConfigReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigReactivatedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigReactivatedEvent{IDPConfigReactivatedEvent: *e.(*idpconfig.IDPConfigReactivatedEvent)}, nil
+}
--- a/internal/repository/iam/idp_oidc_config.go
+++ b/internal/repository/iam/idp_oidc_config.go
@@ -0,0 +1,92 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/idpconfig"
+)
+
+const (
+	IDPOIDCConfigAddedEventType   eventstore.EventType = "iam.idp." + idpconfig.OIDCConfigAddedEventType
+	IDPOIDCConfigChangedEventType eventstore.EventType = "iam.idp." + idpconfig.ConfigChangedEventType
+)
+
+type IDPOIDCConfigAddedEvent struct {
+	idpconfig.OIDCConfigAddedEvent
+}
+
+func NewIDPOIDCConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	clientID,
+	idpConfigID,
+	issuer string,
+	clientSecret *crypto.CryptoValue,
+	idpDisplayNameMapping,
+	userNameMapping domain.OIDCMappingField,
+	scopes ...string,
+) *IDPOIDCConfigAddedEvent {
+
+	return &IDPOIDCConfigAddedEvent{
+		OIDCConfigAddedEvent: *idpconfig.NewOIDCConfigAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPOIDCConfigAddedEventType,
+			),
+			clientID,
+			idpConfigID,
+			issuer,
+			clientSecret,
+			idpDisplayNameMapping,
+			userNameMapping,
+			scopes...,
+		),
+	}
+}
+
+func IDPOIDCConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.OIDCConfigAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPOIDCConfigAddedEvent{OIDCConfigAddedEvent: *e.(*idpconfig.OIDCConfigAddedEvent)}, nil
+}
+
+type IDPOIDCConfigChangedEvent struct {
+	idpconfig.OIDCConfigChangedEvent
+}
+
+func NewIDPOIDCConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+	changes []idpconfig.OIDCConfigChanges,
+) (*IDPOIDCConfigChangedEvent, error) {
+	changeEvent, err := idpconfig.NewOIDCConfigChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			IDPOIDCConfigChangedEventType),
+		idpConfigID,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &IDPOIDCConfigChangedEvent{OIDCConfigChangedEvent: *changeEvent}, nil
+}
+
+func IDPOIDCConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.OIDCConfigChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPOIDCConfigChangedEvent{OIDCConfigChangedEvent: *e.(*idpconfig.OIDCConfigChangedEvent)}, nil
+}
--- a/internal/repository/iam/member.go
+++ b/internal/repository/iam/member.go
@@ -0,0 +1,111 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/member"
+)
+
+var (
+	MemberAddedEventType   = iamEventTypePrefix + member.AddedEventType
+	MemberChangedEventType = iamEventTypePrefix + member.ChangedEventType
+	MemberRemovedEventType = iamEventTypePrefix + member.RemovedEventType
+)
+
+type MemberAddedEvent struct {
+	member.MemberAddedEvent
+}
+
+func NewMemberAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+	roles ...string,
+) *MemberAddedEvent {
+
+	return &MemberAddedEvent{
+		MemberAddedEvent: *member.NewMemberAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberAddedEventType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+func MemberAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.MemberAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberAddedEvent{MemberAddedEvent: *e.(*member.MemberAddedEvent)}, nil
+}
+
+type MemberChangedEvent struct {
+	member.MemberChangedEvent
+}
+
+func NewMemberChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+	roles ...string,
+) *MemberChangedEvent {
+	return &MemberChangedEvent{
+		MemberChangedEvent: *member.NewMemberChangedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberChangedEventType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+func MemberChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberChangedEvent{MemberChangedEvent: *e.(*member.MemberChangedEvent)}, nil
+}
+
+type MemberRemovedEvent struct {
+	member.MemberRemovedEvent
+}
+
+func NewMemberRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+) *MemberRemovedEvent {
+
+	return &MemberRemovedEvent{
+		MemberRemovedEvent: *member.NewRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberRemovedEventType,
+			),
+			userID,
+		),
+	}
+}
+
+func MemberRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.RemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberRemovedEvent{MemberRemovedEvent: *e.(*member.MemberRemovedEvent)}, nil
+}
--- a/internal/repository/iam/migrate_unique_constraints.go
+++ b/internal/repository/iam/migrate_unique_constraints.go
@@ -0,0 +1,58 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueConstraintsMigratedEventType eventstore.EventType = "iam.unique.constraints.migrated"
+)
+
+type MigrateUniqueConstraintEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	uniqueConstraintMigrations []*domain.UniqueConstraintMigration `json:"-"`
+}
+
+func NewAddMigrateUniqueConstraint(uniqueMigration *domain.UniqueConstraintMigration) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		uniqueMigration.UniqueType,
+		uniqueMigration.UniqueField,
+		uniqueMigration.ErrorMessage)
+}
+
+func (e *MigrateUniqueConstraintEvent) Data() interface{} {
+	return nil
+}
+
+func (e *MigrateUniqueConstraintEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	constraints := make([]*eventstore.EventUniqueConstraint, len(e.uniqueConstraintMigrations))
+	for i, uniqueMigration := range e.uniqueConstraintMigrations {
+		constraints[i] = NewAddMigrateUniqueConstraint(uniqueMigration)
+	}
+	return constraints
+}
+
+func NewMigrateUniqueConstraintEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	uniqueConstraintMigrations []*domain.UniqueConstraintMigration) *MigrateUniqueConstraintEvent {
+	return &MigrateUniqueConstraintEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UniqueConstraintsMigratedEventType,
+		),
+		uniqueConstraintMigrations: uniqueConstraintMigrations,
+	}
+}
+
+func MigrateUniqueConstraintEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &MigrateUniqueConstraintEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/iam/policy_label.go
+++ b/internal/repository/iam/policy_label.go
@@ -0,0 +1,75 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LabelPolicyAddedEventType   = iamEventTypePrefix + policy.LabelPolicyAddedEventType
+	LabelPolicyChangedEventType = iamEventTypePrefix + policy.LabelPolicyChangedEventType
+)
+
+type LabelPolicyAddedEvent struct {
+	policy.LabelPolicyAddedEvent
+}
+
+func NewLabelPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	primaryColor,
+	secondaryColor string,
+) *LabelPolicyAddedEvent {
+	return &LabelPolicyAddedEvent{
+		LabelPolicyAddedEvent: *policy.NewLabelPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyAddedEventType),
+			primaryColor,
+			secondaryColor),
+	}
+}
+
+func LabelPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LabelPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyAddedEvent{LabelPolicyAddedEvent: *e.(*policy.LabelPolicyAddedEvent)}, nil
+}
+
+type LabelPolicyChangedEvent struct {
+	policy.LabelPolicyChangedEvent
+}
+
+func NewLabelPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.LabelPolicyChanges,
+) (*LabelPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewLabelPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			LabelPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &LabelPolicyChangedEvent{LabelPolicyChangedEvent: *changedEvent}, nil
+}
+
+func LabelPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LabelPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyChangedEvent{LabelPolicyChangedEvent: *e.(*policy.LabelPolicyChangedEvent)}, nil
+}
--- a/internal/repository/iam/policy_login.go
+++ b/internal/repository/iam/policy_login.go
@@ -0,0 +1,82 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LoginPolicyAddedEventType   = iamEventTypePrefix + policy.LoginPolicyAddedEventType
+	LoginPolicyChangedEventType = iamEventTypePrefix + policy.LoginPolicyChangedEventType
+)
+
+type LoginPolicyAddedEvent struct {
+	policy.LoginPolicyAddedEvent
+}
+
+func NewLoginPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	allowUsernamePassword,
+	allowRegister,
+	allowExternalIDP,
+	forceMFA bool,
+	passwordlessType domain.PasswordlessType,
+) *LoginPolicyAddedEvent {
+	return &LoginPolicyAddedEvent{
+		LoginPolicyAddedEvent: *policy.NewLoginPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyAddedEventType),
+			allowUsernamePassword,
+			allowRegister,
+			allowExternalIDP,
+			forceMFA,
+			passwordlessType),
+	}
+}
+
+func LoginPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LoginPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyAddedEvent{LoginPolicyAddedEvent: *e.(*policy.LoginPolicyAddedEvent)}, nil
+}
+
+type LoginPolicyChangedEvent struct {
+	policy.LoginPolicyChangedEvent
+}
+
+func NewLoginPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.LoginPolicyChanges,
+) (*LoginPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewLoginPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			LoginPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &LoginPolicyChangedEvent{LoginPolicyChangedEvent: *changedEvent}, nil
+}
+
+func LoginPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LoginPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyChangedEvent{LoginPolicyChangedEvent: *e.(*policy.LoginPolicyChangedEvent)}, nil
+}
--- a/internal/repository/iam/policy_login_factors.go
+++ b/internal/repository/iam/policy_login_factors.go
@@ -0,0 +1,140 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LoginPolicySecondFactorAddedEventType   = iamEventTypePrefix + policy.LoginPolicySecondFactorAddedEventType
+	LoginPolicySecondFactorRemovedEventType = iamEventTypePrefix + policy.LoginPolicySecondFactorRemovedEventType
+
+	LoginPolicyMultiFactorAddedEventType   = iamEventTypePrefix + policy.LoginPolicyMultiFactorAddedEventType
+	LoginPolicyMultiFactorRemovedEventType = iamEventTypePrefix + policy.LoginPolicyMultiFactorRemovedEventType
+)
+
+type LoginPolicySecondFactorAddedEvent struct {
+	policy.SecondFactorAddedEvent
+}
+
+func NewLoginPolicySecondFactorAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mfaType domain.SecondFactorType,
+) *LoginPolicySecondFactorAddedEvent {
+	return &LoginPolicySecondFactorAddedEvent{
+		SecondFactorAddedEvent: *policy.NewSecondFactorAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicySecondFactorAddedEventType),
+			mfaType),
+	}
+}
+
+func SecondFactorAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.SecondFactorAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicySecondFactorAddedEvent{
+		SecondFactorAddedEvent: *e.(*policy.SecondFactorAddedEvent),
+	}, nil
+}
+
+type LoginPolicySecondFactorRemovedEvent struct {
+	policy.SecondFactorRemovedEvent
+}
+
+func NewLoginPolicySecondFactorRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mfaType domain.SecondFactorType,
+) *LoginPolicySecondFactorRemovedEvent {
+
+	return &LoginPolicySecondFactorRemovedEvent{
+		SecondFactorRemovedEvent: *policy.NewSecondFactorRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicySecondFactorRemovedEventType),
+			mfaType),
+	}
+}
+
+func SecondFactorRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.SecondFactorRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicySecondFactorRemovedEvent{
+		SecondFactorRemovedEvent: *e.(*policy.SecondFactorRemovedEvent),
+	}, nil
+}
+
+type LoginPolicyMultiFactorAddedEvent struct {
+	policy.MultiFactorAddedEvent
+}
+
+func NewLoginPolicyMultiFactorAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mfaType domain.MultiFactorType,
+) *LoginPolicyMultiFactorAddedEvent {
+	return &LoginPolicyMultiFactorAddedEvent{
+		MultiFactorAddedEvent: *policy.NewMultiFactorAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyMultiFactorAddedEventType),
+			mfaType),
+	}
+}
+
+func MultiFactorAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MultiFactorAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyMultiFactorAddedEvent{
+		MultiFactorAddedEvent: *e.(*policy.MultiFactorAddedEvent),
+	}, nil
+}
+
+type LoginPolicyMultiFactorRemovedEvent struct {
+	policy.MultiFactorRemovedEvent
+}
+
+func NewLoginPolicyMultiFactorRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mfaType domain.MultiFactorType,
+) *LoginPolicyMultiFactorRemovedEvent {
+
+	return &LoginPolicyMultiFactorRemovedEvent{
+		MultiFactorRemovedEvent: *policy.NewMultiFactorRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyMultiFactorRemovedEventType),
+			mfaType),
+	}
+}
+
+func MultiFactorRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MultiFactorRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyMultiFactorRemovedEvent{
+		MultiFactorRemovedEvent: *e.(*policy.MultiFactorRemovedEvent),
+	}, nil
+}
--- a/internal/repository/iam/policy_login_identity_provider.go
+++ b/internal/repository/iam/policy_login_identity_provider.go
@@ -0,0 +1,106 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LoginPolicyIDPProviderAddedEventType          = iamEventTypePrefix + policy.LoginPolicyIDPProviderAddedType
+	LoginPolicyIDPProviderRemovedEventType        = iamEventTypePrefix + policy.LoginPolicyIDPProviderRemovedType
+	LoginPolicyIDPProviderCascadeRemovedEventType = iamEventTypePrefix + policy.LoginPolicyIDPProviderCascadeRemovedType
+)
+
+type IdentityProviderAddedEvent struct {
+	policy.IdentityProviderAddedEvent
+}
+
+func NewIdentityProviderAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+	idpProviderType domain.IdentityProviderType,
+) *IdentityProviderAddedEvent {
+
+	return &IdentityProviderAddedEvent{
+		IdentityProviderAddedEvent: *policy.NewIdentityProviderAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyIDPProviderAddedEventType),
+			idpConfigID,
+			idpProviderType),
+	}
+}
+
+func IdentityProviderAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.IdentityProviderAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderAddedEvent{
+		IdentityProviderAddedEvent: *e.(*policy.IdentityProviderAddedEvent),
+	}, nil
+}
+
+type IdentityProviderRemovedEvent struct {
+	policy.IdentityProviderRemovedEvent
+}
+
+func NewIdentityProviderRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+) *IdentityProviderRemovedEvent {
+	return &IdentityProviderRemovedEvent{
+		IdentityProviderRemovedEvent: *policy.NewIdentityProviderRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyIDPProviderRemovedEventType),
+			idpConfigID),
+	}
+}
+
+func IdentityProviderRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.IdentityProviderRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderRemovedEvent{
+		IdentityProviderRemovedEvent: *e.(*policy.IdentityProviderRemovedEvent),
+	}, nil
+}
+
+type IdentityProviderCascadeRemovedEvent struct {
+	policy.IdentityProviderCascadeRemovedEvent
+}
+
+func NewIdentityProviderCascadeRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+) *IdentityProviderCascadeRemovedEvent {
+	return &IdentityProviderCascadeRemovedEvent{
+		IdentityProviderCascadeRemovedEvent: *policy.NewIdentityProviderCascadeRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, LoginPolicyIDPProviderCascadeRemovedEventType),
+			idpConfigID),
+	}
+}
+
+func IdentityProviderCascadeRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.IdentityProviderCascadeRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderCascadeRemovedEvent{
+		IdentityProviderCascadeRemovedEvent: *e.(*policy.IdentityProviderCascadeRemovedEvent),
+	}, nil
+}
--- a/internal/repository/iam/policy_mail_template.go
+++ b/internal/repository/iam/policy_mail_template.go
@@ -0,0 +1,66 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	MailTemplateAddedEventType   = iamEventTypePrefix + policy.MailTemplatePolicyAddedEventType
+	MailTemplateChangedEventType = iamEventTypePrefix + policy.MailTemplatePolicyChangedEventType
+)
+
+type MailTemplateAddedEvent struct {
+	policy.MailTemplateAddedEvent
+}
+
+func NewMailTemplateAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	template []byte,
+) *MailTemplateAddedEvent {
+	return &MailTemplateAddedEvent{
+		MailTemplateAddedEvent: *policy.NewMailTemplateAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, MailTemplateAddedEventType),
+			template),
+	}
+}
+
+func MailTemplateAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MailTemplateAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTemplateAddedEvent{MailTemplateAddedEvent: *e.(*policy.MailTemplateAddedEvent)}, nil
+}
+
+type MailTemplateChangedEvent struct {
+	policy.MailTemplateChangedEvent
+}
+
+func NewMailTemplateChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.MailTemplateChanges,
+) (*MailTemplateChangedEvent, error) {
+	changedEvent, err := policy.NewMailTemplateChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, aggregate, MailTemplateChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &MailTemplateChangedEvent{MailTemplateChangedEvent: *changedEvent}, nil
+}
+
+func MailTemplateChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MailTemplateChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTemplateChangedEvent{MailTemplateChangedEvent: *e.(*policy.MailTemplateChangedEvent)}, nil
+}
--- a/internal/repository/iam/policy_mail_text.go
+++ b/internal/repository/iam/policy_mail_text.go
@@ -0,0 +1,84 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	MailTextAddedEventType   = iamEventTypePrefix + policy.MailTextPolicyAddedEventType
+	MailTextChangedEventType = iamEventTypePrefix + policy.MailTextPolicyChangedEventType
+)
+
+type MailTextAddedEvent struct {
+	policy.MailTextAddedEvent
+}
+
+func NewMailTextAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mailTextType,
+	language,
+	title,
+	preHeader,
+	subject,
+	greeting,
+	text,
+	buttonText string,
+) *MailTextAddedEvent {
+	return &MailTextAddedEvent{
+		MailTextAddedEvent: *policy.NewMailTextAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, MailTextAddedEventType),
+			mailTextType,
+			language,
+			title,
+			preHeader,
+			subject,
+			greeting,
+			text,
+			buttonText),
+	}
+}
+
+func MailTextAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MailTextAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTextAddedEvent{MailTextAddedEvent: *e.(*policy.MailTextAddedEvent)}, nil
+}
+
+type MailTextChangedEvent struct {
+	policy.MailTextChangedEvent
+}
+
+func NewMailTextChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mailTextType,
+	language string,
+	changes []policy.MailTextChanges,
+) (*MailTextChangedEvent, error) {
+	changedEvent, err := policy.NewMailTextChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, aggregate, MailTextChangedEventType),
+		mailTextType,
+		language,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &MailTextChangedEvent{MailTextChangedEvent: *changedEvent}, nil
+}
+
+func MailTextChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MailTextChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTextChangedEvent{MailTextChangedEvent: *e.(*policy.MailTextChangedEvent)}, nil
+}
--- a/internal/repository/iam/policy_org_iam.go
+++ b/internal/repository/iam/policy_org_iam.go
@@ -0,0 +1,74 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	OrgIAMPolicyAddedEventType   = iamEventTypePrefix + policy.OrgIAMPolicyAddedEventType
+	OrgIAMPolicyChangedEventType = iamEventTypePrefix + policy.OrgIAMPolicyChangedEventType
+)
+
+type OrgIAMPolicyAddedEvent struct {
+	policy.OrgIAMPolicyAddedEvent
+}
+
+func NewOrgIAMPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userLoginMustBeDomain bool,
+) *OrgIAMPolicyAddedEvent {
+	return &OrgIAMPolicyAddedEvent{
+		OrgIAMPolicyAddedEvent: *policy.NewOrgIAMPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				OrgIAMPolicyAddedEventType),
+			userLoginMustBeDomain,
+		),
+	}
+}
+
+func OrgIAMPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.OrgIAMPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &OrgIAMPolicyAddedEvent{OrgIAMPolicyAddedEvent: *e.(*policy.OrgIAMPolicyAddedEvent)}, nil
+}
+
+type OrgIAMPolicyChangedEvent struct {
+	policy.OrgIAMPolicyChangedEvent
+}
+
+func NewOrgIAMPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.OrgIAMPolicyChanges,
+) (*OrgIAMPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewOrgIAMPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgIAMPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &OrgIAMPolicyChangedEvent{OrgIAMPolicyChangedEvent: *changedEvent}, nil
+}
+
+func OrgIAMPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.OrgIAMPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &OrgIAMPolicyChangedEvent{OrgIAMPolicyChangedEvent: *e.(*policy.OrgIAMPolicyChangedEvent)}, nil
+}
--- a/internal/repository/iam/policy_password_age.go
+++ b/internal/repository/iam/policy_password_age.go
@@ -0,0 +1,75 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	PasswordAgePolicyAddedEventType   = iamEventTypePrefix + policy.PasswordAgePolicyAddedEventType
+	PasswordAgePolicyChangedEventType = iamEventTypePrefix + policy.PasswordAgePolicyChangedEventType
+)
+
+type PasswordAgePolicyAddedEvent struct {
+	policy.PasswordAgePolicyAddedEvent
+}
+
+func NewPasswordAgePolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	expireWarnDays,
+	maxAgeDays uint64,
+) *PasswordAgePolicyAddedEvent {
+	return &PasswordAgePolicyAddedEvent{
+		PasswordAgePolicyAddedEvent: *policy.NewPasswordAgePolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				PasswordAgePolicyAddedEventType),
+			expireWarnDays,
+			maxAgeDays),
+	}
+}
+
+func PasswordAgePolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordAgePolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordAgePolicyAddedEvent{PasswordAgePolicyAddedEvent: *e.(*policy.PasswordAgePolicyAddedEvent)}, nil
+}
+
+type PasswordAgePolicyChangedEvent struct {
+	policy.PasswordAgePolicyChangedEvent
+}
+
+func NewPasswordAgePolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.PasswordAgePolicyChanges,
+) (*PasswordAgePolicyChangedEvent, error) {
+	changedEvent, err := policy.NewPasswordAgePolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			PasswordAgePolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &PasswordAgePolicyChangedEvent{PasswordAgePolicyChangedEvent: *changedEvent}, nil
+}
+
+func PasswordAgePolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordAgePolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordAgePolicyChangedEvent{PasswordAgePolicyChangedEvent: *e.(*policy.PasswordAgePolicyChangedEvent)}, nil
+}
--- a/internal/repository/iam/policy_password_complexity.go
+++ b/internal/repository/iam/policy_password_complexity.go
@@ -0,0 +1,81 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+const (
+	PasswordComplexityPolicyAddedEventType   = iamEventTypePrefix + policy.PasswordComplexityPolicyAddedEventType
+	PasswordComplexityPolicyChangedEventType = iamEventTypePrefix + policy.PasswordComplexityPolicyChangedEventType
+)
+
+type PasswordComplexityPolicyAddedEvent struct {
+	policy.PasswordComplexityPolicyAddedEvent
+}
+
+func NewPasswordComplexityPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	minLength uint64,
+	hasLowercase,
+	hasUppercase,
+	hasNumber,
+	hasSymbol bool,
+) *PasswordComplexityPolicyAddedEvent {
+	return &PasswordComplexityPolicyAddedEvent{
+		PasswordComplexityPolicyAddedEvent: *policy.NewPasswordComplexityPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				PasswordComplexityPolicyAddedEventType),
+			minLength,
+			hasLowercase,
+			hasUppercase,
+			hasNumber,
+			hasSymbol),
+	}
+}
+
+func PasswordComplexityPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordComplexityPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordComplexityPolicyAddedEvent{PasswordComplexityPolicyAddedEvent: *e.(*policy.PasswordComplexityPolicyAddedEvent)}, nil
+}
+
+type PasswordComplexityPolicyChangedEvent struct {
+	policy.PasswordComplexityPolicyChangedEvent
+}
+
+func NewPasswordComplexityPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.PasswordComplexityPolicyChanges,
+) (*PasswordComplexityPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewPasswordComplexityPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			PasswordComplexityPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &PasswordComplexityPolicyChangedEvent{PasswordComplexityPolicyChangedEvent: *changedEvent}, nil
+}
+
+func PasswordComplexityPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordComplexityPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordComplexityPolicyChangedEvent{PasswordComplexityPolicyChangedEvent: *e.(*policy.PasswordComplexityPolicyChangedEvent)}, nil
+}
--- a/internal/repository/iam/policy_password_lockout.go
+++ b/internal/repository/iam/policy_password_lockout.go
@@ -0,0 +1,75 @@
+package iam
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	PasswordLockoutPolicyAddedEventType   = iamEventTypePrefix + policy.PasswordLockoutPolicyAddedEventType
+	PasswordLockoutPolicyChangedEventType = iamEventTypePrefix + policy.PasswordLockoutPolicyChangedEventType
+)
+
+type PasswordLockoutPolicyAddedEvent struct {
+	policy.PasswordLockoutPolicyAddedEvent
+}
+
+func NewPasswordLockoutPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	maxAttempts uint64,
+	showLockoutFailure bool,
+) *PasswordLockoutPolicyAddedEvent {
+	return &PasswordLockoutPolicyAddedEvent{
+		PasswordLockoutPolicyAddedEvent: *policy.NewPasswordLockoutPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				PasswordLockoutPolicyAddedEventType),
+			maxAttempts,
+			showLockoutFailure),
+	}
+}
+
+func PasswordLockoutPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordLockoutPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordLockoutPolicyAddedEvent{PasswordLockoutPolicyAddedEvent: *e.(*policy.PasswordLockoutPolicyAddedEvent)}, nil
+}
+
+type PasswordLockoutPolicyChangedEvent struct {
+	policy.PasswordLockoutPolicyChangedEvent
+}
+
+func NewPasswordLockoutPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.PasswordLockoutPolicyChanges,
+) (*PasswordLockoutPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewPasswordLockoutPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			PasswordLockoutPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &PasswordLockoutPolicyChangedEvent{PasswordLockoutPolicyChangedEvent: *changedEvent}, nil
+}
+
+func PasswordLockoutPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordLockoutPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordLockoutPolicyChangedEvent{PasswordLockoutPolicyChangedEvent: *e.(*policy.PasswordLockoutPolicyChangedEvent)}, nil
+}
--- a/internal/repository/idpconfig/idp_config.go
+++ b/internal/repository/idpconfig/idp_config.go
@@ -0,0 +1,260 @@
+package idpconfig
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueIDPConfigNameType = "idp_config_names"
+)
+
+func NewAddIDPConfigNameUniqueConstraint(idpConfigName, resourceOwner string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueIDPConfigNameType,
+		idpConfigName+resourceOwner,
+		"Errors.IDPConfig.AlreadyExists")
+}
+
+func NewRemoveIDPConfigNameUniqueConstraint(idpConfigName, resourceOwner string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueIDPConfigNameType,
+		idpConfigName+resourceOwner)
+}
+
+type IDPConfigAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ConfigID    string                      `json:"idpConfigId"`
+	Name        string                      `json:"name,omitempty"`
+	Typ         domain.IDPConfigType        `json:"idpType,omitempty"`
+	StylingType domain.IDPConfigStylingType `json:"stylingType,omitempty"`
+}
+
+func NewIDPConfigAddedEvent(
+	base *eventstore.BaseEvent,
+	configID,
+	name string,
+	configType domain.IDPConfigType,
+	stylingType domain.IDPConfigStylingType,
+) *IDPConfigAddedEvent {
+	return &IDPConfigAddedEvent{
+		BaseEvent:   *base,
+		ConfigID:    configID,
+		Name:        name,
+		StylingType: stylingType,
+		Typ:         configType,
+	}
+}
+
+func (e *IDPConfigAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *IDPConfigAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddIDPConfigNameUniqueConstraint(e.Name, e.Aggregate().ResourceOwner)}
+}
+
+func IDPConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &IDPConfigAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-plaBZ", "unable to unmarshal event")
+	}
+
+	return e, nil
+}
+
+type IDPConfigChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ConfigID    string                       `json:"idpConfigId"`
+	Name        *string                      `json:"name,omitempty"`
+	StylingType *domain.IDPConfigStylingType `json:"stylingType,omitempty"`
+	oldName     string                       `json:"-"`
+}
+
+func (e *IDPConfigChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *IDPConfigChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	if e.oldName == "" {
+		return nil
+	}
+	return []*eventstore.EventUniqueConstraint{
+		NewRemoveIDPConfigNameUniqueConstraint(e.oldName, e.Aggregate().ResourceOwner),
+		NewAddIDPConfigNameUniqueConstraint(*e.Name, e.Aggregate().ResourceOwner),
+	}
+}
+
+func NewIDPConfigChangedEvent(
+	base *eventstore.BaseEvent,
+	configID,
+	oldName string,
+	changes []IDPConfigChanges,
+) (*IDPConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "IDPCONFIG-Dsg21", "Errors.NoChangesFound")
+	}
+	changeEvent := &IDPConfigChangedEvent{
+		BaseEvent: *base,
+		ConfigID:  configID,
+		oldName:   oldName,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type IDPConfigChanges func(*IDPConfigChangedEvent)
+
+func ChangeName(name string) func(*IDPConfigChangedEvent) {
+	return func(e *IDPConfigChangedEvent) {
+		e.Name = &name
+	}
+}
+
+func ChangeStyleType(styleType domain.IDPConfigStylingType) func(*IDPConfigChangedEvent) {
+	return func(e *IDPConfigChangedEvent) {
+		e.StylingType = &styleType
+	}
+}
+
+func IDPConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &IDPConfigChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-plaBZ", "unable to unmarshal event")
+	}
+
+	return e, nil
+}
+
+type IDPConfigDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ConfigID string `json:"idpConfigId"`
+}
+
+func NewIDPConfigDeactivatedEvent(
+	base *eventstore.BaseEvent,
+	configID string,
+) *IDPConfigDeactivatedEvent {
+
+	return &IDPConfigDeactivatedEvent{
+		BaseEvent: *base,
+		ConfigID:  configID,
+	}
+}
+
+func (e *IDPConfigDeactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *IDPConfigDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func IDPConfigDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &IDPConfigDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-plaBZ", "unable to unmarshal event")
+	}
+
+	return e, nil
+}
+
+type IDPConfigReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ConfigID string `json:"idpConfigId"`
+}
+
+func NewIDPConfigReactivatedEvent(
+	base *eventstore.BaseEvent,
+	configID string,
+) *IDPConfigReactivatedEvent {
+
+	return &IDPConfigReactivatedEvent{
+		BaseEvent: *base,
+		ConfigID:  configID,
+	}
+}
+
+func (e *IDPConfigReactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *IDPConfigReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func IDPConfigReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &IDPConfigReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-plaBZ", "unable to unmarshal event")
+	}
+
+	return e, nil
+}
+
+type IDPConfigRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ConfigID string `json:"idpConfigId"`
+	Name     string
+}
+
+func NewIDPConfigRemovedEvent(
+	base *eventstore.BaseEvent,
+	configID string,
+	name string,
+) *IDPConfigRemovedEvent {
+
+	return &IDPConfigRemovedEvent{
+		BaseEvent: *base,
+		ConfigID:  configID,
+		Name:      name,
+	}
+}
+
+func (e *IDPConfigRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *IDPConfigRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveIDPConfigNameUniqueConstraint(e.Name, e.Aggregate().ResourceOwner)}
+}
+
+func IDPConfigRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &IDPConfigRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-plaBZ", "unable to unmarshal event")
+	}
+
+	return e, nil
+}
--- a/internal/repository/idpconfig/oidc_config.go
+++ b/internal/repository/idpconfig/oidc_config.go
@@ -0,0 +1,164 @@
+package idpconfig
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	OIDCConfigAddedEventType eventstore.EventType = "oidc.config.added"
+	ConfigChangedEventType   eventstore.EventType = "oidc.config.changed"
+)
+
+type OIDCConfigAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	IDPConfigID  string              `json:"idpConfigId"`
+	ClientID     string              `json:"clientId,omitempty"`
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	Issuer       string              `json:"issuer,omitempty"`
+	Scopes       []string            `json:"scopes,omitempty"`
+
+	IDPDisplayNameMapping domain.OIDCMappingField `json:"idpDisplayNameMapping,omitempty"`
+	UserNameMapping       domain.OIDCMappingField `json:"usernameMapping,omitempty"`
+}
+
+func (e *OIDCConfigAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCConfigAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigAddedEvent(
+	base *eventstore.BaseEvent,
+	clientID,
+	idpConfigID,
+	issuer string,
+	clientSecret *crypto.CryptoValue,
+	idpDisplayNameMapping,
+	userNameMapping domain.OIDCMappingField,
+	scopes ...string,
+) *OIDCConfigAddedEvent {
+
+	return &OIDCConfigAddedEvent{
+		BaseEvent:             *base,
+		IDPConfigID:           idpConfigID,
+		ClientID:              clientID,
+		ClientSecret:          clientSecret,
+		Issuer:                issuer,
+		Scopes:                scopes,
+		IDPDisplayNameMapping: idpDisplayNameMapping,
+		UserNameMapping:       userNameMapping,
+	}
+}
+
+func OIDCConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-plaBZ", "unable to unmarshal event")
+	}
+
+	return e, nil
+}
+
+type OIDCConfigChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	IDPConfigID string `json:"idpConfigId"`
+
+	ClientID     *string             `json:"clientId,omitempty"`
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	Issuer       *string             `json:"issuer,omitempty"`
+	Scopes       []string            `json:"scopes,omitempty"`
+
+	IDPDisplayNameMapping *domain.OIDCMappingField `json:"idpDisplayNameMapping,omitempty"`
+	UserNameMapping       *domain.OIDCMappingField `json:"usernameMapping,omitempty"`
+}
+
+func (e *OIDCConfigChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCConfigChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigChangedEvent(
+	base *eventstore.BaseEvent,
+	idpConfigID string,
+	changes []OIDCConfigChanges,
+) (*OIDCConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "IDPCONFIG-ADzr5", "Errors.NoChangesFound")
+	}
+	changeEvent := &OIDCConfigChangedEvent{
+		BaseEvent:   *base,
+		IDPConfigID: idpConfigID,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type OIDCConfigChanges func(*OIDCConfigChangedEvent)
+
+func ChangeClientID(clientID string) func(*OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ClientID = &clientID
+	}
+}
+
+func ChangeClientSecret(secret *crypto.CryptoValue) func(*OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ClientSecret = secret
+	}
+}
+
+func ChangeIssuer(issuer string) func(*OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.Issuer = &issuer
+	}
+}
+
+func ChangeIDPDisplayNameMapping(idpDisplayNameMapping domain.OIDCMappingField) func(*OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.IDPDisplayNameMapping = &idpDisplayNameMapping
+	}
+}
+
+func ChangeUserNameMapping(userNameMapping domain.OIDCMappingField) func(*OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.UserNameMapping = &userNameMapping
+	}
+}
+
+func ChangeScopes(scopes []string) func(*OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.Scopes = scopes
+	}
+}
+
+func OIDCConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-plaBZ", "unable to unmarshal event")
+	}
+
+	return e, nil
+}
--- a/internal/repository/keypair/aggregate.go
+++ b/internal/repository/keypair/aggregate.go
@@ -0,0 +1,14 @@
+package usergrant
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+const (
+	AggregateType    = "key_pair"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
--- a/internal/repository/keypair/eventstore.go
+++ b/internal/repository/keypair/eventstore.go
@@ -0,0 +1,9 @@
+package usergrant
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(AddedEventType, AddedEventMapper)
+}
--- a/internal/repository/keypair/key_pair.go
+++ b/internal/repository/keypair/key_pair.go
@@ -0,0 +1,80 @@
+package usergrant
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"time"
+)
+
+const (
+	eventTypePrefix = eventstore.EventType("key_pair.")
+	AddedEventType  = eventTypePrefix + "added"
+)
+
+type AddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Usage      domain.KeyUsage `json:"usage"`
+	Algorithm  string          `json:"algorithm"`
+	PrivateKey *Key            `json:"privateKey"`
+	PublicKey  *Key            `json:"publicKey"`
+}
+
+type Key struct {
+	Key    *crypto.CryptoValue `json:"key"`
+	Expiry time.Time           `json:"expiry"`
+}
+
+func (e *AddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *AddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	usage domain.KeyUsage,
+	algorithm string,
+	privateCrypto,
+	publicCrypto *crypto.CryptoValue,
+	privateKeyExpiration,
+	publicKeyExpiration time.Time) *AddedEvent {
+	return &AddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			AddedEventType,
+		),
+		Usage:     usage,
+		Algorithm: algorithm,
+		PrivateKey: &Key{
+			Key:    privateCrypto,
+			Expiry: privateKeyExpiration,
+		},
+		PublicKey: &Key{
+			Key:    publicCrypto,
+			Expiry: publicKeyExpiration,
+		},
+	}
+}
+
+func AddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &AddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "KEY-4n8vs", "unable to unmarshal key pair added")
+	}
+
+	return e, nil
+}
--- a/internal/repository/member/events.go
+++ b/internal/repository/member/events.go
@@ -0,0 +1,149 @@
+package member
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueMember     = "member"
+	AddedEventType   = "member.added"
+	ChangedEventType = "member.changed"
+	RemovedEventType = "member.removed"
+)
+
+func NewAddMemberUniqueConstraint(aggregateID, userID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueMember,
+		fmt.Sprintf("%s:%s", aggregateID, userID),
+		"Errors.Member.AlreadyExists")
+}
+
+func NewRemoveMemberUniqueConstraint(aggregateID, userID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueMember,
+		fmt.Sprintf("%s:%s", aggregateID, userID),
+	)
+}
+
+type MemberAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Roles  []string `json:"roles"`
+	UserID string   `json:"userId"`
+}
+
+func (e *MemberAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MemberAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddMemberUniqueConstraint(e.Aggregate().ID, e.UserID)}
+}
+
+func NewMemberAddedEvent(
+	base *eventstore.BaseEvent,
+	userID string,
+	roles ...string,
+) *MemberAddedEvent {
+
+	return &MemberAddedEvent{
+		BaseEvent: *base,
+		Roles:     roles,
+		UserID:    userID,
+	}
+}
+
+func MemberAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &MemberAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-puqv4", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type MemberChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Roles  []string `json:"roles,omitempty"`
+	UserID string   `json:"userId,omitempty"`
+}
+
+func (e *MemberChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MemberChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewMemberChangedEvent(
+	base *eventstore.BaseEvent,
+	userID string,
+	roles ...string,
+) *MemberChangedEvent {
+	return &MemberChangedEvent{
+		BaseEvent: *base,
+		Roles:     roles,
+		UserID:    userID,
+	}
+}
+
+func ChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &MemberChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-puqv4", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type MemberRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserID string `json:"userId"`
+}
+
+func (e *MemberRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MemberRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveMemberUniqueConstraint(e.Aggregate().ID, e.UserID)}
+}
+
+func NewRemovedEvent(
+	base *eventstore.BaseEvent,
+	userID string,
+) *MemberRemovedEvent {
+
+	return &MemberRemovedEvent{
+		BaseEvent: *base,
+		UserID:    userID,
+	}
+}
+
+func RemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &MemberRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-Ep4ip", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
--- a/internal/repository/org/aggregate.go
+++ b/internal/repository/org/aggregate.go
@@ -0,0 +1,18 @@
+package org
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+const (
+	orgEventTypePrefix = eventstore.EventType("org.")
+)
+
+const (
+	AggregateType    = "org"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
--- a/internal/repository/org/domain.go
+++ b/internal/repository/org/domain.go
@@ -0,0 +1,271 @@
+package org
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueOrgDomain                      = "org_domain"
+	domainEventPrefix                    = orgEventTypePrefix + "domain."
+	OrgDomainAddedEventType              = domainEventPrefix + "added"
+	OrgDomainVerificationAddedEventType  = domainEventPrefix + "verification.added"
+	OrgDomainVerificationFailedEventType = domainEventPrefix + "verification.failed"
+	OrgDomainVerifiedEventType           = domainEventPrefix + "verified"
+	OrgDomainPrimarySetEventType         = domainEventPrefix + "primary.set"
+	OrgDomainRemovedEventType            = domainEventPrefix + "removed"
+)
+
+func NewAddOrgDomainUniqueConstraint(orgDomain string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueOrgDomain,
+		orgDomain,
+		"Errors.Org.Domain.AlreadyExists")
+}
+
+func NewRemoveOrgDomainUniqueConstraint(orgDomain string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueOrgDomain,
+		orgDomain)
+}
+
+type DomainAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Domain string `json:"domain,omitempty"`
+}
+
+func (e *DomainAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *DomainAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewDomainAddedEvent(ctx context.Context, aggregate *eventstore.Aggregate, domain string) *DomainAddedEvent {
+	return &DomainAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgDomainAddedEventType,
+		),
+		Domain: domain,
+	}
+}
+
+func DomainAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgDomainAdded := &DomainAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgDomainAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-GBr52", "unable to unmarshal org domain added")
+	}
+
+	return orgDomainAdded, nil
+}
+
+type DomainVerificationAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Domain         string                         `json:"domain,omitempty"`
+	ValidationType domain.OrgDomainValidationType `json:"validationType,omitempty"`
+	ValidationCode *crypto.CryptoValue            `json:"validationCode,omitempty"`
+}
+
+func (e *DomainVerificationAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *DomainVerificationAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewDomainVerificationAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	domain string,
+	validationType domain.OrgDomainValidationType,
+	validationCode *crypto.CryptoValue) *DomainVerificationAddedEvent {
+	return &DomainVerificationAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgDomainVerificationAddedEventType,
+		),
+		Domain:         domain,
+		ValidationType: validationType,
+		ValidationCode: validationCode,
+	}
+}
+
+func DomainVerificationAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgDomainVerificationAdded := &DomainVerificationAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgDomainVerificationAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-NRN32", "unable to unmarshal org domain verification added")
+	}
+
+	return orgDomainVerificationAdded, nil
+}
+
+type DomainVerificationFailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Domain string `json:"domain,omitempty"`
+}
+
+func (e *DomainVerificationFailedEvent) Data() interface{} {
+	return e
+}
+
+func (e *DomainVerificationFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewDomainVerificationFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate, domain string) *DomainVerificationFailedEvent {
+	return &DomainVerificationFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgDomainVerificationFailedEventType,
+		),
+		Domain: domain,
+	}
+}
+
+func DomainVerificationFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgDomainVerificationFailed := &DomainVerificationFailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgDomainVerificationFailed)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-Bhm37", "unable to unmarshal org domain verification failed")
+	}
+
+	return orgDomainVerificationFailed, nil
+}
+
+type DomainVerifiedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Domain string `json:"domain,omitempty"`
+}
+
+func (e *DomainVerifiedEvent) Data() interface{} {
+	return e
+}
+
+func (e *DomainVerifiedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddOrgDomainUniqueConstraint(e.Domain)}
+}
+
+func NewDomainVerifiedEvent(ctx context.Context, aggregate *eventstore.Aggregate, domain string) *DomainVerifiedEvent {
+	return &DomainVerifiedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgDomainVerifiedEventType,
+		),
+		Domain: domain,
+	}
+}
+
+func DomainVerifiedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgDomainVerified := &DomainVerifiedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgDomainVerified)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-BFSwt", "unable to unmarshal org domain verified")
+	}
+
+	return orgDomainVerified, nil
+}
+
+type DomainPrimarySetEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Domain string `json:"domain,omitempty"`
+}
+
+func (e *DomainPrimarySetEvent) Data() interface{} {
+	return e
+}
+
+func (e *DomainPrimarySetEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewDomainPrimarySetEvent(ctx context.Context, aggregate *eventstore.Aggregate, domain string) *DomainPrimarySetEvent {
+	return &DomainPrimarySetEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgDomainPrimarySetEventType,
+		),
+		Domain: domain,
+	}
+}
+
+func DomainPrimarySetEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgDomainPrimarySet := &DomainPrimarySetEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgDomainPrimarySet)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-N5787", "unable to unmarshal org domain primary set")
+	}
+
+	return orgDomainPrimarySet, nil
+}
+
+type DomainRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Domain     string `json:"domain,omitempty"`
+	isVerified bool
+}
+
+func (e *DomainRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *DomainRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	if !e.isVerified {
+		return nil
+	}
+	return []*eventstore.EventUniqueConstraint{NewRemoveOrgDomainUniqueConstraint(e.Domain)}
+}
+
+func NewDomainRemovedEvent(ctx context.Context, aggregate *eventstore.Aggregate, domain string) *DomainRemovedEvent {
+	return &DomainRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgDomainRemovedEventType,
+		),
+		Domain: domain,
+	}
+}
+
+func DomainRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgDomainRemoved := &DomainRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgDomainRemoved)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-BngB2", "unable to unmarshal org domain removed")
+	}
+
+	return orgDomainRemoved, nil
+}
--- a/internal/repository/org/eventstore.go
+++ b/internal/repository/org/eventstore.go
@@ -0,0 +1,60 @@
+package org
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(OrgAddedEventType, OrgAddedEventMapper).
+		RegisterFilterEventMapper(OrgChangedEventType, OrgChangedEventMapper).
+		RegisterFilterEventMapper(OrgDeactivatedEventType, OrgDeactivatedEventMapper).
+		RegisterFilterEventMapper(OrgReactivatedEventType, OrgReactivatedEventMapper).
+		//RegisterFilterEventMapper(OrgRemovedEventType, OrgRemovedEventMapper).  //TODO: implement
+		RegisterFilterEventMapper(OrgDomainAddedEventType, DomainAddedEventMapper).
+		RegisterFilterEventMapper(OrgDomainVerificationAddedEventType, DomainVerificationAddedEventMapper).
+		RegisterFilterEventMapper(OrgDomainVerificationFailedEventType, DomainVerificationFailedEventMapper).
+		RegisterFilterEventMapper(OrgDomainVerifiedEventType, DomainVerifiedEventMapper).
+		RegisterFilterEventMapper(OrgDomainPrimarySetEventType, DomainPrimarySetEventMapper).
+		RegisterFilterEventMapper(OrgDomainRemovedEventType, DomainRemovedEventMapper).
+		RegisterFilterEventMapper(MemberAddedEventType, MemberAddedEventMapper).
+		RegisterFilterEventMapper(MemberChangedEventType, MemberChangedEventMapper).
+		RegisterFilterEventMapper(MemberRemovedEventType, MemberRemovedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyAddedEventType, LabelPolicyAddedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyChangedEventType, LabelPolicyChangedEventMapper).
+		RegisterFilterEventMapper(LabelPolicyRemovedEventType, LabelPolicyRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyAddedEventType, LoginPolicyAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyChangedEventType, LoginPolicyChangedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyRemovedEventType, LoginPolicyRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicySecondFactorAddedEventType, SecondFactorAddedEventEventMapper).
+		RegisterFilterEventMapper(LoginPolicySecondFactorRemovedEventType, SecondFactorRemovedEventEventMapper).
+		RegisterFilterEventMapper(LoginPolicyMultiFactorAddedEventType, MultiFactorAddedEventEventMapper).
+		RegisterFilterEventMapper(LoginPolicyMultiFactorRemovedEventType, MultiFactorRemovedEventEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderAddedEventType, IdentityProviderAddedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderRemovedEventType, IdentityProviderRemovedEventMapper).
+		RegisterFilterEventMapper(LoginPolicyIDPProviderCascadeRemovedEventType, IdentityProviderCascadeRemovedEventMapper).
+		RegisterFilterEventMapper(OrgIAMPolicyAddedEventType, OrgIAMPolicyAddedEventMapper).
+		RegisterFilterEventMapper(OrgIAMPolicyChangedEventType, OrgIAMPolicyChangedEventMapper).
+		RegisterFilterEventMapper(OrgIAMPolicyRemovedEventType, OrgIAMPolicyRemovedEventMapper).
+		RegisterFilterEventMapper(PasswordAgePolicyAddedEventType, PasswordAgePolicyAddedEventMapper).
+		RegisterFilterEventMapper(PasswordAgePolicyChangedEventType, PasswordAgePolicyChangedEventMapper).
+		RegisterFilterEventMapper(PasswordAgePolicyRemovedEventType, PasswordAgePolicyRemovedEventMapper).
+		RegisterFilterEventMapper(PasswordComplexityPolicyAddedEventType, PasswordComplexityPolicyAddedEventMapper).
+		RegisterFilterEventMapper(PasswordComplexityPolicyChangedEventType, PasswordComplexityPolicyChangedEventMapper).
+		RegisterFilterEventMapper(PasswordComplexityPolicyRemovedEventType, PasswordComplexityPolicyRemovedEventMapper).
+		RegisterFilterEventMapper(PasswordLockoutPolicyAddedEventType, PasswordLockoutPolicyAddedEventMapper).
+		RegisterFilterEventMapper(PasswordLockoutPolicyChangedEventType, PasswordLockoutPolicyChangedEventMapper).
+		RegisterFilterEventMapper(PasswordLockoutPolicyRemovedEventType, PasswordLockoutPolicyRemovedEventMapper).
+		RegisterFilterEventMapper(MailTemplateAddedEventType, MailTemplateAddedEventMapper).
+		RegisterFilterEventMapper(MailTemplateChangedEventType, MailTemplateChangedEventMapper).
+		RegisterFilterEventMapper(MailTemplateRemovedEventType, MailTemplateRemovedEventMapper).
+		RegisterFilterEventMapper(MailTextAddedEventType, MailTextAddedEventMapper).
+		RegisterFilterEventMapper(MailTextChangedEventType, MailTextChangedEventMapper).
+		RegisterFilterEventMapper(MailTextRemovedEventType, MailTextRemovedEventMapper).
+		RegisterFilterEventMapper(IDPConfigAddedEventType, IDPConfigAddedEventMapper).
+		RegisterFilterEventMapper(IDPConfigChangedEventType, IDPConfigChangedEventMapper).
+		RegisterFilterEventMapper(IDPConfigRemovedEventType, IDPConfigRemovedEventMapper).
+		RegisterFilterEventMapper(IDPConfigDeactivatedEventType, IDPConfigDeactivatedEventMapper).
+		RegisterFilterEventMapper(IDPConfigReactivatedEventType, IDPConfigReactivatedEventMapper).
+		RegisterFilterEventMapper(IDPOIDCConfigAddedEventType, IDPOIDCConfigAddedEventMapper).
+		RegisterFilterEventMapper(IDPOIDCConfigChangedEventType, IDPOIDCConfigChangedEventMapper)
+}
--- a/internal/repository/org/idp_config.go
+++ b/internal/repository/org/idp_config.go
@@ -0,0 +1,184 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/idpconfig"
+)
+
+const (
+	IDPConfigAddedEventType       eventstore.EventType = "org.idp.config.added"
+	IDPConfigChangedEventType     eventstore.EventType = "org.idp.config.changed"
+	IDPConfigRemovedEventType     eventstore.EventType = "org.idp.config.removed"
+	IDPConfigDeactivatedEventType eventstore.EventType = "org.idp.config.deactivated"
+	IDPConfigReactivatedEventType eventstore.EventType = "org.idp.config.reactivated"
+)
+
+type IDPConfigAddedEvent struct {
+	idpconfig.IDPConfigAddedEvent
+}
+
+func NewIDPConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID,
+	name string,
+	configType domain.IDPConfigType,
+	stylingType domain.IDPConfigStylingType,
+) *IDPConfigAddedEvent {
+
+	return &IDPConfigAddedEvent{
+		IDPConfigAddedEvent: *idpconfig.NewIDPConfigAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPConfigAddedEventType,
+			),
+			configID,
+			name,
+			configType,
+			stylingType,
+		),
+	}
+}
+
+func IDPConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigAddedEvent{IDPConfigAddedEvent: *e.(*idpconfig.IDPConfigAddedEvent)}, nil
+}
+
+type IDPConfigChangedEvent struct {
+	idpconfig.IDPConfigChangedEvent
+}
+
+func NewIDPConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID,
+	oldName string,
+	changes []idpconfig.IDPConfigChanges,
+) (*IDPConfigChangedEvent, error) {
+	changeEvent, err := idpconfig.NewIDPConfigChangedEvent(
+		eventstore.NewBaseEventForPush(ctx,
+			aggregate,
+			IDPConfigChangedEventType),
+		configID,
+		oldName,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &IDPConfigChangedEvent{IDPConfigChangedEvent: *changeEvent}, nil
+}
+
+func IDPConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigChangedEvent{IDPConfigChangedEvent: *e.(*idpconfig.IDPConfigChangedEvent)}, nil
+}
+
+type IDPConfigRemovedEvent struct {
+	idpconfig.IDPConfigRemovedEvent
+}
+
+func NewIDPConfigRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID,
+	name string,
+) *IDPConfigRemovedEvent {
+
+	return &IDPConfigRemovedEvent{
+		IDPConfigRemovedEvent: *idpconfig.NewIDPConfigRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPConfigRemovedEventType,
+			),
+			configID,
+			name,
+		),
+	}
+}
+
+func IDPConfigRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigRemovedEvent{IDPConfigRemovedEvent: *e.(*idpconfig.IDPConfigRemovedEvent)}, nil
+}
+
+type IDPConfigDeactivatedEvent struct {
+	idpconfig.IDPConfigDeactivatedEvent
+}
+
+func NewIDPConfigDeactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID string,
+) *IDPConfigDeactivatedEvent {
+
+	return &IDPConfigDeactivatedEvent{
+		IDPConfigDeactivatedEvent: *idpconfig.NewIDPConfigDeactivatedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPConfigDeactivatedEventType,
+			),
+			configID,
+		),
+	}
+}
+
+func IDPConfigDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigDeactivatedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigDeactivatedEvent{IDPConfigDeactivatedEvent: *e.(*idpconfig.IDPConfigDeactivatedEvent)}, nil
+}
+
+type IDPConfigReactivatedEvent struct {
+	idpconfig.IDPConfigReactivatedEvent
+}
+
+func NewIDPConfigReactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	configID string,
+) *IDPConfigReactivatedEvent {
+
+	return &IDPConfigReactivatedEvent{
+		IDPConfigReactivatedEvent: *idpconfig.NewIDPConfigReactivatedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPConfigReactivatedEventType,
+			),
+			configID,
+		),
+	}
+}
+
+func IDPConfigReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigReactivatedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigReactivatedEvent{IDPConfigReactivatedEvent: *e.(*idpconfig.IDPConfigReactivatedEvent)}, nil
+}
--- a/internal/repository/org/idp_oidc_config.go
+++ b/internal/repository/org/idp_oidc_config.go
@@ -0,0 +1,92 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/idpconfig"
+)
+
+const (
+	IDPOIDCConfigAddedEventType   eventstore.EventType = "org.idp." + idpconfig.OIDCConfigAddedEventType
+	IDPOIDCConfigChangedEventType eventstore.EventType = "org.idp." + idpconfig.ConfigChangedEventType
+)
+
+type IDPOIDCConfigAddedEvent struct {
+	idpconfig.OIDCConfigAddedEvent
+}
+
+func NewIDPOIDCConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	clientID,
+	idpConfigID,
+	issuer string,
+	clientSecret *crypto.CryptoValue,
+	idpDisplayNameMapping,
+	userNameMapping domain.OIDCMappingField,
+	scopes ...string,
+) *IDPOIDCConfigAddedEvent {
+
+	return &IDPOIDCConfigAddedEvent{
+		OIDCConfigAddedEvent: *idpconfig.NewOIDCConfigAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				IDPOIDCConfigAddedEventType,
+			),
+			clientID,
+			idpConfigID,
+			issuer,
+			clientSecret,
+			idpDisplayNameMapping,
+			userNameMapping,
+			scopes...,
+		),
+	}
+}
+
+func IDPOIDCConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.OIDCConfigAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPOIDCConfigAddedEvent{OIDCConfigAddedEvent: *e.(*idpconfig.OIDCConfigAddedEvent)}, nil
+}
+
+type IDPOIDCConfigChangedEvent struct {
+	idpconfig.OIDCConfigChangedEvent
+}
+
+func NewIDPOIDCConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+	changes []idpconfig.OIDCConfigChanges,
+) (*IDPOIDCConfigChangedEvent, error) {
+	changeEvent, err := idpconfig.NewOIDCConfigChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			IDPOIDCConfigChangedEventType),
+		idpConfigID,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &IDPOIDCConfigChangedEvent{OIDCConfigChangedEvent: *changeEvent}, nil
+}
+
+func IDPOIDCConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.OIDCConfigChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPOIDCConfigChangedEvent{OIDCConfigChangedEvent: *e.(*idpconfig.OIDCConfigChangedEvent)}, nil
+}
--- a/internal/repository/org/member.go
+++ b/internal/repository/org/member.go
@@ -0,0 +1,111 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/member"
+)
+
+var (
+	MemberAddedEventType   = orgEventTypePrefix + member.AddedEventType
+	MemberChangedEventType = orgEventTypePrefix + member.ChangedEventType
+	MemberRemovedEventType = orgEventTypePrefix + member.RemovedEventType
+)
+
+type MemberAddedEvent struct {
+	member.MemberAddedEvent
+}
+
+func NewMemberAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+	roles ...string,
+) *MemberAddedEvent {
+	return &MemberAddedEvent{
+		MemberAddedEvent: *member.NewMemberAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberAddedEventType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+func MemberAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.MemberAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberAddedEvent{MemberAddedEvent: *e.(*member.MemberAddedEvent)}, nil
+}
+
+type MemberChangedEvent struct {
+	member.MemberChangedEvent
+}
+
+func NewMemberChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+	roles ...string,
+) *MemberChangedEvent {
+
+	return &MemberChangedEvent{
+		MemberChangedEvent: *member.NewMemberChangedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberChangedEventType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+func MemberChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberChangedEvent{MemberChangedEvent: *e.(*member.MemberChangedEvent)}, nil
+}
+
+type MemberRemovedEvent struct {
+	member.MemberRemovedEvent
+}
+
+func NewMemberRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+) *MemberRemovedEvent {
+
+	return &MemberRemovedEvent{
+		MemberRemovedEvent: *member.NewRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberRemovedEventType,
+			),
+			userID,
+		),
+	}
+}
+
+func MemberRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.RemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberRemovedEvent{MemberRemovedEvent: *e.(*member.MemberRemovedEvent)}, nil
+}
--- a/internal/repository/org/org.go
+++ b/internal/repository/org/org.go
@@ -0,0 +1,215 @@
+package org
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	uniqueOrgname           = "org_name"
+	OrgAddedEventType       = orgEventTypePrefix + "added"
+	OrgChangedEventType     = orgEventTypePrefix + "changed"
+	OrgDeactivatedEventType = orgEventTypePrefix + "deactivated"
+	OrgReactivatedEventType = orgEventTypePrefix + "reactivated"
+	OrgRemovedEventType     = orgEventTypePrefix + "removed"
+)
+
+func NewAddOrgNameUniqueConstraint(orgName string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		uniqueOrgname,
+		orgName,
+		"Errors.Org.AlreadyExists")
+}
+
+func NewRemoveOrgNameUniqueConstraint(orgName string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		uniqueOrgname,
+		orgName)
+}
+
+type OrgAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Name string `json:"name,omitempty"`
+}
+
+func (e *OrgAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OrgAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddOrgNameUniqueConstraint(e.Name)}
+}
+
+func NewOrgAddedEvent(ctx context.Context, aggregate *eventstore.Aggregate, name string) *OrgAddedEvent {
+	return &OrgAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgAddedEventType,
+		),
+		Name: name,
+	}
+}
+
+func OrgAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgAdded := &OrgAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-Bren2", "unable to unmarshal org added")
+	}
+
+	return orgAdded, nil
+}
+
+type OrgChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Name    string `json:"name,omitempty"`
+	oldName string `json:"-"`
+}
+
+func (e *OrgChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OrgChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{
+		NewRemoveOrgNameUniqueConstraint(e.oldName),
+		NewAddOrgNameUniqueConstraint(e.Name),
+	}
+}
+
+func NewOrgChangedEvent(ctx context.Context, aggregate *eventstore.Aggregate, oldName, newName string) *OrgChangedEvent {
+	return &OrgChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgChangedEventType,
+		),
+		Name:    newName,
+		oldName: oldName,
+	}
+}
+
+func OrgChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgChanged := &OrgChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgChanged)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-Bren2", "unable to unmarshal org added")
+	}
+
+	return orgChanged, nil
+}
+
+type OrgDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *OrgDeactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OrgDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOrgDeactivatedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *OrgDeactivatedEvent {
+	return &OrgDeactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgDeactivatedEventType,
+		),
+	}
+}
+
+func OrgDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgChanged := &OrgDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgChanged)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-DAfbs", "unable to unmarshal org deactivated")
+	}
+
+	return orgChanged, nil
+}
+
+type OrgReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *OrgReactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OrgReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOrgReactivatedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *OrgReactivatedEvent {
+	return &OrgReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgReactivatedEventType,
+		),
+	}
+}
+
+func OrgReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgChanged := &OrgReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgChanged)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-DAfbs", "unable to unmarshal org deactivated")
+	}
+
+	return orgChanged, nil
+}
+
+type OrgRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	name                 string
+}
+
+func (e *OrgRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OrgRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveOrgNameUniqueConstraint(e.name)}
+}
+
+func NewOrgRemovedEvent(ctx context.Context, aggregate *eventstore.Aggregate, name string) *OrgRemovedEvent {
+	return &OrgRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgRemovedEventType,
+		),
+		name: name,
+	}
+}
+
+func OrgRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	orgChanged := &OrgRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, orgChanged)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "ORG-DAfbs", "unable to unmarshal org deactivated")
+	}
+
+	return orgChanged, nil
+}
--- a/internal/repository/org/policy_label.go
+++ b/internal/repository/org/policy_label.go
@@ -0,0 +1,103 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LabelPolicyAddedEventType   = orgEventTypePrefix + policy.LabelPolicyAddedEventType
+	LabelPolicyChangedEventType = orgEventTypePrefix + policy.LabelPolicyChangedEventType
+	LabelPolicyRemovedEventType = orgEventTypePrefix + policy.LabelPolicyRemovedEventType
+)
+
+type LabelPolicyAddedEvent struct {
+	policy.LabelPolicyAddedEvent
+}
+
+func NewLabelPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	primaryColor,
+	secondaryColor string,
+) *LabelPolicyAddedEvent {
+	return &LabelPolicyAddedEvent{
+		LabelPolicyAddedEvent: *policy.NewLabelPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyAddedEventType),
+			primaryColor,
+			secondaryColor),
+	}
+}
+
+func LabelPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LabelPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyAddedEvent{LabelPolicyAddedEvent: *e.(*policy.LabelPolicyAddedEvent)}, nil
+}
+
+type LabelPolicyChangedEvent struct {
+	policy.LabelPolicyChangedEvent
+}
+
+func NewLabelPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.LabelPolicyChanges,
+) (*LabelPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewLabelPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			LabelPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &LabelPolicyChangedEvent{LabelPolicyChangedEvent: *changedEvent}, nil
+}
+
+func LabelPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LabelPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyChangedEvent{LabelPolicyChangedEvent: *e.(*policy.LabelPolicyChangedEvent)}, nil
+}
+
+type LabelPolicyRemovedEvent struct {
+	policy.LabelPolicyRemovedEvent
+}
+
+func NewLabelPolicyRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *LabelPolicyRemovedEvent {
+	return &LabelPolicyRemovedEvent{
+		LabelPolicyRemovedEvent: *policy.NewLabelPolicyRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LabelPolicyRemovedEventType),
+		),
+	}
+}
+
+func LabelPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LabelPolicyRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LabelPolicyRemovedEvent{LabelPolicyRemovedEvent: *e.(*policy.LabelPolicyRemovedEvent)}, nil
+}
--- a/internal/repository/org/policy_login.go
+++ b/internal/repository/org/policy_login.go
@@ -0,0 +1,110 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LoginPolicyAddedEventType   = orgEventTypePrefix + policy.LoginPolicyAddedEventType
+	LoginPolicyChangedEventType = orgEventTypePrefix + policy.LoginPolicyChangedEventType
+	LoginPolicyRemovedEventType = orgEventTypePrefix + policy.LoginPolicyRemovedEventType
+)
+
+type LoginPolicyAddedEvent struct {
+	policy.LoginPolicyAddedEvent
+}
+
+func NewLoginPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	allowUsernamePassword,
+	allowRegister,
+	allowExternalIDP,
+	forceMFA bool,
+	passwordlessType domain.PasswordlessType,
+) *LoginPolicyAddedEvent {
+	return &LoginPolicyAddedEvent{
+		LoginPolicyAddedEvent: *policy.NewLoginPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyAddedEventType),
+			allowUsernamePassword,
+			allowRegister,
+			allowExternalIDP,
+			forceMFA,
+			passwordlessType),
+	}
+}
+
+func LoginPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LoginPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyAddedEvent{LoginPolicyAddedEvent: *e.(*policy.LoginPolicyAddedEvent)}, nil
+}
+
+type LoginPolicyChangedEvent struct {
+	policy.LoginPolicyChangedEvent
+}
+
+func NewLoginPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.LoginPolicyChanges,
+) (*LoginPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewLoginPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			LoginPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &LoginPolicyChangedEvent{LoginPolicyChangedEvent: *changedEvent}, nil
+}
+
+func LoginPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LoginPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyChangedEvent{LoginPolicyChangedEvent: *e.(*policy.LoginPolicyChangedEvent)}, nil
+}
+
+type LoginPolicyRemovedEvent struct {
+	policy.LoginPolicyRemovedEvent
+}
+
+func NewLoginPolicyRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *LoginPolicyRemovedEvent {
+	return &LoginPolicyRemovedEvent{
+		LoginPolicyRemovedEvent: *policy.NewLoginPolicyRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyRemovedEventType),
+		),
+	}
+}
+
+func LoginPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.LoginPolicyRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyRemovedEvent{LoginPolicyRemovedEvent: *e.(*policy.LoginPolicyRemovedEvent)}, nil
+}
--- a/internal/repository/org/policy_login_factors.go
+++ b/internal/repository/org/policy_login_factors.go
@@ -0,0 +1,140 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LoginPolicySecondFactorAddedEventType   = orgEventTypePrefix + policy.LoginPolicySecondFactorAddedEventType
+	LoginPolicySecondFactorRemovedEventType = orgEventTypePrefix + policy.LoginPolicySecondFactorRemovedEventType
+
+	LoginPolicyMultiFactorAddedEventType   = orgEventTypePrefix + policy.LoginPolicyMultiFactorAddedEventType
+	LoginPolicyMultiFactorRemovedEventType = orgEventTypePrefix + policy.LoginPolicyMultiFactorRemovedEventType
+)
+
+type LoginPolicySecondFactorAddedEvent struct {
+	policy.SecondFactorAddedEvent
+}
+
+func NewLoginPolicySecondFactorAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mfaType domain.SecondFactorType,
+) *LoginPolicySecondFactorAddedEvent {
+	return &LoginPolicySecondFactorAddedEvent{
+		SecondFactorAddedEvent: *policy.NewSecondFactorAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicySecondFactorAddedEventType),
+			mfaType),
+	}
+}
+
+func SecondFactorAddedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.SecondFactorAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicySecondFactorAddedEvent{
+		SecondFactorAddedEvent: *e.(*policy.SecondFactorAddedEvent),
+	}, nil
+}
+
+type LoginPolicySecondFactorRemovedEvent struct {
+	policy.SecondFactorRemovedEvent
+}
+
+func NewLoginPolicySecondFactorRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mfaType domain.SecondFactorType,
+) *LoginPolicySecondFactorRemovedEvent {
+
+	return &LoginPolicySecondFactorRemovedEvent{
+		SecondFactorRemovedEvent: *policy.NewSecondFactorRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicySecondFactorRemovedEventType),
+			mfaType),
+	}
+}
+
+func SecondFactorRemovedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.SecondFactorRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicySecondFactorRemovedEvent{
+		SecondFactorRemovedEvent: *e.(*policy.SecondFactorRemovedEvent),
+	}, nil
+}
+
+type LoginPolicyMultiFactorAddedEvent struct {
+	policy.MultiFactorAddedEvent
+}
+
+func NewLoginPolicyMultiFactorAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mfaType domain.MultiFactorType,
+) *LoginPolicyMultiFactorAddedEvent {
+	return &LoginPolicyMultiFactorAddedEvent{
+		MultiFactorAddedEvent: *policy.NewMultiFactorAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyMultiFactorAddedEventType),
+			mfaType),
+	}
+}
+
+func MultiFactorAddedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MultiFactorAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyMultiFactorAddedEvent{
+		MultiFactorAddedEvent: *e.(*policy.MultiFactorAddedEvent),
+	}, nil
+}
+
+type LoginPolicyMultiFactorRemovedEvent struct {
+	policy.MultiFactorRemovedEvent
+}
+
+func NewLoginPolicyMultiFactorRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mfaType domain.MultiFactorType,
+) *LoginPolicyMultiFactorRemovedEvent {
+
+	return &LoginPolicyMultiFactorRemovedEvent{
+		MultiFactorRemovedEvent: *policy.NewMultiFactorRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyMultiFactorRemovedEventType),
+			mfaType),
+	}
+}
+
+func MultiFactorRemovedEventEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MultiFactorRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &LoginPolicyMultiFactorRemovedEvent{
+		MultiFactorRemovedEvent: *e.(*policy.MultiFactorRemovedEvent),
+	}, nil
+}
--- a/internal/repository/org/policy_login_identity_provider.go
+++ b/internal/repository/org/policy_login_identity_provider.go
@@ -0,0 +1,106 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	LoginPolicyIDPProviderAddedEventType          = orgEventTypePrefix + policy.LoginPolicyIDPProviderAddedType
+	LoginPolicyIDPProviderRemovedEventType        = orgEventTypePrefix + policy.LoginPolicyIDPProviderRemovedType
+	LoginPolicyIDPProviderCascadeRemovedEventType = orgEventTypePrefix + policy.LoginPolicyIDPProviderCascadeRemovedType
+)
+
+type IdentityProviderAddedEvent struct {
+	policy.IdentityProviderAddedEvent
+}
+
+func NewIdentityProviderAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+	idpProviderType domain.IdentityProviderType,
+) *IdentityProviderAddedEvent {
+
+	return &IdentityProviderAddedEvent{
+		IdentityProviderAddedEvent: *policy.NewIdentityProviderAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyIDPProviderAddedEventType),
+			idpConfigID,
+			idpProviderType),
+	}
+}
+
+func IdentityProviderAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.IdentityProviderAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderAddedEvent{
+		IdentityProviderAddedEvent: *e.(*policy.IdentityProviderAddedEvent),
+	}, nil
+}
+
+type IdentityProviderRemovedEvent struct {
+	policy.IdentityProviderRemovedEvent
+}
+
+func NewIdentityProviderRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+) *IdentityProviderRemovedEvent {
+	return &IdentityProviderRemovedEvent{
+		IdentityProviderRemovedEvent: *policy.NewIdentityProviderRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				LoginPolicyIDPProviderRemovedEventType),
+			idpConfigID),
+	}
+}
+
+func IdentityProviderRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.IdentityProviderRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderRemovedEvent{
+		IdentityProviderRemovedEvent: *e.(*policy.IdentityProviderRemovedEvent),
+	}, nil
+}
+
+type IdentityProviderCascadeRemovedEvent struct {
+	policy.IdentityProviderCascadeRemovedEvent
+}
+
+func NewIdentityProviderCascadeRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID string,
+) *IdentityProviderCascadeRemovedEvent {
+	return &IdentityProviderCascadeRemovedEvent{
+		IdentityProviderCascadeRemovedEvent: *policy.NewIdentityProviderCascadeRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, LoginPolicyIDPProviderRemovedEventType),
+			idpConfigID),
+	}
+}
+
+func IdentityProviderCascadeRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.IdentityProviderCascadeRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IdentityProviderCascadeRemovedEvent{
+		IdentityProviderCascadeRemovedEvent: *e.(*policy.IdentityProviderCascadeRemovedEvent),
+	}, nil
+}
--- a/internal/repository/org/policy_mail_template.go
+++ b/internal/repository/org/policy_mail_template.go
@@ -0,0 +1,92 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	MailTemplateAddedEventType   = orgEventTypePrefix + policy.MailTemplatePolicyAddedEventType
+	MailTemplateChangedEventType = orgEventTypePrefix + policy.MailTemplatePolicyChangedEventType
+	MailTemplateRemovedEventType = orgEventTypePrefix + policy.MailTemplatePolicyRemovedEventType
+)
+
+type MailTemplateAddedEvent struct {
+	policy.MailTemplateAddedEvent
+}
+
+func NewMailTemplateAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	template []byte,
+) *MailTemplateAddedEvent {
+	return &MailTemplateAddedEvent{
+		MailTemplateAddedEvent: *policy.NewMailTemplateAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, MailTemplateAddedEventType),
+			template),
+	}
+}
+
+func MailTemplateAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MailTemplateAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTemplateAddedEvent{MailTemplateAddedEvent: *e.(*policy.MailTemplateAddedEvent)}, nil
+}
+
+type MailTemplateChangedEvent struct {
+	policy.MailTemplateChangedEvent
+}
+
+func NewMailTemplateChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.MailTemplateChanges,
+) (*MailTemplateChangedEvent, error) {
+	changedEvent, err := policy.NewMailTemplateChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, aggregate, MailTemplateChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &MailTemplateChangedEvent{MailTemplateChangedEvent: *changedEvent}, nil
+}
+
+func MailTemplateChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MailTemplateChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTemplateChangedEvent{MailTemplateChangedEvent: *e.(*policy.MailTemplateChangedEvent)}, nil
+}
+
+type MailTemplateRemovedEvent struct {
+	policy.MailTemplateRemovedEvent
+}
+
+func NewMailTemplateRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *MailTemplateRemovedEvent {
+	return &MailTemplateRemovedEvent{
+		MailTemplateRemovedEvent: *policy.NewMailTemplateRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, MailTemplateRemovedEventType),
+		),
+	}
+}
+
+func MailTemplateRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MailTemplateRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTemplateRemovedEvent{MailTemplateRemovedEvent: *e.(*policy.MailTemplateRemovedEvent)}, nil
+}
--- a/internal/repository/org/policy_mail_text.go
+++ b/internal/repository/org/policy_mail_text.go
@@ -0,0 +1,114 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	MailTextAddedEventType   = orgEventTypePrefix + policy.MailTextPolicyAddedEventType
+	MailTextChangedEventType = orgEventTypePrefix + policy.MailTextPolicyChangedEventType
+	MailTextRemovedEventType = orgEventTypePrefix + policy.MailTextPolicyRemovedEventType
+)
+
+type MailTextAddedEvent struct {
+	policy.MailTextAddedEvent
+}
+
+func NewMailTextAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mailTextType,
+	language,
+	title,
+	preHeader,
+	subject,
+	greeting,
+	text,
+	buttonText string,
+) *MailTextAddedEvent {
+	return &MailTextAddedEvent{
+		MailTextAddedEvent: *policy.NewMailTextAddedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, MailTextAddedEventType),
+			mailTextType,
+			language,
+			title,
+			preHeader,
+			subject,
+			greeting,
+			text,
+			buttonText),
+	}
+}
+
+func MailTextAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MailTextAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTextAddedEvent{MailTextAddedEvent: *e.(*policy.MailTextAddedEvent)}, nil
+}
+
+type MailTextChangedEvent struct {
+	policy.MailTextChangedEvent
+}
+
+func NewMailTextChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mailTextType,
+	language string,
+	changes []policy.MailTextChanges,
+) (*MailTextChangedEvent, error) {
+	changedEvent, err := policy.NewMailTextChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, aggregate, MailTextChangedEventType),
+		mailTextType,
+		language,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &MailTextChangedEvent{MailTextChangedEvent: *changedEvent}, nil
+}
+
+func MailTextChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MailTextChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTextChangedEvent{MailTextChangedEvent: *e.(*policy.MailTextChangedEvent)}, nil
+}
+
+type MailTextRemovedEvent struct {
+	policy.MailTextRemovedEvent
+}
+
+func NewMailTextRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	mailTextType,
+	language string,
+) *MailTextRemovedEvent {
+	return &MailTextRemovedEvent{
+		MailTextRemovedEvent: *policy.NewMailTextRemovedEvent(
+			eventstore.NewBaseEventForPush(ctx, aggregate, MailTextRemovedEventType),
+			mailTextType,
+			language,
+		),
+	}
+}
+
+func MailTextRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.MailTextRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MailTextRemovedEvent{MailTextRemovedEvent: *e.(*policy.MailTextRemovedEvent)}, nil
+}
--- a/internal/repository/org/policy_org_iam.go
+++ b/internal/repository/org/policy_org_iam.go
@@ -0,0 +1,105 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	//TODO: enable when possible
+	//OrgIAMPolicyAddedEventType   = orgEventTypePrefix + policy.OrgIAMPolicyAddedEventType
+	//OrgIAMPolicyChangedEventType = orgEventTypePrefix + policy.OrgIAMPolicyChangedEventType
+	OrgIAMPolicyAddedEventType   = orgEventTypePrefix + "iam.policy.added"
+	OrgIAMPolicyChangedEventType = orgEventTypePrefix + "iam.policy.changed"
+	OrgIAMPolicyRemovedEventType = orgEventTypePrefix + "iam.policy.removed"
+)
+
+type OrgIAMPolicyAddedEvent struct {
+	policy.OrgIAMPolicyAddedEvent
+}
+
+func NewOrgIAMPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userLoginMustBeDomain bool,
+) *OrgIAMPolicyAddedEvent {
+	return &OrgIAMPolicyAddedEvent{
+		OrgIAMPolicyAddedEvent: *policy.NewOrgIAMPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				OrgIAMPolicyAddedEventType),
+			userLoginMustBeDomain,
+		),
+	}
+}
+
+func OrgIAMPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.OrgIAMPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &OrgIAMPolicyAddedEvent{OrgIAMPolicyAddedEvent: *e.(*policy.OrgIAMPolicyAddedEvent)}, nil
+}
+
+type OrgIAMPolicyChangedEvent struct {
+	policy.OrgIAMPolicyChangedEvent
+}
+
+func NewOrgIAMPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.OrgIAMPolicyChanges,
+) (*OrgIAMPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewOrgIAMPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OrgIAMPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &OrgIAMPolicyChangedEvent{OrgIAMPolicyChangedEvent: *changedEvent}, nil
+}
+
+func OrgIAMPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.OrgIAMPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &OrgIAMPolicyChangedEvent{OrgIAMPolicyChangedEvent: *e.(*policy.OrgIAMPolicyChangedEvent)}, nil
+}
+
+type OrgIAMPolicyRemovedEvent struct {
+	policy.OrgIAMPolicyRemovedEvent
+}
+
+func NewOrgIAMPolicyRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *OrgIAMPolicyRemovedEvent {
+	return &OrgIAMPolicyRemovedEvent{
+		OrgIAMPolicyRemovedEvent: *policy.NewOrgIAMPolicyRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				OrgIAMPolicyRemovedEventType),
+		),
+	}
+}
+
+func OrgIAMPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.OrgIAMPolicyRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &OrgIAMPolicyRemovedEvent{OrgIAMPolicyRemovedEvent: *e.(*policy.OrgIAMPolicyRemovedEvent)}, nil
+}
--- a/internal/repository/org/policy_password_age.go
+++ b/internal/repository/org/policy_password_age.go
@@ -0,0 +1,103 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	PasswordAgePolicyAddedEventType   = orgEventTypePrefix + policy.PasswordAgePolicyAddedEventType
+	PasswordAgePolicyChangedEventType = orgEventTypePrefix + policy.PasswordAgePolicyChangedEventType
+	PasswordAgePolicyRemovedEventType = orgEventTypePrefix + policy.PasswordAgePolicyRemovedEventType
+)
+
+type PasswordAgePolicyAddedEvent struct {
+	policy.PasswordAgePolicyAddedEvent
+}
+
+func NewPasswordAgePolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	expireWarnDays,
+	maxAgeDays uint64,
+) *PasswordAgePolicyAddedEvent {
+	return &PasswordAgePolicyAddedEvent{
+		PasswordAgePolicyAddedEvent: *policy.NewPasswordAgePolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				PasswordAgePolicyAddedEventType),
+			expireWarnDays,
+			maxAgeDays),
+	}
+}
+
+func PasswordAgePolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordAgePolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordAgePolicyAddedEvent{PasswordAgePolicyAddedEvent: *e.(*policy.PasswordAgePolicyAddedEvent)}, nil
+}
+
+type PasswordAgePolicyChangedEvent struct {
+	policy.PasswordAgePolicyChangedEvent
+}
+
+func NewPasswordAgePolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.PasswordAgePolicyChanges,
+) (*PasswordAgePolicyChangedEvent, error) {
+	changedEvent, err := policy.NewPasswordAgePolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			PasswordAgePolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &PasswordAgePolicyChangedEvent{PasswordAgePolicyChangedEvent: *changedEvent}, nil
+}
+
+func PasswordAgePolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordAgePolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordAgePolicyChangedEvent{PasswordAgePolicyChangedEvent: *e.(*policy.PasswordAgePolicyChangedEvent)}, nil
+}
+
+type PasswordAgePolicyRemovedEvent struct {
+	policy.PasswordAgePolicyRemovedEvent
+}
+
+func NewPasswordAgePolicyRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *PasswordAgePolicyRemovedEvent {
+	return &PasswordAgePolicyRemovedEvent{
+		PasswordAgePolicyRemovedEvent: *policy.NewPasswordAgePolicyRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				PasswordAgePolicyRemovedEventType),
+		),
+	}
+}
+
+func PasswordAgePolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordAgePolicyRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordAgePolicyRemovedEvent{PasswordAgePolicyRemovedEvent: *e.(*policy.PasswordAgePolicyRemovedEvent)}, nil
+}
--- a/internal/repository/org/policy_password_complexity.go
+++ b/internal/repository/org/policy_password_complexity.go
@@ -0,0 +1,109 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	PasswordComplexityPolicyAddedEventType   = orgEventTypePrefix + policy.PasswordComplexityPolicyAddedEventType
+	PasswordComplexityPolicyChangedEventType = orgEventTypePrefix + policy.PasswordComplexityPolicyChangedEventType
+	PasswordComplexityPolicyRemovedEventType = orgEventTypePrefix + policy.PasswordComplexityPolicyRemovedEventType
+)
+
+type PasswordComplexityPolicyAddedEvent struct {
+	policy.PasswordComplexityPolicyAddedEvent
+}
+
+func NewPasswordComplexityPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	minLength uint64,
+	hasLowercase,
+	hasUppercase,
+	hasNumber,
+	hasSymbol bool,
+) *PasswordComplexityPolicyAddedEvent {
+	return &PasswordComplexityPolicyAddedEvent{
+		PasswordComplexityPolicyAddedEvent: *policy.NewPasswordComplexityPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				PasswordComplexityPolicyAddedEventType),
+			minLength,
+			hasLowercase,
+			hasUppercase,
+			hasNumber,
+			hasSymbol),
+	}
+}
+
+func PasswordComplexityPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordComplexityPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordComplexityPolicyAddedEvent{PasswordComplexityPolicyAddedEvent: *e.(*policy.PasswordComplexityPolicyAddedEvent)}, nil
+}
+
+type PasswordComplexityPolicyChangedEvent struct {
+	policy.PasswordComplexityPolicyChangedEvent
+}
+
+func NewPasswordComplexityPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.PasswordComplexityPolicyChanges,
+) (*PasswordComplexityPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewPasswordComplexityPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			PasswordComplexityPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &PasswordComplexityPolicyChangedEvent{PasswordComplexityPolicyChangedEvent: *changedEvent}, nil
+}
+
+func PasswordComplexityPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordComplexityPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordComplexityPolicyChangedEvent{PasswordComplexityPolicyChangedEvent: *e.(*policy.PasswordComplexityPolicyChangedEvent)}, nil
+}
+
+type PasswordComplexityPolicyRemovedEvent struct {
+	policy.PasswordComplexityPolicyRemovedEvent
+}
+
+func NewPasswordComplexityPolicyRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *PasswordComplexityPolicyRemovedEvent {
+	return &PasswordComplexityPolicyRemovedEvent{
+		PasswordComplexityPolicyRemovedEvent: *policy.NewPasswordComplexityPolicyRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				PasswordComplexityPolicyRemovedEventType),
+		),
+	}
+}
+
+func PasswordComplexityPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordComplexityPolicyRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordComplexityPolicyRemovedEvent{PasswordComplexityPolicyRemovedEvent: *e.(*policy.PasswordComplexityPolicyRemovedEvent)}, nil
+}
--- a/internal/repository/org/policy_password_lockout.go
+++ b/internal/repository/org/policy_password_lockout.go
@@ -0,0 +1,103 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/policy"
+)
+
+var (
+	PasswordLockoutPolicyAddedEventType   = orgEventTypePrefix + policy.PasswordLockoutPolicyAddedEventType
+	PasswordLockoutPolicyChangedEventType = orgEventTypePrefix + policy.PasswordLockoutPolicyChangedEventType
+	PasswordLockoutPolicyRemovedEventType = orgEventTypePrefix + policy.PasswordLockoutPolicyRemovedEventType
+)
+
+type PasswordLockoutPolicyAddedEvent struct {
+	policy.PasswordLockoutPolicyAddedEvent
+}
+
+func NewPasswordLockoutPolicyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	maxAttempts uint64,
+	showLockoutFailure bool,
+) *PasswordLockoutPolicyAddedEvent {
+	return &PasswordLockoutPolicyAddedEvent{
+		PasswordLockoutPolicyAddedEvent: *policy.NewPasswordLockoutPolicyAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				PasswordLockoutPolicyAddedEventType),
+			maxAttempts,
+			showLockoutFailure),
+	}
+}
+
+func PasswordLockoutPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordLockoutPolicyAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordLockoutPolicyAddedEvent{PasswordLockoutPolicyAddedEvent: *e.(*policy.PasswordLockoutPolicyAddedEvent)}, nil
+}
+
+type PasswordLockoutPolicyChangedEvent struct {
+	policy.PasswordLockoutPolicyChangedEvent
+}
+
+func NewPasswordLockoutPolicyChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []policy.PasswordLockoutPolicyChanges,
+) (*PasswordLockoutPolicyChangedEvent, error) {
+	changedEvent, err := policy.NewPasswordLockoutPolicyChangedEvent(
+		eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			PasswordLockoutPolicyChangedEventType),
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &PasswordLockoutPolicyChangedEvent{PasswordLockoutPolicyChangedEvent: *changedEvent}, nil
+}
+
+func PasswordLockoutPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordLockoutPolicyChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordLockoutPolicyChangedEvent{PasswordLockoutPolicyChangedEvent: *e.(*policy.PasswordLockoutPolicyChangedEvent)}, nil
+}
+
+type PasswordLockoutPolicyRemovedEvent struct {
+	policy.PasswordLockoutPolicyRemovedEvent
+}
+
+func NewPasswordLockoutPolicyRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *PasswordLockoutPolicyRemovedEvent {
+	return &PasswordLockoutPolicyRemovedEvent{
+		PasswordLockoutPolicyRemovedEvent: *policy.NewPasswordLockoutPolicyRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				PasswordLockoutPolicyRemovedEventType),
+		),
+	}
+}
+
+func PasswordLockoutPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := policy.PasswordLockoutPolicyRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &PasswordLockoutPolicyRemovedEvent{PasswordLockoutPolicyRemovedEvent: *e.(*policy.PasswordLockoutPolicyRemovedEvent)}, nil
+}
--- a/internal/repository/policy/label.go
+++ b/internal/repository/policy/label.go
@@ -0,0 +1,137 @@
+package policy
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	LabelPolicyAddedEventType   = "policy.label.added"
+	LabelPolicyChangedEventType = "policy.label.changed"
+	LabelPolicyRemovedEventType = "policy.label.removed"
+)
+
+type LabelPolicyAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	PrimaryColor   string `json:"primaryColor,omitempty"`
+	SecondaryColor string `json:"secondaryColor,omitempty"`
+}
+
+func (e *LabelPolicyAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *LabelPolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewLabelPolicyAddedEvent(
+	base *eventstore.BaseEvent,
+	primaryColor,
+	secondaryColor string,
+) *LabelPolicyAddedEvent {
+
+	return &LabelPolicyAddedEvent{
+		BaseEvent:      *base,
+		PrimaryColor:   primaryColor,
+		SecondaryColor: secondaryColor,
+	}
+}
+
+func LabelPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &LabelPolicyAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-puqv4", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type LabelPolicyChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	PrimaryColor   *string `json:"primaryColor,omitempty"`
+	SecondaryColor *string `json:"secondaryColor,omitempty"`
+}
+
+func (e *LabelPolicyChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *LabelPolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewLabelPolicyChangedEvent(
+	base *eventstore.BaseEvent,
+	changes []LabelPolicyChanges,
+) (*LabelPolicyChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "POLICY-Asfd3", "Errors.NoChangesFound")
+	}
+	changeEvent := &LabelPolicyChangedEvent{
+		BaseEvent: *base,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type LabelPolicyChanges func(*LabelPolicyChangedEvent)
+
+func ChangePrimaryColor(primaryColor string) func(*LabelPolicyChangedEvent) {
+	return func(e *LabelPolicyChangedEvent) {
+		e.PrimaryColor = &primaryColor
+	}
+}
+
+func ChangeSecondaryColor(secondaryColor string) func(*LabelPolicyChangedEvent) {
+	return func(e *LabelPolicyChangedEvent) {
+		e.SecondaryColor = &secondaryColor
+	}
+}
+
+func LabelPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &LabelPolicyChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-qhfFb", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type LabelPolicyRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *LabelPolicyRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *LabelPolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewLabelPolicyRemovedEvent(base *eventstore.BaseEvent) *LabelPolicyRemovedEvent {
+	return &LabelPolicyRemovedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func LabelPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &LabelPolicyRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/policy/login.go
+++ b/internal/repository/policy/login.go
@@ -0,0 +1,171 @@
+package policy
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	loginPolicyPrefix           = "policy.login."
+	LoginPolicyAddedEventType   = loginPolicyPrefix + "added"
+	LoginPolicyChangedEventType = loginPolicyPrefix + "changed"
+	LoginPolicyRemovedEventType = loginPolicyPrefix + "removed"
+)
+
+type LoginPolicyAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AllowUserNamePassword bool                    `json:"allowUsernamePassword,omitempty"`
+	AllowRegister         bool                    `json:"allowRegister,omitempty"`
+	AllowExternalIDP      bool                    `json:"allowExternalIdp,omitempty"`
+	ForceMFA              bool                    `json:"forceMFA,omitempty"`
+	PasswordlessType      domain.PasswordlessType `json:"passwordlessType,omitempty"`
+}
+
+func (e *LoginPolicyAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *LoginPolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewLoginPolicyAddedEvent(
+	base *eventstore.BaseEvent,
+	allowUserNamePassword,
+	allowRegister,
+	allowExternalIDP,
+	forceMFA bool,
+	passwordlessType domain.PasswordlessType,
+) *LoginPolicyAddedEvent {
+	return &LoginPolicyAddedEvent{
+		BaseEvent:             *base,
+		AllowExternalIDP:      allowExternalIDP,
+		AllowRegister:         allowRegister,
+		AllowUserNamePassword: allowUserNamePassword,
+		ForceMFA:              forceMFA,
+		PasswordlessType:      passwordlessType,
+	}
+}
+
+func LoginPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &LoginPolicyAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-nWndT", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type LoginPolicyChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AllowUserNamePassword *bool                    `json:"allowUsernamePassword,omitempty"`
+	AllowRegister         *bool                    `json:"allowRegister,omitempty"`
+	AllowExternalIDP      *bool                    `json:"allowExternalIdp,omitempty"`
+	ForceMFA              *bool                    `json:"forceMFA,omitempty"`
+	PasswordlessType      *domain.PasswordlessType `json:"passwordlessType,omitempty"`
+}
+
+type LoginPolicyEventData struct {
+}
+
+func (e *LoginPolicyChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *LoginPolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewLoginPolicyChangedEvent(
+	base *eventstore.BaseEvent,
+	changes []LoginPolicyChanges,
+) (*LoginPolicyChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "POLICY-ADg34", "Errors.NoChangesFound")
+	}
+	changeEvent := &LoginPolicyChangedEvent{
+		BaseEvent: *base,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type LoginPolicyChanges func(*LoginPolicyChangedEvent)
+
+func ChangeAllowUserNamePassword(allowUserNamePassword bool) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.AllowUserNamePassword = &allowUserNamePassword
+	}
+}
+
+func ChangeAllowRegister(allowRegister bool) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.AllowRegister = &allowRegister
+	}
+}
+
+func ChangeAllowExternalIDP(allowExternalIDP bool) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.AllowExternalIDP = &allowExternalIDP
+	}
+}
+
+func ChangeForceMFA(forceMFA bool) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.ForceMFA = &forceMFA
+	}
+}
+
+func ChangePasswordlessType(passwordlessType domain.PasswordlessType) func(*LoginPolicyChangedEvent) {
+	return func(e *LoginPolicyChangedEvent) {
+		e.PasswordlessType = &passwordlessType
+	}
+}
+
+func LoginPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &LoginPolicyChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-ehssl", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type LoginPolicyRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *LoginPolicyRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *LoginPolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewLoginPolicyRemovedEvent(base *eventstore.BaseEvent) *LoginPolicyRemovedEvent {
+	return &LoginPolicyRemovedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func LoginPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &LoginPolicyRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/policy/mail_template.go
+++ b/internal/repository/policy/mail_template.go
@@ -0,0 +1,128 @@
+package policy
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	mailPolicyPrefix                   = "mail."
+	mailTemplatePolicyPrefix           = mailPolicyPrefix + "template."
+	MailTemplatePolicyAddedEventType   = mailTemplatePolicyPrefix + "added"
+	MailTemplatePolicyChangedEventType = mailTemplatePolicyPrefix + "changed"
+	MailTemplatePolicyRemovedEventType = mailTemplatePolicyPrefix + "removed"
+)
+
+type MailTemplateAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Template []byte `json:"template,omitempty"`
+}
+
+func (e *MailTemplateAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MailTemplateAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewMailTemplateAddedEvent(
+	base *eventstore.BaseEvent,
+	template []byte,
+) *MailTemplateAddedEvent {
+	return &MailTemplateAddedEvent{
+		BaseEvent: *base,
+		Template:  template,
+	}
+}
+
+func MailTemplateAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &MailTemplateAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-5m9if", "unable to unmarshal mail template")
+	}
+
+	return e, nil
+}
+
+type MailTemplateChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Template *[]byte `json:"template,omitempty"`
+}
+
+func (e *MailTemplateChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MailTemplateChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewMailTemplateChangedEvent(
+	base *eventstore.BaseEvent,
+	changes []MailTemplateChanges,
+) (*MailTemplateChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "POLICY-m9osd", "Errors.NoChangesFound")
+	}
+	changeEvent := &MailTemplateChangedEvent{
+		BaseEvent: *base,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type MailTemplateChanges func(*MailTemplateChangedEvent)
+
+func ChangeTemplate(template []byte) func(*MailTemplateChangedEvent) {
+	return func(e *MailTemplateChangedEvent) {
+		e.Template = &template
+	}
+}
+
+func MailTemplateChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &MailTemplateChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-3uu8K", "unable to unmarshal mail template policy")
+	}
+
+	return e, nil
+}
+
+type MailTemplateRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *MailTemplateRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *MailTemplateRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewMailTemplateRemovedEvent(base *eventstore.BaseEvent) *MailTemplateRemovedEvent {
+	return &MailTemplateRemovedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func MailTemplateRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &MailTemplateRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/policy/mail_text.go
+++ b/internal/repository/policy/mail_text.go
@@ -0,0 +1,209 @@
+package policy
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueMailText                 = "mail_text"
+	mailTextPolicyPrefix           = mailPolicyPrefix + "text."
+	MailTextPolicyAddedEventType   = mailTextPolicyPrefix + "added"
+	MailTextPolicyChangedEventType = mailTextPolicyPrefix + "changed"
+	MailTextPolicyRemovedEventType = mailTextPolicyPrefix + "removed"
+)
+
+func NewAddMailTextUniqueConstraint(aggregateID, mailTextType, langugage string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueMailText,
+		fmt.Sprintf("%v:%v:%v", aggregateID, mailTextType, langugage),
+		"Errors.Org.AlreadyExists")
+}
+
+func NewRemoveMailTextUniqueConstraint(aggregateID, mailTextType, langugage string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueMailText,
+		fmt.Sprintf("%v:%v:%v", aggregateID, mailTextType, langugage))
+}
+
+type MailTextAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MailTextType string `json:"mailTextType,omitempty"`
+	Language     string `json:"language,omitempty"`
+	Title        string `json:"title,omitempty"`
+	PreHeader    string `json:"preHeader,omitempty"`
+	Subject      string `json:"subject,omitempty"`
+	Greeting     string `json:"greeting,omitempty"`
+	Text         string `json:"text,omitempty"`
+	ButtonText   string `json:"buttonText,omitempty"`
+}
+
+func (e *MailTextAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MailTextAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddMailTextUniqueConstraint(e.Aggregate().ResourceOwner, e.MailTextType, e.Language)}
+}
+
+func NewMailTextAddedEvent(
+	base *eventstore.BaseEvent,
+	mailTextType,
+	language,
+	title,
+	preHeader,
+	subject,
+	greeting,
+	text,
+	buttonText string,
+) *MailTextAddedEvent {
+	return &MailTextAddedEvent{
+		BaseEvent:    *base,
+		MailTextType: mailTextType,
+		Language:     language,
+		Title:        title,
+		PreHeader:    preHeader,
+		Subject:      subject,
+		Greeting:     greeting,
+		Text:         text,
+		ButtonText:   buttonText,
+	}
+}
+
+func MailTextAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &MailTextAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-5m9if", "unable to unmarshal mail text policy")
+	}
+
+	return e, nil
+}
+
+type MailTextChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MailTextType string  `json:"mailTextType,omitempty"`
+	Language     string  `json:"language,omitempty"`
+	Title        *string `json:"title,omitempty"`
+	PreHeader    *string `json:"preHeader,omitempty"`
+	Subject      *string `json:"subject,omitempty"`
+	Greeting     *string `json:"greeting,omitempty"`
+	Text         *string `json:"text,omitempty"`
+	ButtonText   *string `json:"buttonText,omitempty"`
+}
+
+func (e *MailTextChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MailTextChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewMailTextChangedEvent(
+	base *eventstore.BaseEvent,
+	mailTextType,
+	language string,
+	changes []MailTextChanges,
+) (*MailTextChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "POLICY-m9osd", "Errors.NoChangesFound")
+	}
+	changeEvent := &MailTextChangedEvent{
+		BaseEvent:    *base,
+		MailTextType: mailTextType,
+		Language:     language,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type MailTextChanges func(*MailTextChangedEvent)
+
+func ChangeTitle(title string) func(*MailTextChangedEvent) {
+	return func(e *MailTextChangedEvent) {
+		e.Title = &title
+	}
+}
+
+func ChangePreHeader(preHeader string) func(*MailTextChangedEvent) {
+	return func(e *MailTextChangedEvent) {
+		e.PreHeader = &preHeader
+	}
+}
+
+func ChangeSubject(greeting string) func(*MailTextChangedEvent) {
+	return func(e *MailTextChangedEvent) {
+		e.Subject = &greeting
+	}
+}
+
+func ChangeGreeting(greeting string) func(*MailTextChangedEvent) {
+	return func(e *MailTextChangedEvent) {
+		e.Greeting = &greeting
+	}
+}
+
+func ChangeText(text string) func(*MailTextChangedEvent) {
+	return func(e *MailTextChangedEvent) {
+		e.Text = &text
+	}
+}
+
+func ChangeButtonText(buttonText string) func(*MailTextChangedEvent) {
+	return func(e *MailTextChangedEvent) {
+		e.ButtonText = &buttonText
+	}
+}
+
+func MailTextChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &MailTextChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-bn88u", "unable to unmarshal mail text policy")
+	}
+
+	return e, nil
+}
+
+type MailTextRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MailTextType string `json:"mailTextType,omitempty"`
+	Language     string `json:"language,omitempty"`
+}
+
+func (e *MailTextRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *MailTextRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveMailTextUniqueConstraint(e.Aggregate().ResourceOwner, e.MailTextType, e.Language)}
+}
+
+func NewMailTextRemovedEvent(base *eventstore.BaseEvent, mailTextType, language string) *MailTextRemovedEvent {
+	return &MailTextRemovedEvent{
+		BaseEvent:    *base,
+		MailTextType: mailTextType,
+		Language:     language,
+	}
+}
+
+func MailTextRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &MailTextRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/policy/policy_login_factors.go
+++ b/internal/repository/policy/policy_login_factors.go
@@ -0,0 +1,165 @@
+package policy
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	loginPolicySecondFactorPrefix           = loginPolicyPrefix + "secondfactor."
+	LoginPolicySecondFactorAddedEventType   = loginPolicySecondFactorPrefix + "added"
+	LoginPolicySecondFactorRemovedEventType = loginPolicySecondFactorPrefix + "removed"
+
+	loginPolicyMultiFactorPrefix           = "policy.login.multifactor."
+	LoginPolicyMultiFactorAddedEventType   = loginPolicyMultiFactorPrefix + "added"
+	LoginPolicyMultiFactorRemovedEventType = loginPolicyMultiFactorPrefix + "removed"
+)
+
+type SecondFactorAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MFAType domain.SecondFactorType `json:"mfaType,omitempty"`
+}
+
+func NewSecondFactorAddedEvent(
+	base *eventstore.BaseEvent,
+	mfaType domain.SecondFactorType,
+) *SecondFactorAddedEvent {
+	return &SecondFactorAddedEvent{
+		BaseEvent: *base,
+		MFAType:   mfaType,
+	}
+}
+
+func SecondFactorAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &SecondFactorAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-Lp0dE", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+func (e *SecondFactorAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SecondFactorAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+type SecondFactorRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	MFAType              domain.SecondFactorType `json:"mfaType"`
+}
+
+func NewSecondFactorRemovedEvent(
+	base *eventstore.BaseEvent,
+	mfaType domain.SecondFactorType,
+) *SecondFactorRemovedEvent {
+	return &SecondFactorRemovedEvent{
+		BaseEvent: *base,
+		MFAType:   mfaType,
+	}
+}
+
+func SecondFactorRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &SecondFactorRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-5M9gd", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+func (e *SecondFactorRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *SecondFactorRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+type MultiFactorAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MFAType domain.MultiFactorType `json:"mfaType"`
+}
+
+func NewMultiFactorAddedEvent(
+	base *eventstore.BaseEvent,
+	mfaType domain.MultiFactorType,
+) *MultiFactorAddedEvent {
+	return &MultiFactorAddedEvent{
+		BaseEvent: *base,
+		MFAType:   mfaType,
+	}
+}
+
+func MultiFactorAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &MultiFactorAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-5Ms90", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+func (e *MultiFactorAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MultiFactorAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+type MultiFactorRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	MFAType              domain.MultiFactorType `json:"mfaType"`
+}
+
+func NewMultiFactorRemovedEvent(
+	base *eventstore.BaseEvent,
+	mfaType domain.MultiFactorType,
+) *MultiFactorRemovedEvent {
+	return &MultiFactorRemovedEvent{
+		BaseEvent: *base,
+		MFAType:   mfaType,
+	}
+}
+
+func MultiFactorRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &MultiFactorRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-1N8sd", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+func (e *MultiFactorRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MultiFactorRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
--- a/internal/repository/policy/policy_login_identity_provider.go
+++ b/internal/repository/policy/policy_login_identity_provider.go
@@ -0,0 +1,131 @@
+package policy
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	loginPolicyIDPProviderPrevix             = loginPolicyPrefix + "idpprovider."
+	LoginPolicyIDPProviderAddedType          = loginPolicyIDPProviderPrevix + "added"
+	LoginPolicyIDPProviderRemovedType        = loginPolicyIDPProviderPrevix + "removed"
+	LoginPolicyIDPProviderCascadeRemovedType = loginPolicyIDPProviderPrevix + "cascade.removed"
+)
+
+type IdentityProviderAddedEvent struct {
+	eventstore.BaseEvent
+
+	IDPConfigID     string                      `json:"idpConfigId,omitempty"`
+	IDPProviderType domain.IdentityProviderType `json:"idpProviderType,omitempty"`
+}
+
+func (e *IdentityProviderAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *IdentityProviderAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewIdentityProviderAddedEvent(
+	base *eventstore.BaseEvent,
+	idpConfigID string,
+	idpProviderType domain.IdentityProviderType,
+) *IdentityProviderAddedEvent {
+
+	return &IdentityProviderAddedEvent{
+		*base,
+		idpConfigID,
+		idpProviderType,
+	}
+}
+
+func IdentityProviderAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &IdentityProviderAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROVI-bfNnp", "Errors.Internal")
+	}
+
+	return e, nil
+}
+
+type IdentityProviderRemovedEvent struct {
+	eventstore.BaseEvent
+
+	IDPConfigID string `json:"idpConfigId"`
+}
+
+func (e *IdentityProviderRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *IdentityProviderRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewIdentityProviderRemovedEvent(
+	base *eventstore.BaseEvent,
+	idpConfigID string,
+) *IdentityProviderRemovedEvent {
+	return &IdentityProviderRemovedEvent{
+		BaseEvent:   *base,
+		IDPConfigID: idpConfigID,
+	}
+}
+
+func IdentityProviderRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &IdentityProviderRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROVI-6H0KQ", "Errors.Internal")
+	}
+
+	return e, nil
+}
+
+type IdentityProviderCascadeRemovedEvent struct {
+	eventstore.BaseEvent
+
+	IDPConfigID string `json:"idpConfigId"`
+}
+
+func (e *IdentityProviderCascadeRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *IdentityProviderCascadeRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewIdentityProviderCascadeRemovedEvent(
+	base *eventstore.BaseEvent,
+	idpConfigID string,
+) *IdentityProviderCascadeRemovedEvent {
+	return &IdentityProviderCascadeRemovedEvent{
+		BaseEvent:   *base,
+		IDPConfigID: idpConfigID,
+	}
+}
+
+func IdentityProviderCascadeRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &IdentityProviderCascadeRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROVI-7M9fs", "Errors.Internal")
+	}
+
+	return e, nil
+}
--- a/internal/repository/policy/policy_org_iam.go
+++ b/internal/repository/policy/policy_org_iam.go
@@ -0,0 +1,128 @@
+package policy
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	//TODO: use for org events as suffix (when possible)
+	OrgIAMPolicyAddedEventType   = "policy.org.iam.added"
+	OrgIAMPolicyChangedEventType = "policy.org.iam.changed"
+)
+
+type OrgIAMPolicyAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserLoginMustBeDomain bool `json:"userLoginMustBeDomain,omitempty"`
+}
+
+func (e *OrgIAMPolicyAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OrgIAMPolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOrgIAMPolicyAddedEvent(
+	base *eventstore.BaseEvent,
+	userLoginMustBeDomain bool,
+) *OrgIAMPolicyAddedEvent {
+
+	return &OrgIAMPolicyAddedEvent{
+		BaseEvent:             *base,
+		UserLoginMustBeDomain: userLoginMustBeDomain,
+	}
+}
+
+func OrgIAMPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OrgIAMPolicyAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-TvSmA", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type OrgIAMPolicyChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserLoginMustBeDomain *bool `json:"userLoginMustBeDomain,omitempty"`
+}
+
+func (e *OrgIAMPolicyChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OrgIAMPolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOrgIAMPolicyChangedEvent(
+	base *eventstore.BaseEvent,
+	changes []OrgIAMPolicyChanges,
+) (*OrgIAMPolicyChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "POLICY-DAf3h", "Errors.NoChangesFound")
+	}
+	changeEvent := &OrgIAMPolicyChangedEvent{
+		BaseEvent: *base,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type OrgIAMPolicyChanges func(*OrgIAMPolicyChangedEvent)
+
+func ChangeUserLoginMustBeDomain(userLoginMustBeDomain bool) func(*OrgIAMPolicyChangedEvent) {
+	return func(e *OrgIAMPolicyChangedEvent) {
+		e.UserLoginMustBeDomain = &userLoginMustBeDomain
+	}
+}
+
+func OrgIAMPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OrgIAMPolicyChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-0Pl9d", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type OrgIAMPolicyRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *OrgIAMPolicyRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *OrgIAMPolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOrgIAMPolicyRemovedEvent(base *eventstore.BaseEvent) *OrgIAMPolicyRemovedEvent {
+	return &OrgIAMPolicyRemovedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func OrgIAMPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &OrgIAMPolicyRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/policy/policy_password_age.go
+++ b/internal/repository/policy/policy_password_age.go
@@ -0,0 +1,137 @@
+package policy
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	PasswordAgePolicyAddedEventType   = "policy.password.age.added"
+	PasswordAgePolicyChangedEventType = "policy.password.age.changed"
+	PasswordAgePolicyRemovedEventType = "policy.password.age.removed"
+)
+
+type PasswordAgePolicyAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ExpireWarnDays uint64 `json:"expireWarnDays,omitempty"`
+	MaxAgeDays     uint64 `json:"maxAgeDays,omitempty"`
+}
+
+func (e *PasswordAgePolicyAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *PasswordAgePolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewPasswordAgePolicyAddedEvent(
+	base *eventstore.BaseEvent,
+	expireWarnDays,
+	maxAgeDays uint64,
+) *PasswordAgePolicyAddedEvent {
+
+	return &PasswordAgePolicyAddedEvent{
+		BaseEvent:      *base,
+		ExpireWarnDays: expireWarnDays,
+		MaxAgeDays:     maxAgeDays,
+	}
+}
+
+func PasswordAgePolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &PasswordAgePolicyAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-T3mGp", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type PasswordAgePolicyChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	ExpireWarnDays *uint64 `json:"expireWarnDays,omitempty"`
+	MaxAgeDays     *uint64 `json:"maxAgeDays,omitempty"`
+}
+
+func (e *PasswordAgePolicyChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *PasswordAgePolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewPasswordAgePolicyChangedEvent(
+	base *eventstore.BaseEvent,
+	changes []PasswordAgePolicyChanges,
+) (*PasswordAgePolicyChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "POLICY-DAgt5", "Errors.NoChangesFound")
+	}
+	changeEvent := &PasswordAgePolicyChangedEvent{
+		BaseEvent: *base,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type PasswordAgePolicyChanges func(*PasswordAgePolicyChangedEvent)
+
+func ChangeExpireWarnDays(expireWarnDay uint64) func(*PasswordAgePolicyChangedEvent) {
+	return func(e *PasswordAgePolicyChangedEvent) {
+		e.ExpireWarnDays = &expireWarnDay
+	}
+}
+
+func ChangeMaxAgeDays(maxAgeDays uint64) func(*PasswordAgePolicyChangedEvent) {
+	return func(e *PasswordAgePolicyChangedEvent) {
+		e.MaxAgeDays = &maxAgeDays
+	}
+}
+
+func PasswordAgePolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &PasswordAgePolicyChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-PqaVq", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type PasswordAgePolicyRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *PasswordAgePolicyRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *PasswordAgePolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewPasswordAgePolicyRemovedEvent(base *eventstore.BaseEvent) *PasswordAgePolicyRemovedEvent {
+	return &PasswordAgePolicyRemovedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func PasswordAgePolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &PasswordAgePolicyRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/policy/policy_password_complexity.go
+++ b/internal/repository/policy/policy_password_complexity.go
@@ -0,0 +1,167 @@
+package policy
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	PasswordComplexityPolicyAddedEventType   = "policy.password.complexity.added"
+	PasswordComplexityPolicyChangedEventType = "policy.password.complexity.changed"
+	PasswordComplexityPolicyRemovedEventType = "policy.password.complexity.removed"
+)
+
+type PasswordComplexityPolicyAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MinLength    uint64 `json:"minLength,omitempty"`
+	HasLowercase bool   `json:"hasLowercase,omitempty"`
+	HasUppercase bool   `json:"hasUppercase,omitempty"`
+	HasNumber    bool   `json:"hasNumber,omitempty"`
+	HasSymbol    bool   `json:"hasSymbol,omitempty"`
+}
+
+func (e *PasswordComplexityPolicyAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *PasswordComplexityPolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewPasswordComplexityPolicyAddedEvent(
+	base *eventstore.BaseEvent,
+	minLength uint64,
+	hasLowerCase,
+	hasUpperCase,
+	hasNumber,
+	hasSymbol bool,
+) *PasswordComplexityPolicyAddedEvent {
+	return &PasswordComplexityPolicyAddedEvent{
+		BaseEvent:    *base,
+		MinLength:    minLength,
+		HasLowercase: hasLowerCase,
+		HasUppercase: hasUpperCase,
+		HasNumber:    hasNumber,
+		HasSymbol:    hasSymbol,
+	}
+}
+
+func PasswordComplexityPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &PasswordComplexityPolicyAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-wYxlM", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type PasswordComplexityPolicyChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MinLength    *uint64 `json:"minLength,omitempty"`
+	HasLowercase *bool   `json:"hasLowercase,omitempty"`
+	HasUppercase *bool   `json:"hasUppercase,omitempty"`
+	HasNumber    *bool   `json:"hasNumber,omitempty"`
+	HasSymbol    *bool   `json:"hasSymbol,omitempty"`
+}
+
+func (e *PasswordComplexityPolicyChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *PasswordComplexityPolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewPasswordComplexityPolicyChangedEvent(
+	base *eventstore.BaseEvent,
+	changes []PasswordComplexityPolicyChanges,
+) (*PasswordComplexityPolicyChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "POLICY-Rdhu3", "Errors.NoChangesFound")
+	}
+	changeEvent := &PasswordComplexityPolicyChangedEvent{
+		BaseEvent: *base,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type PasswordComplexityPolicyChanges func(*PasswordComplexityPolicyChangedEvent)
+
+func ChangeMinLength(minLength uint64) func(*PasswordComplexityPolicyChangedEvent) {
+	return func(e *PasswordComplexityPolicyChangedEvent) {
+		e.MinLength = &minLength
+	}
+}
+
+func ChangeHasLowercase(hasLowercase bool) func(*PasswordComplexityPolicyChangedEvent) {
+	return func(e *PasswordComplexityPolicyChangedEvent) {
+		e.HasLowercase = &hasLowercase
+	}
+}
+
+func ChangeHasUppercase(hasUppercase bool) func(*PasswordComplexityPolicyChangedEvent) {
+	return func(e *PasswordComplexityPolicyChangedEvent) {
+		e.HasUppercase = &hasUppercase
+	}
+}
+
+func ChangeHasNumber(hasNumber bool) func(*PasswordComplexityPolicyChangedEvent) {
+	return func(e *PasswordComplexityPolicyChangedEvent) {
+		e.HasNumber = &hasNumber
+	}
+}
+
+func ChangeHasSymbol(hasSymbol bool) func(*PasswordComplexityPolicyChangedEvent) {
+	return func(e *PasswordComplexityPolicyChangedEvent) {
+		e.HasSymbol = &hasSymbol
+	}
+}
+
+func PasswordComplexityPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &PasswordComplexityPolicyChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-zBGB0", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type PasswordComplexityPolicyRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *PasswordComplexityPolicyRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *PasswordComplexityPolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewPasswordComplexityPolicyRemovedEvent(base *eventstore.BaseEvent) *PasswordComplexityPolicyRemovedEvent {
+	return &PasswordComplexityPolicyRemovedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func PasswordComplexityPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &PasswordComplexityPolicyRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/policy/policy_password_lockout.go
+++ b/internal/repository/policy/policy_password_lockout.go
@@ -0,0 +1,138 @@
+package policy
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	PasswordLockoutPolicyAddedEventType   = "policy.password.lockout.added"
+	PasswordLockoutPolicyChangedEventType = "policy.password.lockout.changed"
+	PasswordLockoutPolicyRemovedEventType = "policy.password.lockout.removed"
+)
+
+type PasswordLockoutPolicyAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MaxAttempts         uint64 `json:"maxAttempts,omitempty"`
+	ShowLockOutFailures bool   `json:"showLockOutFailures,omitempty"`
+}
+
+func (e *PasswordLockoutPolicyAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *PasswordLockoutPolicyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewPasswordLockoutPolicyAddedEvent(
+	base *eventstore.BaseEvent,
+	maxAttempts uint64,
+	showLockOutFailures bool,
+) *PasswordLockoutPolicyAddedEvent {
+
+	return &PasswordLockoutPolicyAddedEvent{
+		BaseEvent:           *base,
+		MaxAttempts:         maxAttempts,
+		ShowLockOutFailures: showLockOutFailures,
+	}
+}
+
+func PasswordLockoutPolicyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &PasswordLockoutPolicyAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-8XiVd", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type PasswordLockoutPolicyChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	MaxAttempts         *uint64 `json:"maxAttempts,omitempty"`
+	ShowLockOutFailures *bool   `json:"showLockOutFailures,omitempty"`
+}
+
+func (e *PasswordLockoutPolicyChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *PasswordLockoutPolicyChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewPasswordLockoutPolicyChangedEvent(
+	base *eventstore.BaseEvent,
+	changes []PasswordLockoutPolicyChanges,
+) (*PasswordLockoutPolicyChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "POLICY-sdgh6", "Errors.NoChangesFound")
+	}
+	changeEvent := &PasswordLockoutPolicyChangedEvent{
+		BaseEvent: *base,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type PasswordLockoutPolicyChanges func(*PasswordLockoutPolicyChangedEvent)
+
+func ChangeMaxAttempts(maxAttempts uint64) func(*PasswordLockoutPolicyChangedEvent) {
+	return func(e *PasswordLockoutPolicyChangedEvent) {
+		e.MaxAttempts = &maxAttempts
+	}
+}
+
+func ChangeShowLockOutFailures(showLockOutFailures bool) func(*PasswordLockoutPolicyChangedEvent) {
+	return func(e *PasswordLockoutPolicyChangedEvent) {
+		e.ShowLockOutFailures = &showLockOutFailures
+	}
+}
+
+func PasswordLockoutPolicyChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &PasswordLockoutPolicyChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "POLIC-lWGRc", "unable to unmarshal policy")
+	}
+
+	return e, nil
+}
+
+type PasswordLockoutPolicyRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *PasswordLockoutPolicyRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *PasswordLockoutPolicyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewPasswordLockoutPolicyRemovedEvent(base *eventstore.BaseEvent) *PasswordLockoutPolicyRemovedEvent {
+	return &PasswordLockoutPolicyRemovedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func PasswordLockoutPolicyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &PasswordLockoutPolicyRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/project/aggregate.go
+++ b/internal/repository/project/aggregate.go
@@ -0,0 +1,14 @@
+package project
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+const (
+	AggregateType    = "project"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
--- a/internal/repository/project/api_config.go
+++ b/internal/repository/project/api_config.go
@@ -0,0 +1,261 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	APIConfigAddedType                = applicationEventTypePrefix + "config.api.added"
+	APIConfigChangedType              = applicationEventTypePrefix + "config.api.changed"
+	APIConfigSecretChangedType        = applicationEventTypePrefix + "config.api.secret.changed"
+	APIClientSecretCheckSucceededType = applicationEventTypePrefix + "api.secret.check.succeeded"
+	APIClientSecretCheckFailedType    = applicationEventTypePrefix + "api.secret.check.failed"
+)
+
+type APIConfigAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID          string                   `json:"appId"`
+	ClientID       string                   `json:"clientId,omitempty"`
+	ClientSecret   *crypto.CryptoValue      `json:"clientSecret,omitempty"`
+	AuthMethodType domain.APIAuthMethodType `json:"authMethodType,omitempty"`
+}
+
+func (e *APIConfigAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *APIConfigAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	clientID string,
+	clientSecret *crypto.CryptoValue,
+	authMethodType domain.APIAuthMethodType,
+) *APIConfigAddedEvent {
+	return &APIConfigAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIConfigAddedType,
+		),
+		AppID:          appID,
+		ClientID:       clientID,
+		ClientSecret:   clientSecret,
+		AuthMethodType: authMethodType,
+	}
+}
+
+func APIConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &APIConfigAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "API-BFd15", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type APIConfigChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID          string                    `json:"appId"`
+	ClientSecret   *crypto.CryptoValue       `json:"clientSecret,omitempty"`
+	AuthMethodType *domain.APIAuthMethodType `json:"authMethodType,omitempty"`
+}
+
+func (e *APIConfigChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *APIConfigChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	changes []APIConfigChanges,
+) (*APIConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "API-i8idç", "Errors.NoChangesFound")
+	}
+
+	changeEvent := &APIConfigChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIConfigChangedType,
+		),
+		AppID: appID,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type APIConfigChanges func(event *APIConfigChangedEvent)
+
+func ChangeAPIAuthMethodType(authMethodType domain.APIAuthMethodType) func(event *APIConfigChangedEvent) {
+	return func(e *APIConfigChangedEvent) {
+		e.AuthMethodType = &authMethodType
+	}
+}
+
+func APIConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &APIConfigChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "API-BFd15", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type APIConfigSecretChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID        string              `json:"appId"`
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+}
+
+func (e *APIConfigSecretChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *APIConfigSecretChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigSecretChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	clientSecret *crypto.CryptoValue,
+) *APIConfigSecretChangedEvent {
+	return &APIConfigSecretChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIConfigSecretChangedType,
+		),
+		AppID:        appID,
+		ClientSecret: clientSecret,
+	}
+}
+
+func APIConfigSecretChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &APIConfigSecretChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "API-M893d", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type APIConfigSecretCheckSucceededEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId"`
+}
+
+func (e *APIConfigSecretCheckSucceededEvent) Data() interface{} {
+	return e
+}
+
+func (e *APIConfigSecretCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigSecretCheckSucceededEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *APIConfigSecretCheckSucceededEvent {
+	return &APIConfigSecretCheckSucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIClientSecretCheckSucceededType,
+		),
+		AppID: appID,
+	}
+}
+
+func APIConfigSecretCheckSucceededEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &APIConfigSecretCheckSucceededEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "API-837gV", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type APIConfigSecretCheckFailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId"`
+}
+
+func (e *APIConfigSecretCheckFailedEvent) Data() interface{} {
+	return e
+}
+
+func (e *APIConfigSecretCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewAPIConfigSecretCheckFailedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *APIConfigSecretCheckFailedEvent {
+	return &APIConfigSecretCheckFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			APIClientSecretCheckFailedType,
+		),
+		AppID: appID,
+	}
+}
+
+func APIConfigSecretCheckFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &APIConfigSecretCheckFailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "API-987g%", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
--- a/internal/repository/project/application.go
+++ b/internal/repository/project/application.go
@@ -0,0 +1,268 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueAppNameType          = "appname"
+	applicationEventTypePrefix = projectEventTypePrefix + "application."
+	ApplicationAddedType       = applicationEventTypePrefix + "added"
+	ApplicationChangedType     = applicationEventTypePrefix + "changed"
+	ApplicationDeactivatedType = applicationEventTypePrefix + "deactivated"
+	ApplicationReactivatedType = applicationEventTypePrefix + "reactivated"
+	ApplicationRemovedType     = applicationEventTypePrefix + "removed"
+)
+
+func NewAddApplicationUniqueConstraint(name, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueAppNameType,
+		fmt.Sprintf("%s:%s", name, projectID),
+		"Errors.Project.App.AlreadyExists")
+}
+
+func NewRemoveApplicationUniqueConstraint(name, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueAppNameType,
+		fmt.Sprintf("%s:%s", name, projectID))
+}
+
+type ApplicationAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID     string `json:"appId,omitempty"`
+	Name      string `json:"name,omitempty"`
+	projectID string
+}
+
+func (e *ApplicationAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddApplicationUniqueConstraint(e.Name, e.projectID)}
+}
+
+func NewApplicationAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	name,
+	projectID string,
+) *ApplicationAddedEvent {
+	return &ApplicationAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationAddedType,
+		),
+		AppID:     appID,
+		Name:      name,
+		projectID: projectID,
+	}
+}
+
+func ApplicationAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "APPLICATION-Nffg2", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
+
+type ApplicationChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID     string `json:"appId,omitempty"`
+	Name      string `json:"name,omitempty"`
+	oldName   string
+	projectID string
+}
+
+func (e *ApplicationChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{
+		NewRemoveApplicationUniqueConstraint(e.oldName, e.projectID),
+		NewAddApplicationUniqueConstraint(e.Name, e.projectID),
+	}
+}
+
+func NewApplicationChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	oldName,
+	newName,
+	projectID string,
+) *ApplicationChangedEvent {
+	return &ApplicationChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationChangedType,
+		),
+		AppID:     appID,
+		Name:      newName,
+		oldName:   oldName,
+		projectID: projectID,
+	}
+}
+
+func ApplicationChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "APPLICATION-9l0cs", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
+
+type ApplicationDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId,omitempty"`
+}
+
+func (e *ApplicationDeactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewApplicationDeactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *ApplicationDeactivatedEvent {
+	return &ApplicationDeactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationDeactivatedType,
+		),
+		AppID: appID,
+	}
+}
+
+func ApplicationDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "APPLICATION-0p9fB", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
+
+type ApplicationReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId,omitempty"`
+}
+
+func (e *ApplicationReactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewApplicationReactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *ApplicationReactivatedEvent {
+	return &ApplicationReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationReactivatedType,
+		),
+		AppID: appID,
+	}
+}
+
+func ApplicationReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "APPLICATION-1m9e3", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
+
+type ApplicationRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID     string `json:"appId,omitempty"`
+	name      string
+	projectID string
+}
+
+func (e *ApplicationRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveApplicationUniqueConstraint(e.name, e.projectID)}
+}
+
+func NewApplicationRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	name,
+	projectID string,
+) *ApplicationRemovedEvent {
+	return &ApplicationRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationRemovedType,
+		),
+		AppID:     appID,
+		name:      name,
+		projectID: projectID,
+	}
+}
+
+func ApplicationRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "APPLICATION-1m9e3", "unable to unmarshal application")
+	}
+
+	return e, nil
+}
--- a/internal/repository/project/eventstore.go
+++ b/internal/repository/project/eventstore.go
@@ -0,0 +1,43 @@
+package project
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(ProjectAddedType, ProjectAddedEventMapper).
+		RegisterFilterEventMapper(ProjectChangedType, ProjectChangeEventMapper).
+		RegisterFilterEventMapper(ProjectDeactivatedType, ProjectDeactivatedEventMapper).
+		RegisterFilterEventMapper(ProjectReactivatedType, ProjectReactivatedEventMapper).
+		RegisterFilterEventMapper(ProjectRemovedType, ProjectRemovedEventMapper).
+		RegisterFilterEventMapper(MemberAddedType, MemberAddedEventMapper).
+		RegisterFilterEventMapper(MemberChangedType, MemberChangedEventMapper).
+		RegisterFilterEventMapper(MemberRemovedType, MemberRemovedEventMapper).
+		RegisterFilterEventMapper(RoleAddedType, RoleAddedEventMapper).
+		RegisterFilterEventMapper(RoleChangedType, RoleChangedEventMapper).
+		RegisterFilterEventMapper(RoleRemovedType, RoleRemovedEventMapper).
+		RegisterFilterEventMapper(GrantAddedType, GrantAddedEventMapper).
+		RegisterFilterEventMapper(GrantChangedType, GrantChangedEventMapper).
+		RegisterFilterEventMapper(GrantCascadeChangedType, GrantCascadeChangedEventMapper).
+		RegisterFilterEventMapper(GrantDeactivatedType, GrantDeactivateEventMapper).
+		RegisterFilterEventMapper(GrantReactivatedType, GrantReactivatedEventMapper).
+		RegisterFilterEventMapper(GrantRemovedType, GrantRemovedEventMapper).
+		RegisterFilterEventMapper(GrantMemberAddedType, GrantMemberAddedEventMapper).
+		RegisterFilterEventMapper(GrantMemberChangedType, GrantMemberChangedEventMapper).
+		RegisterFilterEventMapper(GrantMemberRemovedType, GrantMemberRemovedEventMapper).
+		RegisterFilterEventMapper(ApplicationAddedType, ApplicationAddedEventMapper).
+		RegisterFilterEventMapper(ApplicationChangedType, ApplicationChangedEventMapper).
+		RegisterFilterEventMapper(ApplicationRemovedType, ApplicationRemovedEventMapper).
+		RegisterFilterEventMapper(ApplicationDeactivatedType, ApplicationDeactivatedEventMapper).
+		RegisterFilterEventMapper(ApplicationReactivatedType, ApplicationReactivatedEventMapper).
+		RegisterFilterEventMapper(OIDCConfigAddedType, OIDCConfigAddedEventMapper).
+		RegisterFilterEventMapper(OIDCConfigChangedType, OIDCConfigChangedEventMapper).
+		RegisterFilterEventMapper(OIDCConfigSecretChangedType, OIDCConfigSecretChangedEventMapper).
+		RegisterFilterEventMapper(OIDCClientSecretCheckSucceededType, OIDCConfigSecretCheckSucceededEventMapper).
+		RegisterFilterEventMapper(OIDCClientSecretCheckFailedType, OIDCConfigSecretCheckFailedEventMapper).
+		RegisterFilterEventMapper(APIConfigAddedType, APIConfigAddedEventMapper).
+		RegisterFilterEventMapper(APIConfigChangedType, APIConfigChangedEventMapper).
+		RegisterFilterEventMapper(APIConfigSecretChangedType, APIConfigSecretChangedEventMapper).
+		RegisterFilterEventMapper(ApplicationKeyAddedEventType, ApplicationKeyAddedEventMapper).
+		RegisterFilterEventMapper(ApplicationKeyRemovedEventType, ApplicationKeyRemovedEventMapper)
+}
--- a/internal/repository/project/grant.go
+++ b/internal/repository/project/grant.go
@@ -0,0 +1,308 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+var (
+	UniqueGrantType         = "project_grant"
+	grantEventTypePrefix    = projectEventTypePrefix + "grant."
+	GrantAddedType          = grantEventTypePrefix + "added"
+	GrantChangedType        = grantEventTypePrefix + "changed"
+	GrantCascadeChangedType = grantEventTypePrefix + "cascade.changed"
+	GrantDeactivatedType    = grantEventTypePrefix + "deactivated"
+	GrantReactivatedType    = grantEventTypePrefix + "reactivated"
+	GrantRemovedType        = grantEventTypePrefix + "removed"
+)
+
+func NewAddProjectGrantUniqueConstraint(grantedOrgID, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueRoleType,
+		fmt.Sprintf("%s:%s", grantedOrgID, projectID),
+		"Errors.Project.Grant.AlreadyExists")
+}
+
+func NewRemoveProjectGrantUniqueConstraint(grantedOrgID, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueRoleType,
+		fmt.Sprintf("%s:%s", grantedOrgID, projectID))
+}
+
+type GrantAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID      string   `json:"grantId,omitempty"`
+	GrantedOrgID string   `json:"grantedOrgId,omitempty"`
+	RoleKeys     []string `json:"roleKeys,omitempty"`
+	projectID    string
+}
+
+func (e *GrantAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddProjectGrantUniqueConstraint(e.GrantedOrgID, e.projectID)}
+}
+
+func NewGrantAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID,
+	grantedOrgID,
+	projectID string,
+	roleKeys []string,
+) *GrantAddedEvent {
+	return &GrantAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantAddedType,
+		),
+		GrantID:      grantID,
+		GrantedOrgID: grantedOrgID,
+		RoleKeys:     roleKeys,
+		projectID:    projectID,
+	}
+}
+
+func GrantAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-mL0vs", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID  string   `json:"grantId,omitempty"`
+	RoleKeys []string `json:"roleKeys,omitempty"`
+}
+
+func (e *GrantChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewGrantChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID string,
+	roleKeys []string,
+) *GrantChangedEvent {
+	return &GrantChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantChangedType,
+		),
+		GrantID:  grantID,
+		RoleKeys: roleKeys,
+	}
+}
+
+func GrantChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-mL0vs", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantCascadeChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID  string   `json:"grantId,omitempty"`
+	RoleKeys []string `json:"roleKeys,omitempty"`
+}
+
+func (e *GrantCascadeChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantCascadeChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewGrantCascadeChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID string,
+	roleKeys []string,
+) *GrantCascadeChangedEvent {
+	return &GrantCascadeChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantCascadeChangedType,
+		),
+		GrantID:  grantID,
+		RoleKeys: roleKeys,
+	}
+}
+
+func GrantCascadeChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantCascadeChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-9o0se", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantDeactivateEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID string `json:"grantId,omitempty"`
+}
+
+func (e *GrantDeactivateEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantDeactivateEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewGrantDeactivateEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID string,
+) *GrantDeactivateEvent {
+	return &GrantDeactivateEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantDeactivatedType,
+		),
+		GrantID: grantID,
+	}
+}
+
+func GrantDeactivateEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantDeactivateEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-9o0se", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID string `json:"grantId,omitempty"`
+}
+
+func (e *GrantReactivatedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewGrantReactivatedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID string,
+) *GrantReactivatedEvent {
+	return &GrantReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantReactivatedType,
+		),
+		GrantID: grantID,
+	}
+}
+
+func GrantReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-78f7D", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
+
+type GrantRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	GrantID      string `json:"grantId,omitempty"`
+	grantedOrgID string
+	projectID    string
+}
+
+func (e *GrantRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveProjectGrantUniqueConstraint(e.grantedOrgID, e.projectID)}
+}
+
+func NewGrantRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	grantID,
+	grantedOrgID,
+	projectID string,
+) *GrantRemovedEvent {
+	return &GrantRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantRemovedType,
+		),
+		GrantID:      grantID,
+		projectID:    projectID,
+		grantedOrgID: grantedOrgID,
+	}
+}
+
+func GrantRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-28jM8", "unable to unmarshal project grant")
+	}
+
+	return e, nil
+}
--- a/internal/repository/project/grant_member.go
+++ b/internal/repository/project/grant_member.go
@@ -0,0 +1,180 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/member"
+)
+
+var (
+	UniqueProjectGrantMemberType = "project_grant_member"
+	GrantMemberAddedType         = grantEventTypePrefix + member.AddedEventType
+	GrantMemberChangedType       = grantEventTypePrefix + member.ChangedEventType
+	GrantMemberRemovedType       = grantEventTypePrefix + member.RemovedEventType
+)
+
+func NewAddProjectGrantMemberUniqueConstraint(projectID, userID, grantID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueProjectGrantMemberType,
+		fmt.Sprintf("%s:%s:%s", projectID, userID, grantID),
+		"Errors.Project.Member.AlreadyExists")
+}
+
+func NewRemoveProjectGrantMemberUniqueConstraint(projectID, userID, grantID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueProjectGrantMemberType,
+		fmt.Sprintf("%s:%s:%s", projectID, userID, grantID),
+	)
+}
+
+type GrantMemberAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Roles     []string `json:"roles"`
+	UserID    string   `json:"userId"`
+	GrantID   string   `json:"grantId"`
+	projectID string
+}
+
+func (e *GrantMemberAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantMemberAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddProjectGrantMemberUniqueConstraint(e.projectID, e.UserID, e.GrantID)}
+}
+
+func NewProjectGrantMemberAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	projectID,
+	userID,
+	grantID string,
+	roles ...string,
+) *GrantMemberAddedEvent {
+	return &GrantMemberAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantMemberAddedType,
+		),
+		projectID: projectID,
+		UserID:    userID,
+		GrantID:   grantID,
+		Roles:     roles,
+	}
+}
+
+func GrantMemberAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantMemberAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-9f0sf", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type GrantMemberChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Roles   []string `json:"roles"`
+	GrantID string   `json:"grantId"`
+	UserID  string   `json:"userId"`
+}
+
+func (e *GrantMemberChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantMemberChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewProjectGrantMemberChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID,
+	grantID string,
+	roles ...string,
+) *GrantMemberChangedEvent {
+	return &GrantMemberChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantMemberAddedType,
+		),
+		UserID:  userID,
+		GrantID: grantID,
+		Roles:   roles,
+	}
+}
+
+func GrantMemberChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantMemberChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-39fi8", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
+
+type GrantMemberRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserID    string `json:"userId"`
+	GrantID   string `json:"grantId"`
+	projectID string
+}
+
+func (e *GrantMemberRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *GrantMemberRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveProjectGrantMemberUniqueConstraint(e.projectID, e.UserID, e.GrantID)}
+}
+
+func NewProjectGrantMemberRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	projectID,
+	userID,
+	grantID string,
+) *GrantMemberRemovedEvent {
+	return &GrantMemberRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			GrantMemberRemovedType,
+		),
+		UserID:    userID,
+		GrantID:   grantID,
+		projectID: projectID,
+	}
+}
+
+func GrantMemberRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &GrantMemberRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-173fM", "unable to unmarshal label policy")
+	}
+
+	return e, nil
+}
--- a/internal/repository/project/key.go
+++ b/internal/repository/project/key.go
@@ -0,0 +1,116 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+	"time"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	applicationKeyEventPrefix      = applicationEventTypePrefix + "oidc.key."
+	ApplicationKeyAddedEventType   = applicationKeyEventPrefix + "added"
+	ApplicationKeyRemovedEventType = applicationKeyEventPrefix + "removed"
+)
+
+type ApplicationKeyAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID          string              `json:"applicationId"`
+	ClientID       string              `json:"clientId,omitempty"`
+	KeyID          string              `json:"keyId,omitempty"`
+	KeyType        domain.AuthNKeyType `json:"type,omitempty"`
+	ExpirationDate time.Time           `json:"expirationDate,omitempty"`
+	PublicKey      []byte              `json:"publicKey,omitempty"`
+}
+
+func (e *ApplicationKeyAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationKeyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewApplicationKeyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID,
+	clientID,
+	keyID string,
+	keyType domain.AuthNKeyType,
+	expirationDate time.Time,
+	publicKey []byte,
+) *ApplicationKeyAddedEvent {
+	return &ApplicationKeyAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationKeyAddedEventType,
+		),
+		AppID:          appID,
+		ClientID:       clientID,
+		KeyID:          keyID,
+		KeyType:        keyType,
+		ExpirationDate: expirationDate,
+		PublicKey:      publicKey,
+	}
+}
+
+func ApplicationKeyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ApplicationKeyAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "API-BFd15", "unable to unmarshal api config")
+	}
+
+	return e, nil
+}
+
+type ApplicationKeyRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	KeyID string `json:"keyId,omitempty"`
+}
+
+func (e *ApplicationKeyRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ApplicationKeyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewApplicationKeyRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	keyID string,
+) *ApplicationKeyRemovedEvent {
+	return &ApplicationKeyRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ApplicationKeyRemovedEventType,
+		),
+		KeyID: keyID,
+	}
+}
+
+func ApplicationKeyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	applicationKeyRemoved := &ApplicationKeyRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, applicationKeyRemoved)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-5Gm9s", "unable to unmarshal application key removed")
+	}
+
+	return applicationKeyRemoved, nil
+}
--- a/internal/repository/project/member.go
+++ b/internal/repository/project/member.go
@@ -0,0 +1,111 @@
+package project
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"github.com/caos/zitadel/internal/repository/member"
+)
+
+var (
+	MemberAddedType   = projectEventTypePrefix + member.AddedEventType
+	MemberChangedType = projectEventTypePrefix + member.ChangedEventType
+	MemberRemovedType = projectEventTypePrefix + member.RemovedEventType
+)
+
+type MemberAddedEvent struct {
+	member.MemberAddedEvent
+}
+
+func NewProjectMemberAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+	roles ...string,
+) *MemberAddedEvent {
+	return &MemberAddedEvent{
+		MemberAddedEvent: *member.NewMemberAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberAddedType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+func MemberAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.MemberAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberAddedEvent{MemberAddedEvent: *e.(*member.MemberAddedEvent)}, nil
+}
+
+type MemberChangedEvent struct {
+	member.MemberChangedEvent
+}
+
+func NewProjectMemberChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+	roles ...string,
+) *MemberChangedEvent {
+
+	return &MemberChangedEvent{
+		MemberChangedEvent: *member.NewMemberChangedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberChangedType,
+			),
+			userID,
+			roles...,
+		),
+	}
+}
+
+func MemberChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.ChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberChangedEvent{MemberChangedEvent: *e.(*member.MemberChangedEvent)}, nil
+}
+
+type MemberRemovedEvent struct {
+	member.MemberRemovedEvent
+}
+
+func NewProjectMemberRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID string,
+) *MemberRemovedEvent {
+
+	return &MemberRemovedEvent{
+		MemberRemovedEvent: *member.NewRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				MemberRemovedType,
+			),
+			userID,
+		),
+	}
+}
+
+func MemberRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := member.RemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &MemberRemovedEvent{MemberRemovedEvent: *e.(*member.MemberRemovedEvent)}, nil
+}
--- a/internal/repository/project/oidc_config.go
+++ b/internal/repository/project/oidc_config.go
@@ -0,0 +1,381 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+	"time"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	OIDCConfigAddedType                = applicationEventTypePrefix + "config.oidc.added"
+	OIDCConfigChangedType              = applicationEventTypePrefix + "config.oidc.changed"
+	OIDCConfigSecretChangedType        = applicationEventTypePrefix + "config.oidc.secret.changed"
+	OIDCClientSecretCheckSucceededType = applicationEventTypePrefix + "oidc.secret.check.succeeded"
+	OIDCClientSecretCheckFailedType    = applicationEventTypePrefix + "oidc.secret.check.failed"
+)
+
+type OIDCConfigAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Version                  domain.OIDCVersion         `json:"oidcVersion,omitempty"`
+	AppID                    string                     `json:"appId"`
+	ClientID                 string                     `json:"clientId,omitempty"`
+	ClientSecret             *crypto.CryptoValue        `json:"clientSecret,omitempty"`
+	RedirectUris             []string                   `json:"redirectUris,omitempty"`
+	ResponseTypes            []domain.OIDCResponseType  `json:"responseTypes,omitempty"`
+	GrantTypes               []domain.OIDCGrantType     `json:"grantTypes,omitempty"`
+	ApplicationType          domain.OIDCApplicationType `json:"applicationType,omitempty"`
+	AuthMethodType           domain.OIDCAuthMethodType  `json:"authMethodType,omitempty"`
+	PostLogoutRedirectUris   []string                   `json:"postLogoutRedirectUris,omitempty"`
+	DevMode                  bool                       `json:"devMode,omitempty"`
+	AccessTokenType          domain.OIDCTokenType       `json:"accessTokenType,omitempty"`
+	AccessTokenRoleAssertion bool                       `json:"accessTokenRoleAssertion,omitempty"`
+	IDTokenRoleAssertion     bool                       `json:"idTokenRoleAssertion,omitempty"`
+	IDTokenUserinfoAssertion bool                       `json:"idTokenUserinfoAssertion,omitempty"`
+	ClockSkew                time.Duration              `json:"clockSkew,omitempty"`
+}
+
+func (e *OIDCConfigAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCConfigAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	version domain.OIDCVersion,
+	appID string,
+	clientID string,
+	clientSecret *crypto.CryptoValue,
+	redirectUris []string,
+	responseTypes []domain.OIDCResponseType,
+	grantTypes []domain.OIDCGrantType,
+	applicationType domain.OIDCApplicationType,
+	authMethodType domain.OIDCAuthMethodType,
+	postLogoutRedirectUris []string,
+	devMode bool,
+	accessTokenType domain.OIDCTokenType,
+	accessTokenRoleAssertion bool,
+	idTokenRoleAssertion bool,
+	idTokenUserinfoAssertion bool,
+	clockSkew time.Duration,
+) *OIDCConfigAddedEvent {
+	return &OIDCConfigAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCConfigAddedType,
+		),
+		Version:                  version,
+		AppID:                    appID,
+		ClientID:                 clientID,
+		ClientSecret:             clientSecret,
+		RedirectUris:             redirectUris,
+		ResponseTypes:            responseTypes,
+		GrantTypes:               grantTypes,
+		ApplicationType:          applicationType,
+		AuthMethodType:           authMethodType,
+		PostLogoutRedirectUris:   postLogoutRedirectUris,
+		DevMode:                  devMode,
+		AccessTokenType:          accessTokenType,
+		AccessTokenRoleAssertion: accessTokenRoleAssertion,
+		IDTokenRoleAssertion:     idTokenRoleAssertion,
+		IDTokenUserinfoAssertion: idTokenUserinfoAssertion,
+		ClockSkew:                clockSkew,
+	}
+}
+
+func OIDCConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-BFd15", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
+
+type OIDCConfigChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Version                  *domain.OIDCVersion         `json:"oidcVersion,omitempty"`
+	AppID                    string                      `json:"appId"`
+	RedirectUris             *[]string                   `json:"redirectUris,omitempty"`
+	ResponseTypes            *[]domain.OIDCResponseType  `json:"responseTypes,omitempty"`
+	GrantTypes               *[]domain.OIDCGrantType     `json:"grantTypes,omitempty"`
+	ApplicationType          *domain.OIDCApplicationType `json:"applicationType,omitempty"`
+	AuthMethodType           *domain.OIDCAuthMethodType  `json:"authMethodType,omitempty"`
+	PostLogoutRedirectUris   *[]string                   `json:"postLogoutRedirectUris,omitempty"`
+	DevMode                  *bool                       `json:"devMode,omitempty"`
+	AccessTokenType          *domain.OIDCTokenType       `json:"accessTokenType,omitempty"`
+	AccessTokenRoleAssertion *bool                       `json:"accessTokenRoleAssertion,omitempty"`
+	IDTokenRoleAssertion     *bool                       `json:"idTokenRoleAssertion,omitempty"`
+	IDTokenUserinfoAssertion *bool                       `json:"idTokenUserinfoAssertion,omitempty"`
+	ClockSkew                *time.Duration              `json:"clockSkew,omitempty"`
+}
+
+func (e *OIDCConfigChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCConfigChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	changes []OIDCConfigChanges,
+) (*OIDCConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-i8idç", "Errors.NoChangesFound")
+	}
+
+	changeEvent := &OIDCConfigChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCConfigChangedType,
+		),
+		AppID: appID,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type OIDCConfigChanges func(event *OIDCConfigChangedEvent)
+
+func ChangeVersion(version domain.OIDCVersion) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.Version = &version
+	}
+}
+
+func ChangeRedirectURIs(uris []string) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.RedirectUris = &uris
+	}
+}
+
+func ChangeResponseTypes(responseTypes []domain.OIDCResponseType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ResponseTypes = &responseTypes
+	}
+}
+
+func ChangeGrantTypes(grantTypes []domain.OIDCGrantType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.GrantTypes = &grantTypes
+	}
+}
+
+func ChangeApplicationType(appType domain.OIDCApplicationType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ApplicationType = &appType
+	}
+}
+
+func ChangeAuthMethodType(authMethodType domain.OIDCAuthMethodType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.AuthMethodType = &authMethodType
+	}
+}
+
+func ChangePostLogoutRedirectURIs(logoutRedirects []string) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.PostLogoutRedirectUris = &logoutRedirects
+	}
+}
+
+func ChangeDevMode(devMode bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.DevMode = &devMode
+	}
+}
+
+func ChangeAccessTokenType(accessTokenType domain.OIDCTokenType) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.AccessTokenType = &accessTokenType
+	}
+}
+
+func ChangeAccessTokenRoleAssertion(accessTokenRoleAssertion bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.AccessTokenRoleAssertion = &accessTokenRoleAssertion
+	}
+}
+
+func ChangeIDTokenRoleAssertion(idTokenRoleAssertion bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.IDTokenRoleAssertion = &idTokenRoleAssertion
+	}
+}
+
+func ChangeIDTokenUserinfoAssertion(idTokenUserinfoAssertion bool) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.IDTokenUserinfoAssertion = &idTokenUserinfoAssertion
+	}
+}
+
+func ChangeClockSkew(clockSkew time.Duration) func(event *OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ClockSkew = &clockSkew
+	}
+}
+
+func OIDCConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-BFd15", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
+
+type OIDCConfigSecretChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID        string              `json:"appId"`
+	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
+}
+
+func (e *OIDCConfigSecretChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCConfigSecretChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigSecretChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+	clientSecret *crypto.CryptoValue,
+) *OIDCConfigSecretChangedEvent {
+	return &OIDCConfigSecretChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCConfigSecretChangedType,
+		),
+		AppID:        appID,
+		ClientSecret: clientSecret,
+	}
+}
+
+func OIDCConfigSecretChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigSecretChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-M893d", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
+
+type OIDCConfigSecretCheckSucceededEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId"`
+}
+
+func (e *OIDCConfigSecretCheckSucceededEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCConfigSecretCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigSecretCheckSucceededEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *OIDCConfigSecretCheckSucceededEvent {
+	return &OIDCConfigSecretCheckSucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCClientSecretCheckSucceededType,
+		),
+		AppID: appID,
+	}
+}
+
+func OIDCConfigSecretCheckSucceededEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigSecretCheckSucceededEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-837gV", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
+
+type OIDCConfigSecretCheckFailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	AppID string `json:"appId"`
+}
+
+func (e *OIDCConfigSecretCheckFailedEvent) Data() interface{} {
+	return e
+}
+
+func (e *OIDCConfigSecretCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewOIDCConfigSecretCheckFailedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	appID string,
+) *OIDCConfigSecretCheckFailedEvent {
+	return &OIDCConfigSecretCheckFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			OIDCClientSecretCheckFailedType,
+		),
+		AppID: appID,
+	}
+}
+
+func OIDCConfigSecretCheckFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &OIDCConfigSecretCheckFailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "OIDC-987g%", "unable to unmarshal oidc config")
+	}
+
+	return e, nil
+}
--- a/internal/repository/project/project.go
+++ b/internal/repository/project/project.go
@@ -0,0 +1,247 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueProjectnameType  = "project_names"
+	projectEventTypePrefix = eventstore.EventType("project.")
+	ProjectAddedType       = projectEventTypePrefix + "added"
+	ProjectChangedType     = projectEventTypePrefix + "changed"
+	ProjectDeactivatedType = projectEventTypePrefix + "deactivated"
+	ProjectReactivatedType = projectEventTypePrefix + "reactivated"
+	ProjectRemovedType     = projectEventTypePrefix + "removed"
+)
+
+func NewAddProjectNameUniqueConstraint(projectName, resourceOwner string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueProjectnameType,
+		projectName+resourceOwner,
+		"Errors.Project.AlreadyExists")
+}
+
+func NewRemoveProjectNameUniqueConstraint(projectName, resourceOwner string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueProjectnameType,
+		projectName+resourceOwner)
+}
+
+type ProjectAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Name                 string `json:"name,omitempty"`
+	ProjectRoleAssertion bool   `json:"projectRoleAssertion,omitempty"`
+	ProjectRoleCheck     bool   `json:"projectRoleCheck,omitempty"`
+}
+
+func (e *ProjectAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *ProjectAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddProjectNameUniqueConstraint(e.Name, e.Aggregate().ResourceOwner)}
+}
+
+func NewProjectAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	name string,
+) *ProjectAddedEvent {
+	return &ProjectAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectAddedType,
+		),
+		Name: name,
+	}
+}
+
+func ProjectAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ProjectAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-Bfg2f", "unable to unmarshal project")
+	}
+
+	return e, nil
+}
+
+type ProjectChangeEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Name                 *string `json:"name,omitempty"`
+	ProjectRoleAssertion *bool   `json:"projectRoleAssertion,omitempty"`
+	ProjectRoleCheck     *bool   `json:"projectRoleCheck,omitempty"`
+	oldName              string
+}
+
+func (e *ProjectChangeEvent) Data() interface{} {
+	return e
+}
+
+func (e *ProjectChangeEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	if e.oldName != "" {
+		return []*eventstore.EventUniqueConstraint{
+			NewRemoveProjectNameUniqueConstraint(e.oldName, e.Aggregate().ResourceOwner),
+			NewAddProjectNameUniqueConstraint(*e.Name, e.Aggregate().ResourceOwner),
+		}
+	}
+	return nil
+}
+
+func NewProjectChangeEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	oldName string,
+	changes []ProjectChanges,
+) (*ProjectChangeEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "PROJECT-mV9xc", "Errors.NoChangesFound")
+	}
+	changeEvent := &ProjectChangeEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectChangedType,
+		),
+		oldName: oldName,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type ProjectChanges func(event *ProjectChangeEvent)
+
+func ChangeName(name string) func(event *ProjectChangeEvent) {
+	return func(e *ProjectChangeEvent) {
+		e.Name = &name
+	}
+}
+
+func ChangeProjectRoleAssertion(projectRoleAssertion bool) func(event *ProjectChangeEvent) {
+	return func(e *ProjectChangeEvent) {
+		e.ProjectRoleAssertion = &projectRoleAssertion
+	}
+}
+
+func ChangeProjectRoleCheck(projectRoleCheck bool) func(event *ProjectChangeEvent) {
+	return func(e *ProjectChangeEvent) {
+		e.ProjectRoleCheck = &projectRoleCheck
+	}
+}
+
+func ProjectChangeEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &ProjectChangeEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-M9osd", "unable to unmarshal project")
+	}
+
+	return e, nil
+}
+
+type ProjectDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *ProjectDeactivatedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *ProjectDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewProjectDeactivatedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *ProjectDeactivatedEvent {
+	return &ProjectDeactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectDeactivatedType,
+		),
+	}
+}
+
+func ProjectDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &ProjectDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type ProjectReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *ProjectReactivatedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *ProjectReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewProjectReactivatedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *ProjectReactivatedEvent {
+	return &ProjectReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectReactivatedType,
+		),
+	}
+}
+
+func ProjectReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &ProjectReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type ProjectRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Name string
+}
+
+func (e *ProjectRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *ProjectRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveProjectNameUniqueConstraint(e.Name, e.Aggregate().ResourceOwner)}
+}
+
+func NewProjectRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	name string,
+) *ProjectRemovedEvent {
+	return &ProjectRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			ProjectRemovedType,
+		),
+		Name: name,
+	}
+}
+
+func ProjectRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &ProjectRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/project/role.go
+++ b/internal/repository/project/role.go
@@ -0,0 +1,196 @@
+package project
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+var (
+	UniqueRoleType      = "project_role"
+	roleEventTypePrefix = projectEventTypePrefix + "role."
+	RoleAddedType       = roleEventTypePrefix + "added"
+	RoleChangedType     = roleEventTypePrefix + "changed"
+	RoleRemovedType     = roleEventTypePrefix + "removed"
+)
+
+func NewAddProjectRoleUniqueConstraint(roleKey, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueRoleType,
+		fmt.Sprintf("%s:%s", roleKey, projectID),
+		"Errors.Project.Role.AlreadyExists")
+}
+
+func NewRemoveProjectRoleUniqueConstraint(roleKey, projectID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueRoleType,
+		fmt.Sprintf("%s:%s", roleKey, projectID))
+}
+
+type RoleAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Key         string `json:"key,omitempty"`
+	DisplayName string `json:"displayName,omitempty"`
+	Group       string `json:"group,omitempty"`
+	projectID   string
+}
+
+func (e *RoleAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *RoleAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddProjectRoleUniqueConstraint(e.Key, e.projectID)}
+}
+
+func NewRoleAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	key,
+	displayName,
+	group,
+	projectID string,
+) *RoleAddedEvent {
+	return &RoleAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RoleAddedType,
+		),
+		Key:         key,
+		DisplayName: displayName,
+		Group:       group,
+		projectID:   projectID,
+	}
+}
+
+func RoleAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &RoleAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-2M0xy", "unable to unmarshal project role")
+	}
+
+	return e, nil
+}
+
+type RoleChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Key         string  `json:"key,omitempty"`
+	DisplayName *string `json:"displayName,omitempty"`
+	Group       *string `json:"group,omitempty"`
+}
+
+func (e *RoleChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *RoleChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewRoleChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	changes []RoleChanges,
+) (*RoleChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "PROJECT-eR9vx", "Errors.NoChangesFound")
+	}
+	changeEvent := &RoleChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RoleChangedType,
+		),
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type RoleChanges func(event *RoleChangedEvent)
+
+func ChangeKey(key string) func(event *RoleChangedEvent) {
+	return func(e *RoleChangedEvent) {
+		e.Key = key
+	}
+}
+
+func ChangeDisplayName(displayName string) func(event *RoleChangedEvent) {
+	return func(e *RoleChangedEvent) {
+		e.DisplayName = &displayName
+	}
+}
+
+func ChangeGroup(group string) func(event *RoleChangedEvent) {
+	return func(e *RoleChangedEvent) {
+		e.Group = &group
+	}
+}
+func RoleChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &RoleChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-3M0vx", "unable to unmarshal project role")
+	}
+
+	return e, nil
+}
+
+type RoleRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Key       string `json:"key,omitempty"`
+	projectID string `json:"-"`
+}
+
+func (e *RoleRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *RoleRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveProjectRoleUniqueConstraint(e.Key, e.projectID)}
+}
+
+func NewRoleRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	key,
+	projectID string) *RoleRemovedEvent {
+	return &RoleRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			RoleRemovedType,
+		),
+		Key:       key,
+		projectID: projectID,
+	}
+}
+
+func RoleRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &RoleRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "PROJECT-1M0xs", "unable to unmarshal project role")
+	}
+
+	return e, nil
+}
--- a/internal/repository/user/aggregate.go
+++ b/internal/repository/user/aggregate.go
@@ -0,0 +1,14 @@
+package user
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+const (
+	AggregateType    = "user"
+	AggregateVersion = "v2"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
--- a/internal/repository/user/auth_request_info.go
+++ b/internal/repository/user/auth_request_info.go
@@ -0,0 +1,16 @@
+package user
+
+import "net"
+
+type AuthRequestInfo struct {
+	ID                  string `json:"id,omitempty"`
+	UserAgentID         string `json:"userAgentID,omitempty"`
+	SelectedIDPConfigID string `json:"selectedIDPConfigID,omitempty"`
+	*BrowserInfo
+}
+
+type BrowserInfo struct {
+	UserAgent      string `json:"userAgent,omitempty"`
+	AcceptLanguage string `json:"acceptLanguage,omitempty"`
+	RemoteIP       net.IP `json:"remoteIP,omitempty"`
+}
--- a/internal/repository/user/eventstore.go
+++ b/internal/repository/user/eventstore.go
@@ -0,0 +1,101 @@
+package user
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(UserV1AddedType, HumanAddedEventMapper).
+		RegisterFilterEventMapper(UserV1RegisteredType, HumanRegisteredEventMapper).
+		RegisterFilterEventMapper(UserV1InitialCodeAddedType, HumanInitialCodeAddedEventMapper).
+		RegisterFilterEventMapper(UserV1InitialCodeSentType, HumanInitialCodeSentEventMapper).
+		RegisterFilterEventMapper(UserV1InitializedCheckSucceededType, HumanInitializedCheckSucceededEventMapper).
+		RegisterFilterEventMapper(UserV1InitializedCheckFailedType, HumanInitializedCheckFailedEventMapper).
+		RegisterFilterEventMapper(UserV1SignedOutType, HumanSignedOutEventMapper).
+		RegisterFilterEventMapper(UserV1PasswordChangedType, HumanPasswordChangedEventMapper).
+		RegisterFilterEventMapper(UserV1PasswordCodeAddedType, HumanPasswordCodeAddedEventMapper).
+		RegisterFilterEventMapper(UserV1PasswordCodeSentType, HumanPasswordCodeSentEventMapper).
+		RegisterFilterEventMapper(UserV1PasswordCheckSucceededType, HumanPasswordCheckSucceededEventMapper).
+		RegisterFilterEventMapper(UserV1PasswordCheckFailedType, HumanPasswordCheckFailedEventMapper).
+		RegisterFilterEventMapper(UserV1EmailChangedType, HumanEmailChangedEventMapper).
+		RegisterFilterEventMapper(UserV1EmailVerifiedType, HumanEmailVerifiedEventMapper).
+		RegisterFilterEventMapper(UserV1EmailVerificationFailedType, HumanEmailVerificationFailedEventMapper).
+		RegisterFilterEventMapper(UserV1EmailCodeAddedType, HumanEmailCodeAddedEventMapper).
+		RegisterFilterEventMapper(UserV1EmailCodeSentType, HumanEmailCodeSentEventMapper).
+		RegisterFilterEventMapper(UserV1PhoneChangedType, HumanPhoneChangedEventMapper).
+		RegisterFilterEventMapper(UserV1PhoneRemovedType, HumanPhoneRemovedEventMapper).
+		RegisterFilterEventMapper(UserV1PhoneVerifiedType, HumanPhoneVerifiedEventMapper).
+		RegisterFilterEventMapper(UserV1PhoneVerificationFailedType, HumanPhoneVerificationFailedEventMapper).
+		RegisterFilterEventMapper(UserV1PhoneCodeAddedType, HumanPhoneCodeAddedEventMapper).
+		RegisterFilterEventMapper(UserV1PhoneCodeSentType, HumanPhoneCodeSentEventMapper).
+		RegisterFilterEventMapper(UserV1ProfileChangedType, HumanProfileChangedEventMapper).
+		RegisterFilterEventMapper(UserV1AddressChangedType, HumanAddressChangedEventMapper).
+		RegisterFilterEventMapper(UserV1MFAInitSkippedType, HumanMFAInitSkippedEventMapper).
+		RegisterFilterEventMapper(UserV1MFAOTPAddedType, HumanOTPAddedEventMapper).
+		RegisterFilterEventMapper(UserV1MFAOTPVerifiedType, HumanOTPVerifiedEventMapper).
+		RegisterFilterEventMapper(UserV1MFAOTPRemovedType, HumanOTPRemovedEventMapper).
+		RegisterFilterEventMapper(UserV1MFAOTPCheckSucceededType, HumanOTPCheckSucceededEventMapper).
+		RegisterFilterEventMapper(UserV1MFAOTPCheckFailedType, HumanOTPCheckFailedEventMapper).
+		RegisterFilterEventMapper(UserLockedType, UserLockedEventMapper).
+		RegisterFilterEventMapper(UserUnlockedType, UserUnlockedEventMapper).
+		RegisterFilterEventMapper(UserDeactivatedType, UserDeactivatedEventMapper).
+		RegisterFilterEventMapper(UserReactivatedType, UserReactivatedEventMapper).
+		RegisterFilterEventMapper(UserRemovedType, UserRemovedEventMapper).
+		RegisterFilterEventMapper(UserTokenAddedType, UserTokenAddedEventMapper).
+		RegisterFilterEventMapper(UserDomainClaimedType, DomainClaimedEventMapper).
+		RegisterFilterEventMapper(UserDomainClaimedSentType, DomainClaimedSentEventMapper).
+		RegisterFilterEventMapper(UserUserNameChangedType, UsernameChangedEventMapper).
+		RegisterFilterEventMapper(HumanAddedType, HumanAddedEventMapper).
+		RegisterFilterEventMapper(HumanRegisteredType, HumanRegisteredEventMapper).
+		RegisterFilterEventMapper(HumanInitialCodeAddedType, HumanInitialCodeAddedEventMapper).
+		RegisterFilterEventMapper(HumanInitialCodeSentType, HumanInitialCodeSentEventMapper).
+		RegisterFilterEventMapper(HumanInitializedCheckSucceededType, HumanInitializedCheckSucceededEventMapper).
+		RegisterFilterEventMapper(HumanInitializedCheckFailedType, HumanInitializedCheckFailedEventMapper).
+		RegisterFilterEventMapper(HumanSignedOutType, HumanSignedOutEventMapper).
+		RegisterFilterEventMapper(HumanPasswordChangedType, HumanPasswordChangedEventMapper).
+		RegisterFilterEventMapper(HumanPasswordCodeAddedType, HumanPasswordCodeAddedEventMapper).
+		RegisterFilterEventMapper(HumanPasswordCodeSentType, HumanPasswordCodeSentEventMapper).
+		RegisterFilterEventMapper(HumanPasswordCheckSucceededType, HumanPasswordCheckSucceededEventMapper).
+		RegisterFilterEventMapper(HumanPasswordCheckFailedType, HumanPasswordCheckFailedEventMapper).
+		RegisterFilterEventMapper(HumanExternalIDPAddedType, HumanExternalIDPAddedEventMapper).
+		RegisterFilterEventMapper(HumanExternalIDPRemovedType, HumanExternalIDPRemovedEventMapper).
+		RegisterFilterEventMapper(HumanExternalIDPCascadeRemovedType, HumanExternalIDPCascadeRemovedEventMapper).
+		RegisterFilterEventMapper(HumanExternalLoginCheckSucceededType, HumanExternalIDPCheckSucceededEventMapper).
+		RegisterFilterEventMapper(HumanEmailChangedType, HumanEmailChangedEventMapper).
+		RegisterFilterEventMapper(HumanEmailVerifiedType, HumanEmailVerifiedEventMapper).
+		RegisterFilterEventMapper(HumanEmailVerificationFailedType, HumanEmailVerificationFailedEventMapper).
+		RegisterFilterEventMapper(HumanEmailCodeAddedType, HumanEmailCodeAddedEventMapper).
+		RegisterFilterEventMapper(HumanEmailCodeSentType, HumanEmailCodeSentEventMapper).
+		RegisterFilterEventMapper(HumanPhoneChangedType, HumanPhoneChangedEventMapper).
+		RegisterFilterEventMapper(HumanPhoneRemovedType, HumanPhoneRemovedEventMapper).
+		RegisterFilterEventMapper(HumanPhoneVerifiedType, HumanPhoneVerifiedEventMapper).
+		RegisterFilterEventMapper(HumanPhoneVerificationFailedType, HumanPhoneVerificationFailedEventMapper).
+		RegisterFilterEventMapper(HumanPhoneCodeAddedType, HumanPhoneCodeAddedEventMapper).
+		RegisterFilterEventMapper(HumanPhoneCodeSentType, HumanPhoneCodeSentEventMapper).
+		RegisterFilterEventMapper(HumanProfileChangedType, HumanProfileChangedEventMapper).
+		RegisterFilterEventMapper(HumanAddressChangedType, HumanAddressChangedEventMapper).
+		RegisterFilterEventMapper(HumanMFAInitSkippedType, HumanMFAInitSkippedEventMapper).
+		RegisterFilterEventMapper(HumanMFAOTPAddedType, HumanOTPAddedEventMapper).
+		RegisterFilterEventMapper(HumanMFAOTPVerifiedType, HumanOTPVerifiedEventMapper).
+		RegisterFilterEventMapper(HumanMFAOTPRemovedType, HumanOTPRemovedEventMapper).
+		RegisterFilterEventMapper(HumanMFAOTPCheckSucceededType, HumanOTPCheckSucceededEventMapper).
+		RegisterFilterEventMapper(HumanMFAOTPCheckFailedType, HumanOTPCheckFailedEventMapper).
+		RegisterFilterEventMapper(HumanU2FTokenAddedType, HumanU2FAddedEventMapper).
+		RegisterFilterEventMapper(HumanU2FTokenVerifiedType, HumanU2FVerifiedEventMapper).
+		RegisterFilterEventMapper(HumanU2FTokenSignCountChangedType, HumanU2FSignCountChangedEventMapper).
+		RegisterFilterEventMapper(HumanU2FTokenRemovedType, HumanU2FRemovedEventMapper).
+		RegisterFilterEventMapper(HumanU2FTokenBeginLoginType, HumanU2FBeginLoginEventMapper).
+		RegisterFilterEventMapper(HumanU2FTokenCheckSucceededType, HumanU2FCheckSucceededEventMapper).
+		RegisterFilterEventMapper(HumanU2FTokenCheckFailedType, HumanU2FCheckFailedEventMapper).
+		RegisterFilterEventMapper(HumanPasswordlessTokenAddedType, HumanPasswordlessAddedEventMapper).
+		RegisterFilterEventMapper(HumanPasswordlessTokenVerifiedType, HumanPasswordlessVerifiedEventMapper).
+		RegisterFilterEventMapper(HumanPasswordlessTokenSignCountChangedType, HumanPasswordlessSignCountChangedEventMapper).
+		RegisterFilterEventMapper(HumanPasswordlessTokenRemovedType, HumanPasswordlessRemovedEventMapper).
+		RegisterFilterEventMapper(HumanPasswordlessTokenBeginLoginType, HumanPasswordlessBeginLoginEventMapper).
+		RegisterFilterEventMapper(HumanPasswordlessTokenCheckSucceededType, HumanPasswordlessCheckSucceededEventMapper).
+		RegisterFilterEventMapper(HumanPasswordlessTokenCheckFailedType, HumanPasswordlessCheckFailedEventMapper).
+		RegisterFilterEventMapper(MachineAddedEventType, MachineAddedEventMapper).
+		RegisterFilterEventMapper(MachineChangedEventType, MachineChangedEventMapper).
+		RegisterFilterEventMapper(MachineKeyAddedEventType, MachineKeyAddedEventMapper).
+		RegisterFilterEventMapper(MachineKeyRemovedEventType, MachineKeyRemovedEventMapper)
+}
--- a/internal/repository/user/human.go
+++ b/internal/repository/user/human.go
@@ -0,0 +1,401 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+	"time"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"golang.org/x/text/language"
+)
+
+const (
+	humanEventPrefix                   = userEventTypePrefix + "human."
+	HumanAddedType                     = humanEventPrefix + "added"
+	HumanRegisteredType                = humanEventPrefix + "selfregistered"
+	HumanInitialCodeAddedType          = humanEventPrefix + "initialization.code.added"
+	HumanInitialCodeSentType           = humanEventPrefix + "initialization.code.sent"
+	HumanInitializedCheckSucceededType = humanEventPrefix + "initialization.check.succeeded"
+	HumanInitializedCheckFailedType    = humanEventPrefix + "initialization.check.failed"
+	HumanSignedOutType                 = humanEventPrefix + "signed.out"
+)
+
+type HumanAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserName              string `json:"userName"`
+	userLoginMustBeDomain bool
+
+	FirstName         string        `json:"firstName,omitempty"`
+	LastName          string        `json:"lastName,omitempty"`
+	NickName          string        `json:"nickName,omitempty"`
+	DisplayName       string        `json:"displayName,omitempty"`
+	PreferredLanguage language.Tag  `json:"preferredLanguage,omitempty"`
+	Gender            domain.Gender `json:"gender,omitempty"`
+
+	EmailAddress string `json:"email,omitempty"`
+
+	PhoneNumber string `json:"phone,omitempty"`
+
+	Country       string `json:"country,omitempty"`
+	Locality      string `json:"locality,omitempty"`
+	PostalCode    string `json:"postalCode,omitempty"`
+	Region        string `json:"region,omitempty"`
+	StreetAddress string `json:"streetAddress,omitempty"`
+
+	Secret         *crypto.CryptoValue `json:"secret,omitempty"`
+	ChangeRequired bool                `json:"changeRequired,omitempty"`
+}
+
+func (e *HumanAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddUsernameUniqueConstraint(e.UserName, e.Aggregate().ResourceOwner, e.userLoginMustBeDomain)}
+}
+
+func (e *HumanAddedEvent) AddAddressData(
+	country,
+	locality,
+	postalCode,
+	region,
+	streetAddress string,
+) {
+	e.Country = country
+	e.Locality = locality
+	e.PostalCode = postalCode
+	e.Region = region
+	e.StreetAddress = streetAddress
+}
+
+func (e *HumanAddedEvent) AddPhoneData(
+	phoneNumber string,
+) {
+	e.PhoneNumber = phoneNumber
+}
+
+func (e *HumanAddedEvent) AddPasswordData(
+	secret *crypto.CryptoValue,
+	changeRequired bool,
+) {
+	e.Secret = secret
+	e.ChangeRequired = changeRequired
+}
+
+func NewHumanAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+
+	userName,
+	firstName,
+	lastName,
+	nickName,
+	displayName string,
+	preferredLanguage language.Tag,
+	gender domain.Gender,
+	emailAddress string,
+	userLoginMustBeDomain bool,
+) *HumanAddedEvent {
+	return &HumanAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanAddedType,
+		),
+		UserName:              userName,
+		FirstName:             firstName,
+		LastName:              lastName,
+		NickName:              nickName,
+		DisplayName:           displayName,
+		PreferredLanguage:     preferredLanguage,
+		Gender:                gender,
+		EmailAddress:          emailAddress,
+		userLoginMustBeDomain: userLoginMustBeDomain,
+	}
+}
+
+func HumanAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	humanAdded := &HumanAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, humanAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-5Gm9s", "unable to unmarshal human added")
+	}
+
+	return humanAdded, nil
+}
+
+type HumanRegisteredEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserName              string `json:"userName"`
+	userLoginMustBeDomain bool
+
+	FirstName         string        `json:"firstName,omitempty"`
+	LastName          string        `json:"lastName,omitempty"`
+	NickName          string        `json:"nickName,omitempty"`
+	DisplayName       string        `json:"displayName,omitempty"`
+	PreferredLanguage language.Tag  `json:"preferredLanguage,omitempty"`
+	Gender            domain.Gender `json:"gender,omitempty"`
+
+	EmailAddress string `json:"email,omitempty"`
+
+	PhoneNumber string `json:"phone,omitempty"`
+
+	Country       string `json:"country,omitempty"`
+	Locality      string `json:"locality,omitempty"`
+	PostalCode    string `json:"postalCode,omitempty"`
+	Region        string `json:"region,omitempty"`
+	StreetAddress string `json:"streetAddress,omitempty"`
+
+	Secret         *crypto.CryptoValue `json:"secret,omitempty"`
+	ChangeRequired bool                `json:"changeRequired,omitempty"`
+}
+
+func (e *HumanRegisteredEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanRegisteredEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddUsernameUniqueConstraint(e.UserName, e.Aggregate().ResourceOwner, e.userLoginMustBeDomain)}
+}
+
+func (e *HumanRegisteredEvent) AddAddressData(
+	country,
+	locality,
+	postalCode,
+	region,
+	streetAddress string,
+) {
+	e.Country = country
+	e.Locality = locality
+	e.PostalCode = postalCode
+	e.Region = region
+	e.StreetAddress = streetAddress
+}
+
+func (e *HumanRegisteredEvent) AddPhoneData(
+	phoneNumber string,
+) {
+	e.PhoneNumber = phoneNumber
+}
+
+func (e *HumanRegisteredEvent) AddPasswordData(
+	secret *crypto.CryptoValue,
+	changeRequired bool,
+) {
+	e.Secret = secret
+	e.ChangeRequired = changeRequired
+}
+
+func NewHumanRegisteredEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+
+	userName,
+	firstName,
+	lastName,
+	nickName,
+	displayName string,
+	preferredLanguage language.Tag,
+	gender domain.Gender,
+	emailAddress string,
+	userLoginMustBeDomain bool,
+) *HumanRegisteredEvent {
+	return &HumanRegisteredEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanRegisteredType,
+		),
+		UserName:              userName,
+		FirstName:             firstName,
+		LastName:              lastName,
+		NickName:              nickName,
+		DisplayName:           displayName,
+		PreferredLanguage:     preferredLanguage,
+		Gender:                gender,
+		EmailAddress:          emailAddress,
+		userLoginMustBeDomain: userLoginMustBeDomain,
+	}
+}
+
+func HumanRegisteredEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	humanRegistered := &HumanRegisteredEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, humanRegistered)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-3Vm9s", "unable to unmarshal human registered")
+	}
+
+	return humanRegistered, nil
+}
+
+type HumanInitialCodeAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	Code                 *crypto.CryptoValue `json:"code,omitempty"`
+	Expiry               time.Duration       `json:"expiry,omitempty"`
+}
+
+func (e *HumanInitialCodeAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanInitialCodeAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanInitialCodeAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	code *crypto.CryptoValue,
+	expiry time.Duration,
+) *HumanInitialCodeAddedEvent {
+	return &HumanInitialCodeAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanInitialCodeAddedType,
+		),
+		Code:   code,
+		Expiry: expiry,
+	}
+}
+
+func HumanInitialCodeAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	humanRegistered := &HumanInitialCodeAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, humanRegistered)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-bM9se", "unable to unmarshal human initial code added")
+	}
+
+	return humanRegistered, nil
+}
+
+type HumanInitialCodeSentEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *HumanInitialCodeSentEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanInitialCodeSentEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanInitialCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanInitialCodeSentEvent {
+	return &HumanInitialCodeSentEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanInitialCodeSentType,
+		),
+	}
+}
+
+func HumanInitialCodeSentEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanInitialCodeSentEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type HumanInitializedCheckSucceededEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *HumanInitializedCheckSucceededEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanInitializedCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanInitializedCheckSucceededEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanInitializedCheckSucceededEvent {
+	return &HumanInitializedCheckSucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanInitializedCheckSucceededType,
+		),
+	}
+}
+
+func HumanInitializedCheckSucceededEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanInitializedCheckSucceededEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type HumanInitializedCheckFailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *HumanInitializedCheckFailedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanInitializedCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanInitializedCheckFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanInitializedCheckFailedEvent {
+	return &HumanInitializedCheckFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanInitializedCheckFailedType,
+		),
+	}
+}
+
+func HumanInitializedCheckFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanInitializedCheckFailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type HumanSignedOutEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserAgentID string `json:"userAgentID"`
+}
+
+func (e *HumanSignedOutEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanSignedOutEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanSignedOutEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userAgentID string,
+) *HumanSignedOutEvent {
+	return &HumanSignedOutEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanSignedOutType,
+		),
+		UserAgentID: userAgentID,
+	}
+}
+
+func HumanSignedOutEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanSignedOutEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/user/human_address.go
+++ b/internal/repository/user/human_address.go
@@ -0,0 +1,55 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	addressEventPrefix      = humanEventPrefix + "address."
+	HumanAddressChangedType = addressEventPrefix + "changed"
+)
+
+type HumanAddressChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Country       *string `json:"country,omitempty"`
+	Locality      *string `json:"locality,omitempty"`
+	PostalCode    *string `json:"postalCode,omitempty"`
+	Region        *string `json:"region,omitempty"`
+	StreetAddress *string `json:"streetAddress,omitempty"`
+}
+
+func (e *HumanAddressChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanAddressChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanAddressChangedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanAddressChangedEvent {
+	return &HumanAddressChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanAddressChangedType,
+		),
+	}
+}
+
+func HumanAddressChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	addressChanged := &HumanAddressChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, addressChanged)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-5M0pd", "unable to unmarshal human address changed")
+	}
+
+	return addressChanged, nil
+}
--- a/internal/repository/user/human_email.go
+++ b/internal/repository/user/human_email.go
@@ -0,0 +1,188 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+	"time"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	emailEventPrefix                 = humanEventPrefix + "email."
+	HumanEmailChangedType            = emailEventPrefix + "changed"
+	HumanEmailVerifiedType           = emailEventPrefix + "verified"
+	HumanEmailVerificationFailedType = emailEventPrefix + "verification.failed"
+	HumanEmailCodeAddedType          = emailEventPrefix + "code.added"
+	HumanEmailCodeSentType           = emailEventPrefix + "code.sent"
+)
+
+type HumanEmailChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	EmailAddress string `json:"email,omitempty"`
+}
+
+func (e *HumanEmailChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanEmailChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanEmailChangedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanEmailChangedEvent {
+	return &HumanEmailChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanEmailChangedType,
+		),
+	}
+}
+
+func HumanEmailChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	emailChangedEvent := &HumanEmailChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, emailChangedEvent)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-4M0sd", "unable to unmarshal human password changed")
+	}
+
+	return emailChangedEvent, nil
+}
+
+type HumanEmailVerifiedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	IsEmailVerified bool `json:"-"`
+}
+
+func (e *HumanEmailVerifiedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanEmailVerifiedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanEmailVerifiedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanEmailVerifiedEvent {
+	return &HumanEmailVerifiedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanEmailVerifiedType,
+		),
+	}
+}
+
+func HumanEmailVerifiedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	emailVerified := &HumanEmailVerifiedEvent{
+		BaseEvent:       *eventstore.BaseEventFromRepo(event),
+		IsEmailVerified: true,
+	}
+	return emailVerified, nil
+}
+
+type HumanEmailVerificationFailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *HumanEmailVerificationFailedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanEmailVerificationFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanEmailVerificationFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanEmailVerificationFailedEvent {
+	return &HumanEmailVerificationFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanEmailVerificationFailedType,
+		),
+	}
+}
+
+func HumanEmailVerificationFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanEmailVerificationFailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type HumanEmailCodeAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Code   *crypto.CryptoValue `json:"code,omitempty"`
+	Expiry time.Duration       `json:"expiry,omitempty"`
+}
+
+func (e *HumanEmailCodeAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanEmailCodeAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanEmailCodeAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	code *crypto.CryptoValue,
+	expiry time.Duration) *HumanEmailCodeAddedEvent {
+	return &HumanEmailCodeAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanEmailCodeAddedType,
+		),
+		Code:   code,
+		Expiry: expiry,
+	}
+}
+
+func HumanEmailCodeAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	codeAdded := &HumanEmailCodeAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, codeAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-3M0sd", "unable to unmarshal human email code added")
+	}
+
+	return codeAdded, nil
+}
+
+type HumanEmailCodeSentEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *HumanEmailCodeSentEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanEmailCodeSentEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanEmailCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanEmailCodeSentEvent {
+	return &HumanEmailCodeSentEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanEmailCodeSentType,
+		),
+	}
+}
+
+func HumanEmailCodeSentEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanEmailCodeSentEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/user/human_external_idp.go
+++ b/internal/repository/user/human_external_idp.go
@@ -0,0 +1,213 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueExternalIDPType    = "external_idps"
+	externalIDPEventPrefix   = humanEventPrefix + "externalidp."
+	externalLoginEventPrefix = humanEventPrefix + "externallogin."
+
+	HumanExternalIDPAddedType          = externalIDPEventPrefix + "added"
+	HumanExternalIDPRemovedType        = externalIDPEventPrefix + "removed"
+	HumanExternalIDPCascadeRemovedType = externalIDPEventPrefix + "cascade.removed"
+
+	HumanExternalLoginCheckSucceededType = externalLoginEventPrefix + "check.succeeded"
+)
+
+func NewAddExternalIDPUniqueConstraint(idpConfigID, externalUserID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueExternalIDPType,
+		idpConfigID+externalUserID,
+		"Errors.User.ExternalIDP.AlreadyExists")
+}
+
+func NewRemoveExternalIDPUniqueConstraint(idpConfigID, externalUserID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueExternalIDPType,
+		idpConfigID+externalUserID)
+}
+
+type HumanExternalIDPAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	IDPConfigID    string `json:"idpConfigId,omitempty"`
+	ExternalUserID string `json:"userId,omitempty"`
+	DisplayName    string `json:"displayName,omitempty"`
+}
+
+func (e *HumanExternalIDPAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanExternalIDPAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddExternalIDPUniqueConstraint(e.IDPConfigID, e.ExternalUserID)}
+}
+
+func NewHumanExternalIDPAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID,
+	displayName,
+	externalUserID string,
+) *HumanExternalIDPAddedEvent {
+	return &HumanExternalIDPAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanExternalIDPAddedType,
+		),
+		IDPConfigID:    idpConfigID,
+		DisplayName:    displayName,
+		ExternalUserID: externalUserID,
+	}
+}
+
+func HumanExternalIDPAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &HumanExternalIDPAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-6M9sd", "unable to unmarshal user external idp added")
+	}
+
+	return e, nil
+}
+
+type HumanExternalIDPRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	IDPConfigID    string `json:"idpConfigId"`
+	ExternalUserID string `json:"userId,omitempty"`
+}
+
+func (e *HumanExternalIDPRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanExternalIDPRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveExternalIDPUniqueConstraint(e.IDPConfigID, e.ExternalUserID)}
+}
+
+func NewHumanExternalIDPRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID,
+	externalUserID string,
+) *HumanExternalIDPRemovedEvent {
+	return &HumanExternalIDPRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanExternalIDPRemovedType,
+		),
+		IDPConfigID:    idpConfigID,
+		ExternalUserID: externalUserID,
+	}
+}
+
+func HumanExternalIDPRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &HumanExternalIDPRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-5Gm9s", "unable to unmarshal user external idp removed")
+	}
+
+	return e, nil
+}
+
+type HumanExternalIDPCascadeRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	IDPConfigID    string `json:"idpConfigId"`
+	ExternalUserID string `json:"userId,omitempty"`
+}
+
+func (e *HumanExternalIDPCascadeRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanExternalIDPCascadeRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveExternalIDPUniqueConstraint(e.IDPConfigID, e.ExternalUserID)}
+}
+
+func NewHumanExternalIDPCascadeRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	idpConfigID,
+	externalUserID string,
+) *HumanExternalIDPCascadeRemovedEvent {
+	return &HumanExternalIDPCascadeRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanExternalIDPCascadeRemovedType,
+		),
+		IDPConfigID:    idpConfigID,
+		ExternalUserID: externalUserID,
+	}
+}
+
+func HumanExternalIDPCascadeRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &HumanExternalIDPCascadeRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-2M0sd", "unable to unmarshal user external idp cascade removed")
+	}
+
+	return e, nil
+}
+
+type HumanExternalIDPCheckSucceededEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	*AuthRequestInfo
+}
+
+func (e *HumanExternalIDPCheckSucceededEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanExternalIDPCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanExternalIDPCheckSucceededEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	info *AuthRequestInfo) *HumanExternalIDPCheckSucceededEvent {
+	return &HumanExternalIDPCheckSucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanExternalLoginCheckSucceededType,
+		),
+		AuthRequestInfo: info,
+	}
+}
+
+func HumanExternalIDPCheckSucceededEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &HumanExternalIDPCheckSucceededEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-2M0sd", "unable to unmarshal user external idp check succeeded")
+	}
+
+	return e, nil
+}
--- a/internal/repository/user/human_mfa_events.go
+++ b/internal/repository/user/human_mfa_events.go
@@ -0,0 +1,41 @@
+package user
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	mfaEventPrefix          = humanEventPrefix + "mfa."
+	HumanMFAInitSkippedType = mfaEventPrefix + "init.skipped"
+)
+
+type HumanMFAInitSkippedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *HumanMFAInitSkippedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanMFAInitSkippedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanMFAInitSkippedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanMFAInitSkippedEvent {
+	return &HumanMFAInitSkippedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanMFAInitSkippedType,
+		),
+	}
+}
+
+func HumanMFAInitSkippedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanMFAInitSkippedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/user/human_mfa_otp.go
+++ b/internal/repository/user/human_mfa_otp.go
@@ -0,0 +1,203 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	otpEventPrefix                = mfaEventPrefix + "otp."
+	HumanMFAOTPAddedType          = otpEventPrefix + "added"
+	HumanMFAOTPVerifiedType       = otpEventPrefix + "verified"
+	HumanMFAOTPRemovedType        = otpEventPrefix + "removed"
+	HumanMFAOTPCheckSucceededType = otpEventPrefix + "check.succeeded"
+	HumanMFAOTPCheckFailedType    = otpEventPrefix + "check.failed"
+)
+
+type HumanOTPAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Secret *crypto.CryptoValue `json:"otpSecret,omitempty"`
+}
+
+func (e *HumanOTPAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanOTPAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanOTPAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	secret *crypto.CryptoValue,
+) *HumanOTPAddedEvent {
+	return &HumanOTPAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanMFAOTPAddedType,
+		),
+		Secret: secret,
+	}
+}
+
+func HumanOTPAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	otpAdded := &HumanOTPAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, otpAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-Ns9df", "unable to unmarshal human otp added")
+	}
+	return otpAdded, nil
+}
+
+type HumanOTPVerifiedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	UserAgentID          string `json:"userAgentID,omitempty"`
+}
+
+func (e *HumanOTPVerifiedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanOTPVerifiedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanOTPVerifiedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userAgentID string,
+) *HumanOTPVerifiedEvent {
+	return &HumanOTPVerifiedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanMFAOTPVerifiedType,
+		),
+		UserAgentID: userAgentID,
+	}
+}
+
+func HumanOTPVerifiedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanOTPVerifiedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type HumanOTPRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *HumanOTPRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanOTPRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanOTPRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *HumanOTPRemovedEvent {
+	return &HumanOTPRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanMFAOTPRemovedType,
+		),
+	}
+}
+
+func HumanOTPRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanOTPRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type HumanOTPCheckSucceededEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	*AuthRequestInfo
+}
+
+func (e *HumanOTPCheckSucceededEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanOTPCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanOTPCheckSucceededEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	info *AuthRequestInfo,
+) *HumanOTPCheckSucceededEvent {
+	return &HumanOTPCheckSucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanMFAOTPCheckSucceededType,
+		),
+		AuthRequestInfo: info,
+	}
+}
+
+func HumanOTPCheckSucceededEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	otpAdded := &HumanOTPCheckSucceededEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, otpAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-Ns9df", "unable to unmarshal human otp check succeeded")
+	}
+	return otpAdded, nil
+}
+
+type HumanOTPCheckFailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	*AuthRequestInfo
+}
+
+func (e *HumanOTPCheckFailedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanOTPCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanOTPCheckFailedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	info *AuthRequestInfo,
+) *HumanOTPCheckFailedEvent {
+	return &HumanOTPCheckFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanMFAOTPCheckFailedType,
+		),
+		AuthRequestInfo: info,
+	}
+}
+
+func HumanOTPCheckFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	otpAdded := &HumanOTPCheckFailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, otpAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-Ns9df", "unable to unmarshal human otp check failed")
+	}
+	return otpAdded, nil
+}
--- a/internal/repository/user/human_mfa_passwordless.go
+++ b/internal/repository/user/human_mfa_passwordless.go
@@ -0,0 +1,243 @@
+package user
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	passwordlessEventPrefix                    = humanEventPrefix + "passwordless.token."
+	HumanPasswordlessTokenAddedType            = passwordlessEventPrefix + "added"
+	HumanPasswordlessTokenVerifiedType         = passwordlessEventPrefix + "verified"
+	HumanPasswordlessTokenSignCountChangedType = passwordlessEventPrefix + "signcount.changed"
+	HumanPasswordlessTokenRemovedType          = passwordlessEventPrefix + "removed"
+	HumanPasswordlessTokenBeginLoginType       = passwordlessEventPrefix + "begin.login"
+	HumanPasswordlessTokenCheckSucceededType   = passwordlessEventPrefix + "check.succeeded"
+	HumanPasswordlessTokenCheckFailedType      = passwordlessEventPrefix + "check.failed"
+)
+
+type HumanPasswordlessAddedEvent struct {
+	HumanWebAuthNAddedEvent
+}
+
+func NewHumanPasswordlessAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	webAuthNTokenID,
+	challenge string,
+) *HumanPasswordlessAddedEvent {
+	return &HumanPasswordlessAddedEvent{
+		HumanWebAuthNAddedEvent: *NewHumanWebAuthNAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanPasswordlessTokenAddedType,
+			),
+			webAuthNTokenID,
+			challenge,
+		),
+	}
+}
+
+func HumanPasswordlessAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanPasswordlessAddedEvent{HumanWebAuthNAddedEvent: *e.(*HumanWebAuthNAddedEvent)}, nil
+}
+
+type HumanPasswordlessVerifiedEvent struct {
+	HumanWebAuthNVerifiedEvent
+}
+
+func NewHumanPasswordlessVerifiedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	webAuthNTokenID,
+	webAuthNTokenName,
+	attestationType string,
+	keyID,
+	publicKey,
+	aaguid []byte,
+	signCount uint32,
+) *HumanPasswordlessVerifiedEvent {
+	return &HumanPasswordlessVerifiedEvent{
+		HumanWebAuthNVerifiedEvent: *NewHumanWebAuthNVerifiedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanPasswordlessTokenVerifiedType,
+			),
+			webAuthNTokenID,
+			webAuthNTokenName,
+			attestationType,
+			keyID,
+			publicKey,
+			aaguid,
+			signCount,
+		),
+	}
+}
+
+func HumanPasswordlessVerifiedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNVerifiedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanPasswordlessVerifiedEvent{HumanWebAuthNVerifiedEvent: *e.(*HumanWebAuthNVerifiedEvent)}, nil
+}
+
+type HumanPasswordlessSignCountChangedEvent struct {
+	HumanWebAuthNSignCountChangedEvent
+}
+
+func NewHumanPasswordlessSignCountChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	webAuthNTokenID string,
+	signCount uint32,
+) *HumanPasswordlessSignCountChangedEvent {
+	return &HumanPasswordlessSignCountChangedEvent{
+		HumanWebAuthNSignCountChangedEvent: *NewHumanWebAuthNSignCountChangedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanPasswordlessTokenSignCountChangedType,
+			),
+			webAuthNTokenID,
+			signCount,
+		),
+	}
+}
+
+func HumanPasswordlessSignCountChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNSignCountChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanPasswordlessSignCountChangedEvent{HumanWebAuthNSignCountChangedEvent: *e.(*HumanWebAuthNSignCountChangedEvent)}, nil
+}
+
+type HumanPasswordlessRemovedEvent struct {
+	HumanWebAuthNRemovedEvent
+}
+
+func PrepareHumanPasswordlessRemovedEvent(ctx context.Context, webAuthNTokenID string) func(*eventstore.Aggregate) eventstore.EventPusher {
+	return func(a *eventstore.Aggregate) eventstore.EventPusher {
+		return NewHumanPasswordlessRemovedEvent(ctx, a, webAuthNTokenID)
+	}
+}
+
+func NewHumanPasswordlessRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	webAuthNTokenID string,
+) *HumanPasswordlessRemovedEvent {
+	return &HumanPasswordlessRemovedEvent{
+		HumanWebAuthNRemovedEvent: *NewHumanWebAuthNRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanPasswordlessTokenRemovedType,
+			),
+			webAuthNTokenID,
+		),
+	}
+}
+
+func HumanPasswordlessRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanPasswordlessRemovedEvent{HumanWebAuthNRemovedEvent: *e.(*HumanWebAuthNRemovedEvent)}, nil
+}
+
+type HumanPasswordlessBeginLoginEvent struct {
+	HumanWebAuthNBeginLoginEvent
+}
+
+func NewHumanPasswordlessBeginLoginEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	challenge string,
+	info *AuthRequestInfo,
+) *HumanPasswordlessBeginLoginEvent {
+	return &HumanPasswordlessBeginLoginEvent{
+		HumanWebAuthNBeginLoginEvent: *NewHumanWebAuthNBeginLoginEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanPasswordlessTokenVerifiedType,
+			),
+			challenge,
+			info,
+		),
+	}
+}
+
+func HumanPasswordlessBeginLoginEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNBeginLoginEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanPasswordlessBeginLoginEvent{HumanWebAuthNBeginLoginEvent: *e.(*HumanWebAuthNBeginLoginEvent)}, nil
+}
+
+type HumanPasswordlessCheckSucceededEvent struct {
+	HumanWebAuthNCheckSucceededEvent
+}
+
+func NewHumanPasswordlessCheckSucceededEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPasswordlessCheckSucceededEvent {
+	return &HumanPasswordlessCheckSucceededEvent{
+		HumanWebAuthNCheckSucceededEvent: *NewHumanWebAuthNCheckSucceededEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanPasswordlessTokenCheckSucceededType,
+			),
+		),
+	}
+}
+
+func HumanPasswordlessCheckSucceededEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNCheckSucceededEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanPasswordlessCheckSucceededEvent{HumanWebAuthNCheckSucceededEvent: *e.(*HumanWebAuthNCheckSucceededEvent)}, nil
+}
+
+type HumanPasswordlessCheckFailedEvent struct {
+	HumanWebAuthNCheckFailedEvent
+}
+
+func NewHumanPasswordlessCheckFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPasswordlessCheckFailedEvent {
+	return &HumanPasswordlessCheckFailedEvent{
+		HumanWebAuthNCheckFailedEvent: *NewHumanWebAuthNCheckFailedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanPasswordlessTokenCheckFailedType,
+			),
+		),
+	}
+}
+
+func HumanPasswordlessCheckFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNCheckFailedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanPasswordlessCheckFailedEvent{HumanWebAuthNCheckFailedEvent: *e.(*HumanWebAuthNCheckFailedEvent)}, nil
+}
--- a/internal/repository/user/human_mfa_u2f.go
+++ b/internal/repository/user/human_mfa_u2f.go
@@ -0,0 +1,243 @@
+package user
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	u2fEventPrefix                    = mfaEventPrefix + "u2f.token."
+	HumanU2FTokenAddedType            = u2fEventPrefix + "added"
+	HumanU2FTokenVerifiedType         = u2fEventPrefix + "verified"
+	HumanU2FTokenSignCountChangedType = u2fEventPrefix + "signcount.changed"
+	HumanU2FTokenRemovedType          = u2fEventPrefix + "removed"
+	HumanU2FTokenBeginLoginType       = u2fEventPrefix + "begin.login"
+	HumanU2FTokenCheckSucceededType   = u2fEventPrefix + "check.succeeded"
+	HumanU2FTokenCheckFailedType      = u2fEventPrefix + "check.failed"
+)
+
+type HumanU2FAddedEvent struct {
+	HumanWebAuthNAddedEvent
+}
+
+func NewHumanU2FAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	webAuthNTokenID,
+	challenge string,
+) *HumanU2FAddedEvent {
+	return &HumanU2FAddedEvent{
+		HumanWebAuthNAddedEvent: *NewHumanWebAuthNAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanU2FTokenAddedType,
+			),
+			webAuthNTokenID,
+			challenge,
+		),
+	}
+}
+
+func HumanU2FAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanU2FAddedEvent{HumanWebAuthNAddedEvent: *e.(*HumanWebAuthNAddedEvent)}, nil
+}
+
+type HumanU2FVerifiedEvent struct {
+	HumanWebAuthNVerifiedEvent
+}
+
+func NewHumanU2FVerifiedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	webAuthNTokenID,
+	webAuthNTokenName,
+	attestationType string,
+	keyID,
+	publicKey,
+	aaguid []byte,
+	signCount uint32,
+) *HumanU2FVerifiedEvent {
+	return &HumanU2FVerifiedEvent{
+		HumanWebAuthNVerifiedEvent: *NewHumanWebAuthNVerifiedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanU2FTokenVerifiedType,
+			),
+			webAuthNTokenID,
+			webAuthNTokenName,
+			attestationType,
+			keyID,
+			publicKey,
+			aaguid,
+			signCount,
+		),
+	}
+}
+
+func HumanU2FVerifiedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNVerifiedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanU2FVerifiedEvent{HumanWebAuthNVerifiedEvent: *e.(*HumanWebAuthNVerifiedEvent)}, nil
+}
+
+type HumanU2FSignCountChangedEvent struct {
+	HumanWebAuthNSignCountChangedEvent
+}
+
+func NewHumanU2FSignCountChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	webAuthNTokenID string,
+	signCount uint32,
+) *HumanU2FSignCountChangedEvent {
+	return &HumanU2FSignCountChangedEvent{
+		HumanWebAuthNSignCountChangedEvent: *NewHumanWebAuthNSignCountChangedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanU2FTokenSignCountChangedType,
+			),
+			webAuthNTokenID,
+			signCount,
+		),
+	}
+}
+
+func HumanU2FSignCountChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNSignCountChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanU2FSignCountChangedEvent{HumanWebAuthNSignCountChangedEvent: *e.(*HumanWebAuthNSignCountChangedEvent)}, nil
+}
+
+type HumanU2FRemovedEvent struct {
+	HumanWebAuthNRemovedEvent
+}
+
+func PrepareHumanU2FRemovedEvent(ctx context.Context, webAuthNTokenID string) func(*eventstore.Aggregate) eventstore.EventPusher {
+	return func(a *eventstore.Aggregate) eventstore.EventPusher {
+		return NewHumanU2FRemovedEvent(ctx, a, webAuthNTokenID)
+	}
+}
+
+func NewHumanU2FRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	webAuthNTokenID string,
+) *HumanU2FRemovedEvent {
+	return &HumanU2FRemovedEvent{
+		HumanWebAuthNRemovedEvent: *NewHumanWebAuthNRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanU2FTokenRemovedType,
+			),
+			webAuthNTokenID,
+		),
+	}
+}
+
+func HumanU2FRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanU2FRemovedEvent{HumanWebAuthNRemovedEvent: *e.(*HumanWebAuthNRemovedEvent)}, nil
+}
+
+type HumanU2FBeginLoginEvent struct {
+	HumanWebAuthNBeginLoginEvent
+}
+
+func NewHumanU2FBeginLoginEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	challenge string,
+	info *AuthRequestInfo,
+) *HumanU2FBeginLoginEvent {
+	return &HumanU2FBeginLoginEvent{
+		HumanWebAuthNBeginLoginEvent: *NewHumanWebAuthNBeginLoginEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanU2FTokenVerifiedType,
+			),
+			challenge,
+			info,
+		),
+	}
+}
+
+func HumanU2FBeginLoginEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNBeginLoginEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanU2FBeginLoginEvent{HumanWebAuthNBeginLoginEvent: *e.(*HumanWebAuthNBeginLoginEvent)}, nil
+}
+
+type HumanU2FCheckSucceededEvent struct {
+	HumanWebAuthNCheckSucceededEvent
+}
+
+func NewHumanU2FCheckSucceededEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanU2FCheckSucceededEvent {
+	return &HumanU2FCheckSucceededEvent{
+		HumanWebAuthNCheckSucceededEvent: *NewHumanWebAuthNCheckSucceededEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanU2FTokenCheckSucceededType,
+			),
+		),
+	}
+}
+
+func HumanU2FCheckSucceededEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNCheckSucceededEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanU2FCheckSucceededEvent{HumanWebAuthNCheckSucceededEvent: *e.(*HumanWebAuthNCheckSucceededEvent)}, nil
+}
+
+type HumanU2FCheckFailedEvent struct {
+	HumanWebAuthNCheckFailedEvent
+}
+
+func NewHumanU2FCheckFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanU2FCheckFailedEvent {
+	return &HumanU2FCheckFailedEvent{
+		HumanWebAuthNCheckFailedEvent: *NewHumanWebAuthNCheckFailedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				aggregate,
+				HumanU2FTokenCheckFailedType,
+			),
+		),
+	}
+}
+
+func HumanU2FCheckFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := HumanWebAuthNCheckFailedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &HumanU2FCheckFailedEvent{HumanWebAuthNCheckFailedEvent: *e.(*HumanWebAuthNCheckFailedEvent)}, nil
+}
--- a/internal/repository/user/human_mfa_web_auth_n.go
+++ b/internal/repository/user/human_mfa_web_auth_n.go
@@ -0,0 +1,276 @@
+package user
+
+import (
+	"encoding/json"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+type HumanWebAuthNAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	WebAuthNTokenID string `json:"webAuthNTokenId"`
+	Challenge       string `json:"challenge"`
+}
+
+func (e *HumanWebAuthNAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanWebAuthNAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanWebAuthNAddedEvent(
+	base *eventstore.BaseEvent,
+	webAuthNTokenID,
+	challenge string,
+) *HumanWebAuthNAddedEvent {
+	return &HumanWebAuthNAddedEvent{
+		BaseEvent:       *base,
+		WebAuthNTokenID: webAuthNTokenID,
+		Challenge:       challenge,
+	}
+}
+
+func HumanWebAuthNAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	webAuthNAdded := &HumanWebAuthNAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, webAuthNAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-tB8sf", "unable to unmarshal human webAuthN added")
+	}
+	return webAuthNAdded, nil
+}
+
+type HumanWebAuthNVerifiedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	WebAuthNTokenID   string `json:"webAuthNTokenId"`
+	KeyID             []byte `json:"keyId"`
+	PublicKey         []byte `json:"publicKey"`
+	AttestationType   string `json:"attestationType"`
+	AAGUID            []byte `json:"aaguid"`
+	SignCount         uint32 `json:"signCount"`
+	WebAuthNTokenName string `json:"webAuthNTokenName"`
+}
+
+func (e *HumanWebAuthNVerifiedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanWebAuthNVerifiedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanWebAuthNVerifiedEvent(
+	base *eventstore.BaseEvent,
+	webAuthNTokenID,
+	webAuthNTokenName,
+	attestationType string,
+	keyID,
+	publicKey,
+	aaguid []byte,
+	signCount uint32,
+) *HumanWebAuthNVerifiedEvent {
+	return &HumanWebAuthNVerifiedEvent{
+		BaseEvent:         *base,
+		WebAuthNTokenID:   webAuthNTokenID,
+		KeyID:             keyID,
+		PublicKey:         publicKey,
+		AttestationType:   attestationType,
+		AAGUID:            aaguid,
+		SignCount:         signCount,
+		WebAuthNTokenName: webAuthNTokenName,
+	}
+}
+
+func HumanWebAuthNVerifiedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	webauthNVerified := &HumanWebAuthNVerifiedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, webauthNVerified)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-B0zDs", "unable to unmarshal human webAuthN verified")
+	}
+	return webauthNVerified, nil
+}
+
+type HumanWebAuthNSignCountChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	WebAuthNTokenID string `json:"webAuthNTokenId"`
+	SignCount       uint32 `json:"signCount"`
+}
+
+func (e *HumanWebAuthNSignCountChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanWebAuthNSignCountChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanWebAuthNSignCountChangedEvent(
+	base *eventstore.BaseEvent,
+	webAuthNTokenID string,
+	signCount uint32,
+) *HumanWebAuthNSignCountChangedEvent {
+	return &HumanWebAuthNSignCountChangedEvent{
+		BaseEvent:       *base,
+		WebAuthNTokenID: webAuthNTokenID,
+		SignCount:       signCount,
+	}
+}
+
+func HumanWebAuthNSignCountChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	webauthNVerified := &HumanWebAuthNSignCountChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, webauthNVerified)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-5Gm0s", "unable to unmarshal human webAuthN sign count")
+	}
+	return webauthNVerified, nil
+}
+
+type HumanWebAuthNRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	WebAuthNTokenID string          `json:"webAuthNTokenId"`
+	State           domain.MFAState `json:"-"`
+}
+
+func (e *HumanWebAuthNRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanWebAuthNRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanWebAuthNRemovedEvent(
+	base *eventstore.BaseEvent,
+	webAuthNTokenID string,
+) *HumanWebAuthNRemovedEvent {
+	return &HumanWebAuthNRemovedEvent{
+		BaseEvent:       *base,
+		WebAuthNTokenID: webAuthNTokenID,
+	}
+}
+
+func HumanWebAuthNRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	webauthNVerified := &HumanWebAuthNRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, webauthNVerified)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-gM9sd", "unable to unmarshal human webAuthN token removed")
+	}
+	return webauthNVerified, nil
+}
+
+type HumanWebAuthNBeginLoginEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Challenge string `json:"challenge"`
+	*AuthRequestInfo
+}
+
+func (e *HumanWebAuthNBeginLoginEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanWebAuthNBeginLoginEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanWebAuthNBeginLoginEvent(
+	base *eventstore.BaseEvent,
+	challenge string,
+	info *AuthRequestInfo,
+) *HumanWebAuthNBeginLoginEvent {
+	return &HumanWebAuthNBeginLoginEvent{
+		BaseEvent:       *base,
+		Challenge:       challenge,
+		AuthRequestInfo: info,
+	}
+}
+
+func HumanWebAuthNBeginLoginEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	webAuthNAdded := &HumanWebAuthNBeginLoginEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, webAuthNAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-rMb8x", "unable to unmarshal human webAuthN begin login")
+	}
+	return webAuthNAdded, nil
+}
+
+type HumanWebAuthNCheckSucceededEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	//TODO: Handle Auth Req??
+	//*AuthRequest
+}
+
+func (e *HumanWebAuthNCheckSucceededEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanWebAuthNCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanWebAuthNCheckSucceededEvent(base *eventstore.BaseEvent) *HumanWebAuthNCheckSucceededEvent {
+	return &HumanWebAuthNCheckSucceededEvent{
+		BaseEvent: *base,
+	}
+}
+
+func HumanWebAuthNCheckSucceededEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	webAuthNAdded := &HumanWebAuthNCheckSucceededEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, webAuthNAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-2M0fg", "unable to unmarshal human webAuthN check succeeded")
+	}
+	return webAuthNAdded, nil
+}
+
+type HumanWebAuthNCheckFailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	//TODO: Handle Auth Req??
+	//*AuthRequest
+}
+
+func (e *HumanWebAuthNCheckFailedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanWebAuthNCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanWebAuthNCheckFailedEvent(base *eventstore.BaseEvent) *HumanWebAuthNCheckFailedEvent {
+	return &HumanWebAuthNCheckFailedEvent{
+		BaseEvent: *base,
+	}
+}
+
+func HumanWebAuthNCheckFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	webAuthNAdded := &HumanWebAuthNCheckFailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, webAuthNAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-O0dse", "unable to unmarshal human webAuthN check failed")
+	}
+	return webAuthNAdded, nil
+}
--- a/internal/repository/user/human_password.go
+++ b/internal/repository/user/human_password.go
@@ -0,0 +1,224 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+	"time"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	passwordEventPrefix             = humanEventPrefix + "password."
+	HumanPasswordChangedType        = passwordEventPrefix + "changed"
+	HumanPasswordCodeAddedType      = passwordEventPrefix + "code.added"
+	HumanPasswordCodeSentType       = passwordEventPrefix + "code.sent"
+	HumanPasswordCheckSucceededType = passwordEventPrefix + "check.succeeded"
+	HumanPasswordCheckFailedType    = passwordEventPrefix + "check.failed"
+)
+
+type HumanPasswordChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Secret         *crypto.CryptoValue `json:"secret,omitempty"`
+	ChangeRequired bool                `json:"changeRequired"`
+	UserAgentID    string              `json:"userAgentID,omitempty"`
+}
+
+func (e *HumanPasswordChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanPasswordChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanPasswordChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	secret *crypto.CryptoValue,
+	changeRequired bool,
+	userAgentID string,
+) *HumanPasswordChangedEvent {
+	return &HumanPasswordChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanPasswordChangedType,
+		),
+		Secret:         secret,
+		ChangeRequired: changeRequired,
+		UserAgentID:    userAgentID,
+	}
+}
+
+func HumanPasswordChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	humanAdded := &HumanPasswordChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, humanAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-4M0sd", "unable to unmarshal human password changed")
+	}
+
+	return humanAdded, nil
+}
+
+type HumanPasswordCodeAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Code             *crypto.CryptoValue     `json:"code,omitempty"`
+	Expiry           time.Duration           `json:"expiry,omitempty"`
+	NotificationType domain.NotificationType `json:"notificationType,omitempty"`
+}
+
+func (e *HumanPasswordCodeAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanPasswordCodeAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanPasswordCodeAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	code *crypto.CryptoValue,
+	expiry time.Duration,
+	notificationType domain.NotificationType,
+) *HumanPasswordCodeAddedEvent {
+	return &HumanPasswordCodeAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanPasswordCodeAddedType,
+		),
+		Code:             code,
+		Expiry:           expiry,
+		NotificationType: notificationType,
+	}
+}
+
+func HumanPasswordCodeAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	humanAdded := &HumanPasswordCodeAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, humanAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-Ms90d", "unable to unmarshal human password code added")
+	}
+
+	return humanAdded, nil
+}
+
+type HumanPasswordCodeSentEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *HumanPasswordCodeSentEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanPasswordCodeSentEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanPasswordCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPasswordCodeSentEvent {
+	return &HumanPasswordCodeSentEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanPasswordCodeSentType,
+		),
+	}
+}
+
+func HumanPasswordCodeSentEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanPasswordCodeSentEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type HumanPasswordCheckSucceededEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	*AuthRequestInfo
+}
+
+func (e *HumanPasswordCheckSucceededEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanPasswordCheckSucceededEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanPasswordCheckSucceededEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	info *AuthRequestInfo,
+) *HumanPasswordCheckSucceededEvent {
+	return &HumanPasswordCheckSucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanPasswordCheckSucceededType,
+		),
+		AuthRequestInfo: info,
+	}
+}
+
+func HumanPasswordCheckSucceededEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	humanAdded := &HumanPasswordCheckSucceededEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, humanAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-5M9sd", "unable to unmarshal human password check succeeded")
+	}
+
+	return humanAdded, nil
+}
+
+type HumanPasswordCheckFailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	*AuthRequestInfo
+}
+
+func (e *HumanPasswordCheckFailedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanPasswordCheckFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanPasswordCheckFailedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	info *AuthRequestInfo,
+) *HumanPasswordCheckFailedEvent {
+	return &HumanPasswordCheckFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanPasswordCheckFailedType,
+		),
+		AuthRequestInfo: info,
+	}
+}
+
+func HumanPasswordCheckFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	humanAdded := &HumanPasswordCheckFailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, humanAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-4m9fs", "unable to unmarshal human password check failed")
+	}
+
+	return humanAdded, nil
+}
--- a/internal/repository/user/human_phone.go
+++ b/internal/repository/user/human_phone.go
@@ -0,0 +1,217 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+	"time"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	phoneEventPrefix                 = humanEventPrefix + "phone."
+	HumanPhoneChangedType            = phoneEventPrefix + "changed"
+	HumanPhoneRemovedType            = phoneEventPrefix + "removed"
+	HumanPhoneVerifiedType           = phoneEventPrefix + "verified"
+	HumanPhoneVerificationFailedType = phoneEventPrefix + "verification.failed"
+	HumanPhoneCodeAddedType          = phoneEventPrefix + "code.added"
+	HumanPhoneCodeSentType           = phoneEventPrefix + "code.sent"
+)
+
+type HumanPhoneChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	PhoneNumber string `json:"phone,omitempty"`
+}
+
+func (e *HumanPhoneChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanPhoneChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanPhoneChangedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPhoneChangedEvent {
+	return &HumanPhoneChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanPhoneChangedType,
+		),
+	}
+}
+
+func HumanPhoneChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	phoneChangedEvent := &HumanPhoneChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, phoneChangedEvent)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-5M0pd", "unable to unmarshal human phone changed")
+	}
+
+	return phoneChangedEvent, nil
+}
+
+type HumanPhoneRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *HumanPhoneRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanPhoneRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanPhoneRemovedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPhoneRemovedEvent {
+	return &HumanPhoneRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanPhoneRemovedType,
+		),
+	}
+}
+
+func HumanPhoneRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanPhoneChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type HumanPhoneVerifiedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	IsPhoneVerified bool `json:"-"`
+}
+
+func (e *HumanPhoneVerifiedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanPhoneVerifiedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanPhoneVerifiedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPhoneVerifiedEvent {
+	return &HumanPhoneVerifiedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanPhoneVerifiedType,
+		),
+	}
+}
+
+func HumanPhoneVerifiedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanPhoneVerifiedEvent{
+		BaseEvent:       *eventstore.BaseEventFromRepo(event),
+		IsPhoneVerified: true,
+	}, nil
+}
+
+type HumanPhoneVerificationFailedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *HumanPhoneVerificationFailedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *HumanPhoneVerificationFailedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanPhoneVerificationFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPhoneVerificationFailedEvent {
+	return &HumanPhoneVerificationFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanPhoneVerificationFailedType,
+		),
+	}
+}
+
+func HumanPhoneVerificationFailedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanPhoneVerificationFailedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type HumanPhoneCodeAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	Code   *crypto.CryptoValue `json:"code,omitempty"`
+	Expiry time.Duration       `json:"expiry,omitempty"`
+}
+
+func (e *HumanPhoneCodeAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanPhoneCodeAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanPhoneCodeAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	code *crypto.CryptoValue,
+	expiry time.Duration,
+) *HumanPhoneCodeAddedEvent {
+	return &HumanPhoneCodeAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanPhoneCodeAddedType,
+		),
+		Code:   code,
+		Expiry: expiry,
+	}
+}
+
+func HumanPhoneCodeAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	codeAdded := &HumanPhoneCodeAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, codeAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-6Ms9d", "unable to unmarshal human phone code added")
+	}
+
+	return codeAdded, nil
+}
+
+type HumanPhoneCodeSentEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *HumanPhoneCodeSentEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanPhoneCodeSentEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanPhoneCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPhoneCodeSentEvent {
+	return &HumanPhoneCodeSentEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanPhoneCodeSentType,
+		),
+	}
+}
+
+func HumanPhoneCodeSentEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &HumanPhoneCodeSentEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
--- a/internal/repository/user/human_profile.go
+++ b/internal/repository/user/human_profile.go
@@ -0,0 +1,58 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+	"golang.org/x/text/language"
+)
+
+const (
+	profileEventPrefix      = humanEventPrefix + "profile."
+	HumanProfileChangedType = profileEventPrefix + "changed"
+)
+
+type HumanProfileChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	FirstName         string         `json:"firstName,omitempty"`
+	LastName          string         `json:"lastName,omitempty"`
+	NickName          *string        `json:"nickName,omitempty"`
+	DisplayName       *string        `json:"displayName,omitempty"`
+	PreferredLanguage *language.Tag  `json:"preferredLanguage,omitempty"`
+	Gender            *domain.Gender `json:"gender,omitempty"`
+}
+
+func (e *HumanProfileChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *HumanProfileChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewHumanProfileChangedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanProfileChangedEvent {
+	return &HumanProfileChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			HumanProfileChangedType,
+		),
+	}
+}
+
+func HumanProfileChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	profileChanged := &HumanProfileChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, profileChanged)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-5M0pd", "unable to unmarshal human profile changed")
+	}
+
+	return profileChanged, nil
+}
--- a/internal/repository/user/machine.go
+++ b/internal/repository/user/machine.go
@@ -0,0 +1,109 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	machineEventPrefix      = userEventTypePrefix + "machine."
+	MachineAddedEventType   = machineEventPrefix + "added"
+	MachineChangedEventType = machineEventPrefix + "changed"
+)
+
+type MachineAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserName              string `json:"userName"`
+	UserLoginMustBeDomain bool
+
+	Name        string `json:"name,omitempty"`
+	Description string `json:"description,omitempty"`
+}
+
+func (e *MachineAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MachineAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddUsernameUniqueConstraint(e.UserName, e.Aggregate().ResourceOwner, e.UserLoginMustBeDomain)}
+}
+
+func NewMachineAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userName,
+	name,
+	description string,
+	userLoginMustBeDomain bool,
+) *MachineAddedEvent {
+	return &MachineAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			MachineAddedEventType,
+		),
+		UserName:              userName,
+		Name:                  name,
+		Description:           description,
+		UserLoginMustBeDomain: userLoginMustBeDomain,
+	}
+}
+
+func MachineAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	machineAdded := &MachineAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, machineAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-tMv9s", "unable to unmarshal machine added")
+	}
+
+	return machineAdded, nil
+}
+
+type MachineChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserName string `json:"userName"`
+
+	Name        *string `json:"name,omitempty"`
+	Description *string `json:"description,omitempty"`
+}
+
+func (e *MachineChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MachineChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewMachineChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *MachineChangedEvent {
+	return &MachineChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			MachineChangedEventType,
+		),
+	}
+}
+
+func MachineChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	machineChanged := &MachineChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, machineChanged)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-4M9ds", "unable to unmarshal machine changed")
+	}
+
+	return machineChanged, nil
+}
--- a/internal/repository/user/machine_key.go
+++ b/internal/repository/user/machine_key.go
@@ -0,0 +1,109 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+	"time"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	machineKeyEventPrefix      = machineEventPrefix + "key."
+	MachineKeyAddedEventType   = machineKeyEventPrefix + "added"
+	MachineKeyRemovedEventType = machineKeyEventPrefix + "removed"
+)
+
+type MachineKeyAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	KeyID          string              `json:"keyId,omitempty"`
+	KeyType        domain.AuthNKeyType `json:"type,omitempty"`
+	ExpirationDate time.Time           `json:"expirationDate,omitempty"`
+	PublicKey      []byte              `json:"publicKey,omitempty"`
+}
+
+func (e *MachineKeyAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MachineKeyAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewMachineKeyAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	keyID string,
+	keyType domain.AuthNKeyType,
+	expirationDate time.Time,
+	publicKey []byte,
+) *MachineKeyAddedEvent {
+	return &MachineKeyAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			MachineKeyAddedEventType,
+		),
+		KeyID:          keyID,
+		KeyType:        keyType,
+		ExpirationDate: expirationDate,
+		PublicKey:      publicKey,
+	}
+}
+
+func MachineKeyAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	machineKeyAdded := &MachineKeyAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, machineKeyAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-p0ovS", "unable to unmarshal machine key removed")
+	}
+
+	return machineKeyAdded, nil
+}
+
+type MachineKeyRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	KeyID string `json:"keyId,omitempty"`
+}
+
+func (e *MachineKeyRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *MachineKeyRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewMachineKeyRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	keyID string,
+) *MachineKeyRemovedEvent {
+	return &MachineKeyRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			MachineKeyRemovedEventType,
+		),
+		KeyID: keyID,
+	}
+}
+
+func MachineKeyRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	machineRemoved := &MachineKeyRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, machineRemoved)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-5Gm9s", "unable to unmarshal machine key removed")
+	}
+
+	return machineRemoved, nil
+}
--- a/internal/repository/user/user.go
+++ b/internal/repository/user/user.go
@@ -0,0 +1,386 @@
+package user
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/caos/zitadel/internal/eventstore"
+	"time"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueUsername            = "usernames"
+	userEventTypePrefix       = eventstore.EventType("user.")
+	UserLockedType            = userEventTypePrefix + "locked"
+	UserUnlockedType          = userEventTypePrefix + "unlocked"
+	UserDeactivatedType       = userEventTypePrefix + "deactivated"
+	UserReactivatedType       = userEventTypePrefix + "reactivated"
+	UserRemovedType           = userEventTypePrefix + "removed"
+	UserTokenAddedType        = userEventTypePrefix + "token.added"
+	UserDomainClaimedType     = userEventTypePrefix + "domain.claimed"
+	UserDomainClaimedSentType = userEventTypePrefix + "domain.claimed.sent"
+	UserUserNameChangedType   = userEventTypePrefix + "username.changed"
+)
+
+func NewAddUsernameUniqueConstraint(userName, resourceOwner string, userLoginMustBeDomain bool) *eventstore.EventUniqueConstraint {
+	uniqueUserName := userName
+	if userLoginMustBeDomain {
+		uniqueUserName = userName + resourceOwner
+	}
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueUsername,
+		uniqueUserName,
+		"Errors.User.AlreadyExists")
+}
+
+func NewRemoveUsernameUniqueConstraint(userName, resourceOwner string, userLoginMustBeDomain bool) *eventstore.EventUniqueConstraint {
+	uniqueUserName := userName
+	if userLoginMustBeDomain {
+		uniqueUserName = userName + resourceOwner
+	}
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueUsername,
+		uniqueUserName)
+}
+
+type UserLockedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *UserLockedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *UserLockedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserLockedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *UserLockedEvent {
+	return &UserLockedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserLockedType,
+		),
+	}
+}
+
+func UserLockedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &UserLockedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type UserUnlockedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *UserUnlockedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *UserUnlockedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserUnlockedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *UserUnlockedEvent {
+	return &UserUnlockedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserUnlockedType,
+		),
+	}
+}
+
+func UserUnlockedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &UserUnlockedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type UserDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *UserDeactivatedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *UserDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserDeactivatedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *UserDeactivatedEvent {
+	return &UserDeactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserDeactivatedType,
+		),
+	}
+}
+
+func UserDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &UserDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type UserReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *UserReactivatedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *UserReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserReactivatedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *UserReactivatedEvent {
+	return &UserReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserReactivatedType,
+		),
+	}
+}
+
+func UserReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &UserReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type UserRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	userName          string
+	loginMustBeDomain bool
+}
+
+func (e *UserRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *UserRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveUsernameUniqueConstraint(e.userName, e.Aggregate().ResourceOwner, e.loginMustBeDomain)}
+}
+
+func NewUserRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userName string,
+	userLoginMustBeDomain bool,
+) *UserRemovedEvent {
+	return &UserRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserRemovedType,
+		),
+		userName:          userName,
+		loginMustBeDomain: userLoginMustBeDomain,
+	}
+}
+
+func UserRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &UserRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type UserTokenAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	TokenID           string    `json:"tokenId"`
+	ApplicationID     string    `json:"applicationId"`
+	UserAgentID       string    `json:"userAgentId"`
+	Audience          []string  `json:"audience"`
+	Scopes            []string  `json:"scopes""`
+	Expiration        time.Time `json:"expiration"`
+	PreferredLanguage string    `json:"preferredLanguage"`
+}
+
+func (e *UserTokenAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UserTokenAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserTokenAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	tokenID,
+	applicationID,
+	userAgentID,
+	preferredLanguage string,
+	audience,
+	scopes []string,
+	expiration time.Time,
+) *UserTokenAddedEvent {
+	return &UserTokenAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserTokenAddedType,
+		),
+		TokenID:           tokenID,
+		ApplicationID:     applicationID,
+		UserAgentID:       userAgentID,
+		Audience:          audience,
+		Scopes:            scopes,
+		Expiration:        expiration,
+		PreferredLanguage: preferredLanguage,
+	}
+}
+
+func UserTokenAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	tokenAdded := &UserTokenAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, tokenAdded)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-7M9sd", "unable to unmarshal token added")
+	}
+
+	return tokenAdded, nil
+}
+
+type DomainClaimedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserName              string `json:"userName"`
+	oldUserName           string `json:"-"`
+	userLoginMustBeDomain bool   `json:"-"`
+}
+
+func (e *DomainClaimedEvent) Data() interface{} {
+	return e
+}
+
+func (e *DomainClaimedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{
+		NewRemoveUsernameUniqueConstraint(e.oldUserName, e.Aggregate().ResourceOwner, e.userLoginMustBeDomain),
+		NewAddUsernameUniqueConstraint(e.UserName, e.Aggregate().ResourceOwner, e.userLoginMustBeDomain),
+	}
+}
+
+func NewDomainClaimedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userName,
+	oldUserName string,
+	userLoginMustBeDomain bool,
+) *DomainClaimedEvent {
+	return &DomainClaimedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserDomainClaimedType,
+		),
+		UserName:              userName,
+		oldUserName:           oldUserName,
+		userLoginMustBeDomain: userLoginMustBeDomain,
+	}
+}
+
+func DomainClaimedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	domainClaimed := &DomainClaimedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, domainClaimed)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-aR8jc", "unable to unmarshal domain claimed")
+	}
+
+	return domainClaimed, nil
+}
+
+type DomainClaimedSentEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *DomainClaimedSentEvent) Data() interface{} {
+	return nil
+}
+
+func (e *DomainClaimedSentEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewDomainClaimedSentEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *DomainClaimedSentEvent {
+	return &DomainClaimedSentEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserDomainClaimedSentType,
+		),
+	}
+}
+
+func DomainClaimedSentEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &DomainClaimedSentEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type UsernameChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserName              string `json:"userName"`
+	oldUserName           string `json:"-"`
+	userLoginMustBeDomain bool   `json:"-"`
+}
+
+func (e *UsernameChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UsernameChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{
+		NewRemoveUsernameUniqueConstraint(e.oldUserName, e.Aggregate().ResourceOwner, e.userLoginMustBeDomain),
+		NewAddUsernameUniqueConstraint(e.UserName, e.Aggregate().ResourceOwner, e.userLoginMustBeDomain),
+	}
+}
+
+func NewUsernameChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	oldUserName,
+	newUserName string,
+	userLoginMustBeDomain bool,
+) *UsernameChangedEvent {
+	return &UsernameChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserUserNameChangedType,
+		),
+		UserName:              newUserName,
+		oldUserName:           oldUserName,
+		userLoginMustBeDomain: userLoginMustBeDomain,
+	}
+}
+
+func UsernameChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	domainClaimed := &UsernameChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, domainClaimed)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-4Bm9s", "unable to unmarshal username changed")
+	}
+
+	return domainClaimed, nil
+}
--- a/internal/repository/user/v1.go
+++ b/internal/repository/user/v1.go
@@ -0,0 +1,496 @@
+package user
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore"
+	"time"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/domain"
+	"golang.org/x/text/language"
+)
+
+const (
+	UserV1AddedType                     = userEventTypePrefix + "added"
+	UserV1RegisteredType                = userEventTypePrefix + "selfregistered"
+	UserV1InitialCodeAddedType          = userEventTypePrefix + "initialization.code.added"
+	UserV1InitialCodeSentType           = userEventTypePrefix + "initialization.code.sent"
+	UserV1InitializedCheckSucceededType = userEventTypePrefix + "initialization.check.succeeded"
+	UserV1InitializedCheckFailedType    = userEventTypePrefix + "initialization.check.failed"
+	UserV1SignedOutType                 = userEventTypePrefix + "signed.out"
+
+	userV1PasswordEventTypePrefix    = userEventTypePrefix + "password."
+	UserV1PasswordChangedType        = userV1PasswordEventTypePrefix + "changed"
+	UserV1PasswordCodeAddedType      = userV1PasswordEventTypePrefix + "code.added"
+	UserV1PasswordCodeSentType       = userV1PasswordEventTypePrefix + "code.sent"
+	UserV1PasswordCheckSucceededType = userV1PasswordEventTypePrefix + "check.succeeded"
+	UserV1PasswordCheckFailedType    = userV1PasswordEventTypePrefix + "check.failed"
+
+	userV1EmailEventTypePrefix        = userEventTypePrefix + "email."
+	UserV1EmailChangedType            = userV1EmailEventTypePrefix + "changed"
+	UserV1EmailVerifiedType           = userV1EmailEventTypePrefix + "verified"
+	UserV1EmailVerificationFailedType = userV1EmailEventTypePrefix + "verification.failed"
+	UserV1EmailCodeAddedType          = userV1EmailEventTypePrefix + "code.added"
+	UserV1EmailCodeSentType           = userV1EmailEventTypePrefix + "code.sent"
+
+	userV1PhoneEventTypePrefix        = userEventTypePrefix + "phone."
+	UserV1PhoneChangedType            = userV1PhoneEventTypePrefix + "changed"
+	UserV1PhoneRemovedType            = userV1PhoneEventTypePrefix + "removed"
+	UserV1PhoneVerifiedType           = userV1PhoneEventTypePrefix + "verified"
+	UserV1PhoneVerificationFailedType = userV1PhoneEventTypePrefix + "verification.failed"
+	UserV1PhoneCodeAddedType          = userV1PhoneEventTypePrefix + "code.added"
+	UserV1PhoneCodeSentType           = userV1PhoneEventTypePrefix + "code.sent"
+
+	userV1ProfileEventTypePrefix = userEventTypePrefix + "profile."
+	UserV1ProfileChangedType     = userV1ProfileEventTypePrefix + "changed"
+
+	userV1AddressEventTypePrefix = userEventTypePrefix + "address."
+	UserV1AddressChangedType     = userV1AddressEventTypePrefix + "changed"
+
+	userV1MFAEventTypePrefix = userEventTypePrefix + "mfa."
+	UserV1MFAInitSkippedType = userV1MFAOTPEventTypePrefix + "init.skipped"
+
+	userV1MFAOTPEventTypePrefix    = userV1MFAEventTypePrefix + "otp."
+	UserV1MFAOTPAddedType          = userV1MFAOTPEventTypePrefix + "added"
+	UserV1MFAOTPRemovedType        = userV1MFAOTPEventTypePrefix + "removed"
+	UserV1MFAOTPVerifiedType       = userV1MFAOTPEventTypePrefix + "verified"
+	UserV1MFAOTPCheckSucceededType = userV1MFAOTPEventTypePrefix + "check.succeeded"
+	UserV1MFAOTPCheckFailedType    = userV1MFAOTPEventTypePrefix + "check.failed"
+)
+
+func NewUserV1AddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+
+	userName,
+	firstName,
+	lastName,
+	nickName,
+	displayName string,
+	preferredLanguage language.Tag,
+	gender domain.Gender,
+	emailAddress,
+	phoneNumber,
+	country,
+	locality,
+	postalCode,
+	region,
+	streetAddress string,
+) *HumanAddedEvent {
+	return &HumanAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1AddedType,
+		),
+		UserName:          userName,
+		FirstName:         firstName,
+		LastName:          lastName,
+		NickName:          nickName,
+		DisplayName:       displayName,
+		PreferredLanguage: preferredLanguage,
+		Gender:            gender,
+		EmailAddress:      emailAddress,
+		PhoneNumber:       phoneNumber,
+		Country:           country,
+		Locality:          locality,
+		PostalCode:        postalCode,
+		Region:            region,
+		StreetAddress:     streetAddress,
+	}
+}
+
+func NewUserV1RegisteredEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+
+	userName,
+	firstName,
+	lastName,
+	nickName,
+	displayName string,
+	preferredLanguage language.Tag,
+	gender domain.Gender,
+	emailAddress,
+	phoneNumber,
+	country,
+	locality,
+	postalCode,
+	region,
+	streetAddress string,
+) *HumanRegisteredEvent {
+	return &HumanRegisteredEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1RegisteredType,
+		),
+		UserName:          userName,
+		FirstName:         firstName,
+		LastName:          lastName,
+		NickName:          nickName,
+		DisplayName:       displayName,
+		PreferredLanguage: preferredLanguage,
+		Gender:            gender,
+		EmailAddress:      emailAddress,
+		PhoneNumber:       phoneNumber,
+		Country:           country,
+		Locality:          locality,
+		PostalCode:        postalCode,
+		Region:            region,
+		StreetAddress:     streetAddress,
+	}
+}
+
+func NewUserV1InitialCodeAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	code *crypto.CryptoValue,
+	expiry time.Duration,
+) *HumanInitialCodeAddedEvent {
+	return &HumanInitialCodeAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1InitialCodeAddedType,
+		),
+		Code:   code,
+		Expiry: expiry,
+	}
+}
+
+func NewUserV1InitialCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanInitialCodeSentEvent {
+	return &HumanInitialCodeSentEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1InitialCodeSentType,
+		),
+	}
+}
+
+func NewUserV1InitializedCheckSucceededEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanInitializedCheckSucceededEvent {
+	return &HumanInitializedCheckSucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1InitializedCheckSucceededType,
+		),
+	}
+}
+
+func NewUserV1InitializedCheckFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanInitializedCheckFailedEvent {
+	return &HumanInitializedCheckFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1InitializedCheckFailedType,
+		),
+	}
+}
+
+func NewUserV1SignedOutEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanSignedOutEvent {
+	return &HumanSignedOutEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1SignedOutType,
+		),
+	}
+}
+
+func NewUserV1PasswordChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	secret *crypto.CryptoValue,
+	changeRequired bool,
+) *HumanPasswordChangedEvent {
+	return &HumanPasswordChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1PasswordChangedType,
+		),
+		Secret:         secret,
+		ChangeRequired: changeRequired,
+	}
+}
+
+func NewUserV1PasswordCodeAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	code *crypto.CryptoValue,
+	expiry time.Duration,
+	notificationType domain.NotificationType,
+) *HumanPasswordCodeAddedEvent {
+	return &HumanPasswordCodeAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1PasswordCodeAddedType,
+		),
+		Code:             code,
+		Expiry:           expiry,
+		NotificationType: notificationType,
+	}
+}
+
+func NewUserV1PasswordCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPasswordCodeSentEvent {
+	return &HumanPasswordCodeSentEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1PasswordCodeSentType,
+		),
+	}
+}
+
+func NewUserV1PasswordCheckSucceededEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPasswordCheckSucceededEvent {
+	return &HumanPasswordCheckSucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1PasswordCheckSucceededType,
+		),
+	}
+}
+
+func NewUserV1PasswordCheckFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPasswordCheckFailedEvent {
+	return &HumanPasswordCheckFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1PasswordCheckFailedType,
+		),
+	}
+}
+
+func NewUserV1EmailChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	emailAddress string,
+) *HumanEmailChangedEvent {
+	return &HumanEmailChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1EmailChangedType,
+		),
+		EmailAddress: emailAddress,
+	}
+}
+
+func NewUserV1EmailVerifiedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanEmailVerifiedEvent {
+	return &HumanEmailVerifiedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1EmailVerifiedType,
+		),
+	}
+}
+
+func NewUserV1EmailVerificationFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanEmailVerificationFailedEvent {
+	return &HumanEmailVerificationFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1EmailVerificationFailedType,
+		),
+	}
+}
+
+func NewUserV1EmailCodeAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	code *crypto.CryptoValue,
+	expiry time.Duration,
+) *HumanEmailCodeAddedEvent {
+	return &HumanEmailCodeAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1EmailCodeAddedType,
+		),
+		Code:   code,
+		Expiry: expiry,
+	}
+}
+
+func NewUserV1EmailCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanEmailCodeSentEvent {
+	return &HumanEmailCodeSentEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1EmailCodeSentType,
+		),
+	}
+}
+
+func NewUserV1PhoneChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	phone string,
+) *HumanPhoneChangedEvent {
+	return &HumanPhoneChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1PhoneChangedType,
+		),
+		PhoneNumber: phone,
+	}
+}
+
+func NewUserV1PhoneRemovedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPhoneRemovedEvent {
+	return &HumanPhoneRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1PhoneRemovedType,
+		),
+	}
+}
+
+func NewUserV1PhoneVerifiedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPhoneVerifiedEvent {
+	return &HumanPhoneVerifiedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1PhoneVerifiedType,
+		),
+	}
+}
+
+func NewUserV1PhoneVerificationFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPhoneVerificationFailedEvent {
+	return &HumanPhoneVerificationFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1PhoneVerificationFailedType,
+		),
+	}
+}
+
+func NewUserV1PhoneCodeAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	code *crypto.CryptoValue,
+	expiry time.Duration,
+) *HumanPhoneCodeAddedEvent {
+	return &HumanPhoneCodeAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1PhoneCodeAddedType,
+		),
+		Code:   code,
+		Expiry: expiry,
+	}
+}
+
+func NewUserV1PhoneCodeSentEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanPhoneCodeSentEvent {
+	return &HumanPhoneCodeSentEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1PhoneCodeSentType,
+		),
+	}
+}
+
+func NewUserV1ProfileChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+) *HumanProfileChangedEvent {
+	return &HumanProfileChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1ProfileChangedType,
+		),
+	}
+}
+
+func NewUserV1AddressChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	country,
+	locality,
+	postalCode,
+	region,
+	streetAddress string,
+) *HumanAddressChangedEvent {
+	return &HumanAddressChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1AddressChangedType,
+		),
+	}
+}
+
+func NewUserV1MFAInitSkippedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanMFAInitSkippedEvent {
+	return &HumanMFAInitSkippedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1MFAInitSkippedType,
+		),
+	}
+}
+
+func NewUserV1MFAOTPAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	secret *crypto.CryptoValue,
+) *HumanOTPAddedEvent {
+	return &HumanOTPAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1MFAOTPAddedType,
+		),
+		Secret: secret,
+	}
+}
+
+func NewUserV1MFAOTPVerifiedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanOTPVerifiedEvent {
+	return &HumanOTPVerifiedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1MFAOTPVerifiedType,
+		),
+	}
+}
+
+func NewUserV1MFAOTPRemovedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanOTPRemovedEvent {
+	return &HumanOTPRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1MFAOTPRemovedType,
+		),
+	}
+}
+
+func NewUserV1MFAOTPCheckSucceededEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanOTPCheckSucceededEvent {
+	return &HumanOTPCheckSucceededEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1MFAOTPCheckSucceededType,
+		),
+	}
+}
+
+func NewUserV1MFAOTPCheckFailedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *HumanOTPCheckFailedEvent {
+	return &HumanOTPCheckFailedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserV1MFAOTPCheckFailedType,
+		),
+	}
+}
--- a/internal/repository/usergrant/aggregate.go
+++ b/internal/repository/usergrant/aggregate.go
@@ -0,0 +1,14 @@
+package usergrant
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+const (
+	AggregateType    = "usergrant"
+	AggregateVersion = "v1"
+)
+
+type Aggregate struct {
+	eventstore.Aggregate
+}
--- a/internal/repository/usergrant/eventstore.go
+++ b/internal/repository/usergrant/eventstore.go
@@ -0,0 +1,15 @@
+package usergrant
+
+import (
+	"github.com/caos/zitadel/internal/eventstore"
+)
+
+func RegisterEventMappers(es *eventstore.Eventstore) {
+	es.RegisterFilterEventMapper(UserGrantAddedType, UserGrantAddedEventMapper).
+		RegisterFilterEventMapper(UserGrantChangedType, UserGrantChangedEventMapper).
+		RegisterFilterEventMapper(UserGrantCascadeChangedType, UserGrantCascadeChangedEventMapper).
+		RegisterFilterEventMapper(UserGrantRemovedType, UserGrantRemovedEventMapper).
+		RegisterFilterEventMapper(UserGrantCascadeRemovedType, UserGrantCascadeRemovedEventMapper).
+		RegisterFilterEventMapper(UserGrantDeactivatedType, UserGrantDeactivatedEventMapper).
+		RegisterFilterEventMapper(UserGrantReactivatedType, UserGrantReactivatedEventMapper)
+}
--- a/internal/repository/usergrant/user_grant.go
+++ b/internal/repository/usergrant/user_grant.go
@@ -0,0 +1,302 @@
+package usergrant
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/repository"
+)
+
+const (
+	UniqueUserGrant             = "user_grant"
+	userGrantEventTypePrefix    = eventstore.EventType("user.grant.")
+	UserGrantAddedType          = userGrantEventTypePrefix + "added"
+	UserGrantChangedType        = userGrantEventTypePrefix + "changed"
+	UserGrantCascadeChangedType = userGrantEventTypePrefix + "cascade.changed"
+	UserGrantRemovedType        = userGrantEventTypePrefix + "removed"
+	UserGrantCascadeRemovedType = userGrantEventTypePrefix + "cascade.removed"
+	UserGrantDeactivatedType    = userGrantEventTypePrefix + "deactivated"
+	UserGrantReactivatedType    = userGrantEventTypePrefix + "reactivated"
+)
+
+func NewAddUserGrantUniqueConstraint(resourceOwner, userID, projectID, projectGrantID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewAddEventUniqueConstraint(
+		UniqueUserGrant,
+		fmt.Sprintf("%s:%s:%s:%v", resourceOwner, userID, projectID, projectGrantID),
+		"Errors.UserGrant.AlreadyExists")
+}
+
+func NewRemoveUserGrantUniqueConstraint(resourceOwner, userID, projectID, projectGrantID string) *eventstore.EventUniqueConstraint {
+	return eventstore.NewRemoveEventUniqueConstraint(
+		UniqueUserGrant,
+		fmt.Sprintf("%s:%s:%s:%s", resourceOwner, userID, projectID, projectGrantID))
+}
+
+type UserGrantAddedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	UserID         string   `json:"userId,omitempty"`
+	ProjectID      string   `json:"projectId,omitempty"`
+	ProjectGrantID string   `json:"grantId,omitempty"`
+	RoleKeys       []string `json:"roleKeys,omitempty"`
+}
+
+func (e *UserGrantAddedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UserGrantAddedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewAddUserGrantUniqueConstraint(e.Aggregate().ResourceOwner, e.UserID, e.ProjectID, e.ProjectGrantID)}
+}
+
+func NewUserGrantAddedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID,
+	projectID,
+	projectGrantID string,
+	roleKeys []string) *UserGrantAddedEvent {
+	return &UserGrantAddedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserGrantAddedType,
+		),
+		UserID:         userID,
+		ProjectID:      projectID,
+		ProjectGrantID: projectGrantID,
+		RoleKeys:       roleKeys,
+	}
+}
+
+func UserGrantAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &UserGrantAddedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "UGRANT-0p9ol", "unable to unmarshal user grant")
+	}
+
+	return e, nil
+}
+
+type UserGrantChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	RoleKeys             []string `json:"roleKeys,omitempty"`
+}
+
+func (e *UserGrantChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UserGrantChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserGrantChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	roleKeys []string) *UserGrantChangedEvent {
+	return &UserGrantChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserGrantChangedType,
+		),
+		RoleKeys: roleKeys,
+	}
+}
+
+func UserGrantChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &UserGrantChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "UGRANT-4M0sd", "unable to unmarshal user grant")
+	}
+
+	return e, nil
+}
+
+type UserGrantCascadeChangedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	RoleKeys             []string `json:"roleKeys,omitempty"`
+}
+
+func (e *UserGrantCascadeChangedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UserGrantCascadeChangedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserGrantCascadeChangedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	roleKeys []string) *UserGrantCascadeChangedEvent {
+	return &UserGrantCascadeChangedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserGrantCascadeChangedType,
+		),
+		RoleKeys: roleKeys,
+	}
+}
+
+func UserGrantCascadeChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e := &UserGrantChangedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+
+	err := json.Unmarshal(event.Data, e)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "UGRANT-Gs9df", "unable to unmarshal user grant")
+	}
+
+	return e, nil
+}
+
+type UserGrantRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	userID               string `json:"-"`
+	projectID            string `json:"-"`
+	projectGrantID       string `json:"-"`
+}
+
+func (e *UserGrantRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *UserGrantRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveUserGrantUniqueConstraint(e.Aggregate().ResourceOwner, e.userID, e.projectID, e.projectGrantID)}
+}
+
+func NewUserGrantRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID,
+	projectID,
+	projectGrantID string,
+) *UserGrantRemovedEvent {
+	return &UserGrantRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserGrantRemovedType,
+		),
+		userID:         userID,
+		projectID:      projectID,
+		projectGrantID: projectGrantID,
+	}
+}
+
+func UserGrantRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &UserGrantRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type UserGrantCascadeRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+	userID               string `json:"-"`
+	projectID            string `json:"-"`
+	projectGrantID       string `json:"-"`
+}
+
+func (e *UserGrantCascadeRemovedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *UserGrantCascadeRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return []*eventstore.EventUniqueConstraint{NewRemoveUserGrantUniqueConstraint(e.Aggregate().ResourceOwner, e.userID, e.projectID, e.projectGrantID)}
+}
+
+func NewUserGrantCascadeRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	userID,
+	projectID,
+	projectGrantID string,
+) *UserGrantCascadeRemovedEvent {
+	return &UserGrantCascadeRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserGrantCascadeRemovedType,
+		),
+		userID:         userID,
+		projectID:      projectID,
+		projectGrantID: projectGrantID,
+	}
+}
+
+func UserGrantCascadeRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &UserGrantCascadeRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type UserGrantDeactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *UserGrantDeactivatedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *UserGrantDeactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserGrantDeactivatedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *UserGrantDeactivatedEvent {
+	return &UserGrantDeactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserGrantDeactivatedType,
+		),
+	}
+}
+
+func UserGrantDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &UserGrantDeactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}
+
+type UserGrantReactivatedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+}
+
+func (e *UserGrantReactivatedEvent) Data() interface{} {
+	return nil
+}
+
+func (e *UserGrantReactivatedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserGrantReactivatedEvent(ctx context.Context, aggregate *eventstore.Aggregate) *UserGrantReactivatedEvent {
+	return &UserGrantReactivatedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserGrantReactivatedType,
+		),
+	}
+}
+
+func UserGrantReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	return &UserGrantReactivatedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}, nil
+}