diff --git a/.gitignore b/.gitignore index 47249c59eb..06ff93c837 100644 --- a/.gitignore +++ b/.gitignore @@ -46,6 +46,11 @@ zitadelctl tmp/ console/src/app/proto/generated/ -pkg/grpc/*/*.pb.* +#generated filed +pkg/grpc/*/*.pb*.* pkg/grpc/*/*.swagger.json pkg/grpc/*/mock/*.mock.go +**.pb.go +**.proto.mock.go +**.pb.*.go +**.gen.go \ No newline at end of file diff --git a/build/README.md b/build/README.md index 66e46bef66..cacda8f44f 100644 --- a/build/README.md +++ b/build/README.md @@ -12,15 +12,15 @@ This command generates the grpc stub for angular into the folder console/src/app/proto/generated for local development ```Bash -DOCKER_BUILDKIT=1 docker build -f build/dockerfile . -t zitadel:local --target npm-copy -o console/src/app/proto/generated +DOCKER_BUILDKIT=1 docker build -f build/dockerfile . -t zitadel:local --target npm-copy -o . ``` ### Go -With this command you can generate the stub for golang into the correct dir pkg/ +With this command you can generate the stub for golang into the zitadel dir ```Bash -DOCKER_BUILDKIT=1 docker build -f build/dockerfile . -t zitadel:local --target go-copy -o pkg +DOCKER_BUILDKIT=1 docker build -f build/dockerfile . -t zitadel:local --target go-copy -o . ``` ## Run diff --git a/build/console/generate-grpc.sh b/build/console/generate-grpc.sh index 12e7d30270..618531c052 100755 --- a/build/console/generate-grpc.sh +++ b/build/console/generate-grpc.sh 
@@ -10,33 +10,8 @@ mkdir -p $GEN_PATH echo "Generate grpc" protoc \ - -I=.tmp/protos/message \ - -I=.tmp/protos/admin/proto \ - -I=.tmp/protos/management/proto \ - -I=.tmp/protos/auth/proto \ + -I=/proto/include \ -I=node_modules/google-proto-files \ - -I=.tmp/protos \ --js_out=import_style=commonjs,binary:$GEN_PATH \ - --grpc-web_out=import_style=commonjs+dts,mode=grpcweb:$GEN_PATH \ - .tmp/protos/message/proto/*.proto \ - .tmp/protos/admin/proto/*.proto \ - .tmp/protos/auth/proto/*.proto \ - .tmp/protos/management/proto/*.proto - -echo "Generate annotations js file (compatibility)" - -mkdir -p $GEN_PATH/google/api/ -touch $GEN_PATH/google/api/annotations_pb.js -echo "export {}" > $GEN_PATH/google/api/annotations_pb.d.ts - -mkdir -p $GEN_PATH/validate -touch $GEN_PATH/validate/validate_pb.js -echo "export {}" > $GEN_PATH/validate/validate_pb.d.ts - -mkdir -p $GEN_PATH/protoc-gen-swagger/options -touch $GEN_PATH/protoc-gen-swagger/options/annotations_pb.js -echo "export {}" > $GEN_PATH/protoc-gen-swagger/options/annotations_pb.d.ts - -mkdir -p $GEN_PATH/authoption -touch $GEN_PATH/authoption/options_pb.js -echo "export {}" > $GEN_PATH/authoption/options_pb.d.ts \ No newline at end of file + --grpc-web_out=import_style=typescript,mode=grpcweb:$GEN_PATH \ + $(find /proto/include -iname "*.proto") \ No newline at end of file diff --git a/build/dockerfile b/build/dockerfile index 038b6e0450..4cc57d9337 100644 --- a/build/dockerfile +++ b/build/dockerfile 
@@ -1,105 +1,137 @@ -####################### -## By default we build the prod enviroment +ARG GO_VERSION=1.15.8 +ARG NODE_VERSION=15.8.0 ARG ENV=prod ####################### -## This step downloads the protofiles, protoc and protoc-gen-grpc-web for later use +## This step sets up the folder structure, +## initalices go mods, +## downloads the protofiles, +## protoc and protoc-gen-grpc-web for later use ####################### -FROM alpine as base -RUN apk add tar curl -WORKDIR /.tmp -RUN wget -O protoc https://github.com/protocolbuffers/protobuf/releases/download/v3.13.0/protoc-3.13.0-linux-x86_64.zip \ - && unzip protoc \ - && wget -O bin/protoc-gen-grpc-web https://github.com/grpc/grpc-web/releases/download/1.2.0/protoc-gen-grpc-web-1.2.0-linux-x86_64 \ - && chmod +x bin/protoc-gen-grpc-web -RUN curl https://raw.githubusercontent.com/envoyproxy/protoc-gen-validate/v0.4.1/validate/validate.proto --create-dirs -o validate/validate.proto \ - && curl https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v1.14.6/protoc-gen-swagger/options/annotations.proto --create-dirs -o protoc-gen-swagger/options/annotations.proto \ - && curl https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v1.14.6/protoc-gen-swagger/options/openapiv2.proto --create-dirs -o protoc-gen-swagger/options/openapiv2.proto \ - && curl https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/annotations.proto --create-dirs -o google/api/annotations.proto \ - && curl https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/http.proto --create-dirs -o google/api/http.proto \ - && curl https://raw.githubusercontent.com/protocolbuffers/protobuf/master/src/google/protobuf/empty.proto --create-dirs -o google/protobuf/empty.proto \ - && curl https://raw.githubusercontent.com/protocolbuffers/protobuf/master/src/google/protobuf/timestamp.proto --create-dirs -o google/protobuf/timestamp.proto \ - && curl 
https://raw.githubusercontent.com/protocolbuffers/protobuf/master/src/google/protobuf/descriptor.proto --create-dirs -o google/protobuf/descriptor.proto \ - && curl https://raw.githubusercontent.com/protocolbuffers/protobuf/master/src/google/protobuf/duration.proto --create-dirs -o google/protobuf/duration.proto \ - && curl https://raw.githubusercontent.com/protocolbuffers/protobuf/master/src/google/protobuf/any.proto --create-dirs -o google/protobuf/any.proto \ - && curl https://raw.githubusercontent.com/protocolbuffers/protobuf/master/src/google/protobuf/struct.proto --create-dirs -o google/protobuf/struct.proto +FROM alpine AS base +ARG PROTOC_VERSION=3.14.0 +ARG PROTOC_ZIP=protoc-${PROTOC_VERSION}-linux-x86_64.zip +ARG GRPC_WEB_VERSION=1.2.1 +ARG GRPC_WEB=protoc-gen-grpc-web-${GRPC_WEB_VERSION}-linux-x86_64 + + +RUN apk add tar curl +WORKDIR /proto + +#protoc +RUN curl -OL https://github.com/protocolbuffers/protobuf/releases/download/v${PROTOC_VERSION}/$PROTOC_ZIP \ + && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \ + && unzip -o $PROTOC_ZIP -d /proto include/* \ + && rm -f $PROTOC_ZIP + +#grpc web +RUN curl -OL https://github.com/grpc/grpc-web/releases/download/${GRPC_WEB_VERSION}/${GRPC_WEB} \ + && mv ${GRPC_WEB} /usr/local/bin/protoc-gen-grpc-web \ + && chmod +x /usr/local/bin/protoc-gen-grpc-web + +#proto dependencies +RUN curl https://raw.githubusercontent.com/envoyproxy/protoc-gen-validate/v0.4.1/validate/validate.proto --create-dirs -o include/validate/validate.proto \ + && curl https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v2.2.0/protoc-gen-openapiv2/options/annotations.proto --create-dirs -o include/protoc-gen-openapiv2/options/annotations.proto \ + && curl https://raw.githubusercontent.com/grpc-ecosystem/grpc-gateway/v2.2.0/protoc-gen-openapiv2/options/openapiv2.proto --create-dirs -o include/protoc-gen-openapiv2/options/openapiv2.proto \ + && curl 
https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/annotations.proto --create-dirs -o include/google/api/annotations.proto \ + && curl https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/http.proto --create-dirs -o include/google/api/http.proto \ + && curl https://raw.githubusercontent.com/googleapis/googleapis/master/google/api/field_behavior.proto --create-dirs -o include/google/api/field_behavior.proto + +#zitadel protos +COPY /proto/ include/. -COPY pkg/grpc/admin/proto/admin.proto admin/proto/admin.proto -COPY pkg/grpc/auth/proto/auth.proto auth/proto/auth.proto -COPY pkg/grpc/management/proto/management.proto management/proto/management.proto -COPY pkg/grpc/message/proto/message.proto message/proto/message.proto -COPY internal/protoc/protoc-gen-authoption/authoption/options.proto authoption/options.proto ####################### ## With this step we prepare all node_modules, this helps caching the build ## Speed up this step by mounting your local node_modules directory ####################### -FROM node:15 as npm-base -WORKDIR console +FROM node:${NODE_VERSION} as npm-base +WORKDIR /console + COPY console/package.json console/package-lock.json ./ -RUN npm install \ - && mkdir .tmp +RUN npm install + COPY console . -COPY --from=base /.tmp/bin /usr/local/bin/ -COPY --from=base /.tmp .tmp/protos/ +COPY --from=base /proto /proto +COPY --from=base /usr/local/bin /usr/local/bin/. COPY build/console build/console/ RUN build/console/generate-grpc.sh -FROM scratch as npm-copy -COPY --from=npm-base /console/src/app/proto/generated . 
+####################### +## copy for local dev +####################### +FROM scratch as npm-copy +COPY --from=npm-base /console/src/app/proto/generated ./console/src/app/proto/generated + + +####################### ## anular dev build +####################### FROM npm-base as dev-angular-build RUN npm install -g @angular/cli + +####################### ## anular prod build +####################### FROM npm-base as prod-angular-build RUN npm run prodbuild + ####################### -## Go base build +## Go dependencies ## Speed up this step by mounting your local go mod pkg directory ####################### -FROM golang:1.15 as go-base -WORKDIR src/github.com/caos/zitadel/ -COPY go.mod go.sum ./ +FROM golang:${GO_VERSION} as go-dep +RUN mkdir -p src/github.com/caos/zitadel +COPY . src/github.com/caos/zitadel/ +WORKDIR /go/src/github.com/caos/zitadel/ + RUN go mod download -COPY --from=base /.tmp .tmp/protos/ -COPY --from=base /.tmp/bin /usr/local/bin/ -COPY internal/protoc/protoc-base internal/protoc/protoc-base/ -COPY internal/protoc/protoc-gen-authoption internal/protoc/protoc-gen-authoption/ +RUN ./tools/install.sh -RUN go install \ - github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway \ - github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger \ - github.com/golang/protobuf/protoc-gen-go \ - github.com/envoyproxy/protoc-gen-validate - -RUN go get -u github.com/go-bindata/go-bindata/... - -RUN go-bindata ./internal/protoc/protoc-gen-authoption/templates \ - && go install ./internal/protoc/protoc-gen-authoption - -COPY build/zitadel build/zitadel/ +####################### +## Go base build +####################### +FROM go-dep as go-base +COPY --from=base /proto /proto +COPY --from=base /usr/local/bin /usr/local/bin/. RUN build/zitadel/generate-grpc.sh -FROM scratch as go-copy -COPY --from=go-base /go/src/github.com/caos/zitadel/pkg/ . 
+####################### +## copy for local dev +####################### +FROM scratch as go-copy +COPY --from=go-base /go/src/github.com/caos/zitadel/pkg/grpc ./pkg/grpc +COPY --from=go-base /go/src/github.com/caos/zitadel/internal/protoc/protoc-gen-authoption/templates.gen.go ./internal/protoc/protoc-gen-authoption/templates.gen.go +COPY --from=go-base /go/src/github.com/caos/zitadel/internal/protoc/protoc-gen-authoption/authoption/options.pb.go ./internal/protoc/protoc-gen-authoption/authoption/options.pb.go + + +####################### ## Go test +####################### FROM go-base as go-test COPY . . -#Migrations for cockroach-secure + +# Migrations for cockroach-secure RUN go install github.com/rakyll/statik RUN ./build/operator/prebuild.sh ./migrations RUN go test -race -v -coverprofile=profile.cov $(go list ./... | grep -v /operator/) -## Go test + +####################### +## Go test results +####################### FROM scratch as go-codecov COPY --from=go-test /go/src/github.com/caos/zitadel/profile.cov profile.cov + +####################### ## Go prod build +####################### FROM go-test as prod-go-build COPY --from=prod-angular-build console/dist/console console/dist/console/ RUN go get github.com/rakyll/statik \ @@ -109,10 +141,14 @@ RUN go get github.com/rakyll/statik \ && ./build/zitadel/generate-static.sh RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags '-extldflags "-static"' -o zitadel-linux-amd64 cmd/zitadel/main.go + +####################### ## Go dev build +####################### FROM go-base as dev-go-build RUN go get github.com/go-delve/delve/cmd/dlv + ####################### ## Final Production Image ####################### 
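Review bot: The `#protoc` and `#grpc web` steps in the `base` stage install downloaded executables into /usr/local/bin with no integrity check, and `curl -OL` has no `-f`, so an HTTP error page would be saved under the expected file name. Pinning a digest next to each version ARG would close this, for example `ARG PROTOC_SHA256=<sha256-of-the-protoc-zip>` plus `&& echo "${PROTOC_SHA256}  ${PROTOC_ZIP}" | sha256sum -c -` before the first `unzip`, and `curl -fsSLO` for the fetch (same pattern for `${GRPC_WEB}`). The `#proto dependencies` step still takes the three googleapis files from `master`, so the generated API code can differ between builds; a commit-pinned URL would make it reproducible. In the `go-dep` stage, `COPY . src/github.com/caos/zitadel/` now runs before `go mod download` and places the whole build context in that layer, so it is worth confirming that a .dockerignore keeps local key files and env files out of the image history.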
@@ -123,11 +159,14 @@ COPY --from=prod-go-build /go/src/github.com/caos/zitadel/zitadel-linux-amd64 /a RUN chmod a+x /app/zitadel RUN ls -la / + +####################### ## Scratch Image +####################### FROM scratch as final COPY --from=artifact /etc/passwd /etc/passwd COPY --from=artifact /etc/ssl/certs /etc/ssl/certs COPY --from=artifact /app / USER zitadel HEALTHCHECK NONE -ENTRYPOINT ["/zitadel"] +ENTRYPOINT ["/zitadel"] \ No newline at end of file diff --git a/build/zitadel/generate-grpc.sh b/build/zitadel/generate-grpc.sh index 79cd1edb1f..d6e8c11345 100755 --- a/build/zitadel/generate-grpc.sh +++ b/build/zitadel/generate-grpc.sh 
@@ -4,62 +4,70 @@ set -eux echo "Generate grpc" -protoc \ - -I=.tmp/protos/message \ - -I=.tmp/protos/admin/proto \ - -I=.tmp/protos/management/proto \ - -I=.tmp/protos/auth/proto \ - -I=.tmp/protos \ - -I=${GOPATH}/src \ - --go_out=plugins=grpc:$GOPATH/src \ - .tmp/protos/message/proto/message.proto +OPENAPI_PATH=${GOPATH}/src/github.com/caos/zitadel/openapi/v2 +ZITADEL_PATH=${GOPATH}/src/github.com/caos/zitadel +GRPC_PATH=${ZITADEL_PATH}/pkg/grpc +PROTO_PATH=/proto/include/zitadel protoc \ - -I=.tmp/protos/message \ - -I=.tmp/protos/admin/proto \ - -I=.tmp/protos/management/proto \ - -I=.tmp/protos/auth/proto \ - -I=.tmp/protos \ - -I=${GOPATH}/src \ - --go_out=plugins=grpc:$GOPATH/src \ - --grpc-gateway_out=logtostderr=true:$GOPATH/src \ - --swagger_out=logtostderr=true:. \ - --authoption_out=. \ + -I=/proto/include/ \ + --go_out $GOPATH/src \ + --go-grpc_out $GOPATH/src \ + $(find ${PROTO_PATH} -iname *.proto | grep -v "management|admin|auth") + +go-bindata \ + -pkg main \ + -prefix internal/protoc/protoc-gen-authoption \ + -o ${ZITADEL_PATH}/internal/protoc/protoc-gen-authoption/templates.gen.go \ + ${ZITADEL_PATH}/internal/protoc/protoc-gen-authoption/templates + +go install ${ZITADEL_PATH}/internal/protoc/protoc-gen-authoption + +# output folder for openapi v2 +mkdir -p ${OPENAPI_PATH} + +protoc \ + -I=/proto/include \ + --go_out ${GOPATH}/src \ + --go-grpc_out ${GOPATH}/src \ + --grpc-gateway_out ${GOPATH}/src \ + --grpc-gateway_opt logtostderr=true \ + --openapiv2_out ${OPENAPI_PATH} \ + --openapiv2_opt logtostderr=true \ + --authoption_out ${GRPC_PATH}/admin \ --validate_out=lang=go:${GOPATH}/src \ - .tmp/protos/admin/proto/admin.proto - -mv admin* $GOPATH/src/github.com/caos/zitadel/pkg/grpc/admin/ + ${PROTO_PATH}/admin.proto +mv ${ZITADEL_PATH}/pkg/grpc/admin/zitadel/* ${ZITADEL_PATH}/pkg/grpc/admin +rm -r ${ZITADEL_PATH}/pkg/grpc/admin/zitadel protoc \ - -I=.tmp/protos/message \ - -I=.tmp/protos/admin/proto \ - -I=.tmp/protos/management/proto \ - 
-I=.tmp/protos/auth/proto \ - -I=.tmp/protos \ - -I=${GOPATH}/src \ - --go_out=plugins=grpc:$GOPATH/src \ - --grpc-gateway_out=logtostderr=true,allow_delete_body=true:${GOPATH}/src \ - --swagger_out=logtostderr=true,allow_delete_body=true:. \ - --authoption_out=. \ + -I=/proto/include \ + --go_out $GOPATH/src \ + --go-grpc_out $GOPATH/src \ + --grpc-gateway_out ${GOPATH}/src \ + --grpc-gateway_opt logtostderr=true \ + --grpc-gateway_opt allow_delete_body=true \ + --openapiv2_out ${OPENAPI_PATH} \ + --openapiv2_opt logtostderr=true \ + --openapiv2_opt allow_delete_body=true \ + --authoption_out ${GRPC_PATH}/management \ --validate_out=lang=go:${GOPATH}/src \ - .tmp/protos/management/proto/management.proto - -mv management* $GOPATH/src/github.com/caos/zitadel/pkg/grpc/management/ + ${PROTO_PATH}/management.proto +mv ${ZITADEL_PATH}/pkg/grpc/management/zitadel/* ${ZITADEL_PATH}/pkg/grpc/management +rm -r ${ZITADEL_PATH}/pkg/grpc/management/zitadel protoc \ - -I=.tmp/protos/message \ - -I=.tmp/protos/admin/proto \ - -I=.tmp/protos/management/proto \ - -I=.tmp/protos/auth/proto \ - -I=.tmp/protos \ - -I=${GOPATH}/src \ - --go_out=plugins=grpc:$GOPATH/src \ - --grpc-gateway_out=logtostderr=true:$GOPATH/src \ - --swagger_out=logtostderr=true:. \ - --authoption_out=. \ + -I=/proto/include \ + --go_out $GOPATH/src \ + --go-grpc_out $GOPATH/src \ + --grpc-gateway_out ${GOPATH}/src \ + --grpc-gateway_opt logtostderr=true \ + --openapiv2_out ${OPENAPI_PATH} \ + --openapiv2_opt logtostderr=true \ + --authoption_out=${GRPC_PATH}/auth \ --validate_out=lang=go:${GOPATH}/src \ - .tmp/protos/auth/proto/auth.proto + ${PROTO_PATH}/auth.proto +mv ${ZITADEL_PATH}/pkg/grpc/auth/zitadel/* ${ZITADEL_PATH}/pkg/grpc/auth +rm -r ${ZITADEL_PATH}/pkg/grpc/auth/zitadel -mv auth* $GOPATH/src/github.com/caos/zitadel/pkg/grpc/auth/ - -echo "done generating" +echo "done generating grpc" \ No newline at end of file 
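Review bot: The filter in the first `protoc` call excludes nothing, because `grep -v "management|admin|auth"` is a basic regular expression in which `|` is a literal character. As a result admin.proto, management.proto and auth.proto are compiled there as well as in their dedicated calls below, which are the ones that run `--authoption_out` and `--validate_out`. Switching to `-E` with the same pattern would fix that but would also drop files such as auth_n_key.proto, so matching the exact file names is safer: `$(find ${PROTO_PATH} -iname '*.proto' | grep -Ev '/(management|admin|auth)\.proto$')`. The quotes around `'*.proto'` also stop the shell from expanding the pattern against the working directory before `find` sees it.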
diff --git a/cmd/zitadel/setup.yaml b/cmd/zitadel/setup.yaml index c562dc6642..896865616d 100644 --- a/cmd/zitadel/setup.yaml +++ b/cmd/zitadel/setup.yaml @@ -4,19 +4,16 @@ Log: Format: text Eventstore: - ServiceName: 'Admin' - Repository: - SQL: - Host: $ZITADEL_EVENTSTORE_HOST - Port: $ZITADEL_EVENTSTORE_PORT - User: 'eventstore' - Database: 'eventstore' - Password: $CR_EVENTSTORE_PASSWORD - SSL: - Mode: $CR_SSL_MODE - RootCert: $CR_ROOT_CERT - Cert: $CR_EVENTSTORE_CERT - Key: $CR_EVENTSTORE_KEY + Host: $ZITADEL_EVENTSTORE_HOST + Port: $ZITADEL_EVENTSTORE_PORT + User: 'eventstore' + Database: 'eventstore' + Password: $CR_EVENTSTORE_PASSWORD + SSL: + Mode: $CR_SSL_MODE + RootCert: $CR_ROOT_CERT + Cert: $CR_EVENTSTORE_CERT + Key: $CR_EVENTSTORE_KEY SetUp: Step1: diff --git a/cmd/zitadel/startup.yaml b/cmd/zitadel/startup.yaml index 4d78af0226..2ce3e6c7fa 100644 --- a/cmd/zitadel/startup.yaml +++ b/cmd/zitadel/startup.yaml @@ -36,9 +36,9 @@ Queries: Eventstore: User: 'queries' Password: $CR_QUERIES_PASSWORD - SSL: - Cert: $CR_QUERIES_CERT - Key: $CR_QUERIES_KEY + SSL: + Cert: $CR_QUERIES_CERT + Key: $CR_QUERIES_KEY AuthZ: Repository: diff --git a/console/src/app/app.component.html b/console/src/app/app.component.html index d6178a4a97..749c75e71e 100644 --- a/console/src/app/app.component.html +++ b/console/src/app/app.component.html @@ -18,8 +18,8 @@ - @@ -63,7 +63,7 @@ [name]="user.displayName ? user.displayName : (user.firstName + ' '+ user.lastName)" [size]="38"> + (close)="showAccount = false" [user]="user" [iamuser]="iamuser$ | async"> diff --git a/console/src/app/app.component.ts b/console/src/app/app.component.ts index 664dd36d12..860cf7327a 100644 --- a/console/src/app/app.component.ts +++ b/console/src/app/app.component.ts 
@@ -12,13 +12,9 @@ import { BehaviorSubject, from, Observable, of, Subscription } from 'rxjs'; import { catchError, debounceTime, finalize, map, take } from 'rxjs/operators'; import { accountCard, adminLineAnimation, navAnimations, routeAnimations, toolbarAnimation } from './animations'; -import { - MyProjectOrgSearchKey, - MyProjectOrgSearchQuery, - Org, - SearchMethod, - UserProfileView, -} from './proto/generated/auth_pb'; +import { TextQueryMethod } from './proto/generated/zitadel/object_pb'; +import { Org, OrgNameQuery, OrgQuery } from './proto/generated/zitadel/org_pb'; +import { User } from './proto/generated/zitadel/user_pb'; import { AuthenticationService } from './services/authentication.service'; import { GrpcAuthService } from './services/grpc-auth.service'; import { ManagementService } from './services/mgmt.service'; @@ -50,7 +46,7 @@ export class AppComponent implements OnDestroy { public showAccount: boolean = false; public org!: Org.AsObject; public orgs$: Observable = of([]); - public profile!: UserProfileView.AsObject; + public user!: User.AsObject; public isDarkTheme: Observable = of(true); public orgLoading$: BehaviorSubject = new BehaviorSubject(false); @@ -183,7 +179,7 @@ export class AppComponent implements OnDestroy { this.authSub = this.authenticationService.authenticationChanged.subscribe((authenticated) => { if (authenticated) { - this.authService.GetActiveOrg().then(org => { + this.authService.getActiveOrg().then(org => { this.org = org; }); } 
@@ -224,16 +220,17 @@ export class AppComponent implements OnDestroy { public loadOrgs(filter?: string): void { let query; if (filter) { - query = new MyProjectOrgSearchQuery(); - query.setMethod(SearchMethod.SEARCHMETHOD_CONTAINS_IGNORE_CASE); - query.setKey(MyProjectOrgSearchKey.MYPROJECTORGSEARCHKEY_ORG_NAME); - query.setValue(filter); + query = new OrgQuery(); + const orgNameQuery = new OrgNameQuery(); + orgNameQuery.setName(filter); + orgNameQuery.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE); + query.setNameQuery(orgNameQuery); } this.orgLoading$.next(true); - this.orgs$ = from(this.authService.SearchMyProjectOrgs(10, 0, query ? [query] : undefined)).pipe( + this.orgs$ = from(this.authService.listMyProjectOrgs(10, 0, query ? [query] : undefined)).pipe( map(resp => { - return resp.toObject().resultList; + return resp.resultList; }), catchError(() => of([])), finalize(() => { @@ -264,12 +261,15 @@ export class AppComponent implements OnDestroy { this.translate.setDefaultLang('en'); this.authService.user.subscribe(userprofile => { - this.profile = userprofile; - const cropped = navigator.language.split('-')[0] ?? 'en'; - const fallbackLang = cropped.match(/en|de/) ? cropped : 'en'; - const lang = userprofile.preferredLanguage.match(/en|de/) ? userprofile.preferredLanguage : fallbackLang; - this.translate.use(lang); - this.document.documentElement.lang = lang; + if (userprofile) { + this.user = userprofile; + const cropped = navigator.language.split('-')[0] ?? 'en'; + const fallbackLang = cropped.match(/en|de/) ? cropped : 'en'; + + const lang = userprofile?.human?.profile?.preferredLanguage.match(/en|de/) ? userprofile.human.profile?.preferredLanguage : fallbackLang; + this.translate.use(lang); + this.document.documentElement.lang = lang; + } }); } 
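Review bot: The language check inside the `authService.user` subscription is unanchored, so `.match(/en|de/)` accepts any `preferredLanguage` that merely contains "en" or "de", and that string is then handed to `this.translate.use(lang)` and written to `document.documentElement.lang`. An exact allow-list keeps a profile value from selecting an arbitrary language key: `const preferred = userprofile.human?.profile?.preferredLanguage ?? '';` followed by `const lang = ['en', 'de'].includes(preferred) ? preferred : fallbackLang;`. The same applies to `cropped.match(/en|de/)` for the browser language. The enclosing method starts outside the hunk.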
@@ -284,9 +284,8 @@ export class AppComponent implements OnDestroy { private getProjectCount(): void { this.authService.isAllowed(['project.read']).subscribe((allowed) => { if (allowed) { - this.mgmtService.SearchProjects(0, 0); - - this.mgmtService.SearchGrantedProjects(0, 0); + this.mgmtService.listProjects(0, 0); + this.mgmtService.listGrantedProjects(0, 0); } }); } diff --git a/console/src/app/guards/user.guard.ts b/console/src/app/guards/user.guard.ts index f0cdb66c0f..f7e239413c 100644 --- a/console/src/app/guards/user.guard.ts +++ b/console/src/app/guards/user.guard.ts @@ -17,7 +17,7 @@ export class UserGuard implements CanActivate { state: RouterStateSnapshot, ): Observable | Promise | boolean { return this.authService.user.pipe( - map(user => user.id !== route.params.id), + map(user => user?.id !== route.params.id), tap((isNotMe) => { if (!isNotMe) { this.router.navigate(['/users', 'me']); diff --git a/console/src/app/modules/accounts-card/accounts-card.component.html b/console/src/app/modules/accounts-card/accounts-card.component.html index 4a8b6cdd2d..436486ad8f 100644 --- a/console/src/app/modules/accounts-card/accounts-card.component.html +++ b/console/src/app/modules/accounts-card/accounts-card.component.html @@ -1,24 +1,27 @@
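Review bot: With `user?.id` in user.guard.ts, an `undefined` emission from `authService.user` evaluates to `undefined !== route.params.id`, which counts as "not me", so the guard lets the navigation through before the user is known. If the observable can emit before the profile is loaded (the `if (userprofile)` check added in app.component.ts suggests it can), dropping empty emissions first ties the decision to a real id: `filter(user => !!user),` ahead of the `map`, with `filter` added to the `rxjs/operators` import. This guard is only a client-side redirect, so a short comment saying that access to other users is enforced by the API and not here would prevent it being read as an authorization check. `canActivate` starts and ends outside the hunk.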
- + - {{profile.displayName ? profile.displayName : profile.preferredLoginName}} - {{profile?.preferredLoginName}} + {{user.human?.profile?.displayName ? user.human?.profile?.displayName : 'A'}} + {{user.human?.profile?.preferredLoginName}} IAM USER
- - + +
- {{user.displayName ? user.displayName : user.userName}} - {{user.loginName}} - + {{session.displayName ? session.displayName : session.userName}} + {{session.loginName}} +
keyboard_arrow_right diff --git a/console/src/app/modules/accounts-card/accounts-card.component.ts b/console/src/app/modules/accounts-card/accounts-card.component.ts index eb5728de5c..de99512b26 100644 --- a/console/src/app/modules/accounts-card/accounts-card.component.ts +++ b/console/src/app/modules/accounts-card/accounts-card.component.ts @@ -1,7 +1,7 @@ import { Component, EventEmitter, Input, OnInit, Output } from '@angular/core'; import { Router } from '@angular/router'; import { AuthConfig } from 'angular-oauth2-oidc'; -import { UserProfileView, UserSessionView } from 'src/app/proto/generated/auth_pb'; +import { Session, User } from 'src/app/proto/generated/zitadel/user_pb'; import { AuthenticationService } from 'src/app/services/authentication.service'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; @@ -11,18 +11,18 @@ import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; styleUrls: ['./accounts-card.component.scss'], }) export class AccountsCardComponent implements OnInit { - @Input() public profile!: UserProfileView.AsObject; + @Input() public user!: User.AsObject; @Input() public iamuser: boolean = false; @Output() public close: EventEmitter = new EventEmitter(); - public users: UserSessionView.AsObject[] = []; + public sessions: Session.AsObject[] = []; public loadingUsers: boolean = false; constructor(public authService: AuthenticationService, private router: Router, private userService: GrpcAuthService) { - this.userService.getMyUserSessions().then(sessions => { - this.users = sessions.toObject().userSessionsList; - const index = this.users.findIndex(user => user.loginName === this.profile.preferredLoginName); + this.userService.listMyUserSessions().then(sessions => { + this.sessions = sessions.resultList; + const index = this.sessions.findIndex(user => user.loginName === this.user.preferredLoginName); if (index > -1) { - this.users.splice(index, 1); + this.sessions.splice(index, 1); } this.loadingUsers = false; 
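Review bot: The constructor in accounts-card.component.ts filters the session list with `this.user.preferredLoginName`, while the template hunk of the same commit reads the value as `user.human?.profile?.preferredLoginName`. It is worth checking against the generated `User.AsObject` which of the two paths exists, because the wrong one yields `undefined` without an error. If the TypeScript side is wrong, `findIndex` never matches and the current account stays in the list of other sessions. The callback also dereferences the `@Input() user` from a promise started in the constructor; `this.user?.preferredLoginName`, or moving the `listMyUserSessions()` call into `ngOnInit`, avoids a throw when the response arrives before the input is bound. The constructor continues outside the hunk.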
diff --git a/console/src/app/modules/add-key-dialog/add-key-dialog.component.ts b/console/src/app/modules/add-key-dialog/add-key-dialog.component.ts index f02ada00f2..ae3bf7a567 100644 --- a/console/src/app/modules/add-key-dialog/add-key-dialog.component.ts +++ b/console/src/app/modules/add-key-dialog/add-key-dialog.component.ts @@ -1,7 +1,7 @@ import { Component, Inject } from '@angular/core'; import { FormControl } from '@angular/forms'; import { MAT_DIALOG_DATA, MatDialogRef } from '@angular/material/dialog'; -import { AuthNKeyType, MachineKeyType } from 'src/app/proto/generated/management_pb'; +import { KeyType } from 'src/app/proto/generated/zitadel/auth_n_key_pb'; export enum AddKeyDialogType { MACHINE = "MACHINE", @@ -15,21 +15,16 @@ export enum AddKeyDialogType { }) export class AddKeyDialogComponent { public startDate: Date = new Date(); - types: MachineKeyType[] | AuthNKeyType[] = []; - public type!: MachineKeyType | AuthNKeyType; + types: KeyType[] = []; + public type!: KeyType; public dateControl: FormControl = new FormControl('', []); constructor( public dialogRef: MatDialogRef, @Inject(MAT_DIALOG_DATA) public data: any, ) { - if (data.type = AddKeyDialogType.MACHINE) { - this.types = [MachineKeyType.MACHINEKEY_JSON]; - this.type = MachineKeyType.MACHINEKEY_JSON; - } else if (data.type = AddKeyDialogType.AUTHNKEY) { - this.types = [AuthNKeyType.AUTHNKEY_JSON]; - this.type = AuthNKeyType.AUTHNKEY_JSON; - } + this.types = [KeyType.KEY_TYPE_JSON]; + this.type = KeyType.KEY_TYPE_JSON; const today = new Date(); this.startDate.setDate(today.getDate() + 1); } diff --git a/console/src/app/modules/add-member-dialog/member-create-dialog.component.ts b/console/src/app/modules/add-member-dialog/member-create-dialog.component.ts index 5d41429284..a3b6deecda 100644 --- a/console/src/app/modules/add-member-dialog/member-create-dialog.component.ts +++ b/console/src/app/modules/add-member-dialog/member-create-dialog.component.ts 
@@ -1,7 +1,8 @@ import { Component, Inject } from '@angular/core'; import { MAT_DIALOG_DATA, MatDialogRef } from '@angular/material/dialog'; import { Observable } from 'rxjs'; -import { ProjectGrantView, ProjectRole, ProjectView, UserView } from 'src/app/proto/generated/management_pb'; +import { GrantedProject, Project, Role } from 'src/app/proto/generated/zitadel/project_pb'; +import { User } from 'src/app/proto/generated/zitadel/user_pb'; import { AdminService } from 'src/app/services/admin.service'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; import { ManagementService } from 'src/app/services/mgmt.service'; @@ -23,7 +24,7 @@ export enum CreationType { export class MemberCreateDialogComponent { private projectId: string = ''; private grantId: string = ''; - public preselectedUsers: Array = []; + public preselectedUsers: Array = []; public creationType!: CreationType; @@ -38,8 +39,8 @@ export class MemberCreateDialogComponent { { type: CreationType.PROJECT_OWNED, disabled$: this.authService.isAllowed(['project.member.write']) }, { type: CreationType.PROJECT_GRANTED, disabled$: this.authService.isAllowed(['project.grant.member.write']) }, ]; - public users: Array = []; - public roles: Array | string[] = []; + public users: Array = []; + public roles: Array | string[] = []; public CreationType: any = CreationType; public ProjectAutocompleteType: any = ProjectAutocompleteType; public memberRoleOptions: string[] = []; 
@@ -72,22 +73,22 @@ export class MemberCreateDialogComponent { public loadRoles(): void { switch (this.creationType) { case CreationType.PROJECT_GRANTED: - this.mgmtService.GetProjectGrantMemberRoles().then(resp => { - this.memberRoleOptions = resp.toObject().rolesList; + this.mgmtService.listProjectGrantMemberRoles().then(resp => { + this.memberRoleOptions = resp.resultList; }).catch(error => { this.toastService.showError(error); }); break; case CreationType.PROJECT_OWNED: - this.mgmtService.GetProjectMemberRoles().then(resp => { - this.memberRoleOptions = resp.toObject().rolesList; + this.mgmtService.listProjectMemberRoles().then(resp => { + this.memberRoleOptions = resp.resultList; }).catch(error => { this.toastService.showError(error); }); break; case CreationType.IAM: - this.adminService.GetIamMemberRoles().then(resp => { - this.memberRoleOptions = resp.toObject().rolesList; + this.adminService.listIAMMemberRoles().then(resp => { + this.memberRoleOptions = resp.rolesList; }).catch(error => { this.toastService.showError(error); }); @@ -95,7 +96,7 @@ export class MemberCreateDialogComponent { } } - public selectProject(project: ProjectView.AsObject | ProjectGrantView.AsObject | any): void { + public selectProject(project: Project.AsObject | GrantedProject.AsObject | any): void { this.projectId = project.projectId; if (project.id) { this.grantId = project.id; diff --git a/console/src/app/modules/app-card/app-card.component.ts b/console/src/app/modules/app-card/app-card.component.ts index 98e88c2084..1e5012d7ee 100644 --- a/console/src/app/modules/app-card/app-card.component.ts +++ b/console/src/app/modules/app-card/app-card.component.ts @@ -1,5 +1,5 @@ import { Component, Input } from '@angular/core'; -import { OIDCApplicationType } from 'src/app/proto/generated/management_pb'; +import { OIDCAppType } from 'src/app/proto/generated/zitadel/app_pb'; @Component({ selector: 'cnsl-app-card', 
@@ -8,7 +8,7 @@ import { OIDCApplicationType } from 'src/app/proto/generated/management_pb'; }) export class AppCardComponent { @Input() public outline: boolean = false; - @Input() public type!: OIDCApplicationType; + @Input() public type!: OIDCAppType; @Input() public isApiApp: boolean = false; - public OIDCApplicationType: any = OIDCApplicationType; + public OIDCApplicationType: any = OIDCAppType; } diff --git a/console/src/app/modules/app-radio/app-auth-method-radio/app-auth-method-radio.component.ts b/console/src/app/modules/app-radio/app-auth-method-radio/app-auth-method-radio.component.ts index cfc36c1704..314e54767f 100644 --- a/console/src/app/modules/app-radio/app-auth-method-radio/app-auth-method-radio.component.ts +++ b/console/src/app/modules/app-radio/app-auth-method-radio/app-auth-method-radio.component.ts @@ -1,5 +1,10 @@ -import { Component, EventEmitter, Input, OnInit, Output } from '@angular/core'; -import { APIAuthMethodType, OIDCAuthMethodType, OIDCGrantType, OIDCResponseType } from 'src/app/proto/generated/management_pb'; +import { Component, EventEmitter, Input, Output } from '@angular/core'; +import { + APIAuthMethodType, + OIDCAuthMethodType, + OIDCGrantType, + OIDCResponseType, +} from 'src/app/proto/generated/zitadel/app_pb'; export interface RadioItemAuthType { key: string; diff --git a/console/src/app/modules/changes/changes.component.html b/console/src/app/modules/changes/changes.component.html index b7cd76a48e..b75f382d45 100644 --- a/console/src/app/modules/changes/changes.component.html +++ b/console/src/app/modules/changes/changes.component.html @@ -11,8 +11,9 @@ hist.values[0]?.dates[0]| timestampToDate | localizedDate: 'dd. MMMM YYYY' }}
- +
diff --git a/console/src/app/modules/changes/changes.component.ts b/console/src/app/modules/changes/changes.component.ts index c3fba97f57..d5ecaf58fa 100644 --- a/console/src/app/modules/changes/changes.component.ts +++ b/console/src/app/modules/changes/changes.component.ts @@ -1,11 +1,18 @@ +import { KeyValue } from '@angular/common'; import { Component, Input, OnDestroy, OnInit } from '@angular/core'; +import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, from, Observable, of, Subject } from 'rxjs'; import { catchError, debounceTime, scan, take, takeUntil, tap } from 'rxjs/operators'; -import { Change, Changes } from 'src/app/proto/generated/management_pb'; +import { ListMyUserChangesResponse } from 'src/app/proto/generated/zitadel/auth_pb'; +import { Change } from 'src/app/proto/generated/zitadel/change_pb'; +import { + ListAppChangesResponse, + ListOrgChangesResponse, + ListProjectChangesResponse, + ListUserChangesResponse, +} from 'src/app/proto/generated/zitadel/management_pb'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; import { ManagementService } from 'src/app/services/mgmt.service'; -import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; -import { KeyValue } from '@angular/common'; export enum ChangeType { MYUSER = 'myuser', @@ -27,6 +34,8 @@ export interface MappedChange { }>; } +type ListChanges = ListMyUserChangesResponse.AsObject | ListUserChangesResponse.AsObject | ListProjectChangesResponse.AsObject | ListOrgChangesResponse.AsObject | ListAppChangesResponse.AsObject; + @Component({ selector: 'app-changes', templateUrl: './changes.component.html', 
@@ -46,7 +55,7 @@ export class ChangesComponent implements OnInit, OnDestroy { loading: Observable = this._loading.asObservable(); public data!: Observable; - public changes!: Changes.AsObject; + public changes!: ListChanges; private destroyed$: Subject = new Subject(); constructor(private mgmtUserService: ManagementService, private authUserService: GrpcAuthService) { @@ -73,17 +82,17 @@ export class ChangesComponent implements OnInit, OnDestroy { } public init(): void { - let first: Promise; + let first: Promise; switch (this.changeType) { - case ChangeType.MYUSER: first = this.authUserService.GetMyUserChanges(20, 0); + case ChangeType.MYUSER: first = this.authUserService.listMyUserChanges(20, 0); break; - case ChangeType.USER: first = this.mgmtUserService.UserChanges(this.id, 20, 0); + case ChangeType.USER: first = this.mgmtUserService.listUserChanges(this.id, 20, 0); break; - case ChangeType.PROJECT: first = this.mgmtUserService.ProjectChanges(this.id, 20, 0); + case ChangeType.PROJECT: first = this.mgmtUserService.listProjectChanges(this.id, 20, 0); break; - case ChangeType.ORG: first = this.mgmtUserService.OrgChanges(this.id, 20, 0); + case ChangeType.ORG: first = this.mgmtUserService.listOrgChanges(20, 0); break; - case ChangeType.APP: first = this.mgmtUserService.ApplicationChanges(this.id, this.secId, 20, 0); + case ChangeType.APP: first = this.mgmtUserService.listAppChanges(this.id, this.secId, 20, 0); break; } 
@@ -100,18 +109,18 @@ export class ChangesComponent implements OnInit, OnDestroy { const cursor = this.getCursor(); console.log('cursor' + cursor); - let more: Promise; + let more: Promise; switch (this.changeType) { - case ChangeType.MYUSER: more = this.authUserService.GetMyUserChanges(20, cursor); + case ChangeType.MYUSER: more = this.authUserService.listMyUserChanges(20, cursor); break; - case ChangeType.USER: more = this.mgmtUserService.UserChanges(this.id, 20, cursor); + case ChangeType.USER: more = this.mgmtUserService.listUserChanges(this.id, 20, cursor); break; - case ChangeType.PROJECT: more = this.mgmtUserService.ProjectChanges(this.id, 20, cursor); + case ChangeType.PROJECT: more = this.mgmtUserService.listProjectChanges(this.id, 20, cursor); break; - case ChangeType.ORG: more = this.mgmtUserService.OrgChanges(this.id, 20, cursor); + case ChangeType.ORG: more = this.mgmtUserService.listOrgChanges(20, cursor); break; - case ChangeType.APP: more = this.mgmtUserService.ApplicationChanges(this.id, this.secId, 20, cursor); + case ChangeType.APP: more = this.mgmtUserService.listAppChanges(this.id, this.secId, 20, cursor); break; } @@ -131,7 +140,7 @@ export class ChangesComponent implements OnInit, OnDestroy { } // Maps the snapshot to usable format the updates source - private mapAndUpdate(col: Promise): any { + private mapAndUpdate(col: Promise): any { if (this._done.value || this._loading.value) { return; } // Map snapshot with doc ref (needed for cursor) @@ -141,8 +150,8 @@ export class ChangesComponent implements OnInit, OnDestroy { return from(col).pipe( take(1), - tap((res: Changes) => { - const values = res.toObject().changesList; + tap((res: ListChanges) => { + const values = res.resultList; const mapped = this.mapChanges(values); // update source with new values, done loading // this._data.next(values); 
@@ -173,19 +182,19 @@ export class ChangesComponent implements OnInit, OnDestroy { if (index) { if (splitted[index]) { const userData: any = { - editor: change.editor, + editor: change.editorDisplayName, editorId: change.editorId, - editorName: change.editor, + editorName: change.editorDisplayName, dates: [change.changeDate], - data: [change.data], + // data: [change.data], eventTypes: [change.eventType], sequences: [change.sequence], }; const lastIndex = splitted[index].length - 1; - if (lastIndex > -1 && splitted[index][lastIndex].editor === change.editor) { + if (lastIndex > -1 && splitted[index][lastIndex].editor === change.editorDisplayName) { splitted[index][lastIndex].dates.push(change.changeDate); - splitted[index][lastIndex].data.push(change.data); + // splitted[index][lastIndex].data.push(change.data); splitted[index][lastIndex].eventTypes.push(change.eventType); splitted[index][lastIndex].sequences.push(change.sequence); } else { @@ -194,12 +203,12 @@ export class ChangesComponent implements OnInit, OnDestroy { } else { splitted[index] = [ { - editor: change.editor, + editor: change.editorDisplayName, editorId: change.editorId, - editorName: change.editor, + editorName: change.editorDisplayName, dates: [change.changeDate], - data: [change.data], + // data: [change.data], eventTypes: [change.eventType], sequences: [change.sequence], } diff --git a/console/src/app/modules/client-keys/client-keys.component.html b/console/src/app/modules/client-keys/client-keys.component.html index da53785d5a..94e069899a 100644 --- a/console/src/app/modules/client-keys/client-keys.component.html +++ b/console/src/app/modules/client-keys/client-keys.component.html @@ -1,5 +1,5 @@ + [timestamp]="keyResult?.details?.viewTimestamp" [selection]="selection">
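Review bot: Consecutive changes are merged into one history entry when `splitted[index][lastIndex].editor === change.editorDisplayName`, which compares display names rather than identities. Two different users who share a display name would be collapsed into a single editor in this change history. The stable identifier is already stored on each entry, so the comparison can be `splitted[index][lastIndex].editorId === change.editorId`. The commented-out `// data: [change.data],` lines should be deleted, or given a short comment saying why `data` is no longer mapped. The enclosing function starts outside the hunk.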
\ No newline at end of file diff --git a/console/src/app/modules/client-keys/client-keys.component.ts b/console/src/app/modules/client-keys/client-keys.component.ts index e159257a84..d163c5f85d 100644 --- a/console/src/app/modules/client-keys/client-keys.component.ts +++ b/console/src/app/modules/client-keys/client-keys.component.ts @@ -7,12 +7,12 @@ import { TranslateService } from '@ngx-translate/core'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { Moment } from 'moment'; import { BehaviorSubject, Observable } from 'rxjs'; -import { AuthNKeyType, ClientKeySearchResponse, ClientKeyView, MachineKeySearchResponse, MachineKeyType, MachineKeyView } from 'src/app/proto/generated/management_pb'; -import { ManagementService } from 'src/app/services/mgmt.service'; -import { ToastService } from 'src/app/services/toast.service'; - import { AddKeyDialogComponent, AddKeyDialogType } from 'src/app/modules/add-key-dialog/add-key-dialog.component'; import { ShowKeyDialogComponent } from 'src/app/modules/show-key-dialog/show-key-dialog.component'; +import { Key, KeyType } from 'src/app/proto/generated/zitadel/auth_n_key_pb'; +import { ListAppKeysResponse } from 'src/app/proto/generated/zitadel/management_pb'; +import { ManagementService } from 'src/app/services/mgmt.service'; +import { ToastService } from 'src/app/services/toast.service'; @Component({ selector: 'app-client-keys', 
@@ -24,14 +24,14 @@ export class ClientKeysComponent implements OnInit { @Input() appId!: string; @ViewChild(MatPaginator) public paginator!: MatPaginator; - public dataSource: MatTableDataSource = new MatTableDataSource(); - public selection: SelectionModel = new SelectionModel(true, []); - public keyResult!: MachineKeySearchResponse.AsObject | ClientKeySearchResponse.AsObject; + public dataSource: MatTableDataSource = new MatTableDataSource(); + public selection: SelectionModel = new SelectionModel(true, []); + public keyResult!: ListAppKeysResponse.AsObject; private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); @Input() public displayedColumns: string[] = ['select', 'id', 'type', 'creationDate', 'expirationDate']; - @Output() public changedSelection: EventEmitter> = new EventEmitter(); + @Output() public changedSelection: EventEmitter> = new EventEmitter(); constructor(public translate: TranslateService, private mgmtService: ManagementService, private dialog: MatDialog, private toast: ToastService) { @@ -64,7 +64,7 @@ export class ClientKeysComponent implements OnInit { public deleteSelectedKeys(): void { const mappedDeletions = this.selection.selected.map(value => { - return this.mgmtService.DeleteClientKey(value.id, this.projectId, this.appId); + return this.mgmtService.removeAppKey(this.projectId, this.appId, value.id); }); Promise.all(mappedDeletions).then(() => { this.selection.clear(); @@ -83,7 +83,7 @@ export class ClientKeysComponent implements OnInit { dialogRef.afterClosed().subscribe(resp => { if (resp) { - const type: AuthNKeyType = resp.type; + const type: KeyType = resp.type; let date: Timestamp | undefined; 
@@ -99,7 +99,7 @@ export class ClientKeysComponent implements OnInit { } if (type) { - return this.mgmtService.addClientKey(this.projectId, this.appId, type, date).then((response) => { + return this.mgmtService.addAppKey(this.projectId, this.appId, type, date ? date : undefined).then((response) => { if (response) { setTimeout(() => { this.refreshPage(); @@ -107,7 +107,7 @@ export class ClientKeysComponent implements OnInit { this.dialog.open(ShowKeyDialogComponent, { data: { - key: response.toObject(), + key: response, type: AddKeyDialogType.AUTHNKEY }, width: '400px', @@ -124,8 +124,8 @@ export class ClientKeysComponent implements OnInit { private async getData(limit: number, offset: number): Promise { this.loadingSubject.next(true); if (this.projectId && this.appId) { - this.mgmtService.SearchClientKeys(this.projectId, this.appId, limit, offset).then(resp => { - this.keyResult = resp.toObject(); + this.mgmtService.listAppKeys(this.projectId, this.appId, limit, offset).then(resp => { + this.keyResult = resp; this.dataSource.data = this.keyResult.resultList; this.loadingSubject.next(false); }).catch((error: any) => { diff --git a/console/src/app/modules/idp-create/idp-create.component.ts b/console/src/app/modules/idp-create/idp-create.component.ts index 4cd6bf2302..341acb8860 100644 --- a/console/src/app/modules/idp-create/idp-create.component.ts +++ b/console/src/app/modules/idp-create/idp-create.component.ts 
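Review bot: `date ? date : undefined` in the `addAppKey` call is a no-op, because `date` is already declared as `Timestamp | undefined` a few lines above. Passing it directly reads more clearly: `this.mgmtService.addAppKey(this.projectId, this.appId, type, date)`.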
@@ -6,18 +6,13 @@ import { MatChipInputEvent } from '@angular/material/chips'; import { ActivatedRoute, Params, Router } from '@angular/router'; import { Subscription } from 'rxjs'; import { take } from 'rxjs/operators'; -import { - OidcIdpConfigCreate as AdminOidcIdpConfigCreate, - OIDCMappingField as authMappingFields, -} from 'src/app/proto/generated/admin_pb'; +import { AddOIDCIDPRequest } from 'src/app/proto/generated/zitadel/admin_pb'; +import { OIDCMappingField } from 'src/app/proto/generated/zitadel/idp_pb'; +import { AddOrgOIDCIDPRequest } from 'src/app/proto/generated/zitadel/management_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; -import { - OidcIdpConfigCreate as MgmtOidcIdpConfigCreate, - OIDCMappingField as mgmtMappingFields, -} from '../../proto/generated/management_pb'; import { PolicyComponentServiceType } from '../policies/policy-component-types.enum'; @Component({ @@ -29,7 +24,7 @@ export class IdpCreateComponent implements OnInit, OnDestroy { public serviceType: PolicyComponentServiceType = PolicyComponentServiceType.MGMT; private service!: ManagementService | AdminService; public readonly separatorKeysCodes: number[] = [ENTER, COMMA, SPACE]; - public mappingFields: mgmtMappingFields[] | authMappingFields[] = []; + public mappingFields: OIDCMappingField[] = []; private subscription?: Subscription; public projectId: string = ''; 
@@ -61,14 +56,14 @@ export class IdpCreateComponent implements OnInit, OnDestroy { case PolicyComponentServiceType.MGMT: this.service = this.injector.get(ManagementService as Type); this.mappingFields = [ - mgmtMappingFields.OIDCMAPPINGFIELD_PREFERRED_USERNAME, - mgmtMappingFields.OIDCMAPPINGFIELD_EMAIL]; + OIDCMappingField.OIDC_MAPPING_FIELD_PREFERRED_USERNAME, + OIDCMappingField.OIDC_MAPPING_FIELD_EMAIL]; break; case PolicyComponentServiceType.ADMIN: this.service = this.injector.get(AdminService as Type); this.mappingFields = [ - authMappingFields.OIDCMAPPINGFIELD_PREFERRED_USERNAME, - authMappingFields.OIDCMAPPINGFIELD_EMAIL]; + OIDCMappingField.OIDC_MAPPING_FIELD_PREFERRED_USERNAME, + OIDCMappingField.OIDC_MAPPING_FIELD_EMAIL]; break; } }); 
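Review bot: After the switch to the shared `OIDCMappingField` enum, both `case` branches assign exactly the same `mappingFields` array, so the duplication no longer carries any meaning. Assign it once after the `switch`, as `idp.component.ts` does in this same commit, and leave only the `this.service = ...` line in each branch.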
@@ -87,36 +82,50 @@ export class IdpCreateComponent implements OnInit, OnDestroy { } public addIdp(): void { - let req: AdminOidcIdpConfigCreate | MgmtOidcIdpConfigCreate; + if (this.serviceType == PolicyComponentServiceType.MGMT) { + const req = new AddOrgOIDCIDPRequest(); - switch (this.serviceType) { - case PolicyComponentServiceType.MGMT: - req = new MgmtOidcIdpConfigCreate(); - break; - case PolicyComponentServiceType.ADMIN: - req = new AdminOidcIdpConfigCreate(); - break; + req.setName(this.name?.value); + req.setClientId(this.clientId?.value); + req.setClientSecret(this.clientSecret?.value); + req.setIssuer(this.issuer?.value); + req.setScopesList(this.scopesList?.value); + req.setDisplayNameMapping(this.idpDisplayNameMapping?.value); + req.setUsernameMapping(this.usernameMapping?.value); + this.loading = true; + (this.service as ManagementService).addOrgOIDCIDP(req).then((idp) => { + setTimeout(() => { + this.loading = false; + this.router.navigate([ + (this.serviceType === PolicyComponentServiceType.MGMT ? 'org' : + this.serviceType === PolicyComponentServiceType.ADMIN ? 'iam' : ''), + 'policy', 'login']); + }, 2000); + }).catch(error => { + this.toast.showError(error); + }); + } else if (PolicyComponentServiceType.ADMIN) { + const req = new AddOIDCIDPRequest(); + req.setName(this.name?.value); + req.setClientId(this.clientId?.value); + req.setClientSecret(this.clientSecret?.value); + req.setIssuer(this.issuer?.value); + req.setScopesList(this.scopesList?.value); + req.setDisplayNameMapping(this.idpDisplayNameMapping?.value); + req.setUsernameMapping(this.usernameMapping?.value); + this.loading = true; + (this.service as AdminService).addOIDCIDP(req).then((idp) => { + setTimeout(() => { + this.loading = false; + this.router.navigate([ + (this.serviceType === PolicyComponentServiceType.MGMT ? 'org' : + this.serviceType === PolicyComponentServiceType.ADMIN ? 
'iam' : ''), + 'policy', 'login']); + }, 2000); + }).catch(error => { + this.toast.showError(error); + }); } - - req.setName(this.name?.value); - req.setClientId(this.clientId?.value); - req.setClientSecret(this.clientSecret?.value); - req.setIssuer(this.issuer?.value); - req.setScopesList(this.scopesList?.value); - req.setIdpDisplayNameMapping(this.idpDisplayNameMapping?.value); - req.setUsernameMapping(this.usernameMapping?.value); - this.loading = true; - this.service.CreateOidcIdp(req).then((idp) => { - setTimeout(() => { - this.loading = false; - this.router.navigate([ - (this.serviceType === PolicyComponentServiceType.MGMT ? 'org' : - this.serviceType === PolicyComponentServiceType.ADMIN ? 'iam' : ''), - 'policy', 'login']); - }, 2000); - }).catch(error => { - this.toast.showError(error); - }); } public close(): void { diff --git a/console/src/app/modules/idp-table/idp-table.component.html b/console/src/app/modules/idp-table/idp-table.component.html index 9e48ce4f35..04058b1e62 100644 --- a/console/src/app/modules/idp-table/idp-table.component.html +++ b/console/src/app/modules/idp-table/idp-table.component.html @@ -1,5 +1,6 @@ + [emitRefreshOnPreviousRoutes]="['/iam/idp/create']" [timestamp]="idpResult?.details?.viewTimestamp" + [selection]="selection">
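Review bot: The second branch of `addIdp` reads `else if (PolicyComponentServiceType.ADMIN)`, which tests the enum constant itself and never looks at `this.serviceType`. Depending on the enum's underlying value, that branch is taken for every non-MGMT service type or never taken, and in both cases the choice of endpoint that receives the client secret is not the one intended. It should be `} else if (this.serviceType === PolicyComponentServiceType.ADMIN) {`, and the first branch should use `===` as well. Neither `.catch` resets `this.loading`, so a failed request leaves the form in its loading state; add `this.loading = false;` there. Inside each branch the nested ternary on `serviceType` is also redundant, since the value is already known.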
-
\ No newline at end of file diff --git a/console/src/app/modules/idp-table/idp-table.component.ts b/console/src/app/modules/idp-table/idp-table.component.ts index c7fed50beb..1e27357bba 100644 --- a/console/src/app/modules/idp-table/idp-table.component.ts +++ b/console/src/app/modules/idp-table/idp-table.component.ts @@ -5,10 +5,10 @@ import { MatPaginator, PageEvent } from '@angular/material/paginator'; import { MatTableDataSource } from '@angular/material/table'; import { RouterLink } from '@angular/router'; import { TranslateService } from '@ngx-translate/core'; -import { Empty } from 'google-protobuf/google/protobuf/empty_pb'; import { BehaviorSubject, Observable } from 'rxjs'; -import { IdpSearchResponse as AdminIdpSearchResponse, IdpState, IdpStylingType, IdpView as AdminIdpView } from 'src/app/proto/generated/admin_pb'; -import { IdpProviderType, IdpView as MgmtIdpView } from 'src/app/proto/generated/management_pb'; +import { ListIDPsResponse } from 'src/app/proto/generated/zitadel/admin_pb'; +import { IDP, IDPOwnerType, IDPState, IDPStylingType } from 'src/app/proto/generated/zitadel/idp_pb'; +import { ListOrgIDPsResponse } from 'src/app/proto/generated/zitadel/management_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; 
@@ -26,20 +26,20 @@ export class IdpTableComponent implements OnInit { @Input() service!: AdminService | ManagementService; @Input() disabled: boolean = false; @ViewChild(MatPaginator) public paginator!: MatPaginator; - public dataSource: MatTableDataSource - = new MatTableDataSource(); - public selection: SelectionModel - = new SelectionModel(true, []); - public idpResult!: AdminIdpSearchResponse.AsObject; + public dataSource: MatTableDataSource + = new MatTableDataSource(); + public selection: SelectionModel + = new SelectionModel(true, []); + public idpResult!: ListIDPsResponse.AsObject | ListOrgIDPsResponse.AsObject; private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); public PolicyComponentServiceType: any = PolicyComponentServiceType; - public IdpProviderType: any = IdpProviderType; - public IdpState: any = IdpState; - public IdpStylingType: any = IdpStylingType; + public IDPOwnerType: any = IDPOwnerType; + public IDPState: any = IDPState; + public IdpStylingType: any = IDPStylingType; @Input() public displayedColumns: string[] = ['select', 'name', 'config', 'dates', 'state']; - @Output() public changedSelection: EventEmitter> + @Output() public changedSelection: EventEmitter> = new EventEmitter(); constructor(public translate: TranslateService, private toast: ToastService, private dialog: MatDialog) { @@ -77,8 +77,12 @@ export class IdpTableComponent implements OnInit { } public deactivateSelectedIdps(): void { - const map: Promise[] = this.selection.selected.map(value => { - return this.service.DeactivateIdpConfig(value.id); + const map: Promise[] = this.selection.selected.map(value => { + if (this.serviceType === PolicyComponentServiceType.MGMT) { + return (this.service as ManagementService).deactivateOrgIDP(value.id); + } else { + return (this.service as AdminService).deactivateIDP(value.id); + } }); Promise.all(map).then(() => { this.selection.clear(); 
@@ -90,8 +94,12 @@ export class IdpTableComponent implements OnInit { } public reactivateSelectedIdps(): void { - const map: Promise[] = this.selection.selected.map(value => { - return this.service.ReactivateIdpConfig(value.id); + const map: Promise[] = this.selection.selected.map(value => { + if (this.serviceType === PolicyComponentServiceType.MGMT) { + return (this.service as ManagementService).reactivateOrgIDP(value.id); + } else { + return (this.service as AdminService).reactivateIDP(value.id); + } }); Promise.all(map).then(() => { this.selection.clear(); @@ -116,9 +124,12 @@ export class IdpTableComponent implements OnInit { dialogRef.afterClosed().subscribe(resp => { if (resp) { this.selection.clear(); - Promise.all(this.selection.selected.map(value => { - return this.service.RemoveIdpConfig(value.id); + if (this.serviceType === PolicyComponentServiceType.MGMT) { + return (this.service as ManagementService).removeOrgIDP(value.id); + } else { + return (this.service as AdminService).removeIDP(value.id); + } })).then(() => { this.toast.showInfo('IDP.TOAST.SELECTEDDEACTIVATED', true); this.refreshPage(); @@ -127,7 +138,7 @@ export class IdpTableComponent implements OnInit { }); } - public removeIdp(idp: AdminIdpView.AsObject | MgmtIdpView.AsObject): void { + public removeIdp(idp: IDP.AsObject): void { const dialogRef = this.dialog.open(WarnDialogComponent, { data: { confirmKey: 'ACTIONS.DELETE', 
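Review bot: In the remove-selected handler (the hunk at old line 116), `this.selection.clear()` still runs before `Promise.all(this.selection.selected.map(...))`. The array being mapped is therefore already empty, and neither `removeOrgIDP` nor `removeIDP` would be called even though the success toast is shown afterwards. Move `this.selection.clear();` into the `.then(() => { ... })` callback, as the deactivate and reactivate handlers do. The toast key `'IDP.TOAST.SELECTEDDEACTIVATED'` also looks copied from the deactivate path, so a removal-specific key would be clearer. The enclosing method starts and ends outside the hunk.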
@@ -140,12 +151,21 @@ export class IdpTableComponent implements OnInit { dialogRef.afterClosed().subscribe(resp => { if (resp) { - this.service.RemoveIdpConfig(idp.id).then(() => { - this.toast.showInfo('IDP.TOAST.REMOVED', true); - setTimeout(() => { - this.refreshPage(); - }, 1000); - }); + if (this.serviceType === PolicyComponentServiceType.MGMT) { + (this.service as ManagementService).removeOrgIDP(idp.id).then(() => { + this.toast.showInfo('IDP.TOAST.REMOVED', true); + setTimeout(() => { + this.refreshPage(); + }, 1000); + }); + } else { + (this.service as AdminService).removeIDP(idp.id).then(() => { + this.toast.showInfo('IDP.TOAST.REMOVED', true); + setTimeout(() => { + this.refreshPage(); + }, 1000); + }); + } } }); } @@ -153,14 +173,26 @@ export class IdpTableComponent implements OnInit { private async getData(limit: number, offset: number): Promise { this.loadingSubject.next(true); - this.service.SearchIdps(limit, offset).then(resp => { - this.idpResult = resp.toObject(); - this.dataSource.data = this.idpResult.resultList; - this.loadingSubject.next(false); - }).catch(error => { - this.toast.showError(error); - this.loadingSubject.next(false); - }); + if (this.serviceType === PolicyComponentServiceType.MGMT) { + (this.service as ManagementService).listOrgIDPs(limit, offset).then(resp => { + this.idpResult = resp; + this.dataSource.data = resp.resultList; + this.loadingSubject.next(false); + }).catch(error => { + this.toast.showError(error); + this.loadingSubject.next(false); + }); + } else { + (this.service as AdminService).listIDPs(limit, offset).then(resp => { + this.idpResult = resp; + this.dataSource.data = resp.resultList; + this.loadingSubject.next(false); + }).catch(error => { + this.toast.showError(error); + this.loadingSubject.next(false); + }); + } + } public refreshPage(): void { 
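Review bot: Neither new branch of `removeIdp` has a rejection handler, so a failed `removeOrgIDP` or `removeIDP` call (for example a permission error) produces no feedback and the identity provider remains configured without the operator being told. Append `.catch(error => { this.toast.showError(error); })` to both chains, matching the error handling that `getData` uses in the next hunk. The two branches differ only in the service call, so selecting the promise first and sharing one `.then`/`.catch` would also remove the duplication.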
@@ -175,14 +207,14 @@ export class IdpTableComponent implements OnInit { } } - public routerLinkForRow(row: MgmtIdpView.AsObject | AdminIdpView.AsObject): any { + public routerLinkForRow(row: IDP.AsObject): any { if (row.id) { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - switch ((row as MgmtIdpView.AsObject).providerType) { - case IdpProviderType.IDPPROVIDERTYPE_SYSTEM: + switch (row.owner) { + case IDPOwnerType.IDP_OWNER_TYPE_SYSTEM: return ['/iam', 'idp', row.id]; - case IdpProviderType.IDPPROVIDERTYPE_ORG: + case IDPOwnerType.IDP_OWNER_TYPE_ORG: return ['/org', 'idp', row.id]; } break; diff --git a/console/src/app/modules/idp/idp.component.ts b/console/src/app/modules/idp/idp.component.ts index 64d550ebe7..b1de5a8618 100644 --- a/console/src/app/modules/idp/idp.component.ts +++ b/console/src/app/modules/idp/idp.component.ts 
@@ -6,18 +6,9 @@ import { MatChipInputEvent } from '@angular/material/chips'; import { ActivatedRoute, Params } from '@angular/router'; import { Subscription } from 'rxjs'; import { switchMap, take } from 'rxjs/operators'; -import { - IdpStylingType as adminIdpStylingType, - IdpUpdate as AdminIdpConfigUpdate, - OidcIdpConfigUpdate as AdminOidcIdpConfigUpdate, - OIDCMappingField as adminMappingFields, -} from 'src/app/proto/generated/admin_pb'; -import { - IdpStylingType as mgmtIdpStylingType, - IdpUpdate as MgmtIdpConfigUpdate, - OidcIdpConfigUpdate as MgmtOidcIdpConfigUpdate, - OIDCMappingField as mgmtMappingFields, -} from 'src/app/proto/generated/management_pb'; +import { UpdateIDPOIDCConfigRequest, UpdateIDPRequest } from 'src/app/proto/generated/zitadel/admin_pb'; +import { IDPStylingType, OIDCMappingField } from 'src/app/proto/generated/zitadel/idp_pb'; +import { UpdateOrgIDPOIDCConfigRequest, UpdateOrgIDPRequest } from 'src/app/proto/generated/zitadel/management_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -30,8 +21,8 @@ import { PolicyComponentServiceType } from '../policies/policy-component-types.e styleUrls: ['./idp.component.scss'], }) export class IdpComponent implements OnInit, OnDestroy { - public mappingFields: mgmtMappingFields[] | adminMappingFields[] = []; - public styleFields: mgmtIdpStylingType[] | adminIdpStylingType[] = []; + public mappingFields: OIDCMappingField[] = []; + public styleFields: IDPStylingType[] = []; public showIdSecretSection: boolean = false; public serviceType: PolicyComponentServiceType = PolicyComponentServiceType.MGMT; 
@@ -70,35 +61,46 @@ export class IdpComponent implements OnInit, OnDestroy { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: this.service = this.injector.get(ManagementService as Type); - this.mappingFields = [ - mgmtMappingFields.OIDCMAPPINGFIELD_PREFERRED_USERNAME, - mgmtMappingFields.OIDCMAPPINGFIELD_EMAIL]; - this.styleFields = [ - mgmtIdpStylingType.IDPSTYLINGTYPE_UNSPECIFIED, - mgmtIdpStylingType.IDPSTYLINGTYPE_GOOGLE]; + break; case PolicyComponentServiceType.ADMIN: this.service = this.injector.get(AdminService as Type); - this.mappingFields = [ - adminMappingFields.OIDCMAPPINGFIELD_PREFERRED_USERNAME, - adminMappingFields.OIDCMAPPINGFIELD_EMAIL]; - this.styleFields = [ - adminIdpStylingType.IDPSTYLINGTYPE_UNSPECIFIED, - adminIdpStylingType.IDPSTYLINGTYPE_GOOGLE]; + break; } + this.mappingFields = [ + OIDCMappingField.OIDC_MAPPING_FIELD_PREFERRED_USERNAME, + OIDCMappingField.OIDC_MAPPING_FIELD_EMAIL]; + this.styleFields = [ + IDPStylingType.STYLING_TYPE_UNSPECIFIED, + IDPStylingType.STYLING_TYPE_GOOGLE]; + return this.route.params.pipe(take(1)); })).subscribe((params) => { const { id } = params; if (id) { - this.service.IdpByID(id).then(idp => { - const idpObject = idp.toObject(); - this.idpForm.patchValue(idpObject); - if (idpObject.oidcConfig) { - this.oidcConfigForm.patchValue(idpObject.oidcConfig); - } - }); + if (this.serviceType == PolicyComponentServiceType.MGMT) { + (this.service as ManagementService).getOrgIDPByID(id).then(resp => { + if (resp.idp) { + const idpObject = resp.idp; + this.idpForm.patchValue(idpObject); + if (idpObject.oidcConfig) { + this.oidcConfigForm.patchValue(idpObject.oidcConfig); + } + } + }); + } else if (this.serviceType == PolicyComponentServiceType.ADMIN) { + (this.service as AdminService).getIDPByID(id).then(resp => { + if (resp.idp) { + const idpObject = resp.idp; + this.idpForm.patchValue(idpObject); + if (idpObject.oidcConfig) { + this.oidcConfigForm.patchValue(idpObject.oidcConfig); + } + } + }); + } 
} }); } 
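Review bot: The new `getOrgIDPByID(id)` and `getIDPByID(id)` calls have no `.catch`, so a failed lookup leaves the form empty with no error shown. Add `.catch(error => { this.toast.showError(error); })` to both. The comparisons `this.serviceType == PolicyComponentServiceType.MGMT` and `== ...ADMIN` should use `===`, as the `idp-table` component does in this same commit. The two branches differ only in the service call, so the form patching could be shared.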
@@ -116,55 +118,71 @@ export class IdpComponent implements OnInit, OnDestroy { } public updateIdp(): void { - let req: AdminIdpConfigUpdate | MgmtIdpConfigUpdate; + if (this.serviceType == PolicyComponentServiceType.MGMT) { + const req = new UpdateOrgIDPRequest(); - switch (this.serviceType) { - case PolicyComponentServiceType.MGMT: - req = new MgmtIdpConfigUpdate(); - break; - case PolicyComponentServiceType.ADMIN: - req = new AdminIdpConfigUpdate(); - break; + req.setIdpId(this.id?.value); + req.setName(this.name?.value); + req.setStylingType(this.stylingType?.value); + + (this.service as ManagementService).updateOrgIDP(req).then(() => { + this.toast.showInfo('IDP.TOAST.SAVED', true); + // this.router.navigate(['idp', ]); + }).catch(error => { + this.toast.showError(error); + }); + } else if (this.serviceType == PolicyComponentServiceType.ADMIN) { + const req = new UpdateIDPRequest(); + + req.setIdpId(this.id?.value); + req.setName(this.name?.value); + req.setStylingType(this.stylingType?.value); + + (this.service as AdminService).updateIDP(req).then(() => { + this.toast.showInfo('IDP.TOAST.SAVED', true); + // this.router.navigate(['idp', ]); + }).catch(error => { + this.toast.showError(error); + }); } - - req.setId(this.id?.value); - req.setName(this.name?.value); - req.setStylingType(this.stylingType?.value); - - this.service.UpdateIdp(req).then((idp) => { - this.toast.showInfo('IDP.TOAST.SAVED', true); - // this.router.navigate(['idp', ]); - }).catch(error => { - this.toast.showError(error); - }); } public updateOidcConfig(): void { - let req: AdminOidcIdpConfigUpdate | MgmtOidcIdpConfigUpdate; + if (this.serviceType == PolicyComponentServiceType.MGMT) { + const req = new UpdateOrgIDPOIDCConfigRequest(); - switch (this.serviceType) { - case PolicyComponentServiceType.MGMT: - req = new MgmtOidcIdpConfigUpdate(); - break; - case PolicyComponentServiceType.ADMIN: - req = new AdminOidcIdpConfigUpdate(); - break; + req.setIdpId(this.id?.value); + 
req.setClientId(this.clientId?.value); + req.setClientSecret(this.clientSecret?.value); + req.setIssuer(this.issuer?.value); + req.setScopesList(this.scopesList?.value); + req.setUsernameMapping(this.usernameMapping?.value); + req.setDisplayNameMapping(this.idpDisplayNameMapping?.value); + + (this.service as ManagementService).updateOrgIDPOIDCConfig(req).then((oidcConfig) => { + this.toast.showInfo('IDP.TOAST.SAVED', true); + // this.router.navigate(['idp', ]); + }).catch(error => { + this.toast.showError(error); + }); + } else if (this.serviceType == PolicyComponentServiceType.ADMIN) { + const req = new UpdateIDPOIDCConfigRequest(); + + req.setIdpId(this.id?.value); + req.setClientId(this.clientId?.value); + req.setClientSecret(this.clientSecret?.value); + req.setIssuer(this.issuer?.value); + req.setScopesList(this.scopesList?.value); + req.setUsernameMapping(this.usernameMapping?.value); + req.setDisplayNameMapping(this.idpDisplayNameMapping?.value); + + (this.service as AdminService).updateIDPOIDCConfig(req).then((oidcConfig) => { + this.toast.showInfo('IDP.TOAST.SAVED', true); + // this.router.navigate(['idp', ]); + }).catch(error => { + this.toast.showError(error); + }); } - - req.setIdpId(this.id?.value); - req.setClientId(this.clientId?.value); - req.setClientSecret(this.clientSecret?.value); - req.setIssuer(this.issuer?.value); - req.setScopesList(this.scopesList?.value); - req.setUsernameMapping(this.usernameMapping?.value); - req.setIdpDisplayNameMapping(this.idpDisplayNameMapping?.value); - - this.service.UpdateOidcIdpConfig(req).then((oidcConfig) => { - this.toast.showInfo('IDP.TOAST.SAVED', true); - // this.router.navigate(['idp', ]); - }).catch(error => { - this.toast.showError(error); - }); } public close(): void { diff --git a/console/src/app/modules/machine-keys/machine-keys.component.html b/console/src/app/modules/machine-keys/machine-keys.component.html index 7f1497effd..1850ddade4 100644 
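Review bot: Both branches of `updateOidcConfig` call `req.setClientSecret(this.clientSecret?.value)` unconditionally, so saving any other OIDC field also submits whatever the secret control currently holds. If the load in the earlier hunk does not return the stored secret (not visible here), that value is empty, and whether the backend reads an empty secret as "keep" or "clear" is not shown in this diff. Setting it only when the user entered one, `if (this.clientSecret?.value) { req.setClientSecret(this.clientSecret.value); }`, makes the intent explicit in the MGMT and the ADMIN branch alike. The `(oidcConfig)` callback parameter is unused in both `.then` handlers and can be dropped, as the new `updateIdp` already does.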
--- a/console/src/app/modules/machine-keys/machine-keys.component.html +++ b/console/src/app/modules/machine-keys/machine-keys.component.html @@ -1,5 +1,5 @@ + [timestamp]="keyResult?.details?.viewTimestamp" [selection]="selection">
\ No newline at end of file diff --git a/console/src/app/modules/machine-keys/machine-keys.component.ts b/console/src/app/modules/machine-keys/machine-keys.component.ts index c7fe2312fd..8b662ccc3d 100644 --- a/console/src/app/modules/machine-keys/machine-keys.component.ts +++ b/console/src/app/modules/machine-keys/machine-keys.component.ts @@ -7,12 +7,12 @@ import { TranslateService } from '@ngx-translate/core'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { Moment } from 'moment'; import { BehaviorSubject, Observable } from 'rxjs'; -import { ClientKeySearchResponse, MachineKeySearchResponse, MachineKeyType, MachineKeyView } from 'src/app/proto/generated/management_pb'; -import { ManagementService } from 'src/app/services/mgmt.service'; -import { ToastService } from 'src/app/services/toast.service'; - import { AddKeyDialogComponent, AddKeyDialogType } from 'src/app/modules/add-key-dialog/add-key-dialog.component'; import { ShowKeyDialogComponent } from 'src/app/modules/show-key-dialog/show-key-dialog.component'; +import { Key, KeyType } from 'src/app/proto/generated/zitadel/auth_n_key_pb'; +import { ListMachineKeysResponse } from 'src/app/proto/generated/zitadel/management_pb'; +import { ManagementService } from 'src/app/services/mgmt.service'; +import { ToastService } from 'src/app/services/toast.service'; @Component({ selector: 'app-machine-keys', 
@@ -23,14 +23,14 @@ export class MachineKeysComponent implements OnInit { @Input() userId!: string; @ViewChild(MatPaginator) public paginator!: MatPaginator; - public dataSource: MatTableDataSource = new MatTableDataSource(); - public selection: SelectionModel = new SelectionModel(true, []); - public keyResult!: MachineKeySearchResponse.AsObject | ClientKeySearchResponse.AsObject; + public dataSource: MatTableDataSource = new MatTableDataSource(); + public selection: SelectionModel = new SelectionModel(true, []); + public keyResult!: ListMachineKeysResponse.AsObject; private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); @Input() public displayedColumns: string[] = ['select', 'id', 'type', 'creationDate', 'expirationDate']; - @Output() public changedSelection: EventEmitter> = new EventEmitter(); + @Output() public changedSelection: EventEmitter> = new EventEmitter(); constructor(public translate: TranslateService, private mgmtService: ManagementService, private dialog: MatDialog, private toast: ToastService) { @@ -63,7 +63,7 @@ export class MachineKeysComponent implements OnInit { public deleteSelectedKeys(): void { const mappedDeletions = this.selection.selected.map(value => { - return this.mgmtService.DeleteMachineKey(value.id, this.userId); + return this.mgmtService.removeMachineKey(value.id, this.userId); }); Promise.all(mappedDeletions).then(() => { this.selection.clear(); @@ -82,7 +82,7 @@ export class MachineKeysComponent implements OnInit { dialogRef.afterClosed().subscribe(resp => { if (resp) { - const type: MachineKeyType = resp.type; + const type: KeyType = resp.type; let date: Timestamp | undefined; 
@@ -98,7 +98,7 @@ export class MachineKeysComponent implements OnInit { } if (type) { - return this.mgmtService.AddMachineKey(this.userId, type, date).then((response) => { + return this.mgmtService.addMachineKey(this.userId, type, date).then((response) => { if (response) { setTimeout(() => { this.refreshPage(); @@ -106,7 +106,7 @@ export class MachineKeysComponent implements OnInit { this.dialog.open(ShowKeyDialogComponent, { data: { - key: response.toObject(), + key: response, type: AddKeyDialogType.MACHINE }, width: '400px', @@ -124,9 +124,11 @@ export class MachineKeysComponent implements OnInit { this.loadingSubject.next(true); if (this.userId) { - this.mgmtService.SearchMachineKeys(this.userId, limit, offset).then(resp => { - this.keyResult = resp.toObject(); - this.dataSource.data = this.keyResult.resultList; + this.mgmtService.listMachineKeys(this.userId, limit, offset).then(resp => { + this.keyResult = resp; + if (resp.resultList) { + this.dataSource.data = resp.resultList; + } this.loadingSubject.next(false); }).catch((error: any) => { this.toast.showError(error); diff --git a/console/src/app/modules/members-table/members-table.component.ts b/console/src/app/modules/members-table/members-table.component.ts index 1e70dd3a0f..7627538eaf 100644 --- a/console/src/app/modules/members-table/members-table.component.ts +++ b/console/src/app/modules/members-table/members-table.component.ts 
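Review bot: In `@@ -124,9 +124,11 @@` the new guard `if (resp.resultList)` leaves `dataSource.data` untouched when the response carries no list, so the table keeps showing the rows from the previous load. On a refresh after `deleteSelectedKeys` has removed the last key, this could keep displaying machine keys that no longer exist, if the service omits the field for an empty result (not visible here). Assigning unconditionally with a fallback, `this.dataSource.data = resp.resultList ?? [];`, keeps the view in step with the server. The enclosing method starts outside the hunk.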
@@ -7,12 +7,10 @@ import { Observable, Subject } from 'rxjs'; import { takeUntil } from 'rxjs/operators'; import { IamMembersDataSource } from 'src/app/pages/iam/iam-members/iam-members-datasource'; import { OrgMembersDataSource } from 'src/app/pages/orgs/org-members/org-members-datasource'; -import { IamMemberView } from 'src/app/proto/generated/admin_pb'; -import { OrgMemberView, ProjectMemberView } from 'src/app/proto/generated/management_pb'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; import { ProjectMembersDataSource } from '../project-members/project-members-datasource'; -type View = OrgMemberView.AsObject | ProjectMemberView.AsObject | IamMemberView.AsObject; type MemberDatasource = OrgMembersDataSource | ProjectMembersDataSource | IamMembersDataSource; @Component({ @@ -25,15 +23,15 @@ export class MembersTableComponent implements OnInit, OnDestroy { @Input() public canDelete: boolean = false; @Input() public canWrite: boolean = false; @ViewChild(MatPaginator) public paginator!: MatPaginator; - @ViewChild(MatTable) public table!: MatTable; + @ViewChild(MatTable) public table!: MatTable; @Input() public dataSource!: MemberDatasource; public selection: SelectionModel = new SelectionModel(true, []); @Input() public memberRoleOptions: string[] = []; @Input() public factoryLoadFunc!: Function; @Input() public refreshTrigger!: Observable; - @Output() public updateRoles: EventEmitter<{ member: View, change: MatSelectChange; }> = new EventEmitter(); + @Output() public updateRoles: EventEmitter<{ member: Member, change: MatSelectChange; }> = new EventEmitter(); @Output() public changedSelection: EventEmitter = new EventEmitter(); - @Output() public deleteMember: EventEmitter = new EventEmitter(); + @Output() public deleteMember: EventEmitter = new EventEmitter(); private destroyed: Subject = new Subject(); 
diff --git a/console/src/app/modules/mfa-table/dialog-add-type/dialog-add-type.component.html b/console/src/app/modules/mfa-table/dialog-add-type/dialog-add-type.component.html index 8d56ad9489..485c9e1987 100644 --- a/console/src/app/modules/mfa-table/dialog-add-type/dialog-add-type.component.html +++ b/console/src/app/modules/mfa-table/dialog-add-type/dialog-add-type.component.html @@ -2,18 +2,18 @@

{{data.desc | translate}}

- +
-
\ No newline at end of file diff --git a/console/src/app/modules/mfa-table/dialog-add-type/dialog-add-type.component.ts b/console/src/app/modules/mfa-table/dialog-add-type/dialog-add-type.component.ts index befb157abf..3044bae64f 100644 --- a/console/src/app/modules/mfa-table/dialog-add-type/dialog-add-type.component.ts +++ b/console/src/app/modules/mfa-table/dialog-add-type/dialog-add-type.component.ts @@ -1,9 +1,6 @@ import { Component, Inject } from '@angular/core'; import { MAT_DIALOG_DATA, MatDialogRef } from '@angular/material/dialog'; -import { MultiFactorType as AdminMultiFactorType } from 'src/app/proto/generated/admin_pb'; -import { MultiFactorType as MgmtMultiFactorType } from 'src/app/proto/generated/management_pb'; - enum LoginMethodComponentType { MultiFactor = 1, SecondFactor = 2, @@ -16,11 +13,10 @@ enum LoginMethodComponentType { }) export class DialogAddTypeComponent { public LoginMethodComponentType: any = LoginMethodComponentType; - public newMfaType!: AdminMultiFactorType | MgmtMultiFactorType; - public availableMfaTypes: Array = []; + // public availableMfaTypes: Array = []; constructor(public dialogRef: MatDialogRef, @Inject(MAT_DIALOG_DATA) public data: any) { - this.availableMfaTypes = data.types; + // this.availableMfaTypes = data.types; } public closeDialog(): void { @@ -28,6 +24,6 @@ export class DialogAddTypeComponent { } public closeDialogWithCode(): void { - this.dialogRef.close(this.newMfaType); + // this.dialogRef.close(this.newMfaType); } } diff --git a/console/src/app/modules/mfa-table/mfa-table.component.ts b/console/src/app/modules/mfa-table/mfa-table.component.ts index a8c425b705..842ce97eed 100644 --- a/console/src/app/modules/mfa-table/mfa-table.component.ts +++ b/console/src/app/modules/mfa-table/mfa-table.component.ts 
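Review bot: `closeDialogWithCode()` in `@@ -28,6 +24,6 @@` is left with only a commented-out body, so the confirm action of `DialogAddTypeComponent` no longer closes the dialog or returns a type. Together with `@@ -128,58 +116,57 @@` in mfa-table.component.ts, where the dialog and all four add calls are commented out, the console can still remove multi-factor and second-factor types from a login policy but can no longer add them. In that second hunk `selection` is still computed and filtered but, as far as the hunk shows, never read afterwards. If the add flow is only parked during the API migration, mark it with a comment such as `// TODO: re-enable once the add-factor dialog is ported to the policy_pb types` and disable whatever control triggers it; otherwise delete the dead code instead of keeping it commented out.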
@@ -4,24 +4,20 @@ import { MatPaginator } from '@angular/material/paginator'; import { TranslateService } from '@ngx-translate/core'; import { BehaviorSubject, Observable } from 'rxjs'; import { - MultiFactor as AdminMultiFactor, - MultiFactorType as AdminMultiFactorType, - SecondFactor as AdminSecondFactor, - SecondFactorType as AdminSecondFactorType, -} from 'src/app/proto/generated/admin_pb'; + RemoveMultiFactorFromLoginPolicyRequest as AdminRemoveMultiFactorFromLoginPolicyRequest, + RemoveSecondFactorFromLoginPolicyRequest as AdminRemoveSecondFactorFromLoginPolicyRequest, +} from 'src/app/proto/generated/zitadel/admin_pb'; import { - MultiFactor as MgmtMultiFactor, - MultiFactorType as MgmtMultiFactorType, - SecondFactor as MgmtSecondFactor, - SecondFactorType as MgmtSecondFactorType, -} from 'src/app/proto/generated/management_pb'; + RemoveMultiFactorFromLoginPolicyRequest as MgmtRemoveMultiFactorFromLoginPolicyRequest, + RemoveSecondFactorFromLoginPolicyRequest as MgmtRemoveSecondFactorFromLoginPolicyRequest, +} from 'src/app/proto/generated/zitadel/management_pb'; +import { MultiFactorType, SecondFactorType } from 'src/app/proto/generated/zitadel/policy_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; import { PolicyComponentServiceType } from '../policies/policy-component-types.enum'; import { WarnDialogComponent } from '../warn-dialog/warn-dialog.component'; -import { DialogAddTypeComponent } from './dialog-add-type/dialog-add-type.component'; export enum LoginMethodComponentType { MultiFactor = 1, 
@@ -40,7 +36,7 @@ export class MfaTableComponent implements OnInit { @Input() service!: AdminService | ManagementService; @Input() disabled: boolean = false; @ViewChild(MatPaginator) public paginator!: MatPaginator; - public mfas: Array = []; + public mfas: Array = []; private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); @@ -53,7 +49,7 @@ export class MfaTableComponent implements OnInit { this.getData(); } - public removeMfa(type: MgmtMultiFactorType | AdminMultiFactorType | MgmtSecondFactorType | AdminSecondFactorType): void { + public removeMfa(type: MultiFactorType | SecondFactorType): void { const dialogRef = this.dialog.open(WarnDialogComponent, { data: { confirmKey: 'ACTIONS.DELETE', 
@@ -68,32 +64,32 @@ export class MfaTableComponent implements OnInit { if (resp) { if (this.serviceType === PolicyComponentServiceType.MGMT) { if (this.componentType === LoginMethodComponentType.MultiFactor) { - const req = new MgmtMultiFactor(); - req.setMultiFactor(type as MgmtMultiFactorType); - (this.service as ManagementService).RemoveMultiFactorFromLoginPolicy(req).then(() => { + const req = new MgmtRemoveMultiFactorFromLoginPolicyRequest(); + req.setType(type as MultiFactorType); + (this.service as ManagementService).removeMultiFactorFromLoginPolicy(req).then(() => { this.toast.showInfo('MFA.TOAST.DELETED', true); this.refreshPageAfterTimout(2000); }); } else if (this.componentType === LoginMethodComponentType.SecondFactor) { - const req = new MgmtSecondFactor(); - req.setSecondFactor(type as MgmtSecondFactorType); - (this.service as ManagementService).RemoveSecondFactorFromLoginPolicy(req).then(() => { + const req = new MgmtRemoveSecondFactorFromLoginPolicyRequest(); + req.setType(type as SecondFactorType); + (this.service as ManagementService).removeSecondFactorFromLoginPolicy(req).then(() => { this.toast.showInfo('MFA.TOAST.DELETED', true); this.refreshPageAfterTimout(2000); }); } } else if (this.serviceType === PolicyComponentServiceType.ADMIN) { if (this.componentType === LoginMethodComponentType.MultiFactor) { - const req = new AdminMultiFactor(); - req.setMultiFactor(type as AdminMultiFactorType); - (this.service as AdminService).RemoveMultiFactorFromDefaultLoginPolicy(req).then(() => { + const req = new AdminRemoveMultiFactorFromLoginPolicyRequest(); + req.setType(type as MultiFactorType); + (this.service as AdminService).removeMultiFactorFromLoginPolicy(req).then(() => { this.toast.showInfo('MFA.TOAST.DELETED', true); this.refreshPageAfterTimout(2000); }); } else if (this.componentType === LoginMethodComponentType.SecondFactor) { - const req = new AdminSecondFactor(); - req.setSecondFactor(type as AdminSecondFactorType); - (this.service as 
AdminService).RemoveSecondFactorFromDefaultLoginPolicy(req).then(() => { + const req = new AdminRemoveSecondFactorFromLoginPolicyRequest(); + req.setType(type as SecondFactorType); + (this.service as AdminService).removeSecondFactorFromLoginPolicy(req).then(() => { this.toast.showInfo('MFA.TOAST.DELETED', true); this.refreshPageAfterTimout(2000); }); @@ -108,17 +104,9 @@ export class MfaTableComponent implements OnInit { let selection: any[] = []; if (this.componentType === LoginMethodComponentType.MultiFactor) { - selection = this.serviceType === PolicyComponentServiceType.MGMT ? - [MgmtMultiFactorType.MULTIFACTORTYPE_U2F_WITH_PIN] : - this.serviceType === PolicyComponentServiceType.ADMIN ? - [AdminMultiFactorType.MULTIFACTORTYPE_U2F_WITH_PIN] : - []; + selection = [MultiFactorType.MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]; } else if (this.componentType === LoginMethodComponentType.SecondFactor) { - selection = this.serviceType === PolicyComponentServiceType.MGMT ? - [MgmtSecondFactorType.SECONDFACTORTYPE_U2F, MgmtSecondFactorType.SECONDFACTORTYPE_OTP] : - this.serviceType === PolicyComponentServiceType.ADMIN ? - [AdminSecondFactorType.SECONDFACTORTYPE_OTP, AdminSecondFactorType.SECONDFACTORTYPE_U2F] : - []; + selection = [SecondFactorType.SECOND_FACTOR_TYPE_U2F, SecondFactorType.SECOND_FACTOR_TYPE_OTP]; } this.mfas.forEach(mfa => { 
@@ -128,58 +116,57 @@ export class MfaTableComponent implements OnInit { } }); - const dialogRef = this.dialog.open(DialogAddTypeComponent, { - data: { - title: 'MFA.CREATE.TITLE', - desc: 'MFA.CREATE.DESCRIPTION', - componentType: this.componentType, - types: selection, - }, - width: '400px', - }); + // const dialogRef = this.dialog.open(DialogAddTypeComponent, { + // data: { + // title: 'MFA.CREATE.TITLE', + // desc: 'MFA.CREATE.DESCRIPTION', + // componentType: this.componentType, + // types: selection, + // }, + // width: '400px', + // }); - dialogRef.afterClosed().subscribe((mfaType: AdminMultiFactorType | MgmtMultiFactorType | - AdminSecondFactorType | MgmtSecondFactorType) => { - if (mfaType) { - if (this.serviceType === PolicyComponentServiceType.MGMT) { - if (this.componentType === LoginMethodComponentType.MultiFactor) { - const req = new MgmtMultiFactor(); - req.setMultiFactor(mfaType as MgmtMultiFactorType); - (this.service as ManagementService).AddMultiFactorToLoginPolicy(req).then(() => { - this.refreshPageAfterTimout(2000); - }).catch(error => { - this.toast.showError(error); - }); - } else if (this.componentType === LoginMethodComponentType.SecondFactor) { - const req = new MgmtSecondFactor(); - req.setSecondFactor(mfaType as MgmtSecondFactorType); - (this.service as ManagementService).AddSecondFactorToLoginPolicy(req).then(() => { - this.refreshPageAfterTimout(2000); - }).catch(error => { - this.toast.showError(error); - }); - } - } else if (this.serviceType === PolicyComponentServiceType.ADMIN) { - if (this.componentType === LoginMethodComponentType.MultiFactor) { - const req = new AdminMultiFactor(); - req.setMultiFactor(mfaType as AdminMultiFactorType); - (this.service as AdminService).addMultiFactorToDefaultLoginPolicy(req).then(() => { - this.refreshPageAfterTimout(2000); - }).catch(error => { - this.toast.showError(error); - }); - } else if (this.componentType === LoginMethodComponentType.SecondFactor) { - const req = new AdminSecondFactor(); 
- req.setSecondFactor(mfaType as AdminSecondFactorType); - (this.service as AdminService).AddSecondFactorToDefaultLoginPolicy(req).then(() => { - this.refreshPageAfterTimout(2000); - }).catch(error => { - this.toast.showError(error); - }); - } - } - } - }); + // dialogRef.afterClosed().subscribe((mfaType: ) => { + // if (mfaType) { + // if (this.serviceType === PolicyComponentServiceType.MGMT) { + // if (this.componentType === LoginMethodComponentType.MultiFactor) { + // const req = new MgmtAddMultiFactorToLoginPolicyRequest(); + // req.setType(mfaType as MultiFactorType); + // (this.service as ManagementService).addMultiFactorToLoginPolicy(req).then(() => { + // this.refreshPageAfterTimout(2000); + // }).catch(error => { + // this.toast.showError(error); + // }); + // } else if (this.componentType === LoginMethodComponentType.SecondFactor) { + // const req = new MgmtAddSecondFactorToLoginPolicyRequest(); + // req.setType(mfaType as SecondFactorType); + // (this.service as ManagementService).addSecondFactorToLoginPolicy(req).then(() => { + // this.refreshPageAfterTimout(2000); + // }).catch(error => { + // this.toast.showError(error); + // }); + // } + // } else if (this.serviceType === PolicyComponentServiceType.ADMIN) { + // if (this.componentType === LoginMethodComponentType.MultiFactor) { + // const req = new AdminAddMultiFactorToLoginPolicyRequest(); + // req.setType(mfaType as MultiFactorType); + // (this.service as AdminService).addMultiFactorToLoginPolicy(req).then(() => { + // this.refreshPageAfterTimout(2000); + // }).catch(error => { + // this.toast.showError(error); + // }); + // } else if (this.componentType === LoginMethodComponentType.SecondFactor) { + // const req = new AdminAddSecondFactorToLoginPolicyRequest(); + // req.setType(mfaType as SecondFactorType); + // (this.service as AdminService).addSecondFactorToLoginPolicy(req).then(() => { + // this.refreshPageAfterTimout(2000); + // }).catch(error => { + // this.toast.showError(error); + // }); + 
// } + // } + // } + // }); } private async getData(): Promise { @@ -187,16 +174,16 @@ export class MfaTableComponent implements OnInit { if (this.serviceType === PolicyComponentServiceType.MGMT) { if (this.componentType === LoginMethodComponentType.MultiFactor) { - (this.service as ManagementService).GetLoginPolicyMultiFactors().then(resp => { - this.mfas = resp.toObject().multiFactorsList; + (this.service as ManagementService).listLoginPolicyMultiFactors().then(resp => { + this.mfas = resp.resultList; this.loadingSubject.next(false); }).catch(error => { this.toast.showError(error); this.loadingSubject.next(false); }); } else if (this.componentType === LoginMethodComponentType.SecondFactor) { - (this.service as ManagementService).GetLoginPolicySecondFactors().then(resp => { - this.mfas = resp.toObject().secondFactorsList; + (this.service as ManagementService).listLoginPolicySecondFactors().then(resp => { + this.mfas = resp.resultList; this.loadingSubject.next(false); }).catch(error => { this.toast.showError(error); 
@@ -205,16 +192,16 @@ export class MfaTableComponent implements OnInit { } } else if (this.serviceType === PolicyComponentServiceType.ADMIN) { if (this.componentType === LoginMethodComponentType.MultiFactor) { - (this.service as AdminService).getDefaultLoginPolicyMultiFactors().then(resp => { - this.mfas = resp.toObject().multiFactorsList; + (this.service as AdminService).listLoginPolicyMultiFactors().then(resp => { + this.mfas = resp.resultList; this.loadingSubject.next(false); }).catch(error => { this.toast.showError(error); this.loadingSubject.next(false); }); } else if (this.componentType === LoginMethodComponentType.SecondFactor) { - (this.service as AdminService).GetDefaultLoginPolicySecondFactors().then(resp => { - this.mfas = resp.toObject().secondFactorsList; + (this.service as AdminService).listLoginPolicySecondFactors().then(resp => { + this.mfas = resp.resultList; this.loadingSubject.next(false); }).catch(error => { this.toast.showError(error); diff --git a/console/src/app/modules/password-complexity-view/password-complexity-view.component.ts b/console/src/app/modules/password-complexity-view/password-complexity-view.component.ts index 16731cf7cc..0c3a29114b 100644 --- a/console/src/app/modules/password-complexity-view/password-complexity-view.component.ts +++ b/console/src/app/modules/password-complexity-view/password-complexity-view.component.ts @@ -1,6 +1,6 @@ import { Component, Input, OnInit } from '@angular/core'; import { FormControl } from '@angular/forms'; -import { PasswordComplexityPolicy } from 'src/app/proto/generated/management_pb'; +import { PasswordComplexityPolicy } from 'src/app/proto/generated/zitadel/policy_pb'; @Component({ selector: 'app-password-complexity-view', diff --git a/console/src/app/modules/policies/label-policy/label-policy.component.ts b/console/src/app/modules/policies/label-policy/label-policy.component.ts index ad75709317..77efe4234d 100644 --- a/console/src/app/modules/policies/label-policy/label-policy.component.ts 
+++ b/console/src/app/modules/policies/label-policy/label-policy.component.ts @@ -1,12 +1,13 @@ import { Component, OnDestroy } from '@angular/core'; import { ActivatedRoute } from '@angular/router'; import { Subscription } from 'rxjs'; -import { DefaultLabelPolicyUpdate, DefaultLabelPolicyView } from 'src/app/proto/generated/admin_pb'; +import { GetLabelPolicyResponse, UpdateLabelPolicyRequest } from 'src/app/proto/generated/zitadel/admin_pb'; +import { LabelPolicy } from 'src/app/proto/generated/zitadel/policy_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ToastService } from 'src/app/services/toast.service'; -import { CnslLinks } from '../../links/links.component'; -import { IAM_COMPLEXITY_LINK, IAM_LABEL_LINK, IAM_LOGIN_POLICY_LINK, IAM_POLICY_LINK } from '../../policy-grid/policy-links'; +import { CnslLinks } from '../../links/links.component'; +import { IAM_COMPLEXITY_LINK, IAM_LOGIN_POLICY_LINK, IAM_POLICY_LINK } from '../../policy-grid/policy-links'; import { PolicyComponentServiceType } from '../policy-component-types.enum'; @@ -16,7 +17,7 @@ import { PolicyComponentServiceType } from '../policy-component-types.enum'; styleUrls: ['./label-policy.component.scss'], }) export class LabelPolicyComponent implements OnDestroy { - public labelData!: DefaultLabelPolicyView.AsObject; + public labelData!: LabelPolicy.AsObject; private sub: Subscription = new Subscription(); @@ -33,8 +34,8 @@ export class LabelPolicyComponent implements OnDestroy { ) { this.route.params.subscribe(() => { this.getData().then(data => { - if (data) { - this.labelData = data.toObject(); + if (data?.policy) { + this.labelData = data.policy; } }); }); 
@@ -44,15 +45,15 @@ export class LabelPolicyComponent implements OnDestroy { this.sub.unsubscribe(); } - private async getData(): Promise { - return this.adminService.GetDefaultLabelPolicy(); + private async getData(): Promise { + return this.adminService.getLabelPolicy(); } public savePolicy(): void { - const req = new DefaultLabelPolicyUpdate(); + const req = new UpdateLabelPolicyRequest(); req.setPrimaryColor(this.labelData.primaryColor); req.setSecondaryColor(this.labelData.secondaryColor); - this.adminService.UpdateDefaultLabelPolicy(req).then(() => { + this.adminService.updateLabelPolicy(req).then(() => { this.toast.showInfo('POLICY.TOAST.SET', true); }).catch(error => { this.toast.showError(error); diff --git a/console/src/app/modules/policies/login-policy/add-idp-dialog/add-idp-dialog.component.ts b/console/src/app/modules/policies/login-policy/add-idp-dialog/add-idp-dialog.component.ts index ec48829508..42080808fa 100644 --- a/console/src/app/modules/policies/login-policy/add-idp-dialog/add-idp-dialog.component.ts +++ b/console/src/app/modules/policies/login-policy/add-idp-dialog/add-idp-dialog.component.ts @@ -1,14 +1,7 @@ import { Component, Inject } from '@angular/core'; import { MAT_DIALOG_DATA, MatDialogRef } from '@angular/material/dialog'; -import { IdpView as AdminIdpView } from 'src/app/proto/generated/admin_pb'; -import { - Idp, - IdpProviderType, - IdpSearchKey, - IdpSearchQuery, - IdpView as MgmtIdpView, - SearchMethod, -} from 'src/app/proto/generated/management_pb'; +import { IDP, IDPOwnerType, IDPOwnerTypeQuery } from 'src/app/proto/generated/zitadel/idp_pb'; +import { IDPQuery } from 'src/app/proto/generated/zitadel/management_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ManagementService } from 'src/app/services/mgmt.service'; 
@@ -23,15 +16,15 @@ export class AddIdpDialogComponent { public PolicyComponentServiceType: any = PolicyComponentServiceType; public serviceType: PolicyComponentServiceType = PolicyComponentServiceType.MGMT; - public idpType!: IdpProviderType; - public idpTypes: IdpProviderType[] = [ - IdpProviderType.IDPPROVIDERTYPE_SYSTEM, - IdpProviderType.IDPPROVIDERTYPE_ORG, + public idpType!: IDPOwnerType; + public idpTypes: IDPOwnerType[] = [ + IDPOwnerType.IDP_OWNER_TYPE_SYSTEM, + IDPOwnerType.IDP_OWNER_TYPE_ORG, ]; - public idp: Idp.AsObject | undefined = undefined; - public availableIdps: Array | string[] = []; - public IdpProviderType: any = IdpProviderType; + public idp: IDP.AsObject | undefined = undefined; + public availableIdps: Array | string[] = []; + public IdpProviderType: any = IDPOwnerType; constructor( private mgmtService: ManagementService, @@ -43,10 +36,10 @@ export class AddIdpDialogComponent { this.serviceType = data.serviceType; switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - this.idpType = IdpProviderType.IDPPROVIDERTYPE_ORG; + this.idpType = IDPOwnerType.IDP_OWNER_TYPE_ORG; break; case PolicyComponentServiceType.ADMIN: - this.idpType = IdpProviderType.IDPPROVIDERTYPE_SYSTEM; + this.idpType = IDPOwnerType.IDP_OWNER_TYPE_SYSTEM; break; } } 
@@ -57,17 +50,17 @@ export class AddIdpDialogComponent { public loadIdps(): void { this.idp = undefined; if (this.serviceType === PolicyComponentServiceType.MGMT) { - const query: IdpSearchQuery = new IdpSearchQuery(); - query.setKey(IdpSearchKey.IDPSEARCHKEY_PROVIDER_TYPE); - query.setMethod(SearchMethod.SEARCHMETHOD_EQUALS); - query.setValue(this.idpType.toString()); + const query: IDPQuery = new IDPQuery(); + const idpOTQ: IDPOwnerTypeQuery = new IDPOwnerTypeQuery(); + idpOTQ.setOwnerType(this.idpType); + query.setOwnerTypeQuery(idpOTQ); - this.mgmtService.SearchIdps(undefined, undefined, [query]).then(idps => { - this.availableIdps = idps.toObject().resultList; + this.mgmtService.listOrgIDPs(undefined, undefined, [query]).then(resp => { + this.availableIdps = resp.resultList; }); } else if (this.serviceType === PolicyComponentServiceType.ADMIN) { - this.adminService.SearchIdps().then(idps => { - this.availableIdps = idps.toObject().resultList; + this.adminService.listIDPs().then(resp => { + this.availableIdps = resp.resultList; }); } } diff --git a/console/src/app/modules/policies/login-policy/login-policy.component.html b/console/src/app/modules/policies/login-policy/login-policy.component.html index 996c9ffcc0..e3b3c94473 100644 --- a/console/src/app/modules/policies/login-policy/login-policy.component.html +++ b/console/src/app/modules/policies/login-policy/login-policy.component.html @@ -102,7 +102,7 @@
google + *ngIf="idp.stylingType == IDPStylingType.STYLING_TYPE_GOOGLE" alt="google" />
{{idp.name}} {{ 'IDP.TYPE' | translate }}: {{ 'IDP.TYPES.'+idp.type | translate }} diff --git a/console/src/app/modules/policies/login-policy/login-policy.component.ts b/console/src/app/modules/policies/login-policy/login-policy.component.ts index 32f1ee3ac5..28e99e89c8 100644 --- a/console/src/app/modules/policies/login-policy/login-policy.component.ts +++ b/console/src/app/modules/policies/login-policy/login-policy.component.ts 
@@ -5,29 +5,28 @@ import { Subscription } from 'rxjs'; import { switchMap } from 'rxjs/operators'; import { LoginMethodComponentType } from 'src/app/modules/mfa-table/mfa-table.component'; import { - DefaultLoginPolicy, - DefaultLoginPolicyRequest, - DefaultLoginPolicyView, - IdpProviderView as AdminIdpProviderView, - IdpStylingType, - IdpView as AdminIdpView, - PasswordlessType as AdminPasswordlessType, -} from 'src/app/proto/generated/admin_pb'; + GetLoginPolicyResponse as AdminGetLoginPolicyResponse, + UpdateLoginPolicyRequest, + UpdateLoginPolicyResponse, +} from 'src/app/proto/generated/zitadel/admin_pb'; +import { IDP, IDPLoginPolicyLink, IDPStylingType } from 'src/app/proto/generated/zitadel/idp_pb'; import { - IdpProviderType, - IdpProviderView as MgmtIdpProviderView, - IdpView as MgmtIdpView, - LoginPolicy, - LoginPolicyRequest, - LoginPolicyView, - PasswordlessType as MgmtPasswordlessType, -} from 'src/app/proto/generated/management_pb'; + AddCustomLoginPolicyRequest, + GetLoginPolicyResponse as MgmtGetLoginPolicyResponse, +} from 'src/app/proto/generated/zitadel/management_pb'; +import { LoginPolicy, PasswordlessType } from 'src/app/proto/generated/zitadel/policy_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; -import { CnslLinks } from '../../links/links.component'; -import { IAM_COMPLEXITY_LINK, IAM_LABEL_LINK, IAM_LOGIN_POLICY_LINK, IAM_POLICY_LINK, ORG_COMPLEXITY_LINK, ORG_IAM_POLICY_LINK } from '../../policy-grid/policy-links'; +import { CnslLinks } from '../../links/links.component'; +import { + IAM_COMPLEXITY_LINK, + IAM_LABEL_LINK, + IAM_POLICY_LINK, + ORG_COMPLEXITY_LINK, + ORG_IAM_POLICY_LINK, +} from '../../policy-grid/policy-links'; import { PolicyComponentServiceType } from '../policy-component-types.enum'; import { AddIdpDialogComponent } from './add-idp-dialog/add-idp-dialog.component'; 
@@ -38,19 +37,19 @@ import { AddIdpDialogComponent } from './add-idp-dialog/add-idp-dialog.component }) export class LoginPolicyComponent implements OnDestroy { public LoginMethodComponentType: any = LoginMethodComponentType; - public passwordlessTypes: Array = []; - public loginData!: LoginPolicyView.AsObject | DefaultLoginPolicyView.AsObject; + public passwordlessTypes: Array = []; + public loginData!: LoginPolicy.AsObject; private sub: Subscription = new Subscription(); public service!: ManagementService | AdminService; public PolicyComponentServiceType: any = PolicyComponentServiceType; public serviceType: PolicyComponentServiceType = PolicyComponentServiceType.MGMT; - public idps: MgmtIdpProviderView.AsObject[] | AdminIdpProviderView.AsObject[] = []; + public idps: IDPLoginPolicyLink.AsObject[] = []; public loading: boolean = false; public disabled: boolean = true; - public IdpStylingType: any = IdpStylingType; + public IDPStylingType: any = IDPStylingType; public nextLinks: CnslLinks[] = []; constructor( private route: ActivatedRoute, @@ -63,8 +62,10 @@ export class LoginPolicyComponent implements OnDestroy { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: this.service = this.injector.get(ManagementService as Type); - this.passwordlessTypes = [MgmtPasswordlessType.PASSWORDLESSTYPE_ALLOWED, - MgmtPasswordlessType.PASSWORDLESSTYPE_NOT_ALLOWED]; + this.passwordlessTypes = [ + PasswordlessType.PASSWORDLESS_TYPE_ALLOWED, + PasswordlessType.PASSWORDLESS_TYPE_NOT_ALLOWED, + ]; this.nextLinks = [ ORG_COMPLEXITY_LINK, ORG_IAM_POLICY_LINK, 
@@ -72,8 +73,10 @@ export class LoginPolicyComponent implements OnDestroy { break; case PolicyComponentServiceType.ADMIN: this.service = this.injector.get(AdminService as Type); - this.passwordlessTypes = [AdminPasswordlessType.PASSWORDLESSTYPE_ALLOWED, - AdminPasswordlessType.PASSWORDLESSTYPE_NOT_ALLOWED]; + this.passwordlessTypes = [ + PasswordlessType.PASSWORDLESS_TYPE_ALLOWED, + PasswordlessType.PASSWORDLESS_TYPE_NOT_ALLOWED, + ]; this.nextLinks = [ IAM_COMPLEXITY_LINK, IAM_POLICY_LINK, @@ -89,15 +92,15 @@ export class LoginPolicyComponent implements OnDestroy { } private fetchData(): void { - this.getData().then(data => { - if (data) { - this.loginData = data.toObject(); + this.getData().then(resp => { + if (resp.policy) { + this.loginData = resp.policy; this.loading = false; - this.disabled = ((this.loginData as LoginPolicyView.AsObject)?.pb_default) ?? false; + this.disabled = ((this.loginData as LoginPolicy.AsObject)?.isDefault) ?? false; } }); - this.getIdps().then(idps => { - this.idps = idps; + this.getIdps().then(resp => { + this.idps = resp; }); } 
@@ -106,48 +109,48 @@ export class LoginPolicyComponent implements OnDestroy { } private async getData(): - Promise { + Promise { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - return (this.service as ManagementService).GetLoginPolicy(); + return (this.service as ManagementService).getLoginPolicy(); case PolicyComponentServiceType.ADMIN: - return (this.service as AdminService).GetDefaultLoginPolicy(); + return (this.service as AdminService).getLoginPolicy(); } } - private async getIdps(): Promise { + private async getIdps(): Promise { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - return (this.service as ManagementService).GetLoginPolicyIdpProviders() - .then((providers) => { - return providers.toObject().resultList; + return (this.service as ManagementService).listLoginPolicyIDPs() + .then((resp) => { + return resp.resultList; }); case PolicyComponentServiceType.ADMIN: - return (this.service as AdminService).GetDefaultLoginPolicyIdpProviders() + return (this.service as AdminService).listLoginPolicyIDPs() .then((providers) => { - return providers.toObject().resultList; + return providers.resultList; }); } } private async updateData(): - Promise { + Promise { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - const mgmtreq = new LoginPolicyRequest(); + const mgmtreq = new AddCustomLoginPolicyRequest(); mgmtreq.setAllowExternalIdp(this.loginData.allowExternalIdp); mgmtreq.setAllowRegister(this.loginData.allowRegister); mgmtreq.setAllowUsernamePassword(this.loginData.allowUsernamePassword); mgmtreq.setForceMfa(this.loginData.forceMfa); mgmtreq.setPasswordlessType(this.loginData.passwordlessType); // console.log(mgmtreq.toObject()); - if ((this.loginData as LoginPolicyView.AsObject).pb_default) { - return (this.service as ManagementService).CreateLoginPolicy(mgmtreq); + if ((this.loginData as LoginPolicy.AsObject).isDefault) { + return (this.service as ManagementService).addCustomLoginPolicy(mgmtreq); } else { 
- return (this.service as ManagementService).UpdateLoginPolicy(mgmtreq); + return (this.service as ManagementService).updateCustomLoginPolicy(mgmtreq); } case PolicyComponentServiceType.ADMIN: - const adminreq = new DefaultLoginPolicyRequest(); + const adminreq = new UpdateLoginPolicyRequest(); adminreq.setAllowExternalIdp(this.loginData.allowExternalIdp); adminreq.setAllowRegister(this.loginData.allowRegister); adminreq.setAllowUsernamePassword(this.loginData.allowUsernamePassword); @@ -156,7 +159,7 @@ export class LoginPolicyComponent implements OnDestroy { // console.log(adminreq.toObject()); - return (this.service as AdminService).UpdateDefaultLoginPolicy(adminreq); + return (this.service as AdminService).updateLoginPolicy(adminreq); } } @@ -174,7 +177,7 @@ export class LoginPolicyComponent implements OnDestroy { public removePolicy(): void { if (this.serviceType === PolicyComponentServiceType.MGMT) { - (this.service as ManagementService).RemoveLoginPolicy().then(() => { + (this.service as ManagementService).resetLoginPolicyToDefault().then(() => { this.toast.showInfo('POLICY.TOAST.RESETSUCCESS', true); this.loading = true; setTimeout(() => { @@ -195,8 +198,8 @@ export class LoginPolicyComponent implements OnDestroy { }); dialogRef.afterClosed().subscribe(resp => { - if (resp && resp.idp && resp.type) { - this.addIdp(resp.idp, resp.type).then(() => { + if (resp && resp.idp) { + this.addIdp(resp.idp).then(() => { this.loading = true; setTimeout(() => { this.fetchData(); 
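Review bot: In the MGMT branch of `updateData()` the request is created as `new AddCustomLoginPolicyRequest()` and that same object is handed to both `addCustomLoginPolicy(mgmtreq)` and `updateCustomLoginPolicy(mgmtreq)`. Unless the service wrapper deliberately accepts the add message for updates (its signature is not visible here), the update path should build the matching update request type, so that a later field added to only one of the two messages cannot be dropped silently. This request carries `allowExternalIdp`, `forceMfa` and `passwordlessType`, so a value that is not sent would weaken the stored login policy without an error. The commented-out `// console.log(mgmtreq.toObject());` could be removed in the same pass.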
@@ -208,29 +211,28 @@ export class LoginPolicyComponent implements OnDestroy { }); } - private addIdp(idp: AdminIdpView.AsObject | MgmtIdpView.AsObject, - type: IdpProviderType = IdpProviderType.IDPPROVIDERTYPE_SYSTEM): Promise { + private addIdp(idp: IDP.AsObject | IDP.AsObject): Promise { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - return (this.service as ManagementService).addIdpProviderToLoginPolicy(idp.id, type); + return (this.service as ManagementService).addIDPToLoginPolicy(idp.id); case PolicyComponentServiceType.ADMIN: - return (this.service as AdminService).AddIdpProviderToDefaultLoginPolicy(idp.id); + return (this.service as AdminService).addIDPToLoginPolicy(idp.id); } } - public removeIdp(idp: AdminIdpProviderView.AsObject | MgmtIdpProviderView.AsObject): void { + public removeIdp(idp: IDPLoginPolicyLink.AsObject): void { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - (this.service as ManagementService).RemoveIdpProviderFromLoginPolicy(idp.idpConfigId).then(() => { - const index = (this.idps as MgmtIdpProviderView.AsObject[]).findIndex(temp => temp === idp); + (this.service as ManagementService).removeIDPFromLoginPolicy(idp.idpId).then(() => { + const index = this.idps.findIndex(temp => temp === idp); if (index > -1) { this.idps.splice(index, 1); } }); break; case PolicyComponentServiceType.ADMIN: - (this.service as AdminService).RemoveIdpProviderFromDefaultLoginPolicy(idp.idpConfigId).then(() => { - const index = (this.idps as AdminIdpProviderView.AsObject[]).findIndex(temp => temp === idp); + (this.service as AdminService).removeIDPFromLoginPolicy(idp.idpId).then(() => { + const index = this.idps.findIndex(temp => temp === idp); if (index > -1) { this.idps.splice(index, 1); } 
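Review bot: `addIdp()` no longer takes an owner type and the MGMT branch calls `addIDPToLoginPolicy(idp.id)` with the id alone, although the dialog still offers a choice between `IDP_OWNER_TYPE_SYSTEM` and `IDP_OWNER_TYPE_ORG`. If the management API needs the owner type to tell an organisation IDP from a system IDP, that selection is now discarded in the `afterClosed()` handler, which only checks `resp.idp`. Confirm that the service derives the owner elsewhere, or keep passing it through, e.g. `this.addIdp(resp.idp, resp.type)`. Separately, the parameter type `IDP.AsObject | IDP.AsObject` is a union of a type with itself and can be `IDP.AsObject`; the same applies to `ageData` in password-age-policy.component.ts.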
@@ -241,7 +243,7 @@ export class LoginPolicyComponent implements OnDestroy { public get isDefault(): boolean { if (this.loginData && this.serviceType === PolicyComponentServiceType.MGMT) { - return (this.loginData as LoginPolicyView.AsObject).pb_default; + return (this.loginData as LoginPolicy.AsObject).isDefault; } else { return false; } diff --git a/console/src/app/modules/policies/org-iam-policy/org-iam-policy.component.ts b/console/src/app/modules/policies/org-iam-policy/org-iam-policy.component.ts index 408866a560..98e5d883db 100644 --- a/console/src/app/modules/policies/org-iam-policy/org-iam-policy.component.ts +++ b/console/src/app/modules/policies/org-iam-policy/org-iam-policy.component.ts 
@@ -2,16 +2,23 @@ import { Component, Injector, Input, OnDestroy, Type } from '@angular/core'; import { ActivatedRoute } from '@angular/router'; import { Subscription } from 'rxjs'; import { switchMap } from 'rxjs/operators'; -import { OrgIamPolicyView as AdminOrgIamPolicyView } from 'src/app/proto/generated/admin_pb'; -import { Org } from 'src/app/proto/generated/auth_pb'; -import { OrgIamPolicyView as MgmtOrgIamPolicyView } from 'src/app/proto/generated/management_pb'; +import { GetCustomOrgIAMPolicyResponse } from 'src/app/proto/generated/zitadel/admin_pb'; +import { GetOrgIAMPolicyResponse } from 'src/app/proto/generated/zitadel/management_pb'; +import { Org } from 'src/app/proto/generated/zitadel/org_pb'; +import { OrgIAMPolicy } from 'src/app/proto/generated/zitadel/policy_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { StorageService } from 'src/app/services/storage.service'; import { ToastService } from 'src/app/services/toast.service'; -import { CnslLinks } from '../../links/links.component'; -import { IAM_COMPLEXITY_LINK, IAM_LABEL_LINK, IAM_LOGIN_POLICY_LINK, ORG_LOGIN_POLICY_LINK, ORG_COMPLEXITY_LINK } from '../../policy-grid/policy-links'; +import { CnslLinks } from '../../links/links.component'; +import { + IAM_COMPLEXITY_LINK, + IAM_LABEL_LINK, + IAM_LOGIN_POLICY_LINK, + ORG_COMPLEXITY_LINK, + ORG_LOGIN_POLICY_LINK, +} from '../../policy-grid/policy-links'; import { PolicyComponentServiceType } from '../policy-component-types.enum'; @Component({ @@ -24,7 +31,7 @@ export class OrgIamPolicyComponent implements OnDestroy { private managementService!: ManagementService; public serviceType!: PolicyComponentServiceType; - public iamData!: AdminOrgIamPolicyView.AsObject | MgmtOrgIamPolicyView.AsObject; + public iamData!: OrgIAMPolicy.AsObject; private sub: Subscription = new Subscription(); private org!: Org.AsObject; 
@@ -68,20 +75,20 @@ export class OrgIamPolicyComponent implements OnDestroy { } public fetchData(): void { - this.getData().then(data => { - if (data) { - this.iamData = data.toObject(); + this.getData().then(resp => { + if (resp?.policy) { + this.iamData = resp.policy; } }); } - private async getData(): Promise { + private async getData(): Promise { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - return this.managementService.GetMyOrgIamPolicy(); + return this.managementService.getOrgIAMPolicy(); case PolicyComponentServiceType.ADMIN: if (this.org?.id) { - return this.adminService.GetOrgIamPolicy(this.org.id); + return this.adminService.getCustomOrgIAMPolicy(this.org.id); } break; } @@ -90,8 +97,8 @@ export class OrgIamPolicyComponent implements OnDestroy { public savePolicy(): void { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - if ((this.iamData as MgmtOrgIamPolicyView.AsObject).pb_default) { - this.adminService.CreateOrgIamPolicy( + if ((this.iamData as OrgIAMPolicy.AsObject).isDefault) { + this.adminService.addCustomOrgIAMPolicy( this.org.id, this.iamData.userLoginMustBeDomain, ).then(() => { @@ -101,7 +108,7 @@ export class OrgIamPolicyComponent implements OnDestroy { }); break; } else { - this.adminService.UpdateOrgIamPolicy( + this.adminService.updateCustomOrgIAMPolicy( this.org.id, this.iamData.userLoginMustBeDomain, ).then(() => { @@ -113,8 +120,7 @@ export class OrgIamPolicyComponent implements OnDestroy { } case PolicyComponentServiceType.ADMIN: // update Default org iam policy? - this.adminService.UpdateOrgIamPolicy( - this.org.id, + this.adminService.updateOrgIAMPolicy( this.iamData.userLoginMustBeDomain, ).then(() => { this.toast.showInfo('POLICY.TOAST.SET', true); 
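Review bot: In the ADMIN branch the component reads one organisation's policy with `getCustomOrgIAMPolicy(this.org.id)` in `getData()`, but `savePolicy()` writes with `updateOrgIAMPolicy(this.iamData.userLoginMustBeDomain)`, which no longer receives an org id. Judging by the dropped argument and the existing `// update Default org iam policy?` comment, the write goes to the default policy, so an edit made while viewing one organisation would change `userLoginMustBeDomain` for every organisation that inherits the default. Either write back to the same scope that was read, e.g. `this.adminService.updateCustomOrgIAMPolicy(this.org.id, this.iamData.userLoginMustBeDomain)`, or load the default policy in this branch. The open question in the comment should be resolved before merging rather than left in the code.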
@@ -127,7 +133,7 @@ export class OrgIamPolicyComponent implements OnDestroy { public removePolicy(): void { if (this.serviceType === PolicyComponentServiceType.MGMT) { - this.adminService.RemoveOrgIamPolicy(this.org.id).then(() => { + this.adminService.resetCustomOrgIAMPolicyToDefault(this.org.id).then(() => { this.toast.showInfo('POLICY.TOAST.RESETSUCCESS', true); setTimeout(() => { this.fetchData(); @@ -140,7 +146,7 @@ export class OrgIamPolicyComponent implements OnDestroy { public get isDefault(): boolean { if (this.iamData && this.serviceType === PolicyComponentServiceType.MGMT) { - return (this.iamData as MgmtOrgIamPolicyView.AsObject).pb_default; + return (this.iamData as OrgIAMPolicy.AsObject).isDefault; } else { return false; } diff --git a/console/src/app/modules/policies/password-age-policy/password-age-policy.component.ts b/console/src/app/modules/policies/password-age-policy/password-age-policy.component.ts index 86fca53382..c3cb43d630 100644 --- a/console/src/app/modules/policies/password-age-policy/password-age-policy.component.ts +++ b/console/src/app/modules/policies/password-age-policy/password-age-policy.component.ts 
@@ -2,8 +2,11 @@ import { Component, Injector, OnDestroy, Type } from '@angular/core'; import { ActivatedRoute } from '@angular/router'; import { Subscription } from 'rxjs'; import { switchMap } from 'rxjs/operators'; -import { DefaultPasswordAgePolicyView } from 'src/app/proto/generated/admin_pb'; -import { PasswordAgePolicyView } from 'src/app/proto/generated/management_pb'; +import { GetPasswordAgePolicyResponse as AdminGetPasswordAgePolicyResponse } from 'src/app/proto/generated/zitadel/admin_pb'; +import { + GetPasswordAgePolicyResponse as MgmtGetPasswordAgePolicyResponse, +} from 'src/app/proto/generated/zitadel/management_pb'; +import { PasswordAgePolicy } from 'src/app/proto/generated/zitadel/policy_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -20,7 +23,7 @@ export class PasswordAgePolicyComponent implements OnDestroy { public serviceType: PolicyComponentServiceType = PolicyComponentServiceType.MGMT; public service!: AdminService | ManagementService; - public ageData!: PasswordAgePolicyView.AsObject | DefaultPasswordAgePolicyView.AsObject; + public ageData!: PasswordAgePolicy.AsObject | PasswordAgePolicy.AsObject; private sub: Subscription = new Subscription(); @@ -43,9 +46,9 @@ export class PasswordAgePolicyComponent implements OnDestroy { return this.route.params; })).subscribe(() => { - this.getData().then(data => { - if (data) { - this.ageData = data.toObject(); + this.getData().then(resp => { + if (resp.policy) { + this.ageData = resp.policy; } }); }); 
@@ -56,19 +59,19 @@ export class PasswordAgePolicyComponent implements OnDestroy { } private async getData(): - Promise { + Promise { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - return (this.service as ManagementService).GetPasswordAgePolicy(); + return (this.service as ManagementService).getPasswordAgePolicy(); case PolicyComponentServiceType.ADMIN: - return (this.service as AdminService).GetDefaultPasswordAgePolicy(); + return (this.service as AdminService).getPasswordAgePolicy(); } } public removePolicy(): void { if (this.serviceType === PolicyComponentServiceType.MGMT) { - (this.service as ManagementService).RemovePasswordAgePolicy().then(() => { + (this.service as ManagementService).resetPasswordAgePolicyToDefault().then(() => { this.toast.showInfo('POLICY.TOAST.RESETSUCCESS', true); setTimeout(() => { this.getData(); @@ -106,8 +109,8 @@ export class PasswordAgePolicyComponent implements OnDestroy { public savePolicy(): void { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - if ((this.ageData as PasswordAgePolicyView.AsObject).pb_default) { - (this.service as ManagementService).CreatePasswordAgePolicy( + if (this.ageData.isDefault) { + (this.service as ManagementService).addCustomPasswordAgePolicy( this.ageData.maxAgeDays, this.ageData.expireWarnDays, ).then(() => { @@ -116,7 +119,7 @@ export class PasswordAgePolicyComponent implements OnDestroy { this.toast.showError(error); }); } else { - (this.service as ManagementService).UpdatePasswordAgePolicy( + (this.service as ManagementService).updateCustomPasswordAgePolicy( this.ageData.maxAgeDays, this.ageData.expireWarnDays, ).then(() => { @@ -127,7 +130,7 @@ export class PasswordAgePolicyComponent implements OnDestroy { } break; case PolicyComponentServiceType.ADMIN: - (this.service as AdminService).UpdateDefaultPasswordAgePolicy( + (this.service as AdminService).updatePasswordAgePolicy( this.ageData.maxAgeDays, this.ageData.expireWarnDays, ).then(() => { 
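Review bot: After `resetPasswordAgePolicyToDefault()` resolves, the timeout callback in `removePolicy()` calls `this.getData();` and drops the returned promise, so as far as this hunk shows `ageData` is never reassigned and the form keeps displaying the custom values that were just reset. The sibling policy components call `this.fetchData()` at this point. Here the result could be applied with `this.getData().then(resp => { if (resp.policy) { this.ageData = resp.policy; } });`. The callback continues past the end of the hunk, so check whether the assignment happens further down.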
@@ -141,7 +144,7 @@ export class PasswordAgePolicyComponent implements OnDestroy { public get isDefault(): boolean { if (this.ageData && this.serviceType === PolicyComponentServiceType.MGMT) { - return (this.ageData as PasswordAgePolicyView.AsObject).pb_default; + return (this.ageData as PasswordAgePolicy.AsObject).isDefault; } else { return false; } diff --git a/console/src/app/modules/policies/password-complexity-policy/password-complexity-policy.component.ts b/console/src/app/modules/policies/password-complexity-policy/password-complexity-policy.component.ts index eeab223485..0fedeb4890 100644 --- a/console/src/app/modules/policies/password-complexity-policy/password-complexity-policy.component.ts +++ b/console/src/app/modules/policies/password-complexity-policy/password-complexity-policy.component.ts 
@@ -2,14 +2,25 @@ import { Component, Injector, OnDestroy, Type } from '@angular/core'; import { ActivatedRoute } from '@angular/router'; import { Subscription } from 'rxjs'; import { switchMap } from 'rxjs/operators'; -import { DefaultPasswordComplexityPolicy } from 'src/app/proto/generated/admin_pb'; -import { PasswordComplexityPolicyView } from 'src/app/proto/generated/management_pb'; +import { + GetPasswordComplexityPolicyResponse as AdminGetPasswordComplexityPolicyResponse, +} from 'src/app/proto/generated/zitadel/admin_pb'; +import { + GetPasswordComplexityPolicyResponse as MgmtGetPasswordComplexityPolicyResponse, +} from 'src/app/proto/generated/zitadel/management_pb'; +import { PasswordComplexityPolicy } from 'src/app/proto/generated/zitadel/policy_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; -import { CnslLinks } from '../../links/links.component'; -import { IAM_LABEL_LINK, IAM_LOGIN_POLICY_LINK, IAM_POLICY_LINK, ORG_IAM_POLICY_LINK, ORG_LOGIN_POLICY_LINK } from '../../policy-grid/policy-links'; +import { CnslLinks } from '../../links/links.component'; +import { + IAM_LABEL_LINK, + IAM_LOGIN_POLICY_LINK, + IAM_POLICY_LINK, + ORG_IAM_POLICY_LINK, + ORG_LOGIN_POLICY_LINK, +} from '../../policy-grid/policy-links'; import { PolicyComponentServiceType } from '../policy-component-types.enum'; @Component({ @@ -21,7 +32,7 @@ export class PasswordComplexityPolicyComponent implements OnDestroy { public serviceType: PolicyComponentServiceType = PolicyComponentServiceType.MGMT; public service!: ManagementService | AdminService; - public complexityData!: PasswordComplexityPolicyView.AsObject | DefaultPasswordComplexityPolicy.AsObject; + public complexityData!: PasswordComplexityPolicy.AsObject; private sub: Subscription = new Subscription(); public PolicyComponentServiceType: any = PolicyComponentServiceType; 
@@ -64,8 +75,8 @@ export class PasswordComplexityPolicyComponent implements OnDestroy { this.loading = true; this.getData().then(data => { - if (data) { - this.complexityData = data.toObject(); + if (data.policy) { + this.complexityData = data.policy; this.loading = false; } }); @@ -76,18 +87,18 @@ export class PasswordComplexityPolicyComponent implements OnDestroy { } private async getData(): - Promise { + Promise { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - return (this.service as ManagementService).GetPasswordComplexityPolicy(); + return (this.service as ManagementService).getPasswordComplexityPolicy(); case PolicyComponentServiceType.ADMIN: - return (this.service as AdminService).GetDefaultPasswordComplexityPolicy(); + return (this.service as AdminService).getPasswordComplexityPolicy(); } } public removePolicy(): void { if (this.service instanceof ManagementService) { - this.service.removePasswordComplexityPolicy().then(() => { + this.service.resetPasswordComplexityPolicyToDefault().then(() => { this.toast.showInfo('POLICY.TOAST.RESETSUCCESS', true); setTimeout(() => { this.fetchData(); @@ -113,8 +124,8 @@ export class PasswordComplexityPolicyComponent implements OnDestroy { public savePolicy(): void { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - if ((this.complexityData as PasswordComplexityPolicyView.AsObject).pb_default) { - (this.service as ManagementService).CreatePasswordComplexityPolicy( + if ((this.complexityData as PasswordComplexityPolicy.AsObject).isDefault) { + (this.service as ManagementService).addCustomPasswordComplexityPolicy( this.complexityData.hasLowercase, this.complexityData.hasUppercase, 
@@ -127,7 +138,7 @@ export class PasswordComplexityPolicyComponent implements OnDestroy { this.toast.showError(error); }); } else { - (this.service as ManagementService).UpdatePasswordComplexityPolicy( + (this.service as ManagementService).updateCustomPasswordComplexityPolicy( this.complexityData.hasLowercase, this.complexityData.hasUppercase, this.complexityData.hasNumber, @@ -141,7 +152,7 @@ export class PasswordComplexityPolicyComponent implements OnDestroy { } break; case PolicyComponentServiceType.ADMIN: - (this.service as AdminService).UpdateDefaultPasswordComplexityPolicy( + (this.service as AdminService).updatePasswordComplexityPolicy( this.complexityData.hasLowercase, this.complexityData.hasUppercase, this.complexityData.hasNumber, @@ -158,7 +169,7 @@ export class PasswordComplexityPolicyComponent implements OnDestroy { public get isDefault(): boolean { if (this.complexityData && this.serviceType === PolicyComponentServiceType.MGMT) { - return (this.complexityData as PasswordComplexityPolicyView.AsObject).pb_default; + return (this.complexityData as PasswordComplexityPolicy.AsObject).isDefault; } else { return false; } diff --git a/console/src/app/modules/policies/password-lockout-policy/password-lockout-policy.component.ts b/console/src/app/modules/policies/password-lockout-policy/password-lockout-policy.component.ts index a01cb8eda6..0a96506f1b 100644 --- a/console/src/app/modules/policies/password-lockout-policy/password-lockout-policy.component.ts +++ b/console/src/app/modules/policies/password-lockout-policy/password-lockout-policy.component.ts 
@@ -3,8 +3,13 @@ import { FormGroup } from '@angular/forms'; import { ActivatedRoute } from '@angular/router'; import { Subscription } from 'rxjs'; import { switchMap } from 'rxjs/operators'; -import { DefaultPasswordLockoutPolicyView } from 'src/app/proto/generated/admin_pb'; -import { PasswordLockoutPolicyView } from 'src/app/proto/generated/management_pb'; +import { + GetPasswordLockoutPolicyResponse as AdminGetPasswordLockoutPolicyResponse, +} from 'src/app/proto/generated/zitadel/admin_pb'; +import { + GetPasswordLockoutPolicyResponse as MgmtGetPasswordLockoutPolicyResponse, +} from 'src/app/proto/generated/zitadel/management_pb'; +import { PasswordLockoutPolicy } from 'src/app/proto/generated/zitadel/policy_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -22,7 +27,7 @@ export class PasswordLockoutPolicyComponent implements OnDestroy { public lockoutForm!: FormGroup; - public lockoutData!: PasswordLockoutPolicyView.AsObject; + public lockoutData!: PasswordLockoutPolicy.AsObject; private sub: Subscription = new Subscription(); public PolicyComponentServiceType: any = PolicyComponentServiceType; 
@@ -54,25 +59,25 @@ export class PasswordLockoutPolicyComponent implements OnDestroy { } private fetchData(): void { - this.getData().then(data => { - if (data) { - this.lockoutData = data.toObject() as PasswordLockoutPolicyView.AsObject; + this.getData().then(resp => { + if (resp.policy) { + this.lockoutData = resp.policy; } }); } - private getData(): Promise { + private getData(): Promise { switch (this.serviceType) { case PolicyComponentServiceType.MGMT: - return (this.service as ManagementService).GetPasswordLockoutPolicy(); + return (this.service as ManagementService).getPasswordLockoutPolicy(); case PolicyComponentServiceType.ADMIN: - return (this.service as AdminService).GetDefaultPasswordLockoutPolicy(); + return (this.service as AdminService).getPasswordLockoutPolicy(); } } public removePolicy(): void { if (this.service instanceof ManagementService) { - this.service.RemovePasswordLockoutPolicy().then(() => { + this.service.resetPasswordLockoutPolicyToDefault().then(() => { this.toast.showInfo('POLICY.TOAST.RESETSUCCESS', true); this.fetchData(); }).catch(error => { @@ -96,7 +101,7 @@ export class PasswordLockoutPolicyComponent implements OnDestroy { public savePolicy(): void { let promise: Promise; if (this.service instanceof AdminService) { - promise = this.service.UpdateDefaultPasswordLockoutPolicy( + promise = this.service.updatePasswordLockoutPolicy( this.lockoutData.maxAttempts, this.lockoutData.showLockoutFailure, ).then(() => { @@ -105,8 +110,8 @@ export class PasswordLockoutPolicyComponent implements OnDestroy { this.toast.showError(error); }); } else { - if ((this.lockoutData as PasswordLockoutPolicyView.AsObject).pb_default) { - promise = this.service.CreatePasswordLockoutPolicy( + if ((this.lockoutData as PasswordLockoutPolicy.AsObject).isDefault) { + promise = this.service.addCustomPasswordLockoutPolicy( this.lockoutData.maxAttempts, this.lockoutData.showLockoutFailure, ).then(() => { 
@@ -115,7 +120,7 @@ export class PasswordLockoutPolicyComponent implements OnDestroy { this.toast.showError(error); }); } else { - promise = this.service.UpdatePasswordLockoutPolicy( + promise = this.service.updateCustomPasswordLockoutPolicy( this.lockoutData.maxAttempts, this.lockoutData.showLockoutFailure, ).then(() => { @@ -129,7 +134,7 @@ export class PasswordLockoutPolicyComponent implements OnDestroy { public get isDefault(): boolean { if (this.lockoutData && this.serviceType === PolicyComponentServiceType.MGMT) { - return (this.lockoutData as PasswordLockoutPolicyView.AsObject).pb_default; + return (this.lockoutData as PasswordLockoutPolicy.AsObject).isDefault; } else { return false; } diff --git a/console/src/app/modules/policy-grid/policy-grid.component.ts b/console/src/app/modules/policy-grid/policy-grid.component.ts index ba66e493dc..3f8fbf1b97 100644 --- a/console/src/app/modules/policy-grid/policy-grid.component.ts +++ b/console/src/app/modules/policy-grid/policy-grid.component.ts @@ -1,9 +1,8 @@ import { Component, Input, OnInit } from '@angular/core'; import { PolicyComponentType } from 'src/app/modules/policies/policy-component-types.enum'; -import { PasswordComplexityPolicyView as MgmtPasswordComplexityPolicyView } from 'src/app/proto/generated/management_pb'; -import { DefaultPasswordComplexityPolicyView as AdminPasswordComplexityPolicyView } from 'src/app/proto/generated/admin_pb'; -import { ManagementService } from 'src/app/services/mgmt.service'; +import { PasswordComplexityPolicy } from 'src/app/proto/generated/zitadel/policy_pb'; import { AdminService } from 'src/app/services/admin.service'; +import { ManagementService } from 'src/app/services/mgmt.service'; export enum PolicyGridType { ORG, 
@@ -20,18 +19,22 @@ export class PolicyGridComponent implements OnInit { public PolicyComponentType: any = PolicyComponentType; public PolicyGridType: any = PolicyGridType; - public complexityPolicy!: MgmtPasswordComplexityPolicyView.AsObject | AdminPasswordComplexityPolicyView.AsObject | any; + public complexityPolicy!: PasswordComplexityPolicy.AsObject; constructor(private mgmtService: ManagementService, private adminService: AdminService) { } public ngOnInit(): void { if (this.type == PolicyGridType.ORG) { - this.mgmtService.GetDefaultPasswordComplexityPolicy().then((policy) => { - this.complexityPolicy = policy.toObject(); + this.mgmtService.getPasswordComplexityPolicy().then((resp) => { + if (resp.policy) { + this.complexityPolicy = resp.policy; + } }); } else if (this.type == PolicyGridType.IAM) { - this.adminService.GetDefaultPasswordComplexityPolicy().then((policy) => { - this.complexityPolicy = policy.toObject(); + this.adminService.getPasswordComplexityPolicy().then((resp) => { + if (resp.policy) { + this.complexityPolicy = resp.policy; + } }); } } diff --git a/console/src/app/modules/project-members/project-members-datasource.ts b/console/src/app/modules/project-members/project-members-datasource.ts index 43a0f0b637..9f37e8c97f 100644 --- a/console/src/app/modules/project-members/project-members-datasource.ts +++ b/console/src/app/modules/project-members/project-members-datasource.ts 
@@ -2,19 +2,22 @@ import { DataSource } from '@angular/cdk/collections'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; -import { ProjectMember, ProjectMemberSearchResponse, ProjectType } from 'src/app/proto/generated/management_pb'; +import { ListProjectGrantMembersResponse, ListProjectMembersResponse } from 'src/app/proto/generated/zitadel/management_pb'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; +import { ProjectType } from './project-members.component'; + /** * Data source for the ProjectMembers view. This class should * encapsulate all logic for fetching and manipulating the displayed data * (including sorting, pagination, and filtering). */ -export class ProjectMembersDataSource extends DataSource { +export class ProjectMembersDataSource extends DataSource { public totalResult: number = 0; public viewTimestamp!: Timestamp.AsObject; - public membersSubject: BehaviorSubject = new BehaviorSubject([]); + public membersSubject: BehaviorSubject = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); 
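Review bot: The new `import { ProjectType } from './project-members.component';` makes the data source depend on the component, while the component file imports `ProjectMembersDataSource` from this file, which gives the two modules a circular import. It works only as long as the enum is not read at module-evaluation time, and it ties a plain data class to an Angular component file. Moving the enum into its own module (for example a `project-type.enum.ts` next to both files, name to be chosen) and importing it from both sides removes the cycle. The enum members are also written with double quotes where the rest of the file uses single quotes.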
@@ -29,21 +32,22 @@ export class ProjectMembersDataSource extends DataSource this.loadingSubject.next(true); - const promise: Promise | undefined = + const promise: Promise | Promise | undefined = projectType === ProjectType.PROJECTTYPE_OWNED ? - this.mgmtService.SearchProjectMembers(projectId, pageSize, offset) : + this.mgmtService.listProjectMembers(projectId, pageSize, offset) : projectType === ProjectType.PROJECTTYPE_GRANTED && grantId ? - this.mgmtService.SearchProjectGrantMembers(projectId, + this.mgmtService.listProjectGrantMembers(projectId, grantId, pageSize, offset) : undefined; if (promise) { from(promise).pipe( map(resp => { - const response = resp.toObject(); - this.totalResult = response.totalResult; - if (response.viewTimestamp) { - this.viewTimestamp = response.viewTimestamp; + if (resp.details?.totalResult) { + this.totalResult = resp.details?.totalResult; } - return response.resultList; + if (resp.details?.viewTimestamp) { + this.viewTimestamp = resp.details.viewTimestamp; + } + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), @@ -59,7 +63,7 @@ export class ProjectMembersDataSource extends DataSource * the returned stream emits new items. * @returns A stream of the items to be rendered. */ - public connect(): Observable { + public connect(): Observable { return this.membersSubject.asObservable(); } diff --git a/console/src/app/modules/project-members/project-members.component.html b/console/src/app/modules/project-members/project-members.component.html index 7d845b04fb..09e87d1c22 100644 --- a/console/src/app/modules/project-members/project-members.component.html +++ b/console/src/app/modules/project-members/project-members.component.html 
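Review bot: The new guard `if (resp.details?.totalResult)` skips the assignment when the total is `0`, so a reload that returns no members leaves the previous page count in `totalResult`. The roles data source later in this commit compares with `!== undefined`, but that still keeps a stale value when `details` is missing. Assigning unconditionally avoids both cases: `this.totalResult = resp.details?.totalResult ?? 0;`. The enclosing `loadMembers` method starts above this hunk.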
@@ -1,14 +1,14 @@ - + [appHasRole]="['project.member.delete:' + (projectType === ProjectType.PROJECTTYPE_OWNED) ? $any(project)?.id : (projectType === ProjectType.PROJECTTYPE_GRANTED) ? $any(project)?.projectId: '', 'project.member.delete']"> + [appHasRole]="['project.member.write:'+(projectType === ProjectType.PROJECTTYPE_OWNED) ? $any(project)?.id : (projectType === ProjectType.PROJECTTYPE_GRANTED) ? $any(project)?.projectId: '','project.member.write']"> add{{ 'ACTIONS.NEW' | translate }} diff --git a/console/src/app/modules/project-members/project-members.component.ts b/console/src/app/modules/project-members/project-members.component.ts index 5cde0de798..d39153ae7a 100644 --- a/console/src/app/modules/project-members/project-members.component.ts +++ b/console/src/app/modules/project-members/project-members.component.ts @@ -4,21 +4,19 @@ import { PageEvent } from '@angular/material/paginator'; import { MatSelectChange } from '@angular/material/select'; import { ActivatedRoute } from '@angular/router'; import { take } from 'rxjs/operators'; -import { - ProjectGrantMemberView, - ProjectGrantView, - ProjectMember, - ProjectMemberView, - ProjectType, - ProjectView, - UserView, -} from 'src/app/proto/generated/management_pb'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; +import { GrantedProject, Project } from 'src/app/proto/generated/zitadel/project_pb'; +import { User } from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; import { CreationType, MemberCreateDialogComponent } from '../add-member-dialog/member-create-dialog.component'; import { ProjectMembersDataSource } from './project-members-datasource'; +export enum ProjectType { + PROJECTTYPE_OWNED = "OWNED", + PROJECTTYPE_GRANTED = "GRANTED" +} @Component({ selector: 'app-project-members', 
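Review bot: In both added `[appHasRole]` bindings, `+` binds tighter than `?:`, so `'project.member.delete:' + (projectType === ...)` is evaluated first and is always a non-empty, truthy string. The first array entry therefore becomes the bare `$any(project)?.id` rather than `project.member.delete:<id>`, and the project-scoped role is never what gets checked. The `project.member.write` binding has the same shape. Parenthesise the whole conditional, e.g. `'project.member.delete:' + ((projectType === ProjectType.PROJECTTYPE_OWNED) ? $any(project)?.id : (projectType === ProjectType.PROJECTTYPE_GRANTED) ? $any(project)?.projectId : '')`. This directive only gates what the console shows, so the member endpoints still need their own server-side authorization.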
@@ -27,7 +25,7 @@ import { ProjectMembersDataSource } from './project-members-datasource'; }) export class ProjectMembersComponent { public INITIALPAGESIZE: number = 25; - public project!: ProjectView.AsObject | ProjectGrantView.AsObject; + public project!: Project.AsObject | GrantedProject.AsObject; public projectType: ProjectType = ProjectType.PROJECTTYPE_OWNED; public grantId: string = ''; public projectName: string = ''; @@ -36,7 +34,9 @@ export class ProjectMembersComponent { public changePageFactory!: Function; public changePage: EventEmitter = new EventEmitter(); - public selection: Array = []; + public selection: Array = []; + + public ProjectType: any = ProjectType; constructor( private mgmtService: ManagementService, private dialog: MatDialog, 
@@ -50,43 +50,47 @@ export class ProjectMembersComponent { this.route.params.subscribe(params => { this.grantId = params.grantid; if (this.projectType === ProjectType.PROJECTTYPE_OWNED) { - this.mgmtService.GetProjectById(params.projectid).then(project => { - this.project = project.toObject(); - this.projectName = this.project.name; - this.dataSource = new ProjectMembersDataSource(this.mgmtService); - this.dataSource.loadMembers(this.project.projectId, this.projectType, 0, this.INITIALPAGESIZE); + this.mgmtService.getProjectByID(params.projectid).then(resp => { + if (resp.project) { + this.project = resp.project; + this.projectName = this.project.name; + this.dataSource = new ProjectMembersDataSource(this.mgmtService); + this.dataSource.loadMembers(this.project.id, this.projectType, 0, this.INITIALPAGESIZE); - this.changePageFactory = (event?: PageEvent) => { - return this.dataSource.loadMembers( - this.project.projectId, - this.projectType, - event?.pageIndex ?? 0, - event?.pageSize ?? this.INITIALPAGESIZE, - this.grantId, - ); - }; + this.changePageFactory = (event?: PageEvent) => { + return this.dataSource.loadMembers( + (this.project as Project.AsObject).id, + this.projectType, + event?.pageIndex ?? 0, + event?.pageSize ?? 
this.INITIALPAGESIZE, + this.grantId, + ); + }; + } }); } else if (this.projectType === ProjectType.PROJECTTYPE_GRANTED) { - this.mgmtService.GetGrantedProjectByID(params.projectid, params.grantid).then(project => { - this.project = project.toObject(); - this.projectName = this.project.projectName; - this.dataSource = new ProjectMembersDataSource(this.mgmtService); - this.dataSource.loadMembers(this.project.projectId, - this.projectType, - 0, - this.INITIALPAGESIZE, - this.grantId, - ); - - this.changePageFactory = (event?: PageEvent) => { - return this.dataSource.loadMembers( - this.project.projectId, + this.mgmtService.getGrantedProjectByID(params.projectid, params.grantid).then(resp => { + if (resp.grantedProject) { + this.project = resp.grantedProject; + this.projectName = this.project.projectName; + this.dataSource = new ProjectMembersDataSource(this.mgmtService); + this.dataSource.loadMembers(this.project.projectId, this.projectType, - event?.pageIndex ?? 0, - event?.pageSize ?? this.INITIALPAGESIZE, + 0, + this.INITIALPAGESIZE, this.grantId, ); - }; + + this.changePageFactory = (event?: PageEvent) => { + return this.dataSource.loadMembers( + (this.project as GrantedProject.AsObject).projectId, + this.projectType, + event?.pageIndex ?? 0, + event?.pageSize ?? this.INITIALPAGESIZE, + this.grantId, + ); + }; + } }); } }); 
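Review bot: The casts `(this.project as Project.AsObject).id` and `(this.project as GrantedProject.AsObject).projectId` are unchecked, and the same pair is repeated in the remove, add and update hunks further down this file. If `projectType` and the loaded object ever disagree, the cast yields `undefined` and that value is sent as the project id of a member-management call. A single accessor that derives the id from `projectType` keeps the decision in one place and lets every call site drop its cast. Both `.then` callbacks here also do nothing when `resp.project` or `resp.grantedProject` is missing and have no `.catch`, so a failed or denied lookup leaves the page empty without a toast. The enclosing subscription starts above the hunk.

```typescript
// … unchanged: fields and constructor …
private get currentProjectId(): string {
    return this.projectType === ProjectType.PROJECTTYPE_OWNED
        ? (this.project as Project.AsObject).id
        : (this.project as GrantedProject.AsObject).projectId;
}
// … call sites then pass this.currentProjectId instead of the inline casts …
```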
@@ -95,14 +99,14 @@ export class ProjectMembersComponent { public getRoleOptions(): void { if (this.projectType === ProjectType.PROJECTTYPE_GRANTED) { - this.mgmtService.GetProjectGrantMemberRoles().then(resp => { - this.memberRoleOptions = resp.toObject().rolesList; + this.mgmtService.listProjectGrantMemberRoles().then(resp => { + this.memberRoleOptions = resp.resultList; }).catch(error => { this.toast.showError(error); }); } else if (this.projectType === ProjectType.PROJECTTYPE_OWNED) { - this.mgmtService.GetProjectMemberRoles().then(resp => { - this.memberRoleOptions = resp.toObject().rolesList; + this.mgmtService.listProjectMemberRoles().then(resp => { + this.memberRoleOptions = resp.resultList; }).catch(error => { this.toast.showError(error); }); @@ -112,13 +116,13 @@ export class ProjectMembersComponent { public removeProjectMemberSelection(): void { Promise.all(this.selection.map(member => { if (this.projectType === ProjectType.PROJECTTYPE_OWNED) { - return this.mgmtService.RemoveProjectMember(this.project.projectId, member.userId).then(() => { + return this.mgmtService.removeProjectMember((this.project as Project.AsObject).id, member.userId).then(() => { this.toast.showInfo('PROJECT.TOAST.MEMBERREMOVED', true); }).catch(error => { this.toast.showError(error); }); } else if (this.projectType === ProjectType.PROJECTTYPE_GRANTED) { - return this.mgmtService.RemoveProjectGrantMember(this.project.projectId, this.grantId, + return this.mgmtService.removeProjectGrantMember((this.project as GrantedProject.AsObject).projectId, this.grantId, member.userId).then(() => { this.toast.showInfo('PROJECT.TOAST.MEMBERREMOVED', true); }).catch(error => { 
@@ -132,9 +136,9 @@ export class ProjectMembersComponent { }); } - public removeProjectMember(member: ProjectMemberView.AsObject | ProjectGrantMemberView.AsObject): void { + public removeProjectMember(member: Member.AsObject | Member.AsObject): void { if (this.projectType === ProjectType.PROJECTTYPE_OWNED) { - this.mgmtService.RemoveProjectMember(this.project.projectId, member.userId).then(() => { + this.mgmtService.removeProjectMember((this.project as Project.AsObject).id, member.userId).then(() => { setTimeout(() => { this.changePage.emit(); }, 1000); @@ -143,7 +147,7 @@ export class ProjectMembersComponent { this.toast.showError(error); }); } else if (this.projectType === ProjectType.PROJECTTYPE_GRANTED) { - this.mgmtService.RemoveProjectGrantMember(this.project.projectId, this.grantId, + this.mgmtService.removeProjectGrantMember((this.project as GrantedProject.AsObject).projectId, this.grantId, member.userId).then(() => { setTimeout(() => { this.changePage.emit(); @@ -165,16 +169,16 @@ export class ProjectMembersComponent { dialogRef.afterClosed().subscribe(resp => { if (resp) { - const users: UserView.AsObject[] = resp.users; + const users: User.AsObject[] = resp.users; const roles: string[] = resp.roles; if (users && users.length && roles && roles.length) { Promise.all(users.map(user => { if (this.projectType === ProjectType.PROJECTTYPE_OWNED) { - return this.mgmtService.AddProjectMember(this.project.projectId, user.id, roles); + return this.mgmtService.addProjectMember((this.project as Project.AsObject).id, user.id, roles); } else if (this.projectType === ProjectType.PROJECTTYPE_GRANTED) { - return this.mgmtService.AddProjectGrantMember(this.project.projectId, this.grantId, + return this.mgmtService.addProjectGrantMember((this.project as GrantedProject.AsObject).projectId, this.grantId, user.id, roles); } })).then(() => { 
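Review bot: The parameter type `Member.AsObject | Member.AsObject` in `removeProjectMember` is a leftover from the two former view types and now names the same type twice. It should read `public removeProjectMember(member: Member.AsObject): void`, matching `updateRoles` further down. The method body continues outside this hunk.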
@@ -190,18 +194,18 @@ export class ProjectMembersComponent { }); } - updateRoles(member: ProjectMember.AsObject, selectionChange: MatSelectChange): void { + updateRoles(member: Member.AsObject, selectionChange: MatSelectChange): void { if (this.projectType === ProjectType.PROJECTTYPE_OWNED) { - this.mgmtService.ChangeProjectMember(this.project.projectId, member.userId, selectionChange.value) - .then((_: ProjectMember) => { + this.mgmtService.updateProjectMember((this.project as Project.AsObject).id, member.userId, selectionChange.value) + .then(() => { this.toast.showInfo('PROJECT.TOAST.MEMBERCHANGED', true); }).catch(error => { this.toast.showError(error); }); } else if (this.projectType === ProjectType.PROJECTTYPE_GRANTED) { - this.mgmtService.ChangeProjectGrantMember(this.project.projectId, + this.mgmtService.updateProjectGrantMember((this.project as GrantedProject.AsObject).projectId, this.grantId, member.userId, selectionChange.value) - .then((_: ProjectMember) => { + .then(() => { this.toast.showInfo('PROJECT.TOAST.MEMBERCHANGED', true); }).catch(error => { this.toast.showError(error); diff --git a/console/src/app/modules/project-roles/project-role-detail/project-role-detail.component.ts b/console/src/app/modules/project-roles/project-role-detail/project-role-detail.component.ts index cb6fa62a65..e876445e94 100644 --- a/console/src/app/modules/project-roles/project-role-detail/project-role-detail.component.ts +++ b/console/src/app/modules/project-roles/project-role-detail/project-role-detail.component.ts 
@@ -29,7 +29,7 @@ export class ProjectRoleDetailComponent { submitForm(): void { if (this.formGroup.valid && this.key?.value && this.group?.value && this.displayName?.value) { - this.mgmtService.ChangeProjectRole(this.projectId, this.key.value, this.displayName.value, this.group.value) + this.mgmtService.updateProjectRole(this.projectId, this.key.value, this.displayName.value, this.group.value) .then(() => { this.toast.showInfo('PROJECT.TOAST.ROLECHANGED', true); this.dialogRef.close(true); diff --git a/console/src/app/modules/project-roles/project-roles-datasource.ts b/console/src/app/modules/project-roles/project-roles-datasource.ts index 3418a256fc..1c027fb82c 100644 --- a/console/src/app/modules/project-roles/project-roles-datasource.ts +++ b/console/src/app/modules/project-roles/project-roles-datasource.ts @@ -2,7 +2,7 @@ import { DataSource } from '@angular/cdk/collections'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; -import { ProjectRole } from 'src/app/proto/generated/management_pb'; +import { Role } from 'src/app/proto/generated/zitadel/project_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; /** @@ -10,11 +10,11 @@ import { ManagementService } from 'src/app/services/mgmt.service'; * encapsulate all logic for fetching and manipulating the displayed data * (including sorting, pagination, and filtering). */ -export class ProjectRolesDataSource extends DataSource { +export class ProjectRolesDataSource extends DataSource { public totalResult: number = 0; public viewTimestamp!: Timestamp.AsObject; - public rolesSubject: BehaviorSubject = new BehaviorSubject([]); + public rolesSubject: BehaviorSubject = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); 
@@ -26,14 +26,15 @@ export class ProjectRolesDataSource extends DataSource { const offset = pageIndex * pageSize; this.loadingSubject.next(true); - from(this.mgmtService.SearchProjectRoles(projectId, pageSize, offset)).pipe( + from(this.mgmtService.listProjectRoles(projectId, pageSize, offset)).pipe( map(resp => { - const response = resp.toObject(); - this.totalResult = response.totalResult; - if (response.viewTimestamp) { - this.viewTimestamp = response.viewTimestamp; + if (resp.details?.totalResult !== undefined) { + this.totalResult = resp.details.totalResult; } - return resp.toObject().resultList; + if (resp.details?.viewTimestamp) { + this.viewTimestamp = resp.details.viewTimestamp; + } + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), @@ -48,7 +49,7 @@ export class ProjectRolesDataSource extends DataSource { * the returned stream emits new items. * @returns A stream of the items to be rendered. */ - public connect(): Observable { + public connect(): Observable { return this.rolesSubject.asObservable(); } diff --git a/console/src/app/modules/project-roles/project-roles.component.ts b/console/src/app/modules/project-roles/project-roles.component.ts index ff08a20d06..f5dee5c2de 100644 --- a/console/src/app/modules/project-roles/project-roles.component.ts +++ b/console/src/app/modules/project-roles/project-roles.component.ts @@ -4,7 +4,7 @@ import { MatDialog } from '@angular/material/dialog'; import { MatPaginator } from '@angular/material/paginator'; import { MatTable } from '@angular/material/table'; import { tap } from 'rxjs/operators'; -import { ProjectRole } from 'src/app/proto/generated/management_pb'; +import { Role } from 'src/app/proto/generated/zitadel/project_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; 
@@ -22,10 +22,10 @@ export class ProjectRolesComponent implements AfterViewInit, OnInit { @Input() public disabled: boolean = false; @Input() public actionsVisible: boolean = false; @ViewChild(MatPaginator) public paginator!: MatPaginator; - @ViewChild(MatTable) public table!: MatTable; + @ViewChild(MatTable) public table!: MatTable; public dataSource!: ProjectRolesDataSource; - public selection: SelectionModel = new SelectionModel(true, []); - @Output() public changedSelection: EventEmitter> = new EventEmitter(); + public selection: SelectionModel = new SelectionModel(true, []); + @Output() public changedSelection: EventEmitter> = new EventEmitter(); /** Columns displayed in the table. Columns IDs can be added, removed, or reordered. */ public displayedColumns: string[] = ['select', 'key', 'displayname', 'group', 'creationDate']; @@ -51,7 +51,7 @@ export class ProjectRolesComponent implements AfterViewInit, OnInit { } public selectAllOfGroup(group: string): void { - const groupRoles: ProjectRole.AsObject[] = this.dataSource.rolesSubject.getValue() + const groupRoles: Role.AsObject[] = this.dataSource.rolesSubject.getValue() .filter(role => role.group === group); this.selection.select(...groupRoles); } @@ -73,7 +73,7 @@ export class ProjectRolesComponent implements AfterViewInit, OnInit { public masterToggle(): void { this.isAllSelected() ? this.selection.clear() : - this.dataSource.rolesSubject.value.forEach((row: ProjectRole.AsObject) => this.selection.select(row)); + this.dataSource.rolesSubject.value.forEach((row: Role.AsObject) => this.selection.select(row)); } public deleteSelectedRoles(): Promise { 
@@ -83,7 +83,7 @@ export class ProjectRolesComponent implements AfterViewInit, OnInit { }); return Promise.all(this.selection.selected.map(role => { - return this.mgmtService.RemoveProjectRole(role.projectId, role.key); + return this.mgmtService.removeProjectRole(this.projectId, role.key); })).then(() => { this.toast.showInfo('PROJECT.TOAST.ROLEREMOVED', true); indexes.forEach(index => { @@ -98,9 +98,9 @@ export class ProjectRolesComponent implements AfterViewInit, OnInit { }); } - public removeRole(role: ProjectRole.AsObject, index: number): void { + public removeRole(role: Role.AsObject, index: number): void { this.mgmtService - .RemoveProjectRole(role.projectId, role.key) + .removeProjectRole(this.projectId, role.key) .then(() => { this.toast.showInfo('PROJECT.TOAST.ROLEREMOVED', true); this.dataSource.rolesSubject.value.splice(index, 1); @@ -111,7 +111,7 @@ export class ProjectRolesComponent implements AfterViewInit, OnInit { }); } - public openDetailDialog(role: ProjectRole.AsObject): void { + public openDetailDialog(role: Role.AsObject): void { this.dialog.open(ProjectRoleDetailComponent, { data: { role, diff --git a/console/src/app/modules/search-project-autocomplete/search-project-autocomplete.component.ts b/console/src/app/modules/search-project-autocomplete/search-project-autocomplete.component.ts index 6847950379..c5c3632d11 100644 --- a/console/src/app/modules/search-project-autocomplete/search-project-autocomplete.component.ts +++ b/console/src/app/modules/search-project-autocomplete/search-project-autocomplete.component.ts 
@@ -5,15 +5,8 @@ import { MatAutocomplete, MatAutocompleteSelectedEvent } from '@angular/material import { MatChipInputEvent } from '@angular/material/chips'; import { forkJoin, from, Subject } from 'rxjs'; import { debounceTime, switchMap, takeUntil, tap } from 'rxjs/operators'; -import { - ProjectGrantSearchResponse, - ProjectGrantView, - ProjectSearchKey, - ProjectSearchQuery, - ProjectSearchResponse, - ProjectView, - SearchMethod, -} from 'src/app/proto/generated/management_pb'; +import { ListProjectGrantsResponse, ListProjectsResponse } from 'src/app/proto/generated/zitadel/management_pb'; +import { GrantedProject, Project, ProjectNameQuery, ProjectQuery } from 'src/app/proto/generated/zitadel/project_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; @@ -34,18 +27,18 @@ export class SearchProjectAutocompleteComponent implements OnDestroy { public separatorKeysCodes: number[] = [ENTER, COMMA]; public myControl: FormControl = new FormControl(); public names: string[] = []; - public projects: Array = []; - public filteredProjects: Array = []; + public projects: Array = []; + public filteredProjects: Array = []; public isLoading: boolean = false; @ViewChild('nameInput') public nameInput!: ElementRef; @ViewChild('auto') public matAutocomplete!: MatAutocomplete; @Input() public singleOutput: boolean = false; @Input() public autocompleteType!: ProjectAutocompleteType; @Output() public selectionChanged: EventEmitter< - ProjectGrantView.AsObject[] - | ProjectGrantView.AsObject - | ProjectView.AsObject - | ProjectView.AsObject[] + GrantedProject.AsObject[] + | GrantedProject.AsObject + | Project.AsObject + | Project.AsObject[] > = new EventEmitter(); private unsubscribed$: Subject = new Subject(); 
@@ -56,20 +49,20 @@ export class SearchProjectAutocompleteComponent implements OnDestroy { debounceTime(200), tap(() => this.isLoading = true), switchMap(value => { - const query = new ProjectSearchQuery(); - query.setKey(ProjectSearchKey.PROJECTSEARCHKEY_PROJECT_NAME); - query.setValue(value); - query.setMethod(SearchMethod.SEARCHMETHOD_CONTAINS_IGNORE_CASE); + const query = new ProjectQuery(); + const nameQuery = new ProjectNameQuery(); + nameQuery.setName(value); + query.setNameQuery(nameQuery); switch (this.autocompleteType) { case ProjectAutocompleteType.PROJECT_GRANTED: - return from(this.mgmtService.SearchGrantedProjects(10, 0, [query])); + return from(this.mgmtService.listGrantedProjects(10, 0, [query])); case ProjectAutocompleteType.PROJECT_OWNED: - return from(this.mgmtService.SearchProjects(10, 0, [query])); + return from(this.mgmtService.listProjects(10, 0, [query])); default: return forkJoin([ - from(this.mgmtService.SearchGrantedProjects(10, 0, [query])), - from(this.mgmtService.SearchProjects(10, 0, [query])), + from(this.mgmtService.listGrantedProjects(10, 0, [query])), + from(this.mgmtService.listProjects(10, 0, [query])), ]); } }), 
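Review bot: The new `ProjectNameQuery` only gets `setName(value)`, while the removed code asked for `SEARCHMETHOD_CONTAINS_IGNORE_CASE`. If the generated message has a method field whose zero value means an exact match (not visible here), the autocomplete will return results only once the full project name is typed. The `RoleDisplayNameQuery` built in search-roles-autocomplete.component.ts has the same gap, whereas the user autocomplete does set `TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE`. Assuming the setter exists on this message, add `nameQuery.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE);` together with the matching import. The enclosing `switchMap` pipeline starts above the hunk.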
@@ -77,19 +70,19 @@ export class SearchProjectAutocompleteComponent implements OnDestroy { switch (this.autocompleteType) { case ProjectAutocompleteType.PROJECT_GRANTED: this.isLoading = false; - this.filteredProjects = [...(returnValue as ProjectGrantSearchResponse).toObject().resultList]; + this.filteredProjects = [...(returnValue as ListProjectGrantsResponse.AsObject).resultList]; break; case ProjectAutocompleteType.PROJECT_OWNED: this.isLoading = false; - this.filteredProjects = [...(returnValue as ProjectSearchResponse).toObject().resultList]; + this.filteredProjects = [...(returnValue as ListProjectsResponse.AsObject).resultList]; break; default: this.isLoading = false; this.filteredProjects = [ - ...(returnValue as (ProjectSearchResponse | ProjectGrantSearchResponse)[])[0] - .toObject().resultList, - ...(returnValue as (ProjectSearchResponse | ProjectGrantSearchResponse)[])[1] - .toObject().resultList, + ...(returnValue as (ListProjectsResponse.AsObject | ListProjectGrantsResponse.AsObject)[])[0] + .resultList, + ...(returnValue as (ListProjectsResponse.AsObject | ListProjectGrantsResponse.AsObject)[])[1] + .resultList, ]; break; } @@ -133,7 +126,7 @@ export class SearchProjectAutocompleteComponent implements OnDestroy { } } - public remove(project: ProjectGrantView.AsObject): void { + public remove(project: GrantedProject.AsObject): void { const index = this.projects.indexOf(project); if (index >= 0) { diff --git a/console/src/app/modules/search-roles-autocomplete/search-roles-autocomplete.component.ts b/console/src/app/modules/search-roles-autocomplete/search-roles-autocomplete.component.ts index f97568a0aa..ec69459ca5 100644 --- a/console/src/app/modules/search-roles-autocomplete/search-roles-autocomplete.component.ts +++ b/console/src/app/modules/search-roles-autocomplete/search-roles-autocomplete.component.ts 
@@ -5,12 +5,7 @@ import { MatAutocomplete, MatAutocompleteSelectedEvent } from '@angular/material import { MatChipInputEvent } from '@angular/material/chips'; import { from, Subject } from 'rxjs'; import { debounceTime, switchMap, takeUntil, tap } from 'rxjs/operators'; -import { - ProjectRole, - ProjectRoleSearchKey, - ProjectRoleSearchQuery, - SearchMethod, -} from 'src/app/proto/generated/management_pb'; +import { Role, RoleDisplayNameQuery, RoleQuery } from 'src/app/proto/generated/zitadel/project_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; @@ -26,14 +21,14 @@ export class SearchRolesAutocompleteComponent implements OnDestroy { public separatorKeysCodes: number[] = [ENTER, COMMA]; public myControl: FormControl = new FormControl(); public names: string[] = []; - public roles: Array = []; - public filteredRoles: Array = []; + public roles: Array = []; + public filteredRoles: Array = []; public isLoading: boolean = false; @ViewChild('nameInput') public nameInput!: ElementRef; @ViewChild('auto') public matAutocomplete!: MatAutocomplete; @Input() public projectId: string = ''; @Input() public singleOutput: boolean = false; - @Output() public selectionChanged: EventEmitter = new EventEmitter(); + @Output() public selectionChanged: EventEmitter = new EventEmitter(); private unsubscribed$: Subject = new Subject(); constructor(private mgmtService: ManagementService) { 
@@ -43,15 +38,21 @@ export class SearchRolesAutocompleteComponent implements OnDestroy { debounceTime(200), tap(() => this.isLoading = true), switchMap(value => { - const query = new ProjectRoleSearchQuery(); - query.setKey(ProjectRoleSearchKey.PROJECTROLESEARCHKEY_DISPLAY_NAME); - query.setMethod(SearchMethod.SEARCHMETHOD_CONTAINS_IGNORE_CASE); - query.setValue(value); - return from(this.mgmtService.SearchProjectRoles(this.projectId, 10, 0, [query])); + const query = new RoleQuery(); + + // const key = new RoleKeyQuery(); + // key.setKey(key) + // query.setKey(key) + + const dQuery = new RoleDisplayNameQuery(); + dQuery.setDisplayName(value); + query.setDisplayNameQuery(dQuery); + + return from(this.mgmtService.listProjectRoles(this.projectId, 10, 0, [query])); }), - ).subscribe((roles) => { + ).subscribe((resp) => { this.isLoading = false; - this.filteredRoles = roles.toObject().resultList; + this.filteredRoles = resp.resultList; }, error => { this.isLoading = false; }); @@ -61,7 +62,7 @@ export class SearchRolesAutocompleteComponent implements OnDestroy { this.unsubscribed$.next(); } - public displayFn(project?: ProjectRole.AsObject): string | undefined { + public displayFn(project?: Role.AsObject): string | undefined { return project ? `${project.displayName}` : undefined; } @@ -91,7 +92,7 @@ export class SearchRolesAutocompleteComponent implements OnDestroy { } } - public remove(role: ProjectRole.AsObject): void { + public remove(role: Role.AsObject): void { const index = this.roles.indexOf(role); if (index >= 0) { diff --git a/console/src/app/modules/search-user-autocomplete/search-user-autocomplete.component.ts b/console/src/app/modules/search-user-autocomplete/search-user-autocomplete.component.ts index d4809db3e4..524acad866 100644 --- a/console/src/app/modules/search-user-autocomplete/search-user-autocomplete.component.ts +++ b/console/src/app/modules/search-user-autocomplete/search-user-autocomplete.component.ts 
@@ -15,7 +15,8 @@ import { MatAutocomplete, MatAutocompleteSelectedEvent } from '@angular/material import { MatChipInputEvent } from '@angular/material/chips'; import { from, of, Subject } from 'rxjs'; import { debounceTime, switchMap, takeUntil, tap } from 'rxjs/operators'; -import { SearchMethod, UserSearchKey, UserSearchQuery, UserView } from 'src/app/proto/generated/management_pb'; +import { TextQueryMethod } from 'src/app/proto/generated/zitadel/object_pb'; +import { SearchQuery, User, UserNameQuery } from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -39,15 +40,15 @@ export class SearchUserAutocompleteComponent implements OnInit, AfterContentChec public globalLoginNameControl: FormControl = new FormControl(); public loginNames: string[] = []; - @Input() public users: Array = []; - public filteredUsers: Array = []; + @Input() public users: Array = []; + public filteredUsers: Array = []; public isLoading: boolean = false; @Input() public target: UserTarget = UserTarget.SELF; public hint: string = ''; public UserTarget: any = UserTarget; @ViewChild('usernameInput') public usernameInput!: ElementRef; @ViewChild('auto') public matAutocomplete!: MatAutocomplete; - @Output() public selectionChanged: EventEmitter = new EventEmitter(); + @Output() public selectionChanged: EventEmitter = new EventEmitter(); @Input() public singleOutput: boolean = false; private unsubscribed$: Subject = new Subject(); 
@@ -71,14 +72,15 @@ export class SearchUserAutocompleteComponent implements OnInit, AfterContentChec takeUntil(this.unsubscribed$), tap(() => this.isLoading = true), switchMap(value => { - const query = new UserSearchQuery(); - query.setKey(UserSearchKey.USERSEARCHKEY_USER_NAME); - query.setValue(value); - query.setMethod(SearchMethod.SEARCHMETHOD_CONTAINS_IGNORE_CASE); + const query = new SearchQuery(); + const unQuery = new UserNameQuery(); + unQuery.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE); + query.setUserNameQuery(value); + if (this.target === UserTarget.SELF) { - return from(this.userService.SearchUsers(10, 0, [query])); + return from(this.userService.listUsers(10, 0, [query])); } else { - return of(); // from(this.userService.GetUserByEmailGlobal(value)); + return of(); } }), ).subscribe((userresp: any) => { @@ -89,7 +91,7 @@ export class SearchUserAutocompleteComponent implements OnInit, AfterContentChec }); } - public displayFn(user?: UserView.AsObject): string | undefined { + public displayFn(user?: User.AsObject): string | undefined { return user ? `${user.preferredLoginName}` : undefined; } @@ -119,7 +121,7 @@ export class SearchUserAutocompleteComponent implements OnInit, AfterContentChec } } - public remove(user: UserView.AsObject): void { + public remove(user: User.AsObject): void { const index = this.users.indexOf(user); if (index >= 0) { 
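Review bot: `query.setUserNameQuery(value)` passes the raw input string where the `UserNameQuery` message is expected, and `unQuery` is built, given a method, and then never used. As written, the search term never reaches `unQuery`, so the request carries either no usable filter or a malformed one. The two lines should presumably read `unQuery.setUserName(value);` and `query.setUserNameQuery(unQuery);`, with the setter name to be confirmed against the generated `user_pb`. Separately, the `else` branch returns `of()`, which emits nothing, so `isLoading` stays `true` for non-SELF targets. The surrounding pipeline starts above the hunk.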
@@ -163,12 +165,12 @@ export class SearchUserAutocompleteComponent implements OnInit, AfterContentChec } public getGlobalUser(): void { - this.userService.GetUserByLoginNameGlobal(this.globalLoginNameControl.value).then(user => { - if (this.singleOutput) { - this.users = [user.toObject()]; + this.userService.getUserByLoginNameGlobal(this.globalLoginNameControl.value).then(resp => { + if (this.singleOutput && resp.user) { + this.users = [resp.user]; this.selectionChanged.emit(this.users[0]); - } else { - this.users.push(user.toObject()); + } else if (resp.user) { + this.users.push(resp.user); this.selectionChanged.emit(this.users); } }).catch(error => { diff --git a/console/src/app/modules/show-key-dialog/show-key-dialog.component.html b/console/src/app/modules/show-key-dialog/show-key-dialog.component.html index bf0bdde670..0064ae1c3b 100644 --- a/console/src/app/modules/show-key-dialog/show-key-dialog.component.html +++ b/console/src/app/modules/show-key-dialog/show-key-dialog.component.html @@ -1,23 +1,22 @@ {{'USER.MACHINE.ADDED.TITLE' | translate}}

{{'USER.MACHINE.ADDED.DESCRIPTION' | translate}}

- +

{{'USER.MACHINE.ID' | translate}}

-

{{addedKey?.id}}

-
-
-

{{'USER.MACHINE.TYPE' | translate}}

-

{{'USER.MACHINE.KEYTYPES.'+addedKey?.type | translate}}

+

{{keyResponse?.keyId}}

+

{{'USER.MACHINE.CREATIONDATE' | translate}}

-

{{addedKey?.creationDate | timestampToDate | localizedDate: 'EEE dd. MMM YYYY, HH:mm' }} +

{{keyResponse?.details?.creationDate | timestampToDate | localizedDate: 'EEE dd. MMM YYYY, + HH:mm' }}

{{'USER.MACHINE.EXPIRATIONDATE' | translate}}

-

{{addedKey?.expirationDate | timestampToDate | localizedDate: 'EEE dd. MMM YYYY, HH:mm'}} +

{{keyResponse?.details.expirationDate | timestampToDate | localizedDate: 'EEE dd. MMM YYYY, + HH:mm'}}
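Review bot: The expiration binding reads `keyResponse?.details.expirationDate`, without the safe navigation after `details` that the creation-date binding just above uses in `keyResponse?.details?.creationDate`. If `details` is absent, this expression throws during change detection instead of rendering empty, so use `keyResponse?.details?.expirationDate`. It is also worth confirming that the expiration date is carried under `details` in the new response at all; the removed binding read it from the top level of the key object, and the response type is not visible here.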

diff --git a/console/src/app/modules/show-key-dialog/show-key-dialog.component.ts b/console/src/app/modules/show-key-dialog/show-key-dialog.component.ts index cc45b76c7a..531f8de6aa 100644 --- a/console/src/app/modules/show-key-dialog/show-key-dialog.component.ts +++ b/console/src/app/modules/show-key-dialog/show-key-dialog.component.ts @@ -1,7 +1,7 @@ import { Component, Inject } from '@angular/core'; import { MAT_DIALOG_DATA, MatDialogRef } from '@angular/material/dialog'; import { saveAs } from 'file-saver'; -import { AddMachineKeyResponse } from 'src/app/proto/generated/management_pb'; +import { AddMachineKeyResponse } from 'src/app/proto/generated/zitadel/management_pb'; @Component({ selector: 'app-show-key-dialog', @@ -9,19 +9,19 @@ import { AddMachineKeyResponse } from 'src/app/proto/generated/management_pb'; styleUrls: ['./show-key-dialog.component.scss'], }) export class ShowKeyDialogComponent { - public addedKey!: AddMachineKeyResponse.AsObject; + public keyResponse!: AddMachineKeyResponse.AsObject; constructor( public dialogRef: MatDialogRef, @Inject(MAT_DIALOG_DATA) public data: any, ) { - this.addedKey = data.key; + this.keyResponse = data.key; } public saveFile(): void { - const json = atob(this.addedKey.keyDetails.toString()); + const json = atob(this.keyResponse.keyDetails.toString()); const blob = new Blob([json], { type: 'text/plain;charset=utf-8' }); - saveAs(blob, `${this.addedKey.id}.json`); + saveAs(blob, `${this.keyResponse.keyId}.json`); } public closeDialog(): void { diff --git a/console/src/app/modules/user-grants/user-grants-datasource.ts b/console/src/app/modules/user-grants/user-grants-datasource.ts index c01cbcb2ca..ddb4a3ad6c 100644 --- a/console/src/app/modules/user-grants/user-grants-datasource.ts +++ b/console/src/app/modules/user-grants/user-grants-datasource.ts 
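Review bot: `saveFile()` passes `this.keyResponse.keyDetails.toString()` straight to `atob`, with no guard for `keyDetails` being absent or not a base64 string. If the generated `AsObject` types this bytes field as `Uint8Array | string` (not visible here), `toString()` on the array form yields comma-separated numbers and `atob` throws. This dialog appears to be where the machine key is handed to the user, so a failed download should surface an error rather than fail silently. Wrap the decode in a `try`/`catch` that reports the failure, and type the injected `data` instead of `any` so a wrong payload shape is caught at compile time.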
@@ -2,14 +2,14 @@ import { DataSource } from '@angular/cdk/collections'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; +import { ListUserGrantResponse } from 'src/app/proto/generated/zitadel/management_pb'; import { - SearchMethod, UserGrant, - UserGrantSearchKey, - UserGrantSearchQuery, - UserGrantSearchResponse, - UserGrantView, -} from 'src/app/proto/generated/management_pb'; + UserGrantProjectGrantIDQuery, + UserGrantProjectIDQuery, + UserGrantQuery, + UserGrantUserIDQuery, +} from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; export enum UserGrantContext { @@ -23,7 +23,7 @@ export class UserGrantsDataSource extends DataSource { public totalResult: number = 0; public viewTimestamp!: Timestamp.AsObject; - public grantsSubject: BehaviorSubject = new BehaviorSubject([]); + public grantsSubject: BehaviorSubject = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); 
@@ -40,40 +40,44 @@ export class UserGrantsDataSource extends DataSource { grantId?: string; userId?: string; }, - queries?: UserGrantSearchQuery[], + queries?: UserGrantQuery[], ): void { switch (context) { case UserGrantContext.USER: if (data && data.userId) { this.loadingSubject.next(true); - const userfilter = new UserGrantSearchQuery(); - userfilter.setKey(UserGrantSearchKey.USERGRANTSEARCHKEY_USER_ID); - userfilter.setMethod(SearchMethod.SEARCHMETHOD_EQUALS); - userfilter.setValue(data.userId); + + const userfilter = new UserGrantQuery(); + const ugUiq = new UserGrantUserIDQuery(); + ugUiq.setUserId(data.userId); + userfilter.setUserIdQuery(ugUiq); + if (queries) { queries.push(userfilter); } else { queries = [userfilter]; } - const promise = this.userService.SearchUserGrants(pageSize, pageSize * pageIndex, queries); + const promise = this.userService.listUserGrants(pageSize, pageSize * pageIndex, queries); this.loadResponse(promise); } break; case UserGrantContext.OWNED_PROJECT: if (data && data.projectId) { this.loadingSubject.next(true); - const projectfilter = new UserGrantSearchQuery(); - projectfilter.setKey(UserGrantSearchKey.USERGRANTSEARCHKEY_PROJECT_ID); - projectfilter.setMethod(SearchMethod.SEARCHMETHOD_EQUALS); - projectfilter.setValue(data.projectId); + + const projectfilter = new UserGrantQuery(); + const ugPfq = new UserGrantProjectIDQuery(); + ugPfq.setProjectId(data.projectId); + projectfilter.setProjectIdQuery(ugPfq); + if (queries) { queries.push(projectfilter); } else { queries = [projectfilter]; } - const promise1 = this.userService.SearchUserGrants(pageSize, pageSize * pageIndex, queries); + const promise1 = this.userService.listUserGrants(pageSize, pageSize * pageIndex, queries); this.loadResponse(promise1); } break; 
@@ -81,43 +85,45 @@ export class UserGrantsDataSource extends DataSource { if (data && data.grantId && data.projectId) { this.loadingSubject.next(true); - const grantquery: UserGrantSearchQuery = new UserGrantSearchQuery(); - grantquery.setKey(UserGrantSearchKey.USERGRANTSEARCHKEY_GRANT_ID); - grantquery.setMethod(SearchMethod.SEARCHMETHOD_EQUALS); - grantquery.setValue(data.grantId); + const grantfilter = new UserGrantQuery(); - const projectfilter = new UserGrantSearchQuery(); - projectfilter.setKey(UserGrantSearchKey.USERGRANTSEARCHKEY_PROJECT_ID); - projectfilter.setValue(data.projectId); + const uggiq = new UserGrantProjectGrantIDQuery(); + uggiq.setProjectGrantId(data.grantId); + grantfilter.setProjectGrantIdQuery(uggiq); + + const projectfilter = new UserGrantQuery(); + const ugPfq = new UserGrantProjectIDQuery(); + ugPfq.setProjectId(data.projectId); + projectfilter.setProjectIdQuery(ugPfq); if (queries) { - queries.push(projectfilter); - queries.push(grantquery); + queries.push(grantfilter); } else { - queries = [projectfilter, grantquery]; + queries = [grantfilter]; } - const promise2 = this.userService.SearchUserGrants(pageSize, pageSize * pageIndex, queries); + const promise2 = this.userService.listUserGrants(pageSize, pageSize * pageIndex, queries); this.loadResponse(promise2); } break; default: this.loadingSubject.next(true); - const promise3 = this.userService.SearchUserGrants(pageSize, pageSize * pageIndex, queries ?? []); + const promise3 = this.userService.listUserGrants(pageSize, pageSize * pageIndex, queries ?? 
[]); this.loadResponse(promise3); break; } } - private loadResponse(promise: Promise): void { + private loadResponse(promise: Promise): void { from(promise).pipe( map(resp => { - const response = resp.toObject(); - this.totalResult = response.totalResult; - if (response.viewTimestamp) { - this.viewTimestamp = response.viewTimestamp; + if (resp.details?.totalResult) { + this.totalResult = resp.details.totalResult; } - return response.resultList; + if (resp.details?.viewTimestamp) { + this.viewTimestamp = resp.details.viewTimestamp; + } + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), @@ -132,7 +138,7 @@ export class UserGrantsDataSource extends DataSource { * the returned stream emits new items. * @returns A stream of the items to be rendered. */ - public connect(): Observable { + public connect(): Observable { return this.grantsSubject.asObservable(); } diff --git a/console/src/app/modules/user-grants/user-grants.component.html b/console/src/app/modules/user-grants/user-grants.component.html index 85e77309e5..5fe6e401e1 100644 --- a/console/src/app/modules/user-grants/user-grants.component.html +++ b/console/src/app/modules/user-grants/user-grants.component.html @@ -1,9 +1,9 @@ - + + [placeholder]="('USER.TABLE.FILTER.' + userGrantListSearchKey.toString()) | translate" #input> \ No newline at end of file diff --git a/console/src/app/modules/user-grants/user-grants.component.ts b/console/src/app/modules/user-grants/user-grants.component.ts index 9263d85fc6..74a056fa9b 100644 --- a/console/src/app/modules/user-grants/user-grants.component.ts +++ b/console/src/app/modules/user-grants/user-grants.component.ts 
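Review bot: In the branch guarded by `data.grantId && data.projectId`, the new `projectfilter` (a `UserGrantProjectIDQuery` on `data.projectId`) is built but never added to `queries`; only `grantfilter` is pushed, whereas the removed code pushed both filters. The listing is therefore scoped by project grant id alone. If that is intended, drop the dead `projectfilter` lines; otherwise restore `queries.push(projectfilter, grantfilter)` and `queries = [projectfilter, grantfilter]`. Separately, `loadResponse` only assigns `totalResult` when `resp.details?.totalResult` is truthy, so an empty result keeps the previous count; `this.totalResult = resp.details?.totalResult ?? 0;` avoids that, and `loadMembers` in iam.component.ts has the same pattern. The enclosing `switch` starts above this hunk.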
@@ -6,19 +6,27 @@ import { MatSelectChange } from '@angular/material/select'; import { MatTable } from '@angular/material/table'; import { tap } from 'rxjs/operators'; import { enterAnimations } from 'src/app/animations'; +import { TextQueryMethod } from 'src/app/proto/generated/zitadel/object_pb'; +import { Role } from 'src/app/proto/generated/zitadel/project_pb'; import { - ProjectRoleView, - SearchMethod, UserGrant, - UserGrantSearchKey, - UserGrantSearchQuery, - UserGrantView, -} from 'src/app/proto/generated/management_pb'; + UserGrantDisplayNameQuery, + UserGrantOrgNameQuery, + UserGrantProjectNameQuery, + UserGrantQuery, + UserGrantRoleKeyQuery, +} from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; import { UserGrantContext, UserGrantsDataSource } from './user-grants-datasource'; +export enum UserGrantListSearchKey { + DISPLAY_NAME, + ORG_NAME, + PROJECT_NAME, + ROLE_KEY, +} @Component({ selector: 'app-user-grants', templateUrl: './user-grants.component.html', 
@@ -28,17 +36,17 @@ import { UserGrantContext, UserGrantsDataSource } from './user-grants-datasource ], }) export class UserGrantsComponent implements OnInit, AfterViewInit { - public userGrantSearchKey: UserGrantSearchKey | undefined = undefined; - public UserGrantSearchKey: any = UserGrantSearchKey; + public userGrantListSearchKey: UserGrantListSearchKey | undefined = undefined; + public UserGrantListSearchKey: any = UserGrantListSearchKey; public INITIAL_PAGE_SIZE: number = 50; @Input() context: UserGrantContext = UserGrantContext.NONE; @Input() refreshOnPreviousRoutes: string[] = []; public dataSource!: UserGrantsDataSource; - public selection: SelectionModel = new SelectionModel(true, []); + public selection: SelectionModel = new SelectionModel(true, []); @ViewChild(MatPaginator) public paginator!: MatPaginator; - @ViewChild(MatTable) public table!: MatTable; + @ViewChild(MatTable) public table!: MatTable; @Input() disableWrite: boolean = false; @Input() disableDelete: boolean = false; @@ -49,7 +57,7 @@ export class UserGrantsComponent implements OnInit, AfterViewInit { @ViewChild('input') public filter!: MatInput; public grantRoleOptions: string[] = []; - public projectRoleOptions: ProjectRoleView.AsObject[] = []; + public projectRoleOptions: Role.AsObject[] = []; public routerLink: any = ['']; public loadedGrantId: string = ''; 
@@ -106,12 +114,36 @@ export class UserGrantsComponent implements OnInit, AfterViewInit { } private loadGrantsPage(filterValue?: string): void { - let queries: UserGrantSearchQuery[] = []; - if (this.userGrantSearchKey !== undefined && filterValue) { - const query = new UserGrantSearchQuery(); - query.setKey(this.userGrantSearchKey); - query.setMethod(SearchMethod.SEARCHMETHOD_CONTAINS_IGNORE_CASE); - query.setValue(filterValue); + let queries: UserGrantQuery[] = []; + if (this.userGrantListSearchKey !== undefined && filterValue) { + const query = new UserGrantQuery(); + switch (this.userGrantListSearchKey) { + case UserGrantListSearchKey.DISPLAY_NAME: + const ugDnQ = new UserGrantDisplayNameQuery(); + ugDnQ.setDisplayName(filterValue); + ugDnQ.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE); + query.setDisplayNameQuery(ugDnQ); + break; + case UserGrantListSearchKey.ORG_NAME: + const ugOnQ = new UserGrantOrgNameQuery(); + ugOnQ.setOrgName(filterValue); + ugOnQ.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE); + query.setOrgNameQuery(ugOnQ); + break; + case UserGrantListSearchKey.PROJECT_NAME: + const ugPnQ = new UserGrantProjectNameQuery(); + ugPnQ.setProjectName(filterValue); + ugPnQ.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE); + query.setProjectNameQuery(ugPnQ); + break; + case UserGrantListSearchKey.ROLE_KEY: + const ugRkQ = new UserGrantRoleKeyQuery(); + ugRkQ.setRoleKey(filterValue); + ugRkQ.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE); + query.setRoleKeyQuery(ugRkQ); + break; + + } queries = [query]; } 
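Review bot: The `switch` on `this.userGrantListSearchKey` has no `default`, so a key without a matching case still reaches `queries = [query]` and sends a `UserGrantQuery` with no sub-query set. Assigning `queries = [query]` inside each case, or adding `default: break;` and only assigning when a sub-query was set, keeps an unhandled key from producing an empty filter. The `const` declarations directly under each `case` also share the whole switch scope; wrapping each case body in `{ ... }` confines them. `loadGrantsPage` continues past the end of this hunk.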
@@ -140,8 +172,8 @@ export class UserGrantsComponent implements OnInit, AfterViewInit { this.dataSource.grantsSubject.value.forEach(row => this.selection.select(row)); } - public loadGrantOptions(grant: UserGrantView.AsObject): void { - this.grantToEdit = grant.id; + public loadGrantOptions(grant: UserGrant.AsObject): void { + this.grantToEdit = grant.grantId; if (grant.grantId && grant.projectId) { this.getGrantRoleOptions(grant.grantId, grant.projectId); } else if (grant.projectId) { @@ -150,23 +182,25 @@ export class UserGrantsComponent implements OnInit, AfterViewInit { } private getGrantRoleOptions(grantId: string, projectId: string): void { - this.mgmtService.GetGrantedProjectByID(projectId, grantId).then(resp => { - this.loadedGrantId = grantId; - this.grantRoleOptions = resp.toObject().roleKeysList; + this.mgmtService.getGrantedProjectByID(projectId, grantId).then(resp => { + if (resp.grantedProject) { + this.loadedGrantId = grantId; + this.grantRoleOptions = resp.grantedProject?.grantedRoleKeysList; + } }).catch(error => { this.toast.showError(error); }); } private getProjectRoleOptions(projectId: string): void { - this.mgmtService.SearchProjectRoles(projectId, 100, 0).then(resp => { + this.mgmtService.listProjectRoles(projectId, 100, 0).then(resp => { this.loadedProjectId = projectId; - this.projectRoleOptions = resp.toObject().resultList; + this.projectRoleOptions = resp.resultList; }); } updateRoles(grant: UserGrant.AsObject, selectionChange: MatSelectChange): void { - this.userService.UpdateUserGrant(grant.id, grant.userId, selectionChange.value) + this.userService.updateUserGrant(grant.grantId, grant.userId, selectionChange.value) .then(() => { this.toast.showInfo('GRANTS.TOAST.UPDATED', true); }).catch(error => { 
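Review bot: `grant.grantId` now serves two roles that the removed code kept apart. It is the user grant's own id in `this.grantToEdit = grant.grantId` and `updateUserGrant(grant.grantId, ...)` (previously `grant.id`), and it is still the project grant id in `getGrantRoleOptions(grant.grantId, grant.projectId)`. Unless the new `UserGrant` message really has a single field for both, one of these uses targets the wrong id, and an update or removal could be sent for an id that is not the user grant; please check the generated `UserGrant.AsObject`. The same substitution appears in `deleteGrantSelection` in the next hunk (`bulkRemoveUserGrant(... grant.grantId)` and the `findIndex` comparison).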
@@ -175,11 +209,11 @@ export class UserGrantsComponent implements OnInit, AfterViewInit { } deleteGrantSelection(): void { - this.userService.BulkRemoveUserGrant(this.selection.selected.map(grant => grant.id)).then(() => { + this.userService.bulkRemoveUserGrant(this.selection.selected.map(grant => grant.grantId)).then(() => { this.toast.showInfo('GRANTS.TOAST.BULKREMOVED', true); const data = this.dataSource.grantsSubject.getValue(); this.selection.selected.forEach((item) => { - const index = data.findIndex(i => i.id === item.id); + const index = data.findIndex(i => i.grantId === item.grantId); if (index > -1) { data.splice(index, 1); this.dataSource.grantsSubject.next(data); @@ -211,17 +245,17 @@ export class UserGrantsComponent implements OnInit, AfterViewInit { this.loadGrantsPage(filterValue); } - public setFilter(key: UserGrantSearchKey): void { + public setFilter(key: UserGrantListSearchKey): void { setTimeout(() => { if (this.filter) { (this.filter as any).nativeElement.focus(); } }, 100); - if (this.userGrantSearchKey !== key) { - this.userGrantSearchKey = key; + if (this.userGrantListSearchKey !== key) { + this.userGrantListSearchKey = key; } else { - this.userGrantSearchKey = undefined; + this.userGrantListSearchKey = undefined; this.loadGrantsPage(); } } diff --git a/console/src/app/pages/iam/failed-events/failed-events.component.ts b/console/src/app/pages/iam/failed-events/failed-events.component.ts index e76a28428b..f971a5e543 100644 --- a/console/src/app/pages/iam/failed-events/failed-events.component.ts +++ b/console/src/app/pages/iam/failed-events/failed-events.component.ts 
@@ -3,7 +3,7 @@ import { MatPaginator } from '@angular/material/paginator'; import { MatTableDataSource } from '@angular/material/table'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; -import { FailedEvent } from 'src/app/proto/generated/admin_pb'; +import { FailedEvent } from 'src/app/proto/generated/zitadel/admin_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -32,13 +32,9 @@ export class FailedEventsComponent implements AfterViewInit { public loadEvents(): void { this.loadingSubject.next(true); - from(this.adminService.GetFailedEvents()).pipe( + from(this.adminService.listFailedEvents()).pipe( map(resp => { - const response = resp.toObject(); - // if (response.viewTimestamp) { - // this.viewTimestamp = response.viewTimestamp; - // } - return response.failedEventsList; + return resp?.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), @@ -49,7 +45,7 @@ export class FailedEventsComponent implements AfterViewInit { } public cancelEvent(viewname: string, db: string, seq: number): void { - this.adminService.RemoveFailedEvent(viewname, db, seq).then(() => { + this.adminService.removeFailedEvent(viewname, db, seq).then(() => { this.toast.showInfo('IAM.FAILEDEVENTS.DELETESUCCESS', true); }); } diff --git a/console/src/app/pages/iam/iam-members/iam-members-datasource.ts b/console/src/app/pages/iam/iam-members/iam-members-datasource.ts index 7aca1514ae..f6b684253c 100644 --- a/console/src/app/pages/iam/iam-members/iam-members-datasource.ts +++ b/console/src/app/pages/iam/iam-members/iam-members-datasource.ts 
@@ -2,7 +2,7 @@ import { DataSource } from '@angular/cdk/collections'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; -import { IamMemberView } from 'src/app/proto/generated/admin_pb'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; import { AdminService } from 'src/app/services/admin.service'; /** @@ -10,10 +10,10 @@ import { AdminService } from 'src/app/services/admin.service'; * encapsulate all logic for fetching and manipulating the displayed data * (including sorting, pagination, and filtering). */ -export class IamMembersDataSource extends DataSource { +export class IamMembersDataSource extends DataSource { public totalResult: number = 0; public viewTimestamp!: Timestamp.AsObject; - public membersSubject: BehaviorSubject = new BehaviorSubject([]); + public membersSubject: BehaviorSubject = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); @@ -27,14 +27,13 @@ export class IamMembersDataSource extends DataSource { this.loadingSubject.next(true); - from(this.adminService.SearchIamMembers(pageSize, offset)).pipe( + from(this.adminService.listIAMMembers(pageSize, offset)).pipe( map(resp => { - const response = resp.toObject(); - this.totalResult = response.totalResult; - if (response.viewTimestamp) { - this.viewTimestamp = response.viewTimestamp; + this.totalResult = resp.details?.totalResult || 0; + if (resp.details?.viewTimestamp) { + this.viewTimestamp = resp.details?.viewTimestamp; } - return response.resultList; + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), 
@@ -49,7 +48,7 @@ export class IamMembersDataSource extends DataSource { * the returned stream emits new items. * @returns A stream of the items to be rendered. */ - public connect(): Observable { + public connect(): Observable { return this.membersSubject.asObservable(); } diff --git a/console/src/app/pages/iam/iam-members/iam-members.component.ts b/console/src/app/pages/iam/iam-members/iam-members.component.ts index 731a83dd87..c6d4257d72 100644 --- a/console/src/app/pages/iam/iam-members/iam-members.component.ts +++ b/console/src/app/pages/iam/iam-members/iam-members.component.ts @@ -3,8 +3,9 @@ import { MatDialog } from '@angular/material/dialog'; import { PageEvent } from '@angular/material/paginator'; import { MatSelectChange } from '@angular/material/select'; import { CreationType, MemberCreateDialogComponent } from 'src/app/modules/add-member-dialog/member-create-dialog.component'; -import { IamMember, IamMemberView } from 'src/app/proto/generated/admin_pb'; -import { ProjectMember, ProjectType, UserView } from 'src/app/proto/generated/management_pb'; +import { ProjectType } from 'src/app/modules/project-members/project-members.component'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; +import { User } from 'src/app/proto/generated/zitadel/user_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -23,7 +24,7 @@ export class IamMembersComponent { public memberRoleOptions: string[] = []; public changePageFactory!: Function; public changePage: EventEmitter = new EventEmitter(); - public selection: Array = []; + public selection: Array = []; constructor(private adminService: AdminService, private dialog: MatDialog, 
@@ -42,16 +43,16 @@ export class IamMembersComponent { } public getRoleOptions(): void { - this.adminService.GetIamMemberRoles().then(resp => { - this.memberRoleOptions = resp.toObject().rolesList; + this.adminService.listIAMMemberRoles().then(resp => { + this.memberRoleOptions = resp.rolesList; }).catch(error => { this.toast.showError(error); }); } - updateRoles(member: IamMemberView.AsObject, selectionChange: MatSelectChange): void { - this.adminService.ChangeIamMember(member.userId, selectionChange.value) - .then((newmember: IamMember) => { + updateRoles(member: Member.AsObject, selectionChange: MatSelectChange): void { + this.adminService.updateIAMMember(member.userId, selectionChange.value) + .then(() => { this.toast.showInfo('ORG.TOAST.MEMBERCHANGED', true); }).catch(error => { this.toast.showError(error); @@ -60,7 +61,7 @@ export class IamMembersComponent { public removeMemberSelection(): void { Promise.all(this.selection.map(member => { - return this.adminService.RemoveIamMember(member.userId).then(() => { + return this.adminService.removeIAMMember(member.userId).then(() => { this.toast.showInfo('IAM.TOAST.MEMBERREMOVED', true); this.changePage.emit(); }).catch(error => { @@ -69,8 +70,8 @@ export class IamMembersComponent { })); } - public removeMember(member: ProjectMember.AsObject): void { - this.adminService.RemoveIamMember(member.userId).then(() => { + public removeMember(member: Member.AsObject): void { + this.adminService.removeIAMMember(member.userId).then(() => { this.toast.showInfo('IAM.TOAST.MEMBERREMOVED', true); setTimeout(() => { this.changePage.emit(); 
@@ -90,12 +91,12 @@ export class IamMembersComponent { dialogRef.afterClosed().subscribe(resp => { if (resp) { - const users: UserView.AsObject[] = resp.users; + const users: User.AsObject[] = resp.users; const roles: string[] = resp.roles; if (users && users.length && roles && roles.length) { Promise.all(users.map(user => { - return this.adminService.AddIamMember(user.id, roles); + return this.adminService.addIAMMember(user.id, roles); })).then(() => { this.toast.showInfo('IAM.TOAST.MEMBERADDED', true); setTimeout(() => { diff --git a/console/src/app/pages/iam/iam-views/iam-views.component.ts b/console/src/app/pages/iam/iam-views/iam-views.component.ts index c1f07a3fb5..fef8432e61 100644 --- a/console/src/app/pages/iam/iam-views/iam-views.component.ts +++ b/console/src/app/pages/iam/iam-views/iam-views.component.ts @@ -6,7 +6,7 @@ import { MatTableDataSource } from '@angular/material/table'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; -import { View } from 'src/app/proto/generated/admin_pb'; +import { View } from 'src/app/proto/generated/zitadel/admin_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -35,9 +35,9 @@ export class IamViewsComponent implements AfterViewInit { public loadViews(): void { this.loadingSubject.next(true); - from(this.adminService.GetViews()).pipe( + from(this.adminService.listViews()).pipe( map(resp => { - return resp.toObject().viewsList; + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), 
@@ -61,7 +61,7 @@ export class IamViewsComponent implements AfterViewInit { dialogRef.afterClosed().subscribe(resp => { if (resp) { - this.adminService.ClearView(viewname, db).then(() => { + this.adminService.clearView(viewname, db).then(() => { this.toast.showInfo('IAM.VIEWS.CLEARED', true); this.loadViews(); }).catch(error => { diff --git a/console/src/app/pages/iam/iam.component.ts b/console/src/app/pages/iam/iam.component.ts index 55d248c5d0..ad4a4eedff 100644 --- a/console/src/app/pages/iam/iam.component.ts +++ b/console/src/app/pages/iam/iam.component.ts @@ -6,7 +6,8 @@ import { catchError, finalize, map } from 'rxjs/operators'; import { CreationType, MemberCreateDialogComponent } from 'src/app/modules/add-member-dialog/member-create-dialog.component'; import { PolicyComponentServiceType } from 'src/app/modules/policies/policy-component-types.enum'; import { PolicyGridType } from 'src/app/modules/policy-grid/policy-grid.component'; -import { OrgMemberView, UserView } from 'src/app/proto/generated/management_pb'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; +import { User } from 'src/app/proto/generated/zitadel/user_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -20,8 +21,8 @@ export class IamComponent { private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); public totalMemberResult: number = 0; - public membersSubject: BehaviorSubject - = new BehaviorSubject([]); + public membersSubject: BehaviorSubject + = new BehaviorSubject([]); public PolicyGridType: any = PolicyGridType; 
@@ -32,10 +33,12 @@ export class IamComponent { public loadMembers(): void { this.loadingSubject.next(true); - from(this.adminService.SearchIamMembers(100, 0)).pipe( + from(this.adminService.listIAMMembers(100, 0)).pipe( map(resp => { - this.totalMemberResult = resp.toObject().totalResult; - return resp.toObject().resultList; + if (resp.details?.totalResult) { + this.totalMemberResult = resp.details.totalResult; + } + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), @@ -54,12 +57,12 @@ export class IamComponent { dialogRef.afterClosed().subscribe(resp => { if (resp) { - const users: UserView.AsObject[] = resp.users; + const users: User.AsObject[] = resp.users; const roles: string[] = resp.roles; if (users && users.length && roles && roles.length) { Promise.all(users.map(user => { - return this.adminService.AddIamMember(user.id, roles); + return this.adminService.addIAMMember(user.id, roles); })).then(() => { this.toast.showInfo('IAM.TOAST.MEMBERADDED'); setTimeout(() => { diff --git a/console/src/app/pages/orgs/org-create/org-create.component.ts b/console/src/app/pages/orgs/org-create/org-create.component.ts index 5261a80d69..0ec3e1e08b 100644 --- a/console/src/app/pages/orgs/org-create/org-create.component.ts +++ b/console/src/app/pages/orgs/org-create/org-create.component.ts 
@@ -6,8 +6,9 @@ import { MatSlideToggleChange } from '@angular/material/slide-toggle'; import { Router } from '@angular/router'; import { take } from 'rxjs/operators'; import { lowerCaseValidator, numberValidator, symbolValidator, upperCaseValidator } from 'src/app/pages/validators'; -import { CreateHumanRequest, CreateOrgRequest, Gender, OrgSetUpResponse } from 'src/app/proto/generated/admin_pb'; -import { PasswordComplexityPolicy as MgmtPasswordComplexityPolicy } from 'src/app/proto/generated/management_pb'; +import { SetUpOrgRequest } from 'src/app/proto/generated/zitadel/admin_pb'; +import { PasswordComplexityPolicy } from 'src/app/proto/generated/zitadel/policy_pb'; +import { Gender } from 'src/app/proto/generated/zitadel/user_pb'; import { AdminService } from 'src/app/services/admin.service'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; import { ManagementService } from 'src/app/services/mgmt.service'; @@ -57,7 +58,7 @@ export class OrgCreateComponent { public genders: Gender[] = [Gender.GENDER_FEMALE, Gender.GENDER_MALE, Gender.GENDER_UNSPECIFIED]; public languages: string[] = ['de', 'en']; - public policy!: MgmtPasswordComplexityPolicy.AsObject; + public policy!: PasswordComplexityPolicy.AsObject; public usePassword: boolean = false; public forSelf: boolean = true; 
@@ -89,25 +90,29 @@ export class OrgCreateComponent { public currentCreateStep: number = 1; public finish(): void { - const createOrgRequest: CreateOrgRequest = new CreateOrgRequest(); + const createOrgRequest: SetUpOrgRequest.Org = new SetUpOrgRequest.Org(); createOrgRequest.setName(this.name?.value); createOrgRequest.setDomain(this.domain?.value); - const humanRequest: CreateHumanRequest = new CreateHumanRequest(); + const humanRequest: SetUpOrgRequest.Human = new SetUpOrgRequest.Human(); humanRequest.setEmail(this.email?.value); - humanRequest.setFirstName(this.firstName?.value); - humanRequest.setLastName(this.lastName?.value); - humanRequest.setNickName(this.nickName?.value); - humanRequest.setGender(this.gender?.value); - humanRequest.setPreferredLanguage(this.preferredLanguage?.value); + humanRequest.setUserName(this.userName?.value); + const profile: SetUpOrgRequest.Human.Profile = new SetUpOrgRequest.Human.Profile(); + profile.setFirstName(this.firstName?.value); + profile.setLastName(this.lastName?.value); + profile.setNickName(this.nickName?.value); + profile.setGender(this.gender?.value); + profile.setPreferredLanguage(this.preferredLanguage?.value); + + humanRequest.setProfile(this.firstName?.value); if (this.usePassword && this.password) { humanRequest.setPassword(this.password?.value); } this.adminService .SetUpOrg(createOrgRequest, humanRequest) - .then((org: OrgSetUpResponse) => { + .then(() => { this.router.navigate(['/org/overview']); // const orgResp = org.getOrg(); // if (orgResp) { 
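Review bot: `humanRequest.setProfile(this.firstName?.value)` passes the first-name string instead of the `profile` object built just above it, so first name, last name, nick name, gender and preferred language are never attached to the request. The line should read `humanRequest.setProfile(profile);`. `finish()` continues past the end of this hunk.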
@@ -146,31 +151,33 @@ export class OrgCreateComponent { const validators: Validators[] = [Validators.required]; if (this.usePassword) { - this.mgmtService.GetDefaultPasswordComplexityPolicy().then(data => { - this.policy = data.toObject(); + this.mgmtService.getDefaultPasswordComplexityPolicy().then(data => { + if (data.policy) { + this.policy = data.policy; - if (this.policy.minLength) { - validators.push(Validators.minLength(this.policy.minLength)); - } - if (this.policy.hasLowercase) { - validators.push(lowerCaseValidator); - } - if (this.policy.hasUppercase) { - validators.push(upperCaseValidator); - } - if (this.policy.hasNumber) { - validators.push(numberValidator); - } - if (this.policy.hasSymbol) { - validators.push(symbolValidator); - } + if (this.policy.minLength) { + validators.push(Validators.minLength(this.policy.minLength)); + } + if (this.policy.hasLowercase) { + validators.push(lowerCaseValidator); + } + if (this.policy.hasUppercase) { + validators.push(upperCaseValidator); + } + if (this.policy.hasNumber) { + validators.push(numberValidator); + } + if (this.policy.hasSymbol) { + validators.push(symbolValidator); + } - const pwdValidators = [...validators] as ValidatorFn[]; - const confirmPwdValidators = [...validators, passwordConfirmValidator] as ValidatorFn[]; - this.pwdForm = this.fb.group({ - password: ['', pwdValidators], - confirmPassword: ['', confirmPwdValidators], - }); + const pwdValidators = [...validators] as ValidatorFn[]; + const confirmPwdValidators = [...validators, passwordConfirmValidator] as ValidatorFn[]; + this.pwdForm = this.fb.group({ + password: ['', pwdValidators], + confirmPassword: ['', confirmPwdValidators], + }); + } }); } else { this.pwdForm = this.fb.group({ 
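Review bot: With `usePassword` set, `this.pwdForm` is now created only inside `if (data.policy)`, so a response without a policy leaves the password form unbuilt and none of the complexity validators are applied, with no message to the user. Closing the `if` block before `const pwdValidators = [...validators] as ValidatorFn[];` would always rebuild the form with at least `Validators.required`. The promise from `getDefaultPasswordComplexityPolicy()` also has no rejection handler in the visible lines, so a failed call has the same effect. The enclosing method starts above this hunk.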
@@ -199,7 +206,7 @@ export class OrgCreateComponent { public createOrgForSelf(): void { if (this.name && this.name.value) { - this.mgmtService.CreateOrg(this.name.value).then((org) => { + this.mgmtService.addOrg(this.name.value).then(() => { this.router.navigate(['/org/overview']); // const newOrg = org.toObject(); // setTimeout(() => { diff --git a/console/src/app/pages/orgs/org-detail/domain-verification/domain-verification.component.html b/console/src/app/pages/orgs/org-detail/domain-verification/domain-verification.component.html index c8c7dea050..fa71741792 100644 --- a/console/src/app/pages/orgs/org-detail/domain-verification/domain-verification.component.html +++ b/console/src/app/pages/orgs/org-detail/domain-verification/domain-verification.component.html @@ -1,16 +1,16 @@ -{{'ORG.PAGES.ORGDOMAIN.TITLE' | translate}} {{domain.domain}} +{{'ORG.PAGES.ORGDOMAIN.TITLE' | translate}} {{domain.domainName}}

{{ 'ORG.PAGES.ORGDOMAIN.VERIFICATION' | translate }}

{{ 'ORG.PAGES.ORGDOMAIN.VERIFICATION_VALIDATION_DESC' | translate }}

-

{{'ORG.PAGES.ORGDOMAIN.VERIFICATION_VALIDATION_ONGOING' | translate: domain }} {{'ORG.PAGES.ORGDOMAIN.VERIFICATION_VALIDATION_ONGOING_TYPE' | translate}} {{'ORG.PAGES.ORGDOMAIN.TYPES.'+ domain.validationType | translate}}

-
+ diff --git a/console/src/app/pages/orgs/org-detail/domain-verification/domain-verification.component.ts b/console/src/app/pages/orgs/org-detail/domain-verification/domain-verification.component.ts index 0fbbf41ef3..4c5fbf9b0c 100644 --- a/console/src/app/pages/orgs/org-detail/domain-verification/domain-verification.component.ts +++ b/console/src/app/pages/orgs/org-detail/domain-verification/domain-verification.component.ts @@ -1,7 +1,8 @@ import { Component, Inject } from '@angular/core'; import { MAT_DIALOG_DATA, MatDialogRef } from '@angular/material/dialog'; import { saveAs } from 'file-saver'; -import { OrgDomainValidationResponse, OrgDomainValidationType, OrgDomainView } from 'src/app/proto/generated/management_pb'; +import { GenerateOrgDomainValidationResponse } from 'src/app/proto/generated/zitadel/management_pb'; +import { Domain, DomainValidationType } from 'src/app/proto/generated/zitadel/org_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -11,12 +12,13 @@ import { ToastService } from 'src/app/services/toast.service'; styleUrls: ['./domain-verification.component.scss'], }) export class DomainVerificationComponent { - public domain!: OrgDomainView.AsObject; + public domain!: Domain.AsObject; - public OrgDomainValidationType: any = OrgDomainValidationType; + public DomainValidationType: any = DomainValidationType; + + public http!: GenerateOrgDomainValidationResponse.AsObject; + public dns!: GenerateOrgDomainValidationResponse.AsObject; - public http!: OrgDomainValidationResponse.AsObject; - public dns!: OrgDomainValidationResponse.AsObject; public copied: string = ''; public showNew: boolean = false; 
@@ -29,24 +31,24 @@ export class DomainVerificationComponent { private mgmtService: ManagementService, ) { this.domain = data.domain; - if (this.domain.validationType === OrgDomainValidationType.ORGDOMAINVALIDATIONTYPE_UNSPECIFIED) { + if (this.domain.validationType === DomainValidationType.DOMAIN_VALIDATION_TYPE_UNSPECIFIED) { this.showNew = true; } } async loadHttpToken(): Promise { - this.mgmtService.GenerateMyOrgDomainValidation( - this.domain.domain, - OrgDomainValidationType.ORGDOMAINVALIDATIONTYPE_HTTP).then((http) => { - this.http = http.toObject(); + this.mgmtService.generateOrgDomainValidation( + this.domain.domainName, + DomainValidationType.DOMAIN_VALIDATION_TYPE_HTTP).then((http) => { + this.http = http; }); } async loadDnsToken(): Promise { - this.mgmtService.GenerateMyOrgDomainValidation( - this.domain.domain, - OrgDomainValidationType.ORGDOMAINVALIDATIONTYPE_DNS).then((dns) => { - this.dns = dns.toObject(); + this.mgmtService.generateOrgDomainValidation( + this.domain.domainName, + DomainValidationType.DOMAIN_VALIDATION_TYPE_DNS).then((dns) => { + this.dns = dns; }); } @@ -56,7 +58,7 @@ export class DomainVerificationComponent { public validate(): void { this.validating = true; - this.mgmtService.ValidateMyOrgDomain(this.domain.domain).then(() => { + this.mgmtService.validateOrgDomain(this.domain.domainName).then(() => { this.dialogRef.close(true); this.toast.showInfo('ORG.PAGES.ORGDOMAIN.VERIFICATION_SUCCESSFUL', true); this.validating = false; diff --git a/console/src/app/pages/orgs/org-detail/org-detail.component.ts b/console/src/app/pages/orgs/org-detail/org-detail.component.ts index 64c2584535..c338b82207 100644 --- a/console/src/app/pages/orgs/org-detail/org-detail.component.ts +++ b/console/src/app/pages/orgs/org-detail/org-detail.component.ts 
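Review bot: In `loadHttpToken` and `loadDnsToken` the call to `generateOrgDomainValidation(...)` has only a `.then`, and the promise is neither awaited nor returned. A rejected request therefore leaves `this.http` / `this.dns` unset with no message to the user, and the `async` method resolves before the token has arrived. Append `.catch(error => this.toast.showError(error))`, as `getData` in org-detail.component.ts does, or `await` the call inside a `try`/`catch`. The same missing rejection handler shows in `loadDomains` and the `addOrgDomain` callback of org-detail.component.ts, and in the `getMyOrg()` call of the `OrgMembersComponent` constructor. The class body continues outside this hunk.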
@@ -1,26 +1,18 @@ -import { SelectionModel } from '@angular/cdk/collections'; -import { Component, OnDestroy, OnInit } from '@angular/core'; +import { Component, OnInit } from '@angular/core'; import { MatButtonToggleChange } from '@angular/material/button-toggle'; import { MatDialog } from '@angular/material/dialog'; -import { MatTableDataSource } from '@angular/material/table'; import { Router } from '@angular/router'; import { TranslateService } from '@ngx-translate/core'; -import { BehaviorSubject, from, Observable, of, Subscription } from 'rxjs'; +import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; import { CreationType, MemberCreateDialogComponent } from 'src/app/modules/add-member-dialog/member-create-dialog.component'; import { ChangeType } from 'src/app/modules/changes/changes.component'; import { PolicyComponentServiceType } from 'src/app/modules/policies/policy-component-types.enum'; import { PolicyGridType } from 'src/app/modules/policy-grid/policy-grid.component'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; -import { - Org, - OrgDomainView, - OrgMember, - OrgMemberSearchResponse, - OrgMemberView, - OrgState, - UserView, -} from 'src/app/proto/generated/management_pb'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; +import { Domain, Org, OrgState } from 'src/app/proto/generated/zitadel/org_pb'; +import { User } from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; 
@@ -33,28 +25,22 @@ import { DomainVerificationComponent } from './domain-verification/domain-verifi templateUrl: './org-detail.component.html', styleUrls: ['./org-detail.component.scss'], }) -export class OrgDetailComponent implements OnInit, OnDestroy { +export class OrgDetailComponent implements OnInit { public org!: Org.AsObject; public PolicyComponentServiceType: any = PolicyComponentServiceType; - public dataSource: MatTableDataSource = new MatTableDataSource(); - public memberResult!: OrgMemberSearchResponse.AsObject; - public displayedColumns: string[] = ['select', 'firstname', 'lastname', 'username', 'email', 'roles']; - public selection: SelectionModel = new SelectionModel(true, []); public OrgState: any = OrgState; public ChangeType: any = ChangeType; - private subscription: Subscription = new Subscription(); - - public domains: OrgDomainView.AsObject[] = []; + public domains: Domain.AsObject[] = []; public primaryDomain: string = ''; // members private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); public totalMemberResult: number = 0; - public membersSubject: BehaviorSubject - = new BehaviorSubject([]); + public membersSubject: BehaviorSubject + = new BehaviorSubject([]); public PolicyGridType: any = PolicyGridType; constructor( @@ -69,13 +55,11 @@ export class OrgDetailComponent implements OnInit, OnDestroy { this.getData(); } - public ngOnDestroy(): void { - this.subscription.unsubscribe(); - } - private async getData(): Promise { - this.mgmtService.GetMyOrg().then((org: Org) => { - this.org = org.toObject(); + this.mgmtService.getMyOrg().then((resp) => { + if (resp.org) { + this.org = resp.org; + } }).catch(error => { this.toast.showError(error); }); 
@@ -84,14 +68,14 @@ export class OrgDetailComponent implements OnInit, OnDestroy { } public loadDomains(): void { - this.mgmtService.SearchMyOrgDomains().then(result => { - this.domains = result.toObject().resultList; - this.primaryDomain = this.domains.find(domain => domain.primary)?.domain ?? ''; + this.mgmtService.listOrgDomains().then(result => { + this.domains = result.resultList; + this.primaryDomain = this.domains.find(domain => domain.isPrimary)?.domainName ?? ''; }); } - public setPrimary(domain: OrgDomainView.AsObject): void { - this.mgmtService.setMyPrimaryOrgDomain(domain.domain).then(() => { + public setPrimary(domain: Domain.AsObject): void { + this.mgmtService.setPrimaryOrgDomain(domain.domainName).then(() => { this.toast.showInfo('ORG.TOAST.SETPRIMARY', true); this.loadDomains(); }).catch((error) => { @@ -100,14 +84,14 @@ export class OrgDetailComponent implements OnInit, OnDestroy { } public changeState(event: MatButtonToggleChange | any): void { - if (event.value === OrgState.ORGSTATE_ACTIVE) { - this.mgmtService.ReactivateMyOrg().then(() => { + if (event.value === OrgState.ORG_STATE_ACTIVE) { + this.mgmtService.reactivateOrg().then(() => { this.toast.showInfo('ORG.TOAST.REACTIVATED', true); }).catch((error) => { this.toast.showError(error); }); - } else if (event.value === OrgState.ORGSTATE_INACTIVE) { - this.mgmtService.DeactivateMyOrg().then(() => { + } else if (event.value === OrgState.ORG_STATE_INACTIVE) { + this.mgmtService.deactivateOrg().then(() => { this.toast.showInfo('ORG.TOAST.DEACTIVATED', true); }).catch((error) => { this.toast.showError(error); 
@@ -123,21 +107,11 @@ export class OrgDetailComponent implements OnInit, OnDestroy { dialogRef.afterClosed().subscribe(resp => { if (resp) { - this.mgmtService.AddMyOrgDomain(resp).then(domain => { - const newDomain = domain; + this.mgmtService.addOrgDomain(resp).then(resp => { + const newDomain = resp; - const newDomainView = new OrgDomainView(); - newDomainView.setChangeDate(newDomain.getChangeDate()); - newDomainView.setCreationDate(newDomain.getCreationDate()); - newDomainView.setDomain(newDomain.getDomain()); - newDomainView.setOrgId(newDomain.getOrgId()); - newDomainView.setPrimary(newDomain.getPrimary()); - newDomainView.setSequence(newDomain.getSequence()); - newDomainView.setVerified(newDomain.getVerified()); - - this.domains.push(newDomainView.toObject()); - - this.verifyDomain(newDomainView.toObject()); + // TODO send domainname only + // this.verifyDomain(newDomainView.toObject()); this.toast.showInfo('ORG.TOAST.DOMAINADDED', true); }); } @@ -157,9 +131,9 @@ export class OrgDetailComponent implements OnInit, OnDestroy { dialogRef.afterClosed().subscribe(resp => { if (resp) { - this.mgmtService.RemoveMyOrgDomain(domain).then(() => { + this.mgmtService.removeOrgDomain(domain).then(() => { this.toast.showInfo('ORG.TOAST.DOMAINREMOVED', true); - const index = this.domains.findIndex(d => d.domain === domain); + const index = this.domains.findIndex(d => d.domainName === domain); if (index > -1) { this.domains.splice(index, 1); } 
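Review bot: After `addOrgDomain(resp)` succeeds, the new code no longer pushes the domain into `this.domains`, and the `verifyDomain` call is commented out. As far as the hunk shows, the success toast appears while the list still lacks the new, unverified domain and the verification dialog never opens. Until the TODO is resolved, refresh the list in the callback with `this.loadDomains();`. The callback parameter `resp` also shadows the dialog result `resp`, and `newDomain` is now unused; rename the parameter and drop the local. The enclosing method starts outside the hunk.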
@@ -180,12 +154,12 @@ export class OrgDetailComponent implements OnInit, OnDestroy { dialogRef.afterClosed().subscribe(resp => { if (resp) { - const users: UserView.AsObject[] = resp.users; + const users: User.AsObject[] = resp.users; const roles: string[] = resp.roles; if (users && users.length && roles && roles.length) { Promise.all(users.map(user => { - return this.mgmtService.AddMyOrgMember(user.id, roles); + return this.mgmtService.addOrgMember(user.id, roles); })).then(() => { this.toast.showInfo('ORG.TOAST.MEMBERADDED', true); setTimeout(() => { @@ -203,7 +177,7 @@ export class OrgDetailComponent implements OnInit, OnDestroy { this.router.navigate(['org/members']); } - public verifyDomain(domain: OrgDomainView.AsObject): void { + public verifyDomain(domain: Domain.AsObject): void { const dialogRef = this.dialog.open(DomainVerificationComponent, { data: { domain: domain, @@ -220,10 +194,12 @@ export class OrgDetailComponent implements OnInit, OnDestroy { public loadMembers(): void { this.loadingSubject.next(true); - from(this.mgmtService.SearchMyOrgMembers(100, 0)).pipe( + from(this.mgmtService.listOrgMembers(100, 0)).pipe( map(resp => { - this.totalMemberResult = resp.toObject().totalResult; - return resp.toObject().resultList; + if (resp.details?.totalResult) { + this.totalMemberResult = resp.details?.totalResult; + } + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), diff --git a/console/src/app/pages/orgs/org-list/org-list.component.html b/console/src/app/pages/orgs/org-list/org-list.component.html index 6c1432639b..b319068149 100644 --- a/console/src/app/pages/orgs/org-list/org-list.component.html +++ b/console/src/app/pages/orgs/org-list/org-list.component.html @@ -31,10 +31,10 @@ + [ngClass]="{'search-active': this.orgSearchKey == OrgListSearchKey.NAME}"> {{ 'ORG.PAGES.NAME' | translate }} + [ngTemplateOutletContext]="{key: OrgListSearchKey.NAME}"> {{org.name}} 
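Review bot: In `loadMembers` (hunk `@@ -220,10 +194,12 @@`) the guard `if (resp.details?.totalResult)` skips the assignment when the count is 0 or `details` is absent, so `totalMemberResult` keeps the value from the previous load. Assign unconditionally with `this.totalMemberResult = resp.details?.totalResult ?? 0;`. That also brings it in line with `OrgMembersDataSource.loadMembers`, which falls back with `|| 0`. The `pipe(...)` chain continues past the end of the hunk.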
diff --git a/console/src/app/pages/orgs/org-list/org-list.component.ts b/console/src/app/pages/orgs/org-list/org-list.component.ts index a614451773..572aa0e416 100644 --- a/console/src/app/pages/orgs/org-list/org-list.component.ts +++ b/console/src/app/pages/orgs/org-list/org-list.component.ts @@ -6,9 +6,14 @@ import { Router } from '@angular/router'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; import { enterAnimations } from 'src/app/animations'; -import { MyProjectOrgSearchKey, MyProjectOrgSearchQuery, Org, SearchMethod } from 'src/app/proto/generated/auth_pb'; +import { TextQueryMethod } from 'src/app/proto/generated/zitadel/object_pb'; +import { Org, OrgNameQuery, OrgQuery } from 'src/app/proto/generated/zitadel/org_pb'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; +enum OrgListSearchKey { + NAME = "NAME", +} + @Component({ selector: 'app-org-list', templateUrl: './org-list.component.html', @@ -18,7 +23,7 @@ import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; ], }) export class OrgListComponent implements AfterViewInit { - public orgSearchKey: MyProjectOrgSearchKey | undefined = undefined; + public orgSearchKey: OrgListSearchKey | undefined = undefined; @ViewChild(MatPaginator) public paginator!: MatPaginator; @ViewChild(MatSort) sort!: MatSort; @@ -29,7 +34,7 @@ export class OrgListComponent implements AfterViewInit { private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); public activeOrg!: Org.AsObject; - public MyProjectOrgSearchKey: any = MyProjectOrgSearchKey; + public OrgListSearchKey: any = OrgListSearchKey; constructor( private authService: GrpcAuthService, 
@@ -37,7 +42,7 @@ export class OrgListComponent implements AfterViewInit { ) { this.loadOrgs(10, 0); - this.authService.GetActiveOrg().then(org => this.activeOrg = org); + this.authService.getActiveOrg().then(org => this.activeOrg = org); } public ngAfterViewInit(): void { @@ -48,15 +53,16 @@ export class OrgListComponent implements AfterViewInit { this.loadingSubject.next(true); let query; if (filter) { - query = new MyProjectOrgSearchQuery(); - query.setMethod(SearchMethod.SEARCHMETHOD_CONTAINS_IGNORE_CASE); - query.setKey(MyProjectOrgSearchKey.MYPROJECTORGSEARCHKEY_ORG_NAME); - query.setValue(filter); + const query = new OrgQuery(); + const orgNameQuery = new OrgNameQuery(); + orgNameQuery.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE); + orgNameQuery.setName(filter); + query.setNameQuery(orgNameQuery); } - from(this.authService.SearchMyProjectOrgs(limit, offset, query ? [query] : undefined)).pipe( + from(this.authService.listMyProjectOrgs(limit, offset, query ? [query] : undefined)).pipe( map(resp => { - return resp.toObject().resultList; + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), @@ -75,7 +81,7 @@ export class OrgListComponent implements AfterViewInit { this.loadOrgs(this.paginator.length, this.paginator.pageSize * this.paginator.pageIndex); } - public setFilter(key: MyProjectOrgSearchKey): void { + public setFilter(key: OrgListSearchKey): void { setTimeout(() => { if (this.filter) { (this.filter as any).nativeElement.focus(); diff --git a/console/src/app/pages/orgs/org-member-roles-autocomplete/org-member-roles-autocomplete.component.ts b/console/src/app/pages/orgs/org-member-roles-autocomplete/org-member-roles-autocomplete.component.ts index a8469433b6..3cf8314418 100644 --- a/console/src/app/pages/orgs/org-member-roles-autocomplete/org-member-roles-autocomplete.component.ts +++ b/console/src/app/pages/orgs/org-member-roles-autocomplete/org-member-roles-autocomplete.component.ts 
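Review bot: In what appears to be `loadOrgs` (hunk `@@ -48,15 +53,16 @@`) the added `const query = new OrgQuery();` declares a block-scoped variable that shadows the outer `let query;`. The outer `query` is still `undefined` when `listMyProjectOrgs(limit, offset, query ? [query] : undefined)` runs, so the name filter is never sent. Assign to the outer variable instead, `query = new OrgQuery();`, and type the declaration as `let query: OrgQuery | undefined;`. The method signature lies outside the hunk.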
@@ -19,8 +19,8 @@ export class OrgMemberRolesAutocompleteComponent { @ViewChild('auto') public matAutocomplete!: MatAutocomplete; @Output() public selectionChanged: EventEmitter = new EventEmitter(); constructor(private mgmtService: ManagementService, private toast: ToastService) { - this.mgmtService.GetOrgMemberRoles().then(resp => { - this.allRoles = resp.toObject().rolesList; + this.mgmtService.listOrgMemberRoles().then(resp => { + this.allRoles = resp.resultList; }).catch(error => { this.toast.showError(error); }); diff --git a/console/src/app/pages/orgs/org-members/org-members-datasource.ts b/console/src/app/pages/orgs/org-members/org-members-datasource.ts index b161e5d74b..fdbced5bfd 100644 --- a/console/src/app/pages/orgs/org-members/org-members-datasource.ts +++ b/console/src/app/pages/orgs/org-members/org-members-datasource.ts @@ -2,13 +2,13 @@ import { DataSource } from '@angular/cdk/collections'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; -import { OrgMemberView } from 'src/app/proto/generated/management_pb'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; -export class OrgMembersDataSource extends DataSource { +export class OrgMembersDataSource extends DataSource { public totalResult: number = 0; public viewTimestamp!: Timestamp.AsObject; - public membersSubject: BehaviorSubject = new BehaviorSubject([]); + public membersSubject: BehaviorSubject = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); 
@@ -20,14 +20,13 @@ export class OrgMembersDataSource extends DataSource { const offset = pageIndex * pageSize; this.loadingSubject.next(true); - from(this.mgmtService.SearchMyOrgMembers(pageSize, offset)).pipe( + from(this.mgmtService.listOrgMembers(pageSize, offset)).pipe( map(resp => { - const response = resp.toObject(); - this.totalResult = response.totalResult; - if (response.viewTimestamp) { - this.viewTimestamp = response.viewTimestamp; + this.totalResult = resp.details?.totalResult || 0; + if (resp.details?.viewTimestamp) { + this.viewTimestamp = resp.details.viewTimestamp; } - return response.resultList; + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), @@ -42,7 +41,7 @@ export class OrgMembersDataSource extends DataSource { * the returned stream emits new items. * @returns A stream of the items to be rendered. */ - public connect(): Observable { + public connect(): Observable { return this.membersSubject.asObservable(); } diff --git a/console/src/app/pages/orgs/org-members/org-members.component.ts b/console/src/app/pages/orgs/org-members/org-members.component.ts index 37e9e01a42..68a9058d14 100644 --- a/console/src/app/pages/orgs/org-members/org-members.component.ts +++ b/console/src/app/pages/orgs/org-members/org-members.component.ts 
@@ -3,7 +3,9 @@ import { MatDialog } from '@angular/material/dialog'; import { PageEvent } from '@angular/material/paginator'; import { MatSelectChange } from '@angular/material/select'; import { CreationType, MemberCreateDialogComponent } from 'src/app/modules/add-member-dialog/member-create-dialog.component'; -import { Org, OrgMemberView, UserView } from 'src/app/proto/generated/management_pb'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; +import { Org } from 'src/app/proto/generated/zitadel/org_pb'; +import { User } from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -23,17 +25,19 @@ export class OrgMembersComponent { public memberRoleOptions: string[] = []; public changePageFactory!: Function; public changePage: EventEmitter = new EventEmitter(); - public selection: Array = []; + public selection: Array = []; constructor( private mgmtService: ManagementService, private dialog: MatDialog, private toast: ToastService, ) { - this.mgmtService.GetMyOrg().then(org => { - this.org = org.toObject(); - this.dataSource = new OrgMembersDataSource(this.mgmtService); - this.dataSource.loadMembers(0, this.INITIALPAGESIZE); + this.mgmtService.getMyOrg().then(resp => { + if (resp.org) { + this.org = resp.org; + this.dataSource = new OrgMembersDataSource(this.mgmtService); + this.dataSource.loadMembers(0, this.INITIALPAGESIZE); + } }); this.getRoleOptions(); 
@@ -47,15 +51,15 @@ export class OrgMembersComponent { } public getRoleOptions(): void { - this.mgmtService.GetOrgMemberRoles().then(resp => { - this.memberRoleOptions = resp.toObject().rolesList; + this.mgmtService.listOrgMemberRoles().then(resp => { + this.memberRoleOptions = resp.resultList; }).catch(error => { this.toast.showError(error); }); } - updateRoles(member: OrgMemberView.AsObject, selectionChange: MatSelectChange): void { - this.mgmtService.ChangeMyOrgMember(member.userId, selectionChange.value) + updateRoles(member: Member.AsObject, selectionChange: MatSelectChange): void { + this.mgmtService.updateOrgMember(member.userId, selectionChange.value) .then(() => { this.toast.showInfo('ORG.TOAST.MEMBERCHANGED', true); }).catch(error => { @@ -65,7 +69,7 @@ export class OrgMembersComponent { public removeOrgMemberSelection(): void { Promise.all(this.selection.map(member => { - return this.mgmtService.RemoveMyOrgMember(member.userId).then(() => { + return this.mgmtService.removeOrgMember(member.userId).then(() => { this.toast.showInfo('ORG.TOAST.MEMBERREMOVED', true); }).catch(error => { this.toast.showError(error); @@ -77,8 +81,8 @@ export class OrgMembersComponent { }); } - public removeOrgMember(member: OrgMemberView.AsObject): void { - this.mgmtService.RemoveMyOrgMember(member.userId).then(() => { + public removeOrgMember(member: Member.AsObject): void { + this.mgmtService.removeOrgMember(member.userId).then(() => { this.toast.showInfo('ORG.TOAST.MEMBERREMOVED', true); setTimeout(() => { 
@@ -99,12 +103,12 @@ export class OrgMembersComponent { dialogRef.afterClosed().subscribe(resp => { if (resp) { - const users: UserView.AsObject[] = resp.users; + const users: User.AsObject[] = resp.users; const roles: string[] = resp.roles; if (users && users.length && roles && roles.length) { Promise.all(users.map(user => { - return this.mgmtService.AddMyOrgMember(user.id, roles); + return this.mgmtService.addOrgMember(user.id, roles); })).then(() => { this.toast.showInfo('ORG.TOAST.MEMBERADDED', true); setTimeout(() => { diff --git a/console/src/app/pages/projects/apps/app-create/app-create.component.html b/console/src/app/pages/projects/apps/app-create/app-create.component.html index 901659fa17..6d12c2bebb 100644 --- a/console/src/app/pages/projects/apps/app-create/app-create.component.html +++ b/console/src/app/pages/projects/apps/app-create/app-create.component.html @@ -41,8 +41,8 @@ - +
{{'APP.AUTHMETHODSECTION' | translate}} @@ -65,31 +65,29 @@ {{'APP.OIDC.REDIRECTSECTION' | translate}}

{{'APP.OIDC.REDIRECTTITLE' | translate}}

-

+

{{'APP.OIDC.REDIRECTDESCRIPTIONNATIVE' | translate}}

-

+

{{'APP.OIDC.REDIRECTDESCRIPTIONWEB' | translate}}

{{'APP.OIDC.POSTREDIRECTTITLE' | translate}}

-

+

{{'APP.OIDC.REDIRECTDESCRIPTIONNATIVE' | translate}}

+ *ngIf="oidcAppRequest.appType === OIDCAppType.OIDC_APP_TYPE_WEB || oidcAppRequest.appType === OIDCAppType.OIDC_APP_TYPE_USER_AGENT"> {{'APP.OIDC.REDIRECTDESCRIPTIONWEB' | translate}}

+ (changedUris)="oidcAppRequest.postLogoutRedirectUrisList = $event" + [urisList]="oidcAppRequest.postLogoutRedirectUrisList" + title="{{ 'APP.OIDC.POSTLOGOUTREDIRECT' | translate }}" [getValues]="requestRedirectValuesSubject$" + [isNative]="oidcAppRequest.appType == OIDCAppType.OIDC_APP_TYPE_NATIVE">
@@ -107,7 +105,7 @@ {{ 'APP.NAME' | translate }} - {{oidcApp.name}} + {{oidcAppRequest.name}}
@@ -117,27 +115,27 @@ {{ 'APP.TYPE' | translate }} - {{'APP.OIDC.APPTYPE.'+oidcApp.applicationType | translate}} + {{'APP.OIDC.APPTYPE.'+oidcAppRequest.appType | translate}}
{{ 'APP.GRANT' | translate }} - - [ + + [ {{'APP.OIDC.GRANT.'+element | translate}} - {{i < oidcApp.grantTypesList.length - 1 ? ', ' : '' }} ] + {{i < oidcAppRequest.grantTypesList.length - 1 ? ', ' : '' }} ]
{{ 'APP.OIDC.RESPONSETYPE' | translate }} - - [ + + [ {{('APP.OIDC.RESPONSE.'+element | translate)}} - {{i < oidcApp.responseTypesList.length - 1 ? ', ' : '' }} ] + {{i < oidcAppRequest.responseTypesList.length - 1 ? ', ' : '' }} ]
@@ -147,7 +145,7 @@ - {{'APP.OIDC.AUTHMETHOD.'+oidcApp?.authMethodType | translate}} + {{'APP.OIDC.AUTHMETHOD.'+oidcAppRequest?.authMethodType | translate}}
@@ -156,10 +154,10 @@ {{ 'APP.OIDC.REDIRECT' | translate }} - - [ + + [ {{redirect}} - {{i < oidcApp.redirectUrisList.length - 1 ? ', ' : '' }} ] + {{i < oidcAppRequest.redirectUrisList.length - 1 ? ', ' : '' }} ]
@@ -167,10 +165,10 @@ {{ 'APP.OIDC.POSTLOGOUTREDIRECT' | translate }} - - [ + + [ {{redirect}} - {{i < oidcApp.postLogoutRedirectUrisList.length - 1 ? ', ' : '' }} ] + {{i < oidcAppRequest.postLogoutRedirectUrisList.length - 1 ? ', ' : '' }} ]
@@ -182,7 +180,7 @@ - {{'APP.API.AUTHMETHOD.'+apiApp?.authMethodType | translate}} + {{'APP.API.AUTHMETHOD.'+oidcAppRequest?.authMethodType | translate}}
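Review bot: The API auth-method line now reads `oidcAppRequest?.authMethodType` under the `APP.API.AUTHMETHOD.` key, although the component keeps a separate `apiAppRequest` whose `authMethodType` is set from `partialConfig.api`. For an API app the overview would therefore show the OIDC request's value instead of the client authentication method that is actually submitted, presumably on the step where the user reviews the settings. Use `{{'APP.API.AUTHMETHOD.'+apiAppRequest?.authMethodType | translate}}`. The surrounding template markup is not visible in this hunk.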
@@ -247,17 +245,18 @@
+ (changedUris)="oidcAppRequest.redirectUrisList = $event" + [urisList]="oidcAppRequest.redirectUrisList" title="{{ 'APP.OIDC.REDIRECT' | translate }}" + [getValues]="requestRedirectValuesSubject$" + [isNative]="oidcAppRequest.appType == OIDCAppType.OIDC_APP_TYPE_NATIVE"> + [isNative]="oidcAppRequest.appType == OIDCAppType.OIDC_APP_TYPE_NATIVE">
diff --git a/console/src/app/pages/projects/apps/app-create/app-create.component.ts b/console/src/app/pages/projects/apps/app-create/app-create.component.ts index 2175ed2b05..8fdb0508cf 100644 --- a/console/src/app/pages/projects/apps/app-create/app-create.component.ts +++ b/console/src/app/pages/projects/apps/app-create/app-create.component.ts @@ -1,4 +1,5 @@ import { COMMA, ENTER, SPACE } from '@angular/cdk/keycodes'; +import { StepperSelectionEvent } from '@angular/cdk/stepper'; import { Location } from '@angular/common'; import { Component, OnDestroy, OnInit } from '@angular/core'; import { AbstractControl, FormBuilder, FormControl, FormGroup, Validators } from '@angular/forms'; 
@@ -8,31 +9,28 @@ import { Subject, Subscription } from 'rxjs'; import { debounceTime, takeUntil } from 'rxjs/operators'; import { RadioItemAuthType } from 'src/app/modules/app-radio/app-auth-method-radio/app-auth-method-radio.component'; import { - APIApplicationCreate, APIAuthMethodType, - Application, - OIDCApplicationCreate, - OIDCApplicationType, + App, + OIDCAppType, OIDCAuthMethodType, - OIDCConfig, OIDCGrantType, OIDCResponseType, -} from 'src/app/proto/generated/management_pb'; +} from 'src/app/proto/generated/zitadel/app_pb'; +import { AddAPIAppRequest, AddOIDCAppRequest } from 'src/app/proto/generated/zitadel/management_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; -import { - WEB_TYPE, - NATIVE_TYPE, - USER_AGENT_TYPE, - API_TYPE, - RadioItemAppType, - AppCreateType -} from '../authtypes'; - import { AppSecretDialogComponent } from '../app-secret-dialog/app-secret-dialog.component'; -import { CODE_METHOD, getPartialConfigFromAuthMethod, IMPLICIT_METHOD, BASIC_AUTH_METHOD, PKCE_METHOD, PK_JWT_METHOD, POST_METHOD } from '../authmethods'; -import { StepperSelectionEvent } from '@angular/cdk/stepper'; +import { + BASIC_AUTH_METHOD, + CODE_METHOD, + getPartialConfigFromAuthMethod, + IMPLICIT_METHOD, + PK_JWT_METHOD, + PKCE_METHOD, + POST_METHOD, +} from '../authmethods'; +import { API_TYPE, AppCreateType, NATIVE_TYPE, RadioItemAppType, USER_AGENT_TYPE, WEB_TYPE } from '../authtypes'; @Component({ 
@@ -47,19 +45,19 @@ export class AppCreateComponent implements OnInit, OnDestroy { public projectId: string = ''; public loading: boolean = false; - public oidcApp: OIDCApplicationCreate.AsObject = new OIDCApplicationCreate().toObject(); - public apiApp: APIApplicationCreate.AsObject = new APIApplicationCreate().toObject(); + public oidcAppRequest: AddOIDCAppRequest.AsObject = new AddOIDCAppRequest().toObject(); + public apiAppRequest: AddAPIAppRequest.AsObject = new AddAPIAppRequest().toObject(); public oidcResponseTypes: { type: OIDCResponseType, checked: boolean; disabled: boolean; }[] = [ - { type: OIDCResponseType.OIDCRESPONSETYPE_CODE, checked: false, disabled: false }, - { type: OIDCResponseType.OIDCRESPONSETYPE_ID_TOKEN, checked: false, disabled: false }, - { type: OIDCResponseType.OIDCRESPONSETYPE_ID_TOKEN_TOKEN, checked: false, disabled: false }, + { type: OIDCResponseType.OIDC_RESPONSE_TYPE_CODE, checked: false, disabled: false }, + { type: OIDCResponseType.OIDC_RESPONSE_TYPE_ID_TOKEN, checked: false, disabled: false }, + { type: OIDCResponseType.OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN, checked: false, disabled: false }, ]; - public oidcAppTypes: OIDCApplicationType[] = [ - OIDCApplicationType.OIDCAPPLICATIONTYPE_WEB, - OIDCApplicationType.OIDCAPPLICATIONTYPE_NATIVE, - OIDCApplicationType.OIDCAPPLICATIONTYPE_USER_AGENT, + public oidcAppTypes: OIDCAppType[] = [ + OIDCAppType.OIDC_APP_TYPE_WEB, + OIDCAppType.OIDC_APP_TYPE_NATIVE, + OIDCAppType.OIDC_APP_TYPE_USER_AGENT, ]; public appTypes: any = [ WEB_TYPE, 
@@ -77,9 +75,9 @@ export class AppCreateComponent implements OnInit, OnDestroy { // set to oidc first public authMethodTypes: { type: OIDCAuthMethodType | APIAuthMethodType, checked: boolean, disabled: boolean; api?: boolean; oidc?: boolean; }[] = [ - { type: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_BASIC, checked: false, disabled: false, oidc: true }, - { type: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_NONE, checked: false, disabled: false, oidc: true }, - { type: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_POST, checked: false, disabled: false, oidc: true }, + { type: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_BASIC, checked: false, disabled: false, oidc: true }, + { type: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_NONE, checked: false, disabled: false, oidc: true }, + { type: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_POST, checked: false, disabled: false, oidc: true }, ]; // stepper @@ -90,7 +88,7 @@ export class AppCreateComponent implements OnInit, OnDestroy { public form!: FormGroup; public AppCreateType: any = AppCreateType; - public OIDCApplicationType: any = OIDCApplicationType; + public OIDCAppType: any = OIDCAppType; public OIDCGrantType: any = OIDCGrantType; public OIDCAuthMethodType: any = OIDCAuthMethodType; @@ -99,8 +97,8 @@ export class AppCreateComponent implements OnInit, OnDestroy { checked: boolean, disabled: boolean, }[] = [ - { type: OIDCGrantType.OIDCGRANTTYPE_AUTHORIZATION_CODE, checked: true, disabled: false }, - { type: OIDCGrantType.OIDCGRANTTYPE_IMPLICIT, checked: false, disabled: true }, + { type: OIDCGrantType.OIDC_GRANT_TYPE_AUTHORIZATION_CODE, checked: true, disabled: false }, + { type: OIDCGrantType.OIDC_GRANT_TYPE_IMPLICIT, checked: false, disabled: true }, // { type: OIDCGrantType.OIDCGRANTTYPE_REFRESH_TOKEN, checked: false, disabled: true }, // TODO show when implemented ]; 
@@ -134,28 +132,28 @@ export class AppCreateComponent implements OnInit, OnDestroy { this.firstFormGroup.valueChanges.subscribe(value => { if (this.firstFormGroup.valid) { - this.oidcApp.name = this.name?.value; - this.apiApp.name = this.name?.value; + this.oidcAppRequest.name = this.name?.value; + this.apiAppRequest.name = this.name?.value; if (this.isStepperOIDC) { - const oidcAppType = (this.appType?.value as RadioItemAppType).oidcApplicationType; + const oidcAppType = (this.appType?.value as RadioItemAppType).oidcAppType; if (oidcAppType !== undefined) { - this.oidcApp.applicationType = oidcAppType; + this.oidcAppRequest.appType = oidcAppType; } - switch (this.oidcApp.applicationType) { - case OIDCApplicationType.OIDCAPPLICATIONTYPE_NATIVE: + switch (this.oidcAppRequest.appType) { + case OIDCAppType.OIDC_APP_TYPE_NATIVE: this.authMethods = [ PKCE_METHOD, ]; // automatically set to PKCE and skip step - this.oidcApp.responseTypesList = [OIDCResponseType.OIDCRESPONSETYPE_CODE]; - this.oidcApp.grantTypesList = [OIDCGrantType.OIDCGRANTTYPE_AUTHORIZATION_CODE]; - this.oidcApp.authMethodType = OIDCAuthMethodType.OIDCAUTHMETHODTYPE_NONE; + this.oidcAppRequest.responseTypesList = [OIDCResponseType.OIDC_RESPONSE_TYPE_CODE]; + this.oidcAppRequest.grantTypesList = [OIDCGrantType.OIDC_GRANT_TYPE_AUTHORIZATION_CODE]; + this.oidcAppRequest.authMethodType = OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_NONE; break; - case OIDCApplicationType.OIDCAPPLICATIONTYPE_WEB: + case OIDCAppType.OIDC_APP_TYPE_WEB: // PK_JWT_METHOD.recommended = false; this.authMethods = [ PKCE_METHOD, @@ -166,7 +164,7 @@ export class AppCreateComponent implements OnInit, OnDestroy { this.authMethod?.setValue(PKCE_METHOD.key); break; - case OIDCApplicationType.OIDCAPPLICATIONTYPE_USER_AGENT: + case OIDCAppType.OIDC_APP_TYPE_USER_AGENT: this.authMethods = [ PKCE_METHOD, IMPLICIT_METHOD, 
@@ -194,11 +192,11 @@ export class AppCreateComponent implements OnInit, OnDestroy { const partialConfig = getPartialConfigFromAuthMethod(form.authMethod); if (this.isStepperOIDC && partialConfig && partialConfig.oidc) { - this.oidcApp.responseTypesList = partialConfig.oidc?.responseTypesList ?? []; - this.oidcApp.grantTypesList = partialConfig.oidc?.grantTypesList ?? []; - this.oidcApp.authMethodType = partialConfig.oidc?.authMethodType ?? OIDCAuthMethodType.OIDCAUTHMETHODTYPE_NONE; + this.oidcAppRequest.responseTypesList = partialConfig.oidc?.responseTypesList ?? []; + this.oidcAppRequest.grantTypesList = partialConfig.oidc?.grantTypesList ?? []; + this.oidcAppRequest.authMethodType = partialConfig.oidc?.authMethodType ?? OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_NONE; } else if (this.isStepperAPI && partialConfig && partialConfig.api) { - this.apiApp.authMethodType = partialConfig.api?.authMethodType ?? APIAuthMethodType.APIAUTHMETHODTYPE_BASIC; + this.apiAppRequest.authMethodType = partialConfig.api?.authMethodType ?? APIAuthMethodType.API_AUTH_METHOD_TYPE_BASIC; } }); } 
@@ -216,18 +214,18 @@ export class AppCreateComponent implements OnInit, OnDestroy { this.form.valueChanges.pipe( takeUntil(this.destroyed$), debounceTime(150)).subscribe(() => { - this.oidcApp.name = this.formname?.value; - this.apiApp.name = this.formname?.value; + this.oidcAppRequest.name = this.formname?.value; + this.apiAppRequest.name = this.formname?.value; - this.oidcApp.responseTypesList = this.formresponseTypesList?.value; - this.oidcApp.grantTypesList = this.formgrantTypesList?.value; + this.oidcAppRequest.responseTypesList = this.formresponseTypesList?.value; + this.oidcAppRequest.grantTypesList = this.formgrantTypesList?.value; - this.oidcApp.authMethodType = this.formauthMethodType?.value; - this.apiApp.authMethodType = this.formauthMethodType?.value; + this.oidcAppRequest.authMethodType = this.formauthMethodType?.value; + this.apiAppRequest.authMethodType = this.formauthMethodType?.value; - const oidcAppType = (this.formappType?.value as RadioItemAppType).oidcApplicationType; + const oidcAppType = (this.formappType?.value as RadioItemAppType).oidcAppType; if (oidcAppType !== undefined) { - this.oidcApp.applicationType = oidcAppType; + this.oidcAppRequest.appType = oidcAppType; } }); 
@@ -245,20 +243,20 @@ export class AppCreateComponent implements OnInit, OnDestroy { this.form.addControl('responseTypesList', responseTypesControl); this.authMethodTypes = [ - { type: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_BASIC, checked: false, disabled: false, oidc: true }, - { type: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_NONE, checked: false, disabled: false, oidc: true }, - { type: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_POST, checked: false, disabled: false, oidc: true }, + { type: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_BASIC, checked: false, disabled: false, oidc: true }, + { type: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_NONE, checked: false, disabled: false, oidc: true }, + { type: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_POST, checked: false, disabled: false, oidc: true }, ]; - this.authMethod?.setValue(OIDCAuthMethodType.OIDCAUTHMETHODTYPE_BASIC); + this.authMethod?.setValue(OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_BASIC); } else if (this.isDevAPI) { this.form.removeControl('grantTypesList'); this.form.removeControl('responseTypesList'); this.authMethodTypes = [ - { type: APIAuthMethodType.APIAUTHMETHODTYPE_PRIVATE_KEY_JWT, checked: false, disabled: false, api: true }, - { type: APIAuthMethodType.APIAUTHMETHODTYPE_BASIC, checked: false, disabled: false, api: true }, + { type: APIAuthMethodType.API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT, checked: false, disabled: false, api: true }, + { type: APIAuthMethodType.API_AUTH_METHOD_TYPE_BASIC, checked: false, disabled: false, api: true }, ]; - this.authMethod?.setValue(APIAuthMethodType.APIAUTHMETHODTYPE_PRIVATE_KEY_JWT); + this.authMethod?.setValue(APIAuthMethodType.API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT); } this.form.updateValueAndValidity(); } 
@@ -271,8 +269,8 @@ export class AppCreateComponent implements OnInit, OnDestroy { private async getData({ projectid }: Params): Promise { this.projectId = projectid; - this.oidcApp.projectId = projectid; - this.apiApp.projectId = projectid; + this.oidcAppRequest.projectId = projectid; + this.apiAppRequest.projectId = projectid; } public close(): void { @@ -288,15 +286,14 @@ export class AppCreateComponent implements OnInit, OnDestroy { this.loading = true; this.mgmtService - .CreateOIDCApp(this.oidcApp) - .then((data: Application) => { + .addOIDCApp(this.oidcAppRequest) + .then((resp) => { this.loading = false; - const response = data.toObject(); - if (response.oidcConfig?.authMethodType !== OIDCAuthMethodType.OIDCAUTHMETHODTYPE_NONE) { - this.showSavedDialog(response); - } else { - this.router.navigate(['projects', this.projectId, 'apps', response.id]); - } + // if (resp.oidcConfig?.authMethodType !== OIDCAuthMethodType.OIDCAUTHMETHODTYPE_NONE) { + // this.showSavedDialog(resp); + // } else { + // this.router.navigate(['projects', this.projectId, 'apps', response.id]); + // } }) .catch(error => { this.loading = false; @@ -305,15 +302,15 @@ export class AppCreateComponent implements OnInit, OnDestroy { } else if (appAPICheck) { this.loading = true; this.mgmtService - .CreateAPIApplication(this.apiApp) - .then((data: Application) => { + .addAPIApp(this.apiAppRequest) + .then((resp) => { this.loading = false; - const response = data.toObject(); - if (response.apiConfig?.authMethodType == APIAuthMethodType.APIAUTHMETHODTYPE_BASIC) { - this.showSavedDialog(response); - } else { - this.router.navigate(['projects', this.projectId, 'apps', response.id]); - } + // const response = resp.toObject(); + // if (response.apiConfig?.authMethodType == APIAuthMethodType.APIAUTHMETHODTYPE_BASIC) { + // this.showSavedDialog(resp); + // } else { + // this.router.navigate(['projects', this.projectId, 'apps', response.id]); + // } }) .catch(error => { this.loading = false; 
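Review bot: The success handlers of `addOIDCApp` (`@@ -288,15 +286,14 @@`) and `addAPIApp` (`@@ -305,15 +302,15 @@`) now only reset `this.loading`, because the `showSavedDialog` / `router.navigate` branch is commented out. `showSavedDialog` is the place that opens `AppSecretDialogComponent` with `clientSecret`, so a client created with a secret-based auth method presumably never gets its secret displayed, and the user is left on the create form with no feedback. The commented code also still uses the old names (`OIDCAUTHMETHODTYPE_NONE`, `response.id`), so it cannot simply be uncommented. Either map the new response to what `showSavedDialog` expects in this commit, or at minimum navigate to the project and leave a `// TODO: show client secret from resp once the response shape is mapped` so the gap is tracked.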
@@ -322,7 +319,7 @@ export class AppCreateComponent implements OnInit, OnDestroy { } } - public showSavedDialog(app: Application.AsObject): void { + public showSavedDialog(app: App.AsObject): void { if (app.oidcConfig?.clientSecret !== undefined) { const dialogRef = this.dialog.open(AppSecretDialogComponent, { data: app.oidcConfig, diff --git a/console/src/app/pages/projects/apps/app-detail/app-detail.component.html b/console/src/app/pages/projects/apps/app-detail/app-detail.component.html index 3391d3b569..bac4068bf5 100644 --- a/console/src/app/pages/projects/apps/app-detail/app-detail.component.html +++ b/console/src/app/pages/projects/apps/app-detail/app-detail.component.html @@ -106,29 +106,28 @@ {{ 'APP.OIDC.DEVMODE' | translate }} - + {{'APP.OIDC.REDIRECTDESCRIPTIONNATIVE' | translate}} + *ngIf="OIDCAppType?.value == OIDCAppType.OIDC_APP_TYPE_WEB || appType?.value == OIDCAppType.OIDC_APP_TYPE_USER_AGENT"> {{'APP.OIDC.REDIRECTDESCRIPTIONWEB' | translate}}
- + [isNative]="appType?.value == OIDCAppType.OIDC_APP_TYPE_NATIVE"> - + [isNative]="appType?.value == OIDCAppType.OIDC_APP_TYPE_NATIVE">
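Review bot: The `*ngIf` for the web redirect description tests `OIDCAppType?.value == OIDCAppType.OIDC_APP_TYPE_WEB`, but `OIDCAppType` is the enum the component exposes to the template (`public OIDCAppType: any = OIDCAppType`), not the form control, so `.value` is undefined and that half of the condition can never be true. It looks like the `applicationType` to `appType` rename was applied to the wrong identifier; the left operand should be `appType?.value == OIDCAppType.OIDC_APP_TYPE_WEB`, matching the `[isNative]` bindings below. Because the component field is typed `any`, the template compiler will not flag this. The surrounding markup is stripped on this page, so the element it sits on cannot be confirmed from here.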
@@ -262,7 +261,7 @@
{{'PROJECT.STATE.TITLE' | translate}}: {{'APP.PAGES.DETAIL.STATE.'+app.state | translate}}
diff --git a/console/src/app/pages/projects/apps/app-detail/app-detail.component.ts b/console/src/app/pages/projects/apps/app-detail/app-detail.component.ts index 0e305606c5..2001818cef 100644 --- a/console/src/app/pages/projects/apps/app-detail/app-detail.component.ts +++ b/console/src/app/pages/projects/apps/app-detail/app-detail.component.ts @@ -2,11 +2,11 @@ import { COMMA, ENTER, SPACE } from '@angular/cdk/keycodes'; import { Location } from '@angular/common'; import { HttpClient } from '@angular/common/http'; import { Component, OnDestroy, OnInit } from '@angular/core'; -import { AbstractControl, FormBuilder, FormControl, FormGroup, Validators } from '@angular/forms'; +import { AbstractControl, FormBuilder, FormGroup, Validators } from '@angular/forms'; import { MatButtonToggleChange } from '@angular/material/button-toggle'; import { MatDialog } from '@angular/material/dialog'; import { MatSnackBar } from '@angular/material/snack-bar'; -import { ActivatedRoute, Params, Router, RouterLink } from '@angular/router'; +import { ActivatedRoute, Params, Router } from '@angular/router'; import { TranslateService } from '@ngx-translate/core'; import { Duration } from 'google-protobuf/google/protobuf/duration_pb'; import { Subject, Subscription } from 'rxjs'; 
@@ -18,25 +18,36 @@ import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.com import { APIAuthMethodType, APIConfig, - APIConfigUpdate, - Application, + App, AppState, - ClientSecret, - OIDCApplicationType, + OIDCAppType, OIDCAuthMethodType, OIDCConfig, - OIDCConfigUpdate, OIDCGrantType, OIDCResponseType, OIDCTokenType, - ZitadelDocs, -} from 'src/app/proto/generated/management_pb'; +} from 'src/app/proto/generated/zitadel/app_pb'; +import { + GetOIDCInformationResponse, + UpdateAPIAppConfigRequest, + UpdateOIDCAppConfigRequest, +} from 'src/app/proto/generated/zitadel/management_pb'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; import { AppSecretDialogComponent } from '../app-secret-dialog/app-secret-dialog.component'; -import { CODE_METHOD, getAuthMethodFromPartialConfig, getPartialConfigFromAuthMethod, IMPLICIT_METHOD, PKCE_METHOD, PK_JWT_METHOD, POST_METHOD, CUSTOM_METHOD, BASIC_AUTH_METHOD } from '../authmethods'; +import { + BASIC_AUTH_METHOD, + CODE_METHOD, + CUSTOM_METHOD, + getAuthMethodFromPartialConfig, + getPartialConfigFromAuthMethod, + IMPLICIT_METHOD, + PK_JWT_METHOD, + PKCE_METHOD, + POST_METHOD, +} from '../authmethods'; @Component({ selector: 'app-app-detail', 
@@ -56,33 +67,33 @@ export class AppDetailComponent implements OnInit, OnDestroy { public authMethods: RadioItemAuthType[] = []; private subscription?: Subscription; public projectId: string = ''; - public app!: Application.AsObject; + public app!: App.AsObject; public oidcResponseTypes: OIDCResponseType[] = [ - OIDCResponseType.OIDCRESPONSETYPE_CODE, - OIDCResponseType.OIDCRESPONSETYPE_ID_TOKEN, - OIDCResponseType.OIDCRESPONSETYPE_ID_TOKEN_TOKEN, + OIDCResponseType.OIDC_RESPONSE_TYPE_CODE, + OIDCResponseType.OIDC_RESPONSE_TYPE_ID_TOKEN, + OIDCResponseType.OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN, ]; public oidcGrantTypes: OIDCGrantType[] = [ - OIDCGrantType.OIDCGRANTTYPE_AUTHORIZATION_CODE, - OIDCGrantType.OIDCGRANTTYPE_IMPLICIT, - OIDCGrantType.OIDCGRANTTYPE_REFRESH_TOKEN, + OIDCGrantType.OIDC_GRANT_TYPE_AUTHORIZATION_CODE, + OIDCGrantType.OIDC_GRANT_TYPE_IMPLICIT, + OIDCGrantType.OIDC_GRANT_TYPE_REFRESH_TOKEN, ]; - public oidcAppTypes: OIDCApplicationType[] = [ - OIDCApplicationType.OIDCAPPLICATIONTYPE_WEB, - OIDCApplicationType.OIDCAPPLICATIONTYPE_USER_AGENT, - OIDCApplicationType.OIDCAPPLICATIONTYPE_NATIVE, + public oidcAppTypes: OIDCAppType[] = [ + OIDCAppType.OIDC_APP_TYPE_WEB, + OIDCAppType.OIDC_APP_TYPE_USER_AGENT, + OIDCAppType.OIDC_APP_TYPE_NATIVE, ]; public oidcAuthMethodType: OIDCAuthMethodType[] = [ - OIDCAuthMethodType.OIDCAUTHMETHODTYPE_BASIC, - OIDCAuthMethodType.OIDCAUTHMETHODTYPE_POST, - OIDCAuthMethodType.OIDCAUTHMETHODTYPE_NONE, - OIDCAuthMethodType.OIDCAUTHMETHODTYPE_PRIVATE_KEY_JWT, + OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_BASIC, + OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_POST, + OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_NONE, + OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT, ]; public oidcTokenTypes: OIDCTokenType[] = [ - OIDCTokenType.OIDCTOKENTYPE_BEARER, - OIDCTokenType.OIDCTOKENTYPE_JWT, + OIDCTokenType.OIDC_TOKEN_TYPE_BEARER, + OIDCTokenType.OIDC_TOKEN_TYPE_JWT, ]; public AppState: any = AppState; 
@@ -94,9 +105,9 @@ export class AppDetailComponent implements OnInit, OnDestroy { public postLogoutRedirectUrisList: string[] = []; public isZitadel: boolean = false; - public docs!: ZitadelDocs.AsObject; + public docs!: GetOIDCInformationResponse.AsObject; - public OIDCApplicationType: any = OIDCApplicationType; + public OIDCAppType: any = OIDCAppType; public OIDCAuthMethodType: any = OIDCAuthMethodType; public APIAuthMethodType: any = APIAuthMethodType; public OIDCTokenType: any = OIDCTokenType; @@ -142,7 +153,7 @@ export class AppDetailComponent implements OnInit, OnDestroy { clientId: [{ value: '', disabled: true }], responseTypesList: [{ value: [], disabled: true }], grantTypesList: [{ value: [], disabled: true }], - applicationType: [{ value: '', disabled: true }], + appType: [{ value: '', disabled: true }], authMethodType: [{ value: '', disabled: true }], accessTokenType: [{ value: '', disabled: true }], accessTokenRoleAssertion: [{ value: false, disabled: true }], 
@@ -192,93 +203,95 @@ export class AppDetailComponent implements OnInit, OnDestroy { this.initLinks(); - this.mgmtService.GetIam().then(iam => { - this.isZitadel = iam.toObject().iamProjectId === this.projectId; + this.mgmtService.getIAM().then(iam => { + this.isZitadel = iam.iamProjectId === this.projectId; }); this.authService.isAllowed(['project.app.write$', 'project.app.write:' + projectid]).pipe(take(1)).subscribe((allowed) => { this.canWrite = allowed; - this.mgmtService.GetApplicationById(projectid, id).then(app => { - this.app = app.toObject(); - this.appNameForm.patchValue(this.app); + this.mgmtService.getAppByID(projectid, id).then(app => { + if (app.app) { + this.app = app.app; + this.appNameForm.patchValue(this.app); - if (this.app.oidcConfig) { - this.getAuthMethodOptions('OIDC'); + if (this.app.oidcConfig) { + this.getAuthMethodOptions('OIDC'); - this.initialAuthMethod = this.authMethodFromPartialConfig({ oidc: this.app.oidcConfig }); - this.currentAuthMethod = this.initialAuthMethod; - if (this.initialAuthMethod === CUSTOM_METHOD.key) { - if (!this.authMethods.includes(CUSTOM_METHOD)) { - this.authMethods.push(CUSTOM_METHOD); + this.initialAuthMethod = this.authMethodFromPartialConfig({ oidc: this.app.oidcConfig }); + this.currentAuthMethod = this.initialAuthMethod; + if (this.initialAuthMethod === CUSTOM_METHOD.key) { + if (!this.authMethods.includes(CUSTOM_METHOD)) { + this.authMethods.push(CUSTOM_METHOD); + } + } else { + this.authMethods = this.authMethods.filter(element => element != CUSTOM_METHOD); } - } else { - this.authMethods = this.authMethods.filter(element => element != CUSTOM_METHOD); - } - } else if (this.app.apiConfig) { - this.getAuthMethodOptions('API'); + } else if (this.app.apiConfig) { + this.getAuthMethodOptions('API'); - this.initialAuthMethod = this.authMethodFromPartialConfig({ api: this.app.apiConfig }); - this.currentAuthMethod = this.initialAuthMethod; - if (this.initialAuthMethod === CUSTOM_METHOD.key) { - if 
(!this.authMethods.includes(CUSTOM_METHOD)) { - this.authMethods.push(CUSTOM_METHOD); + this.initialAuthMethod = this.authMethodFromPartialConfig({ api: this.app.apiConfig }); + this.currentAuthMethod = this.initialAuthMethod; + if (this.initialAuthMethod === CUSTOM_METHOD.key) { + if (!this.authMethods.includes(CUSTOM_METHOD)) { + this.authMethods.push(CUSTOM_METHOD); + } + } else { + this.authMethods = this.authMethods.filter(element => element != CUSTOM_METHOD); } - } else { - this.authMethods = this.authMethods.filter(element => element != CUSTOM_METHOD); - } - } - - if (allowed) { - this.appNameForm.enable(); - this.oidcForm.enable(); - this.apiForm.enable(); - } - - if (this.app.oidcConfig?.redirectUrisList) { - this.redirectUrisList = this.app.oidcConfig.redirectUrisList; - } - if (this.app.oidcConfig?.postLogoutRedirectUrisList) { - this.postLogoutRedirectUrisList = this.app.oidcConfig.postLogoutRedirectUrisList; - } - if (this.app.oidcConfig?.clockSkew) { - const inSecs = this.app.oidcConfig?.clockSkew.seconds + this.app.oidcConfig?.clockSkew.nanos / 100000; - this.oidcForm.controls['clockSkewSeconds'].setValue(inSecs); - } - if (this.app.oidcConfig) { - this.oidcForm.patchValue(this.app.oidcConfig); - } - - this.oidcForm.valueChanges.subscribe((oidcConfig) => { - this.initialAuthMethod = this.authMethodFromPartialConfig({ oidc: oidcConfig }); - if (this.initialAuthMethod === CUSTOM_METHOD.key) { - if (!this.authMethods.includes(CUSTOM_METHOD)) { - this.authMethods.push(CUSTOM_METHOD); - } - } else { - this.authMethods = this.authMethods.filter(element => element != CUSTOM_METHOD); } - this.showSaveSnack(); - }); - - this.apiForm.valueChanges.subscribe((apiConfig) => { - this.initialAuthMethod = this.authMethodFromPartialConfig({ api: apiConfig }); - if (this.initialAuthMethod === CUSTOM_METHOD.key) { - if (!this.authMethods.includes(CUSTOM_METHOD)) { - this.authMethods.push(CUSTOM_METHOD); - } - } else { - this.authMethods = 
this.authMethods.filter(element => element != CUSTOM_METHOD); + if (allowed) { + this.appNameForm.enable(); + this.oidcForm.enable(); + this.apiForm.enable(); } - this.showSaveSnack(); - }); + if (this.app.oidcConfig?.redirectUrisList) { + this.redirectUrisList = this.app.oidcConfig.redirectUrisList; + } + if (this.app.oidcConfig?.postLogoutRedirectUrisList) { + this.postLogoutRedirectUrisList = this.app.oidcConfig.postLogoutRedirectUrisList; + } + if (this.app.oidcConfig?.clockSkew) { + const inSecs = this.app.oidcConfig?.clockSkew.seconds + this.app.oidcConfig?.clockSkew.nanos / 100000; + this.oidcForm.controls['clockSkewSeconds'].setValue(inSecs); + } + if (this.app.oidcConfig) { + this.oidcForm.patchValue(this.app.oidcConfig); + } + + this.oidcForm.valueChanges.subscribe((oidcConfig) => { + this.initialAuthMethod = this.authMethodFromPartialConfig({ oidc: oidcConfig }); + if (this.initialAuthMethod === CUSTOM_METHOD.key) { + if (!this.authMethods.includes(CUSTOM_METHOD)) { + this.authMethods.push(CUSTOM_METHOD); + } + } else { + this.authMethods = this.authMethods.filter(element => element != CUSTOM_METHOD); + } + + this.showSaveSnack(); + }); + + this.apiForm.valueChanges.subscribe((apiConfig) => { + this.initialAuthMethod = this.authMethodFromPartialConfig({ api: apiConfig }); + if (this.initialAuthMethod === CUSTOM_METHOD.key) { + if (!this.authMethods.includes(CUSTOM_METHOD)) { + this.authMethods.push(CUSTOM_METHOD); + } + } else { + this.authMethods = this.authMethods.filter(element => element != CUSTOM_METHOD); + } + + this.showSaveSnack(); + }); + } }).catch(error => { console.error(error); this.toast.showError(error); this.errorMessage = error.message; }); }); - this.docs = (await this.mgmtService.GetZitadelDocs()).toObject(); + this.docs = (await this.mgmtService.getOIDCInformation()); } private async showSaveSnack(): Promise { 
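Review bot: The clock-skew conversion `clockSkew.seconds + clockSkew.nanos / 100000` divides by the wrong constant: `nanos` on a protobuf `Duration` is billionths of a second, so a skew of 0.5 s is shown in the form as 5000 s. The commit only re-indents this line, but since it is being touched anyway it should become `const inSecs = this.app.oidcConfig.clockSkew.seconds + this.app.oidcConfig.clockSkew.nanos / 1e9;`. Clock skew widens the window in which tokens are accepted, so the value an admin sees and re-saves needs to match what is stored. Separately, the new `if (app.app)` wrapper has no `else`, so a response without an app leaves the page blank without setting `errorMessage`.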
@@ -297,14 +310,14 @@ export class AppDetailComponent implements OnInit, OnDestroy { private getAuthMethodOptions(type: string): void { if (type == 'OIDC') { - switch (this.app.oidcConfig?.applicationType) { - case OIDCApplicationType.OIDCAPPLICATIONTYPE_NATIVE: + switch (this.app.oidcConfig?.appType) { + case OIDCAppType.OIDC_APP_TYPE_NATIVE: this.authMethods = [ PKCE_METHOD, CUSTOM_METHOD, ]; break; - case OIDCApplicationType.OIDCAPPLICATIONTYPE_WEB: + case OIDCAppType.OIDC_APP_TYPE_WEB: this.authMethods = [ PKCE_METHOD, CODE_METHOD, @@ -312,7 +325,7 @@ export class AppDetailComponent implements OnInit, OnDestroy { POST_METHOD, ]; break; - case OIDCApplicationType.OIDCAPPLICATIONTYPE_USER_AGENT: + case OIDCAppType.OIDC_APP_TYPE_USER_AGENT: this.authMethods = [ PKCE_METHOD, IMPLICIT_METHOD, @@ -338,10 +351,10 @@ export class AppDetailComponent implements OnInit, OnDestroy { if (partialConfig && partialConfig.oidc && this.app.oidcConfig) { this.app.oidcConfig.responseTypesList = (partialConfig.oidc as Partial).responseTypesList ?? []; this.app.oidcConfig.grantTypesList = (partialConfig.oidc as Partial).grantTypesList ?? []; - this.app.oidcConfig.authMethodType = (partialConfig.oidc as Partial).authMethodType ?? OIDCAuthMethodType.OIDCAUTHMETHODTYPE_NONE; + this.app.oidcConfig.authMethodType = (partialConfig.oidc as Partial).authMethodType ?? OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_NONE; this.oidcForm.patchValue(this.app.oidcConfig); } else if (partialConfig && partialConfig.api && this.app.apiConfig) { - this.app.apiConfig.authMethodType = (partialConfig.api as Partial).authMethodType ?? APIAuthMethodType.APIAUTHMETHODTYPE_BASIC; + this.app.apiConfig.authMethodType = (partialConfig.api as Partial).authMethodType ?? APIAuthMethodType.API_AUTH_METHOD_TYPE_BASIC; this.apiAuthMethodType?.setValue(this.app.apiConfig.authMethodType); } } 
@@ -358,7 +371,7 @@ export class AppDetailComponent implements OnInit, OnDestroy { }); dialogRef.afterClosed().subscribe(resp => { if (resp && this.projectId && this.app.id) { - this.mgmtService.RemoveApplication(this.projectId, this.app.id).then(() => { + this.mgmtService.removeApp(this.projectId, this.app.id).then(() => { this.toast.showInfo('APP.TOAST.DELETED', true); this.router.navigate(['/projects', this.projectId]); @@ -370,14 +383,14 @@ export class AppDetailComponent implements OnInit, OnDestroy { } public changeState(event: MatButtonToggleChange): void { - if (event.value === AppState.APPSTATE_ACTIVE) { - this.mgmtService.ReactivateApplication(this.projectId, this.app.id).then(() => { + if (event.value === AppState.APP_STATE_ACTIVE) { + this.mgmtService.reactivateApp(this.projectId, this.app.id).then(() => { this.toast.showInfo('APP.TOAST.REACTIVATED', true); }).catch((error: any) => { this.toast.showError(error); }); - } else if (event.value === AppState.APPSTATE_INACTIVE) { - this.mgmtService.DeactivateApplication(this.projectId, this.app.id).then(() => { + } else if (event.value === AppState.APP_STATE_INACTIVE) { + this.mgmtService.deactivateApp(this.projectId, this.app.id).then(() => { this.toast.showInfo('APP.TOAST.DEACTIVATED', true); }).catch((error: any) => { this.toast.showError(error); @@ -390,7 +403,7 @@ export class AppDetailComponent implements OnInit, OnDestroy { this.app.name = this.name?.value; this.mgmtService - .UpdateApplication(this.projectId, this.app.id, this.name?.value) + .updateApp(this.projectId, this.app.id, this.name?.value) .then(() => { this.toast.showInfo('APP.TOAST.UPDATED', true); this.editState = false; 
@@ -412,7 +425,7 @@ export class AppDetailComponent implements OnInit, OnDestroy { if (this.app.oidcConfig) { this.app.oidcConfig.responseTypesList = this.responseTypesList?.value; this.app.oidcConfig.grantTypesList = this.grantTypesList?.value; - this.app.oidcConfig.applicationType = this.applicationType?.value; + this.app.oidcConfig.appType = this.appType?.value; this.app.oidcConfig.authMethodType = this.authMethodType?.value; this.app.oidcConfig.redirectUrisList = this.redirectUrisList; this.app.oidcConfig.postLogoutRedirectUrisList = this.postLogoutRedirectUrisList; @@ -422,16 +435,15 @@ export class AppDetailComponent implements OnInit, OnDestroy { this.app.oidcConfig.idTokenRoleAssertion = this.idTokenRoleAssertion?.value; this.app.oidcConfig.idTokenUserinfoAssertion = this.idTokenUserinfoAssertion?.value; - - const req = new OIDCConfigUpdate(); + const req = new UpdateOIDCAppConfigRequest(); req.setProjectId(this.projectId); - req.setApplicationId(this.app.id); + req.setAppId(this.app.id); req.setRedirectUrisList(this.app.oidcConfig.redirectUrisList); req.setResponseTypesList(this.app.oidcConfig.responseTypesList); req.setAuthMethodType(this.app.oidcConfig.authMethodType); req.setPostLogoutRedirectUrisList(this.app.oidcConfig.postLogoutRedirectUrisList); req.setGrantTypesList(this.app.oidcConfig.grantTypesList); - req.setApplicationType(this.app.oidcConfig.applicationType); + req.setAppType(this.app.oidcConfig.appType); req.setDevMode(this.app.oidcConfig.devMode); req.setAccessTokenType(this.app.oidcConfig.accessTokenType); req.setAccessTokenRoleAssertion(this.app.oidcConfig.accessTokenRoleAssertion); @@ -444,7 +456,7 @@ export class AppDetailComponent implements OnInit, OnDestroy { req.setClockSkew(dur); } this.mgmtService - .UpdateOIDCAppConfig(req) + .updateOIDCAppConfig(req) .then(() => { if (this.app.oidcConfig) { const config = { oidc: this.app.oidcConfig }; 
@@ -463,13 +475,13 @@ export class AppDetailComponent implements OnInit, OnDestroy { if (this.apiForm.valid && this.app.apiConfig) { this.app.apiConfig.authMethodType = this.apiAuthMethodType?.value; - const req = new APIConfigUpdate(); + const req = new UpdateAPIAppConfigRequest(); req.setProjectId(this.projectId); - req.setApplicationId(this.app.id); + req.setAppId(this.app.id); req.setAuthMethodType(this.app.apiConfig.authMethodType); this.mgmtService - .UpdateAPIAppConfig(req) + .updateAPIAppConfig(req) .then(() => { if (this.app.apiConfig) { const config = { api: this.app.apiConfig }; @@ -484,12 +496,12 @@ export class AppDetailComponent implements OnInit, OnDestroy { } public regenerateOIDCClientSecret(): void { - this.mgmtService.RegenerateOIDCClientSecret(this.app.id, this.projectId).then((data: ClientSecret) => { + this.mgmtService.regenerateOIDCClientSecret(this.app.id, this.projectId).then(resp => { this.toast.showInfo('APP.TOAST.CLIENTSECRETREGENERATED', true); this.dialog.open(AppSecretDialogComponent, { data: { // clientId: data.toObject() as ClientSecret.AsObject.clientId, - clientSecret: data.toObject().clientSecret, + clientSecret: resp.clientSecret, }, width: '400px', }); @@ -500,12 +512,12 @@ export class AppDetailComponent implements OnInit, OnDestroy { } public regenerateAPIClientSecret(): void { - this.mgmtService.RegenerateAPIClientSecret(this.app.id, this.projectId).then((data: ClientSecret) => { + this.mgmtService.regenerateAPIClientSecret(this.app.id, this.projectId).then(resp => { this.toast.showInfo('APP.TOAST.CLIENTSECRETREGENERATED', true); this.dialog.open(AppSecretDialogComponent, { data: { // clientId: data.toObject().clientId ?? '', - clientSecret: data.toObject().clientSecret, + clientSecret: resp.clientSecret, }, width: '400px', }); 
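Review bot: `regenerateOIDCClientSecret(this.app.id, this.projectId)` and `regenerateAPIClientSecret(this.app.id, this.projectId)` pass the app id first, while every other renamed call in this file (`removeApp`, `reactivateApp`, `deactivateApp`, `updateApp`) passes `this.projectId` first. Both arguments are strings, so the compiler will not catch a swap; the service signatures are outside this diff view, so please confirm the order was kept deliberately when the methods were renamed, or align them. The leftover `// clientId: data.toObject()…` comments in both dialogs refer to `data`, which no longer exists after the change to `resp`, and can be dropped.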
@@ -535,8 +547,8 @@ export class AppDetailComponent implements OnInit, OnDestroy { return this.oidcForm.get('grantTypesList'); } - public get applicationType(): AbstractControl | null { - return this.oidcForm.get('applicationType'); + public get appType(): AbstractControl | null { + return this.oidcForm.get('appType'); } public get authMethodType(): AbstractControl | null { diff --git a/console/src/app/pages/projects/apps/authmethods.ts b/console/src/app/pages/projects/apps/authmethods.ts index 335f886dc7..7ea6ceeb7d 100644 --- a/console/src/app/pages/projects/apps/authmethods.ts +++ b/console/src/app/pages/projects/apps/authmethods.ts @@ -1,5 +1,12 @@ import { RadioItemAuthType } from 'src/app/modules/app-radio/app-auth-method-radio/app-auth-method-radio.component'; -import { APIAuthMethodType, APIConfig, OIDCAuthMethodType, OIDCConfig, OIDCGrantType, OIDCResponseType } from 'src/app/proto/generated/management_pb'; +import { + APIAuthMethodType, + APIConfig, + OIDCAuthMethodType, + OIDCConfig, + OIDCGrantType, + OIDCResponseType, +} from 'src/app/proto/generated/zitadel/app_pb'; export const CODE_METHOD: RadioItemAuthType = { key: 'CODE', @@ -8,9 +15,9 @@ export const CODE_METHOD: RadioItemAuthType = { disabled: false, prefix: 'CODE', background: 'rgb(89 115 128)', - responseType: OIDCResponseType.OIDCRESPONSETYPE_CODE, - grantType: OIDCGrantType.OIDCGRANTTYPE_AUTHORIZATION_CODE, - authMethod: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_BASIC, + responseType: OIDCResponseType.OIDC_RESPONSE_TYPE_CODE, + grantType: OIDCGrantType.OIDC_GRANT_TYPE_AUTHORIZATION_CODE, + authMethod: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_BASIC, recommended: false, }; export const PKCE_METHOD: RadioItemAuthType = { 
@@ -20,9 +27,9 @@ export const PKCE_METHOD: RadioItemAuthType = { disabled: false, prefix: 'PKCE', background: 'rgb(80 110 92)', - responseType: OIDCResponseType.OIDCRESPONSETYPE_CODE, - grantType: OIDCGrantType.OIDCGRANTTYPE_AUTHORIZATION_CODE, - authMethod: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_NONE, + responseType: OIDCResponseType.OIDC_RESPONSE_TYPE_CODE, + grantType: OIDCGrantType.OIDC_GRANT_TYPE_AUTHORIZATION_CODE, + authMethod: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_NONE, recommended: true, }; export const POST_METHOD: RadioItemAuthType = { @@ -32,9 +39,9 @@ export const POST_METHOD: RadioItemAuthType = { disabled: false, prefix: 'POST', background: 'rgb(144 75 75)', - responseType: OIDCResponseType.OIDCRESPONSETYPE_CODE, - grantType: OIDCGrantType.OIDCGRANTTYPE_AUTHORIZATION_CODE, - authMethod: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_POST, + responseType: OIDCResponseType.OIDC_RESPONSE_TYPE_CODE, + grantType: OIDCGrantType.OIDC_GRANT_TYPE_AUTHORIZATION_CODE, + authMethod: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_POST, notRecommended: true, }; export const PK_JWT_METHOD: RadioItemAuthType = { @@ -44,10 +51,10 @@ export const PK_JWT_METHOD: RadioItemAuthType = { disabled: false, prefix: 'JWT', background: 'rgb(89, 93, 128)', - responseType: OIDCResponseType.OIDCRESPONSETYPE_CODE, - grantType: OIDCGrantType.OIDCGRANTTYPE_AUTHORIZATION_CODE, - authMethod: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_PRIVATE_KEY_JWT, - apiAuthMethod: APIAuthMethodType.APIAUTHMETHODTYPE_PRIVATE_KEY_JWT, + responseType: OIDCResponseType.OIDC_RESPONSE_TYPE_CODE, + grantType: OIDCGrantType.OIDC_GRANT_TYPE_AUTHORIZATION_CODE, + authMethod: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT, + apiAuthMethod: APIAuthMethodType.API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT, // recommended: true, }; export const BASIC_AUTH_METHOD: RadioItemAuthType = { 
@@ -57,10 +64,10 @@ export const BASIC_AUTH_METHOD: RadioItemAuthType = { disabled: false, prefix: 'BASIC', background: 'rgb(144 75 75)', - responseType: OIDCResponseType.OIDCRESPONSETYPE_CODE, - grantType: OIDCGrantType.OIDCGRANTTYPE_AUTHORIZATION_CODE, - authMethod: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_POST, - apiAuthMethod: APIAuthMethodType.APIAUTHMETHODTYPE_BASIC, + responseType: OIDCResponseType.OIDC_RESPONSE_TYPE_CODE, + grantType: OIDCGrantType.OIDC_GRANT_TYPE_AUTHORIZATION_CODE, + authMethod: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_POST, + apiAuthMethod: APIAuthMethodType.API_AUTH_METHOD_TYPE_BASIC, }; export const IMPLICIT_METHOD: RadioItemAuthType = { @@ -70,9 +77,9 @@ export const IMPLICIT_METHOD: RadioItemAuthType = { disabled: false, prefix: 'IMP', background: 'rgb(144 75 75)', - responseType: OIDCResponseType.OIDCRESPONSETYPE_ID_TOKEN, - grantType: OIDCGrantType.OIDCGRANTTYPE_IMPLICIT, - authMethod: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_NONE, + responseType: OIDCResponseType.OIDC_RESPONSE_TYPE_ID_TOKEN, + grantType: OIDCGrantType.OIDC_GRANT_TYPE_IMPLICIT, + authMethod: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_NONE, notRecommended: true, }; 
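Review bot: `BASIC_AUTH_METHOD.authMethod` is still `OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_POST` after the rename, while `getPartialConfigFromAuthMethod` maps `BASIC_AUTH_METHOD.key` to `OIDC_AUTH_METHOD_TYPE_BASIC` in the hunk at `@@ -97,61 +104,61 @@`. The next hunk has the same kind of mismatch: `IMPLICIT_METHOD.responseType` is `OIDC_RESPONSE_TYPE_ID_TOKEN`, but the switch sends `OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN`. Which of the two the UI reads is not visible here, but the card shown to the user and the config sent to the server should describe the same client authentication; for the first one I would expect `authMethod: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_BASIC,`. A short comment on each constant stating that it must stay in sync with the switch would help the next rename.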
@@ -97,61 +104,61 @@ export function getPartialConfigFromAuthMethod(authMethod: string): { case CODE_METHOD.key: config = { oidc: { - responseTypesList: [OIDCResponseType.OIDCRESPONSETYPE_CODE], - grantTypesList: [OIDCGrantType.OIDCGRANTTYPE_AUTHORIZATION_CODE], - authMethodType: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_BASIC, + responseTypesList: [OIDCResponseType.OIDC_RESPONSE_TYPE_CODE], + grantTypesList: [OIDCGrantType.OIDC_GRANT_TYPE_AUTHORIZATION_CODE], + authMethodType: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_BASIC, }, }; return config; case PKCE_METHOD.key: config = { oidc: { - responseTypesList: [OIDCResponseType.OIDCRESPONSETYPE_CODE], - grantTypesList: [OIDCGrantType.OIDCGRANTTYPE_AUTHORIZATION_CODE], - authMethodType: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_NONE, + responseTypesList: [OIDCResponseType.OIDC_RESPONSE_TYPE_CODE], + grantTypesList: [OIDCGrantType.OIDC_GRANT_TYPE_AUTHORIZATION_CODE], + authMethodType: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_NONE, } }; return config; case POST_METHOD.key: config = { oidc: { - responseTypesList: [OIDCResponseType.OIDCRESPONSETYPE_CODE], - grantTypesList: [OIDCGrantType.OIDCGRANTTYPE_AUTHORIZATION_CODE], - authMethodType: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_POST, + responseTypesList: [OIDCResponseType.OIDC_RESPONSE_TYPE_CODE], + grantTypesList: [OIDCGrantType.OIDC_GRANT_TYPE_AUTHORIZATION_CODE], + authMethodType: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_POST, } }; return config; case PK_JWT_METHOD.key: config = { oidc: { - responseTypesList: [OIDCResponseType.OIDCRESPONSETYPE_CODE], - grantTypesList: [OIDCGrantType.OIDCGRANTTYPE_AUTHORIZATION_CODE], - authMethodType: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_PRIVATE_KEY_JWT, + responseTypesList: [OIDCResponseType.OIDC_RESPONSE_TYPE_CODE], + grantTypesList: [OIDCGrantType.OIDC_GRANT_TYPE_AUTHORIZATION_CODE], + authMethodType: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT, }, api: { - authMethodType: APIAuthMethodType.APIAUTHMETHODTYPE_PRIVATE_KEY_JWT, + 
authMethodType: APIAuthMethodType.API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT, } }; return config; case BASIC_AUTH_METHOD.key: config = { oidc: { - authMethodType: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_BASIC, + authMethodType: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_BASIC, }, api: { - authMethodType: APIAuthMethodType.APIAUTHMETHODTYPE_BASIC, + authMethodType: APIAuthMethodType.API_AUTH_METHOD_TYPE_BASIC, } }; return config; case IMPLICIT_METHOD.key: config = { oidc: { - responseTypesList: [OIDCResponseType.OIDCRESPONSETYPE_ID_TOKEN_TOKEN], - grantTypesList: [OIDCGrantType.OIDCGRANTTYPE_IMPLICIT], - authMethodType: OIDCAuthMethodType.OIDCAUTHMETHODTYPE_NONE, + responseTypesList: [OIDCResponseType.OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN], + grantTypesList: [OIDCGrantType.OIDC_GRANT_TYPE_IMPLICIT], + authMethodType: OIDCAuthMethodType.OIDC_AUTH_METHOD_TYPE_NONE, }, api: { - authMethodType: APIAuthMethodType.APIAUTHMETHODTYPE_PRIVATE_KEY_JWT, + authMethodType: APIAuthMethodType.API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT, } }; return config; @@ -165,41 +172,41 @@ export function getAuthMethodFromPartialConfig(config: { oidc?: Partial
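Review bot: The `IMPLICIT_METHOD.key` case of `getPartialConfigFromAuthMethod` sets `api: { authMethodType: APIAuthMethodType.API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT }`, the same value as the `PK_JWT_METHOD.key` case, which looks like a copy-paste leftover for a flow whose OIDC side uses `OIDC_AUTH_METHOD_TYPE_NONE`. The same case requests `OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN` while the `IMPLICIT_METHOD` constant in the earlier hunk declares `OIDC_RESPONSE_TYPE_ID_TOKEN`; the former also returns an access token in the front channel, so the two should agree on whichever is intended. Suggested: drop the `api` entry from the implicit case or add a comment saying why it is there, and align the response type with the constant. The function starts before the hunk, and the rename itself does not change any of these values.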
-
+
arrow_back diff --git a/console/src/app/pages/projects/granted-projects/granted-project-detail/granted-project-detail.component.ts b/console/src/app/pages/projects/granted-projects/granted-project-detail/granted-project-detail.component.ts index 06406be216..bf93b74d89 100644 --- a/console/src/app/pages/projects/granted-projects/granted-project-detail/granted-project-detail.component.ts +++ b/console/src/app/pages/projects/granted-projects/granted-project-detail/granted-project-detail.component.ts 
@@ -1,29 +1,17 @@ -import { SelectionModel } from '@angular/cdk/collections'; import { Location } from '@angular/common'; import { Component, OnDestroy, OnInit } from '@angular/core'; import { MatDialog } from '@angular/material/dialog'; -import { MatTableDataSource } from '@angular/material/table'; import { ActivatedRoute, Params, Router } from '@angular/router'; import { TranslateService } from '@ngx-translate/core'; import { BehaviorSubject, from, Observable, of, Subscription } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; import { CreationType, MemberCreateDialogComponent } from 'src/app/modules/add-member-dialog/member-create-dialog.component'; import { ChangeType } from 'src/app/modules/changes/changes.component'; +import { ProjectType } from 'src/app/modules/project-members/project-members.component'; import { UserGrantContext } from 'src/app/modules/user-grants/user-grants-datasource'; -import { - Application, - ApplicationSearchResponse, - ProjectGrantView, - ProjectMember, - ProjectMemberSearchResponse, - ProjectMemberView, - ProjectRole, - ProjectRoleSearchResponse, - ProjectState, - ProjectType, - UserGrantSearchKey, - UserView, -} from 'src/app/proto/generated/management_pb'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; +import { GrantedProject, ProjectState } from 'src/app/proto/generated/zitadel/project_pb'; +import { User } from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; 
@@ -35,41 +23,22 @@ import { ToastService } from 'src/app/services/toast.service'; export class GrantedProjectDetailComponent implements OnInit, OnDestroy { public projectId: string = ''; public grantId: string = ''; - public project!: ProjectGrantView.AsObject; - - public pageSizeRoles: number = 10; - public roleDataSource: MatTableDataSource = new MatTableDataSource(); - public roleResult!: ProjectRoleSearchResponse.AsObject; - public roleColumns: string[] = ['name', 'displayname', 'group', 'actions']; - - public pageSizeMembers: number = 10; - public projectDataSource: MatTableDataSource = new MatTableDataSource(); - public memberResult!: ProjectMemberSearchResponse.AsObject; - public memberColumns: string[] = ['firstname', 'lastname', 'username', 'email', 'roles']; - public selection: SelectionModel = new SelectionModel(true, []); - - public pageSizeApps: number = 10; - public appsDataSource: MatTableDataSource = new MatTableDataSource(); - public appsResult!: ApplicationSearchResponse.AsObject; - public appsColumns: string[] = ['name']; + public project!: GrantedProject.AsObject; public ProjectState: any = ProjectState; public ProjectType: any = ProjectType; public ChangeType: any = ChangeType; - public grid: boolean = true; private subscription?: Subscription; - public editstate: boolean = false; public isZitadel: boolean = false; UserGrantContext: any = UserGrantContext; - public userGrantSearchKey: UserGrantSearchKey = UserGrantSearchKey.USERGRANTSEARCHKEY_PROJECT_ID; // members public totalMemberResult: number = 0; - public membersSubject: BehaviorSubject - = new BehaviorSubject([]); + public membersSubject: BehaviorSubject + = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(true); public loading$: Observable = this.loadingSubject.asObservable(); 
@@ -96,13 +65,15 @@ export class GrantedProjectDetailComponent implements OnInit, OnDestroy { this.projectId = id; this.grantId = grantId; - this.mgmtService.GetIam().then(iam => { - this.isZitadel = iam.toObject().iamProjectId === this.projectId; + this.mgmtService.getIAM().then(iam => { + this.isZitadel = iam.iamProjectId === this.projectId; }); if (this.projectId && this.grantId) { - this.mgmtService.GetGrantedProjectByID(this.projectId, this.grantId).then(proj => { - this.project = proj.toObject(); + this.mgmtService.getGrantedProjectByID(this.projectId, this.grantId).then(proj => { + if (proj.grantedProject) { + this.project = proj.grantedProject; + } }).catch(error => { this.toast.showError(error); }); @@ -113,11 +84,13 @@ export class GrantedProjectDetailComponent implements OnInit, OnDestroy { public loadMembers(): void { this.loadingSubject.next(true); - from(this.mgmtService.SearchProjectGrantMembers(this.projectId, + from(this.mgmtService.listProjectGrantMembers(this.projectId, this.grantId, 100, 0)).pipe( map(resp => { - this.totalMemberResult = resp.toObject().totalResult; - return resp.toObject().resultList; + if (resp.details?.totalResult) { + this.totalMemberResult = resp.details.totalResult; + } + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), @@ -140,12 +113,12 @@ export class GrantedProjectDetailComponent implements OnInit, OnDestroy { dialogRef.afterClosed().subscribe(resp => { if (resp) { - const users: UserView.AsObject[] = resp.users; + const users: User.AsObject[] = resp.users; const roles: string[] = resp.roles; if (users && users.length && roles && roles.length) { users.forEach(user => { - return this.mgmtService.AddProjectGrantMember( + return this.mgmtService.addProjectGrantMember( this.projectId, this.grantId, user.id, 
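Review bot: The new guard `if (proj.grantedProject) { this.project = proj.grantedProject; }` does nothing when the response carries no project, so `this.project` (declared with `!`) stays undefined and the user gets no error. Add an `else` branch that reports the missing project through `this.toast.showError(...)`, as the `.catch` below already does for request failures. `this.mgmtService.getIAM().then(...)` just above has no `.catch` at all, so a rejected call goes unreported. The same silent guard is added in `OwnedProjectDetailComponent.getData` (`if (resp.project)`), where `saveProject` and `showDetail` later read `this.project.id`. The enclosing method starts outside the hunk.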
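Review bot: In `loadMembers`, `if (resp.details?.totalResult) { this.totalMemberResult = resp.details.totalResult; }` skips the assignment when the total is 0, so once the last member is removed the previous count stays on screen. Assign unconditionally with a default instead: `this.totalMemberResult = resp.details?.totalResult ?? 0;`. The same truthiness check is added in `GrantedProjectListComponent.getData`, in `ProjectApplicationsDataSource` and in `OwnedProjectDetailComponent.loadMembers` further down, and the same one-line change applies there.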
diff --git a/console/src/app/pages/projects/granted-projects/granted-project-list/granted-project-grid/granted-project-grid.component.ts b/console/src/app/pages/projects/granted-projects/granted-project-list/granted-project-grid/granted-project-grid.component.ts index d4d5e7d5ec..371a66ab43 100644 --- a/console/src/app/pages/projects/granted-projects/granted-project-list/granted-project-grid/granted-project-grid.component.ts +++ b/console/src/app/pages/projects/granted-projects/granted-project-list/granted-project-grid/granted-project-grid.component.ts @@ -2,8 +2,9 @@ import { animate, animateChild, query, stagger, style, transition, trigger } fro import { SelectionModel } from '@angular/cdk/collections'; import { Component, EventEmitter, Input, OnChanges, Output, SimpleChanges } from '@angular/core'; import { Router } from '@angular/router'; -import { Org } from 'src/app/proto/generated/auth_pb'; -import { ProjectGrantView, ProjectState, ProjectType } from 'src/app/proto/generated/management_pb'; +import { ProjectType } from 'src/app/modules/project-members/project-members.component'; +import { Org } from 'src/app/proto/generated/zitadel/org_pb'; +import { GrantedProject, ProjectState } from 'src/app/proto/generated/zitadel/project_pb'; import { StorageKey, StorageService } from 'src/app/services/storage.service'; @Component({ 
@@ -31,12 +32,12 @@ import { StorageKey, StorageService } from 'src/app/services/storage.service'; ], }) export class GrantedProjectGridComponent implements OnChanges { - @Input() items: Array = []; - public notPinned: Array = []; + @Input() items: Array = []; + public notPinned: Array = []; @Output() newClicked: EventEmitter = new EventEmitter(); @Output() changedView: EventEmitter = new EventEmitter(); @Input() loading: boolean = false; - public selection: SelectionModel = new SelectionModel(true, []); + public selection: SelectionModel = new SelectionModel(true, []); public showNewProject: boolean = false; public ProjectState: any = ProjectState; @@ -71,7 +72,7 @@ export class GrantedProjectGridComponent implements OnChanges { this.getPrefixedItem('pinned-granted-projects').then(storageEntry => { if (storageEntry) { const array: string[] = JSON.parse(storageEntry); - const toSelect: ProjectGrantView.AsObject[] = this.items.filter((item, index) => { + const toSelect: GrantedProject.AsObject[] = this.items.filter((item, index) => { if (array.includes(item.projectId)) { return true; } diff --git a/console/src/app/pages/projects/granted-projects/granted-project-list/granted-project-list.component.ts b/console/src/app/pages/projects/granted-projects/granted-project-list/granted-project-list.component.ts index 9ceb8d451a..e788567e56 100644 --- a/console/src/app/pages/projects/granted-projects/granted-project-list/granted-project-list.component.ts +++ b/console/src/app/pages/projects/granted-projects/granted-project-list/granted-project-list.component.ts 
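Review bot: `const array: string[] = JSON.parse(storageEntry);` trusts whatever is stored under 'pinned-granted-projects': a malformed entry makes `JSON.parse` throw inside the `then` callback, and a value that is not an array breaks `array.includes(item.projectId)`. No `catch` is visible in this hunk. Parse inside `try`/`catch` and keep the result only when `Array.isArray(...)` holds, falling back to an empty list otherwise. The line is unchanged context in the hunk and the method continues outside it, so a handler may exist further down.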
@@ -7,7 +7,7 @@ import { Router } from '@angular/router'; import { TranslateService } from '@ngx-translate/core'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, Observable, Subscription } from 'rxjs'; -import { ProjectGrantView } from 'src/app/proto/generated/management_pb'; +import { GrantedProject } from 'src/app/proto/generated/zitadel/project_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -39,13 +39,13 @@ export class GrantedProjectListComponent implements OnInit, OnDestroy { public totalResult: number = 0; public viewTimestamp!: Timestamp.AsObject; - public dataSource: MatTableDataSource = - new MatTableDataSource(); + public dataSource: MatTableDataSource = + new MatTableDataSource(); @ViewChild(MatPaginator) public paginator!: MatPaginator; - public grantedProjectList: ProjectGrantView.AsObject[] = []; + public grantedProjectList: GrantedProject.AsObject[] = []; public displayedColumns: string[] = ['select', 'name', 'resourceOwnerName', 'state', 'creationDate', 'changeDate']; - public selection: SelectionModel = new SelectionModel(true, []); + public selection: SelectionModel = new SelectionModel(true, []); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); 
@@ -89,12 +89,13 @@ export class GrantedProjectListComponent implements OnInit, OnDestroy { private async getData(limit: number, offset: number): Promise { this.loadingSubject.next(true); - this.mgmtService.SearchGrantedProjects(limit, offset).then(res => { - const response = res.toObject(); - this.grantedProjectList = response.resultList; - this.totalResult = response.totalResult; - if (response.viewTimestamp) { - this.viewTimestamp = response.viewTimestamp; + this.mgmtService.listGrantedProjects(limit, offset).then(resp => { + this.grantedProjectList = resp.resultList; + if (resp.details?.totalResult) { + this.totalResult = resp.details.totalResult; + } + if (resp.details?.viewTimestamp) { + this.viewTimestamp = resp.details?.viewTimestamp; } if (this.totalResult > 5) { this.grid = false; diff --git a/console/src/app/pages/projects/granted-projects/granted-projects-routing.module.ts b/console/src/app/pages/projects/granted-projects/granted-projects-routing.module.ts index f602fc505c..ad3c492ba9 100644 --- a/console/src/app/pages/projects/granted-projects/granted-projects-routing.module.ts +++ b/console/src/app/pages/projects/granted-projects/granted-projects-routing.module.ts @@ -2,7 +2,7 @@ import { NgModule } from '@angular/core'; import { RouterModule, Routes } from '@angular/router'; import { AuthGuard } from 'src/app/guards/auth.guard'; import { RoleGuard } from 'src/app/guards/role.guard'; -import { ProjectType } from 'src/app/proto/generated/management_pb'; +import { ProjectType } from 'src/app/modules/project-members/project-members.component'; import { GrantedProjectDetailComponent } from './granted-project-detail/granted-project-detail.component'; import { GrantedProjectsComponent } from './granted-projects.component'; 
diff --git a/console/src/app/pages/projects/owned-projects/owned-project-detail/application-grid/application-grid.component.ts b/console/src/app/pages/projects/owned-projects/owned-project-detail/application-grid/application-grid.component.ts index a73e8687c2..9303519ee4 100644 --- a/console/src/app/pages/projects/owned-projects/owned-project-detail/application-grid/application-grid.component.ts +++ b/console/src/app/pages/projects/owned-projects/owned-project-detail/application-grid/application-grid.component.ts @@ -1,8 +1,9 @@ import { Component, EventEmitter, Input, OnInit, Output } from '@angular/core'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; -import { Application, OIDCApplicationType, OIDCResponseType } from 'src/app/proto/generated/management_pb'; +import { App, OIDCAppType } from 'src/app/proto/generated/zitadel/app_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; + import { NATIVE_TYPE, USER_AGENT_TYPE, WEB_TYPE } from '../../../apps/authtypes'; @Component({ @@ -14,10 +15,10 @@ export class ApplicationGridComponent implements OnInit { @Input() public projectId: string = ''; @Input() public disabled: boolean = false; @Output() public changeView: EventEmitter = new EventEmitter(); - public appsSubject: BehaviorSubject = new BehaviorSubject([]); + public appsSubject: BehaviorSubject = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(true); public loading$: Observable = this.loadingSubject.asObservable(); - public OIDCApplicationType: any = OIDCApplicationType; + public OIDCApplicationType: any = OIDCAppType; public NATIVE_TYPE: any = NATIVE_TYPE; public WEB_TYPE: any = WEB_TYPE; 
@@ -30,14 +31,14 @@ export class ApplicationGridComponent implements OnInit { } public loadApps(): void { - from(this.mgmtService.SearchApplications(this.projectId, 100, 0)).pipe( + from(this.mgmtService.listApps(this.projectId, 100, 0)).pipe( map(resp => { - return resp.toObject().resultList; + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), ).subscribe((apps) => { - this.appsSubject.next(apps as Application.AsObject[]); + this.appsSubject.next(apps as App.AsObject[]); }); } diff --git a/console/src/app/pages/projects/owned-projects/owned-project-detail/applications/applications-datasource.ts b/console/src/app/pages/projects/owned-projects/owned-project-detail/applications/applications-datasource.ts index 97fe8a1c78..b04b9eccee 100644 --- a/console/src/app/pages/projects/owned-projects/owned-project-detail/applications/applications-datasource.ts +++ b/console/src/app/pages/projects/owned-projects/owned-project-detail/applications/applications-datasource.ts @@ -2,7 +2,7 @@ import { DataSource } from '@angular/cdk/collections'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; -import { Application } from 'src/app/proto/generated/management_pb'; +import { App } from 'src/app/proto/generated/zitadel/app_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; /** 
@@ -10,11 +10,11 @@ import { ManagementService } from 'src/app/services/mgmt.service'; * encapsulate all logic for fetching and manipulating the displayed data * (including sorting, pagination, and filtering). */ -export class ProjectApplicationsDataSource extends DataSource { +export class ProjectApplicationsDataSource extends DataSource { public totalResult: number = 0; public viewTimestamp!: Timestamp.AsObject; - public appsSubject: BehaviorSubject = new BehaviorSubject([]); + public appsSubject: BehaviorSubject = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); @@ -26,12 +26,14 @@ export class ProjectApplicationsDataSource extends DataSource { - const response = resp.toObject(); - this.totalResult = response.totalResult; - if (response.viewTimestamp) { - this.viewTimestamp = response.viewTimestamp; + const response = resp; + if (response.details?.totalResult) { + this.totalResult = response.details.totalResult; + } + if (response.details?.viewTimestamp) { + this.viewTimestamp = response.details.viewTimestamp; } return response.resultList; }), @@ -48,7 +50,7 @@ export class ProjectApplicationsDataSource extends DataSource { + public connect(): Observable { return this.appsSubject.asObservable(); } diff --git a/console/src/app/pages/projects/owned-projects/owned-project-detail/applications/applications.component.ts b/console/src/app/pages/projects/owned-projects/owned-project-detail/applications/applications.component.ts index c4b70f1431..e2532bd928 100644 --- a/console/src/app/pages/projects/owned-projects/owned-project-detail/applications/applications.component.ts +++ b/console/src/app/pages/projects/owned-projects/owned-project-detail/applications/applications.component.ts 
@@ -5,9 +5,8 @@ import { MatSort } from '@angular/material/sort'; import { MatTable } from '@angular/material/table'; import { merge, of } from 'rxjs'; import { tap } from 'rxjs/operators'; -import { Application } from 'src/app/proto/generated/management_pb'; +import { App } from 'src/app/proto/generated/zitadel/app_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; -import { ToastService } from 'src/app/services/toast.service'; import { ProjectApplicationsDataSource } from './applications-datasource'; @@ -22,13 +21,13 @@ export class ApplicationsComponent implements AfterViewInit, OnInit { @Input() public disabled: boolean = false; @ViewChild(MatPaginator) public paginator!: MatPaginator; @ViewChild(MatSort) public sort!: MatSort; - @ViewChild(MatTable) public table!: MatTable; + @ViewChild(MatTable) public table!: MatTable; public dataSource!: ProjectApplicationsDataSource; - public selection: SelectionModel = new SelectionModel(true, []); + public selection: SelectionModel = new SelectionModel(true, []); public displayedColumns: string[] = ['select', 'name', 'type']; - constructor(private mgmtService: ManagementService, private toast: ToastService) { } + constructor(private mgmtService: ManagementService) { } public ngOnInit(): void { this.dataSource = new ProjectApplicationsDataSource(this.mgmtService); @@ -60,7 +59,7 @@ export class ApplicationsComponent implements AfterViewInit, OnInit { public masterToggle(): void { this.isAllSelected() ? this.selection.clear() : - this.dataSource.appsSubject.value.forEach((row: Application.AsObject) => this.selection.select(row)); + this.dataSource.appsSubject.value.forEach((row: App.AsObject) => this.selection.select(row)); } public refreshPage(): void { 
diff --git a/console/src/app/pages/projects/owned-projects/owned-project-detail/owned-project-detail.component.html b/console/src/app/pages/projects/owned-projects/owned-project-detail/owned-project-detail.component.html index d83a9208e7..30e25ed8d8 100644 --- a/console/src/app/pages/projects/owned-projects/owned-project-detail/owned-project-detail.component.html +++ b/console/src/app/pages/projects/owned-projects/owned-project-detail/owned-project-detail.component.html @@ -1,6 +1,6 @@
-
+
arrow_back @@ -22,12 +22,12 @@ @@ -53,7 +53,7 @@
- + @@ -68,18 +68,18 @@ + [appHasRole]="['project.grant.read:' + project.id, 'project.grant.read']"> - +

{{'PROJECT.ROLE.OPTIONS' | translate}}

@@ -92,14 +92,14 @@

{{'PROJECT.ROLE.CHECK_DESCRIPTION' | translate}}

- + [disabled]="(['project.member.write$', 'project.member.write:'+ project.id]| hasRole | async) == false"> - +
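Review bot: The role patterns on the `[disabled]` line are anchored inconsistently: 'project.member.write$' ends with `$`, `'project.member.write:'+ project.id` has no end anchor, and the `[appHasRole]` list in the previous hunk uses 'project.grant.read' with none at all. If `hasRole` matches these strings as regular expressions (the `$` suggests it, but the pipe is not part of this diff), the unanchored 'project.grant.read' would also match a `project.grant.read:<id>` role held for a different project, and a project-scoped pattern would match any id that merely starts with `project.id`. Proposed: end every pattern with `$`, for example `'project.member.write:' + project.id + '$'`. This binding only toggles the control, so the API still has to make the actual authorization decision. The template markup around these lines was lost in extraction, so the exact elements cannot be confirmed from this view.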
diff --git a/console/src/app/pages/projects/owned-projects/owned-project-detail/owned-project-detail.component.ts b/console/src/app/pages/projects/owned-projects/owned-project-detail/owned-project-detail.component.ts index 14f291b64f..002a3a175c 100644 --- a/console/src/app/pages/projects/owned-projects/owned-project-detail/owned-project-detail.component.ts +++ b/console/src/app/pages/projects/owned-projects/owned-project-detail/owned-project-detail.component.ts @@ -1,4 +1,3 @@ -import { SelectionModel } from '@angular/cdk/collections'; import { Location } from '@angular/common'; import { Component, EventEmitter, OnDestroy, OnInit } from '@angular/core'; import { MatDialog } from '@angular/material/dialog'; 
@@ -9,22 +8,14 @@ import { BehaviorSubject, from, Observable, of, Subscription } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; import { CreationType, MemberCreateDialogComponent } from 'src/app/modules/add-member-dialog/member-create-dialog.component'; import { ChangeType } from 'src/app/modules/changes/changes.component'; +import { ProjectType } from 'src/app/modules/project-members/project-members.component'; import { UserGrantContext } from 'src/app/modules/user-grants/user-grants-datasource'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; -import { - Application, - ApplicationSearchResponse, - ProjectMember, - ProjectMemberSearchResponse, - ProjectMemberView, - ProjectRole, - ProjectRoleSearchResponse, - ProjectState, - ProjectType, - ProjectView, - UserGrantSearchKey, - UserView, -} from 'src/app/proto/generated/management_pb'; +import { App } from 'src/app/proto/generated/zitadel/app_pb'; +import { ListAppsResponse, UpdateProjectRequest } from 'src/app/proto/generated/zitadel/management_pb'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; +import { Project, ProjectState } from 'src/app/proto/generated/zitadel/project_pb'; +import { User } from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; 
@@ -36,22 +27,11 @@ import { ToastService } from 'src/app/services/toast.service'; }) export class OwnedProjectDetailComponent implements OnInit, OnDestroy { public projectId: string = ''; - public project!: ProjectView.AsObject; - - public pageSizeRoles: number = 10; - public roleDataSource: MatTableDataSource = new MatTableDataSource(); - public roleResult!: ProjectRoleSearchResponse.AsObject; - public roleColumns: string[] = ['name', 'displayname', 'group', 'actions']; - - public pageSizeMembers: number = 10; - public projectDataSource: MatTableDataSource = new MatTableDataSource(); - public memberResult!: ProjectMemberSearchResponse.AsObject; - public memberColumns: string[] = ['firstname', 'lastname', 'username', 'email', 'roles']; - public selection: SelectionModel = new SelectionModel(true, []); + public project!: Project.AsObject; public pageSizeApps: number = 10; - public appsDataSource: MatTableDataSource = new MatTableDataSource(); - public appsResult!: ApplicationSearchResponse.AsObject; + public appsDataSource: MatTableDataSource = new MatTableDataSource(); + public appsResult!: ListAppsResponse.AsObject; public appsColumns: string[] = ['name']; public ProjectState: any = ProjectState; @@ -64,13 +44,12 @@ export class OwnedProjectDetailComponent implements OnInit, OnDestroy { public isZitadel: boolean = false; - public userGrantSearchKey: UserGrantSearchKey = UserGrantSearchKey.USERGRANTSEARCHKEY_PROJECT_ID; public UserGrantContext: any = UserGrantContext; // members public totalMemberResult: number = 0; - public membersSubject: BehaviorSubject - = new BehaviorSubject([]); + public membersSubject: BehaviorSubject + = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(true); public loading$: Observable = this.loadingSubject.asObservable(); public refreshChanges$: EventEmitter = new EventEmitter(); 
@@ -96,12 +75,14 @@ export class OwnedProjectDetailComponent implements OnInit, OnDestroy { private async getData({ id }: Params): Promise { this.projectId = id; - this.mgmtService.GetIam().then(iam => { - this.isZitadel = iam.toObject().iamProjectId === this.projectId; + this.mgmtService.getIAM().then(iam => { + this.isZitadel = iam.iamProjectId === this.projectId; }); - this.mgmtService.GetProjectById(id).then(proj => { - this.project = proj.toObject(); + this.mgmtService.getProjectByID(id).then(resp => { + if (resp.project) { + this.project = resp.project; + } }).catch(error => { console.error(error); this.toast.showError(error); @@ -112,10 +93,12 @@ export class OwnedProjectDetailComponent implements OnInit, OnDestroy { public loadMembers(): void { this.loadingSubject.next(true); - from(this.mgmtService.SearchProjectMembers(this.projectId, 100, 0)).pipe( + from(this.mgmtService.listProjectMembers(this.projectId, 100, 0)).pipe( map(resp => { - this.totalMemberResult = resp.toObject().totalResult; - return resp.toObject().resultList; + if (resp.details?.totalResult) { + this.totalMemberResult = resp.details?.totalResult; + } + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), @@ -125,7 +108,7 @@ export class OwnedProjectDetailComponent implements OnInit, OnDestroy { } public changeState(newState: ProjectState): void { - if (newState === ProjectState.PROJECTSTATE_ACTIVE) { + if (newState === ProjectState.PROJECT_STATE_ACTIVE) { const dialogRef = this.dialog.open(WarnDialogComponent, { data: { confirmKey: 'ACTIONS.REACTIVATE', 
@@ -137,9 +120,9 @@ export class OwnedProjectDetailComponent implements OnInit, OnDestroy { }); dialogRef.afterClosed().subscribe(resp => { if (resp) { - this.mgmtService.ReactivateProject(this.projectId).then(() => { + this.mgmtService.reactivateProject(this.projectId).then(() => { this.toast.showInfo('PROJECT.TOAST.REACTIVATED', true); - this.project.state = ProjectState.PROJECTSTATE_ACTIVE; + this.project.state = ProjectState.PROJECT_STATE_ACTIVE; this.refreshChanges$.emit(); }).catch(error => { this.toast.showError(error); @@ -147,7 +130,7 @@ export class OwnedProjectDetailComponent implements OnInit, OnDestroy { } }); - } else if (newState === ProjectState.PROJECTSTATE_INACTIVE) { + } else if (newState === ProjectState.PROJECT_STATE_INACTIVE) { const dialogRef = this.dialog.open(WarnDialogComponent, { data: { confirmKey: 'ACTIONS.DEACTIVATE', @@ -159,9 +142,9 @@ export class OwnedProjectDetailComponent implements OnInit, OnDestroy { }); dialogRef.afterClosed().subscribe(resp => { if (resp) { - this.mgmtService.DeactivateProject(this.projectId).then(() => { + this.mgmtService.deactivateProject(this.projectId).then(() => { this.toast.showInfo('PROJECT.TOAST.DEACTIVATED', true); - this.project.state = ProjectState.PROJECTSTATE_INACTIVE; + this.project.state = ProjectState.PROJECT_STATE_INACTIVE; this.refreshChanges$.emit(); }).catch(error => { this.toast.showError(error); @@ -183,7 +166,7 @@ export class OwnedProjectDetailComponent implements OnInit, OnDestroy { }); dialogRef.afterClosed().subscribe(resp => { if (resp) { - this.mgmtService.RemoveProject(this.projectId).then(() => { + this.mgmtService.removeProject(this.projectId).then(() => { this.toast.showInfo('PROJECT.TOAST.DELETED', true); const params: Params = { 'deferredReload': true, 
@@ -197,7 +180,13 @@ export class OwnedProjectDetailComponent implements OnInit, OnDestroy { } public saveProject(): void { - this.mgmtService.UpdateProject(this.project.projectId, this.project).then(() => { + const req = new UpdateProjectRequest(); + req.setId(this.project.id); + req.setName(this.project.name); + req.setProjectRoleAssertion(this.project.projectRoleAssertion); + req.setProjectRoleCheck(this.project.projectRoleCheck); + + this.mgmtService.updateProject(req).then(() => { this.toast.showInfo('PROJECT.TOAST.UPDATED', true); this.refreshChanges$.emit(); }).catch(error => { @@ -218,19 +207,19 @@ export class OwnedProjectDetailComponent implements OnInit, OnDestroy { const dialogRef = this.dialog.open(MemberCreateDialogComponent, { data: { creationType: CreationType.PROJECT_OWNED, - projectId: this.project.projectId, + projectId: this.project.id, }, width: '400px', }); dialogRef.afterClosed().subscribe(resp => { if (resp) { - const users: UserView.AsObject[] = resp.users; + const users: User.AsObject[] = resp.users; const roles: string[] = resp.roles; if (users && users.length && roles && roles.length) { users.forEach(user => { - return this.mgmtService.AddProjectMember(this.projectId, user.id, roles) + return this.mgmtService.addProjectMember(this.projectId, user.id, roles) .then(() => { this.toast.showInfo('PROJECT.TOAST.MEMBERADDED', true); setTimeout(() => { @@ -246,6 +235,6 @@ export class OwnedProjectDetailComponent implements OnInit, OnDestroy { } public showDetail(): void { - this.router.navigate(['projects', this.project.projectId, 'members']); + this.router.navigate(['projects', this.project.id, 'members']); } } diff --git a/console/src/app/pages/projects/owned-projects/owned-project-detail/project-grants/project-grants-datasource.ts b/console/src/app/pages/projects/owned-projects/owned-project-detail/project-grants/project-grants-datasource.ts index abe5554ff5..bc1daa4391 100644 
--- a/console/src/app/pages/projects/owned-projects/owned-project-detail/project-grants/project-grants-datasource.ts +++ b/console/src/app/pages/projects/owned-projects/owned-project-detail/project-grants/project-grants-datasource.ts @@ -2,7 +2,7 @@ import { DataSource } from '@angular/cdk/collections'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; -import { ProjectGrant } from 'src/app/proto/generated/management_pb'; +import { GrantedProject } from 'src/app/proto/generated/zitadel/project_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; /** @@ -10,10 +10,10 @@ import { ManagementService } from 'src/app/services/mgmt.service'; * encapsulate all logic for fetching and manipulating the displayed data * (including sorting, pagination, and filtering). */ -export class ProjectGrantsDataSource extends DataSource { +export class ProjectGrantsDataSource extends DataSource { public totalResult: number = 0; public viewTimestamp!: Timestamp.AsObject; - public grantsSubject: BehaviorSubject = new BehaviorSubject([]); + public grantsSubject: BehaviorSubject = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); 
@@ -25,14 +25,15 @@ export class ProjectGrantsDataSource extends DataSource { const offset = pageIndex * pageSize; this.loadingSubject.next(true); - from(this.mgmtService.SearchProjectGrants(projectId, pageSize, offset)).pipe( + from(this.mgmtService.listProjectGrants(projectId, pageSize, offset)).pipe( map(resp => { - const response = resp.toObject(); - this.totalResult = response.totalResult; - if (response.viewTimestamp) { - this.viewTimestamp = response.viewTimestamp; + if (resp.details?.totalResult) { + this.totalResult = resp.details.totalResult; } - return response.resultList; + if (resp.details?.viewTimestamp) { + this.viewTimestamp = resp.details?.viewTimestamp; + } + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), @@ -47,7 +48,7 @@ export class ProjectGrantsDataSource extends DataSource { * the returned stream emits new items. * @returns A stream of the items to be rendered. */ - public connect(): Observable { + public connect(): Observable { return this.grantsSubject.asObservable(); } diff --git a/console/src/app/pages/projects/owned-projects/owned-project-detail/project-grants/project-grants.component.ts b/console/src/app/pages/projects/owned-projects/owned-project-detail/project-grants/project-grants.component.ts index 74e89876f9..a377803559 100644 --- a/console/src/app/pages/projects/owned-projects/owned-project-detail/project-grants/project-grants.component.ts +++ b/console/src/app/pages/projects/owned-projects/owned-project-detail/project-grants/project-grants.component.ts 
@@ -5,7 +5,7 @@ import { MatPaginator } from '@angular/material/paginator'; import { MatSelectChange } from '@angular/material/select'; import { MatTable } from '@angular/material/table'; import { tap } from 'rxjs/operators'; -import { ProjectGrant, ProjectRoleView } from 'src/app/proto/generated/management_pb'; +import { GrantedProject, Role } from 'src/app/proto/generated/zitadel/project_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -28,10 +28,10 @@ export class ProjectGrantsComponent implements OnInit, AfterViewInit { @Input() public projectId: string = ''; @Input() public disabled: boolean = false; @ViewChild(MatPaginator) public paginator!: MatPaginator; - @ViewChild(MatTable) public table!: MatTable; + @ViewChild(MatTable) public table!: MatTable; public dataSource!: ProjectGrantsDataSource; - public selection: SelectionModel = new SelectionModel(true, []); - public memberRoleOptions: ProjectRoleView.AsObject[] = []; + public selection: SelectionModel = new SelectionModel(true, []); + public memberRoleOptions: Role.AsObject[] = []; /** Columns displayed in the table. Columns IDs can be added, removed, or reordered. */ public displayedColumns: string[] = ['select', 'grantedOrgName', 'dates']; 
@@ -73,14 +73,14 @@ export class ProjectGrantsComponent implements OnInit, AfterViewInit { } public getRoleOptions(projectId: string): void { - this.mgmtService.SearchProjectRoles(projectId, 100, 0).then(resp => { - this.memberRoleOptions = resp.toObject().resultList; + this.mgmtService.listProjectRoles(projectId, 100, 0).then(resp => { + this.memberRoleOptions = resp.resultList; }); } - updateRoles(grant: ProjectGrant.AsObject, selectionChange: MatSelectChange): void { - this.mgmtService.UpdateProjectGrant(grant.id, grant.projectId, selectionChange.value) - .then((newgrant: ProjectGrant) => { + updateRoles(grant: GrantedProject.AsObject, selectionChange: MatSelectChange): void { + this.mgmtService.updateProjectGrant(grant.grantId, grant.projectId, selectionChange.value) + .then(() => { this.toast.showInfo('PROJECT.GRANT.TOAST.PROJECTGRANTCHANGED', true); }).catch(error => { this.toast.showError(error); @@ -89,14 +89,14 @@ export class ProjectGrantsComponent implements OnInit, AfterViewInit { deleteSelectedGrants(): void { const promises = this.selection.selected.map(grant => { - return this.mgmtService.RemoveProjectGrant(grant.id, grant.projectId); + return this.mgmtService.removeProjectGrant(grant.grantId, grant.projectId); }); Promise.all(promises).then(() => { this.toast.showInfo('GRANTS.TOAST.BULKREMOVED', true); const data = this.dataSource.grantsSubject.getValue(); this.selection.selected.forEach((item) => { - const index = data.findIndex(i => i.id === item.id); + const index = data.findIndex(i => i.grantId === item.grantId); if (index > -1) { data.splice(index, 1); this.dataSource.grantsSubject.next(data); diff --git a/console/src/app/pages/projects/owned-projects/owned-project-list/owned-project-grid/owned-project-grid.component.ts b/console/src/app/pages/projects/owned-projects/owned-project-list/owned-project-grid/owned-project-grid.component.ts index e2db225480..d5759c7047 100644 
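Review bot: `getRoleOptions` has no rejection handler on `listProjectRoles(projectId, 100, 0)`, so a failed call leaves `memberRoleOptions` empty without any message, whereas `updateRoles` a few lines below reports errors through the toast. Adding `.catch(error => { this.toast.showError(error); });` would match it; `ProjectGrantDetailComponent.getRoleOptions` later in this commit has the same gap. The fixed page size of 100 also means a project with more roles than that gets a truncated option list, which deserves a comment if it is intentional.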
--- a/console/src/app/pages/projects/owned-projects/owned-project-list/owned-project-grid/owned-project-grid.component.ts +++ b/console/src/app/pages/projects/owned-projects/owned-project-list/owned-project-grid/owned-project-grid.component.ts @@ -3,9 +3,10 @@ import { SelectionModel } from '@angular/cdk/collections'; import { Component, EventEmitter, Input, OnChanges, Output, SimpleChanges } from '@angular/core'; import { MatDialog } from '@angular/material/dialog'; import { Router } from '@angular/router'; +import { ProjectType } from 'src/app/modules/project-members/project-members.component'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; -import { Org } from 'src/app/proto/generated/auth_pb'; -import { ProjectState, ProjectType, ProjectView } from 'src/app/proto/generated/management_pb'; +import { Org } from 'src/app/proto/generated/zitadel/org_pb'; +import { Project, ProjectState } from 'src/app/proto/generated/zitadel/project_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { StorageKey, StorageService } from 'src/app/services/storage.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -39,14 +40,14 @@ import { ToastService } from 'src/app/services/toast.service'; ], }) export class OwnedProjectGridComponent implements OnChanges { - @Input() items: Array = []; - public notPinned: Array = []; + @Input() items: Array = []; + public notPinned: Array = []; @Output() newClicked: EventEmitter = new EventEmitter(); @Output() changedView: EventEmitter = new EventEmitter(); @Input() loading: boolean = false; - public selection: SelectionModel = new SelectionModel(true, []); + public selection: SelectionModel = new SelectionModel(true, []); public showNewProject: boolean = false; public ProjectState: any = ProjectState; 
@@ -61,10 +62,10 @@ export class OwnedProjectGridComponent implements OnChanges { ) { this.selection.changed.subscribe(selection => { this.setPrefixedItem('pinned-projects', JSON.stringify( - this.selection.selected.map(item => item.projectId), + this.selection.selected.map(item => item.id), )).then(() => { selection.added.forEach(item => { - const index = this.notPinned.findIndex(i => i.projectId === item.projectId); + const index = this.notPinned.findIndex(i => i.id === item.id); this.notPinned.splice(index, 1); }); this.notPinned.push(...selection.removed); @@ -72,11 +73,11 @@ export class OwnedProjectGridComponent implements OnChanges { }); } - public selectItem(item: ProjectView.AsObject, event?: any): void { + public selectItem(item: Project.AsObject, event?: any): void { if (event && !event.target.classList.contains('mat-icon')) { - this.router.navigate(['/projects', item.projectId]); + this.router.navigate(['/projects', item.id]); } else if (!event) { - this.router.navigate(['/projects', item.projectId]); + this.router.navigate(['/projects', item.id]); } } @@ -95,8 +96,8 @@ export class OwnedProjectGridComponent implements OnChanges { this.getPrefixedItem('pinned-projects').then(storageEntry => { if (storageEntry) { const array: string[] = JSON.parse(storageEntry); - const toSelect: ProjectView.AsObject[] = this.items.filter((item, index) => { - if (array.includes(item.projectId)) { + const toSelect: Project.AsObject[] = this.items.filter((item, index) => { + if (array.includes(item.id)) { return true; } }); 
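Review bot: In the `selection.changed` subscriber, `this.notPinned.splice(index, 1)` runs even when `findIndex` returns -1, and `splice(-1, 1)` removes the last element of `notPinned` instead of nothing. `deleteProject` further down in this file guards the same pattern with `if (indexPinned > -1)`, so I would do the same here: `if (index > -1) { this.notPinned.splice(index, 1); }`. The constructor body starts and ends outside the hunk.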
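Review bot: The `pinned-projects` entry read from storage is passed to `JSON.parse` and then used as `string[]` in `array.includes(item.id)` without any check on its shape. A malformed or non-array value would throw inside this `.then` callback, and no rejection handler is visible in the hunk, so the grid would fail to restore pins without a message. I would wrap the parse in `try`/`catch` and add `if (!Array.isArray(array)) { return; }` before the filter. The surrounding function extends beyond the hunk, so a handler may exist outside it.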
@@ -125,12 +126,12 @@ export class OwnedProjectGridComponent implements OnChanges { this.changedView.emit(true); } - public toggle(item: ProjectView.AsObject, event: any): void { + public toggle(item: Project.AsObject, event: any): void { event.stopPropagation(); this.selection.toggle(item); } - public deleteProject(event: any, item: ProjectView.AsObject): void { + public deleteProject(event: any, item: Project.AsObject): void { event.stopPropagation(); const dialogRef = this.dialog.open(WarnDialogComponent, { data: { @@ -143,20 +144,20 @@ export class OwnedProjectGridComponent implements OnChanges { }); dialogRef.afterClosed().subscribe(resp => { - if (resp && item.projectId !== this.zitadelProjectId) { - this.mgmtService.RemoveProject(item.projectId).then(() => { + if (resp && item.id !== this.zitadelProjectId) { + this.mgmtService.removeProject(item.id).then(() => { this.toast.showInfo('PROJECT.TOAST.DELETED', true); - const index = this.items.findIndex(iter => iter.projectId === item.projectId); + const index = this.items.findIndex(iter => iter.id === item.id); if (index > -1) { this.items.splice(index, 1); } - const indexSelection = this.selection.selected.findIndex(iter => iter.projectId === item.projectId); + const indexSelection = this.selection.selected.findIndex(iter => iter.id === item.id); if (indexSelection > -1) { this.selection.selected.splice(indexSelection, 1); } - const indexPinned = this.notPinned.findIndex(iter => iter.projectId === item.projectId); + const indexPinned = this.notPinned.findIndex(iter => iter.id === item.id); if (indexPinned > -1) { this.notPinned.splice(indexPinned, 1); } diff --git a/console/src/app/pages/projects/owned-projects/owned-project-list/owned-project-list.component.ts b/console/src/app/pages/projects/owned-projects/owned-project-list/owned-project-list.component.ts index 86d510c845..a6e38d2ca8 100644 --- a/console/src/app/pages/projects/owned-projects/owned-project-list/owned-project-list.component.ts 
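Review bot: The guard `if (resp && item.id !== this.zitadelProjectId)` in the grid's `deleteProject` passes for every project while `zitadelProjectId` is still unset, so the protected project is only excluded once that id has been loaded. `OwnedProjectListComponent.deleteProject` in this same commit uses `if (this.zitadelProjectId && resp && item.id !== this.zitadelProjectId)`, and the grid should use the same condition. How the grid obtains `zitadelProjectId` is not visible in the hunk. This check is a UI safety net only; the backend presumably rejects the call regardless, which is worth confirming.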
+++ b/console/src/app/pages/projects/owned-projects/owned-project-list/owned-project-list.component.ts @@ -10,7 +10,7 @@ import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, Observable, Subscription } from 'rxjs'; import { take } from 'rxjs/operators'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; -import { ProjectView } from 'src/app/proto/generated/management_pb'; +import { Project } from 'src/app/proto/generated/zitadel/project_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -42,14 +42,14 @@ export class OwnedProjectListComponent implements OnInit, OnDestroy { public totalResult: number = 0; public viewTimestamp!: Timestamp.AsObject; - public dataSource: MatTableDataSource = - new MatTableDataSource(); + public dataSource: MatTableDataSource = + new MatTableDataSource(); @ViewChild(MatPaginator) public paginator!: MatPaginator; - public ownedProjectList: ProjectView.AsObject[] = []; + public ownedProjectList: Project.AsObject[] = []; public displayedColumns: string[] = ['select', 'name', 'state', 'creationDate', 'changeDate', 'actions']; - public selection: SelectionModel = new SelectionModel(true, []); + public selection: SelectionModel = new SelectionModel(true, []); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); @@ -66,8 +66,8 @@ export class OwnedProjectListComponent implements OnInit, OnDestroy { private toast: ToastService, private dialog: MatDialog, ) { - this.mgmtService.GetIam().then(iam => { - this.zitadelProjectId = iam.toObject().iamProjectId; + this.mgmtService.getIAM().then(iam => { + this.zitadelProjectId = iam.iamProjectId; }); } 
@@ -108,15 +108,16 @@ export class OwnedProjectListComponent implements OnInit, OnDestroy { private async getData(limit?: number, offset?: number): Promise { this.loadingSubject.next(true); - this.mgmtService.SearchProjects(limit, offset).then(res => { - const response = res.toObject(); - this.ownedProjectList = response.resultList; - this.totalResult = response.totalResult; + this.mgmtService.listProjects(limit, offset).then(resp => { + this.ownedProjectList = resp.resultList; + if (resp.details?.totalResult) { + this.totalResult = resp.details.totalResult; + } if (this.totalResult > 10) { this.grid = false; } - if (response.viewTimestamp) { - this.viewTimestamp = response.viewTimestamp; + if (resp.details?.viewTimestamp) { + this.viewTimestamp = resp.details?.viewTimestamp; } this.dataSource.data = this.ownedProjectList; this.loadingSubject.next(false); @@ -131,7 +132,7 @@ export class OwnedProjectListComponent implements OnInit, OnDestroy { public reactivateSelectedProjects(): void { const promises = this.selection.selected.map(project => { - this.mgmtService.ReactivateProject(project.projectId); + this.mgmtService.reactivateProject(project.id); }); Promise.all(promises).then(() => { @@ -144,7 +145,7 @@ export class OwnedProjectListComponent implements OnInit, OnDestroy { public deactivateSelectedProjects(): void { const promises = this.selection.selected.map(project => { - this.mgmtService.DeactivateProject(project.projectId); + this.mgmtService.deactivateProject(project.id); }); Promise.all(promises).then(() => { @@ -159,7 +160,7 @@ export class OwnedProjectListComponent implements OnInit, OnDestroy { this.getData(this.paginator.pageSize, this.paginator.pageIndex * this.paginator.pageSize); } - public deleteProject(item: ProjectView.AsObject): void { + public deleteProject(item: Project.AsObject): void { const dialogRef = this.dialog.open(WarnDialogComponent, { data: { confirmKey: 'ACTIONS.DELETE', 
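Review bot: The `map` callback in `reactivateSelectedProjects` calls `this.mgmtService.reactivateProject(project.id);` inside braces without returning it, so `promises` is an array of `undefined` and `Promise.all` resolves immediately. The `.then` branch (cut off by the hunk) therefore runs regardless of whether any request succeeded, and rejections never reach a handler. `deactivateSelectedProjects` in the next hunk has the same shape, so the UI can report projects as deactivated when the calls failed. The callbacks need `return this.mgmtService.reactivateProject(project.id);` and `return this.mgmtService.deactivateProject(project.id);` respectively.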
@@ -171,8 +172,8 @@ export class OwnedProjectListComponent implements OnInit, OnDestroy { }); dialogRef.afterClosed().subscribe(resp => { - if (this.zitadelProjectId && resp && item.projectId !== this.zitadelProjectId) { - this.mgmtService.RemoveProject(item.projectId).then(() => { + if (this.zitadelProjectId && resp && item.id !== this.zitadelProjectId) { + this.mgmtService.removeProject(item.id).then(() => { this.toast.showInfo('PROJECT.TOAST.DELETED', true); setTimeout(() => { this.refreshPage(); diff --git a/console/src/app/pages/projects/owned-projects/owned-projects-routing.module.ts b/console/src/app/pages/projects/owned-projects/owned-projects-routing.module.ts index 113db2595e..12b1e6cfca 100644 --- a/console/src/app/pages/projects/owned-projects/owned-projects-routing.module.ts +++ b/console/src/app/pages/projects/owned-projects/owned-projects-routing.module.ts @@ -1,7 +1,7 @@ import { NgModule } from '@angular/core'; import { RouterModule, Routes } from '@angular/router'; import { RoleGuard } from 'src/app/guards/role.guard'; -import { ProjectType } from 'src/app/proto/generated/management_pb'; +import { ProjectType } from 'src/app/modules/project-members/project-members.component'; import { OwnedProjectsComponent } from './owned-projects.component'; diff --git a/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-detail.component.html b/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-detail.component.html index 031c088860..eb101d1fbb 100644 --- a/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-detail.component.html +++ b/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-detail.component.html @@ -10,7 +10,7 @@
{{'PROJECT.GRANT.DETAIL.RESOURCEOWNER' | translate}} - {{grant?.resourceOwnerName}} + {{grant?.details?.resourceOwner}}
@@ -25,9 +25,9 @@
- + {{ 'PROJECT.GRANT.ROLENAMESLIST' | translate }} - + {{role.key}} @@ -39,17 +39,17 @@

{{ 'PROJECT.GRANT.DETAIL.MEMBERTITLE' | translate }}

{{ 'PROJECT.GRANT.DETAIL.MEMBERDESC' | translate }}

- add{{ 'ACTIONS.NEW' | translate }} diff --git a/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-detail.component.ts b/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-detail.component.ts index 40da52c844..442b7d774d 100644 --- a/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-detail.component.ts +++ b/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-detail.component.ts @@ -3,15 +3,9 @@ import { MatDialog } from '@angular/material/dialog'; import { PageEvent } from '@angular/material/paginator'; import { MatSelectChange } from '@angular/material/select'; import { ActivatedRoute } from '@angular/router'; -import { - ProjectGrant, - ProjectGrantMember, - ProjectGrantMemberView, - ProjectGrantState, - ProjectGrantView, - ProjectRoleView, - ProjectType, -} from 'src/app/proto/generated/management_pb'; +import { ProjectType } from 'src/app/modules/project-members/project-members.component'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; +import { GrantedProject, ProjectGrantState, Role } from 'src/app/proto/generated/zitadel/project_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -29,7 +23,7 @@ import { ProjectGrantMembersDataSource } from './project-grant-members-datasourc export class ProjectGrantDetailComponent { public INITIALPAGESIZE: number = 25; - public grant!: ProjectGrantView.AsObject; + public grant!: GrantedProject.AsObject; public projectid: string = ''; public grantid: string = ''; 
@@ -39,12 +33,12 @@ export class ProjectGrantDetailComponent { public isZitadel: boolean = false; ProjectGrantState: any = ProjectGrantState; - public projectRoleOptions: ProjectRoleView.AsObject[] = []; + public projectRoleOptions: Role.AsObject[] = []; public memberRoleOptions: Array = []; public changePageFactory!: Function; public changePage: EventEmitter = new EventEmitter(); - public selection: Array = []; + public selection: Array = []; public dataSource!: ProjectGrantMembersDataSource; constructor( private mgmtService: ManagementService, @@ -71,22 +65,24 @@ export class ProjectGrantDetailComponent { ); }; - this.mgmtService.ProjectGrantByID(this.grantid, this.projectid).then((grant) => { - this.grant = grant.toObject(); + this.mgmtService.getProjectGrantByID(this.grantid, this.projectid).then((resp) => { + if (resp.projectGrant) { + this.grant = resp.projectGrant; + } }); }); } public changeState(newState: ProjectGrantState): void { - if (newState === ProjectGrantState.PROJECTGRANTSTATE_ACTIVE) { - this.mgmtService.ReactivateProjectGrant(this.grantid, this.projectid).then(() => { + if (newState === ProjectGrantState.PROJECT_GRANT_STATE_ACTIVE) { + this.mgmtService.reactivateProjectGrant(this.grantid, this.projectid).then(() => { this.toast.showInfo('PROJECT.TOAST.REACTIVATED', true); this.grant.state = newState; }).catch(error => { this.toast.showError(error); }); - } else if (newState === ProjectGrantState.PROJECTGRANTSTATE_INACTIVE) { - this.mgmtService.DeactivateProjectGrant(this.grantid, this.projectid).then(() => { + } else if (newState === ProjectGrantState.PROJECT_GRANT_STATE_INACTIVE) { + this.mgmtService.deactivateProjectGrant(this.grantid, this.projectid).then(() => { this.toast.showInfo('PROJECT.TOAST.DEACTIVATED', true); this.grant.state = newState; }).catch(error => { 
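Review bot: `getProjectGrantByID(...).then(...)` has no `.catch`, and `this.grant` is now assigned only when `resp.projectGrant` is present, so after a failed or empty response `grant` stays unassigned despite its `!` declaration. `changeState` in the same hunk then writes `this.grant.state = newState`, and other methods of this component read `this.grant.grantId`, which would throw. I would add `.catch(error => { this.toast.showError(error); });` to the load and return early from the mutating methods when `this.grant` is not set.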
@@ -96,22 +92,22 @@ export class ProjectGrantDetailComponent { } public getRoleOptions(projectId: string): void { - this.mgmtService.SearchProjectRoles(projectId, 100, 0).then(resp => { - this.projectRoleOptions = resp.toObject().resultList; + this.mgmtService.listProjectRoles(projectId, 100, 0).then(resp => { + this.projectRoleOptions = resp.resultList; }); } public getMemberRoleOptions(): void { - this.mgmtService.GetProjectGrantMemberRoles().then(resp => { - this.memberRoleOptions = resp.toObject().rolesList; + this.mgmtService.listProjectGrantMemberRoles().then(resp => { + this.memberRoleOptions = resp.resultList; }).catch(error => { this.toast.showError(error); }); } updateRoles(selectionChange: MatSelectChange): void { - this.mgmtService.UpdateProjectGrant(this.grant.id, this.grant.projectId, selectionChange.value) - .then((newgrant: ProjectGrant) => { + this.mgmtService.updateProjectGrant(this.grant.grantId, this.grant.projectId, selectionChange.value) + .then(() => { this.toast.showInfo('PROJECT.TOAST.GRANTUPDATED'); }).catch(error => { this.toast.showError(error); @@ -120,7 +116,7 @@ export class ProjectGrantDetailComponent { public removeProjectMemberSelection(): void { Promise.all(this.selection.map(member => { - return this.mgmtService.RemoveProjectGrantMember(this.grant.projectId, this.grant.id, member.userId).then(() => { + return this.mgmtService.removeProjectGrantMember(this.grant.projectId, this.grant.grantId, member.userId).then(() => { this.toast.showInfo('PROJECT.GRANT.TOAST.PROJECTGRANTMEMBERREMOVED', true); setTimeout(() => { this.changePage.emit(); 
@@ -132,11 +128,11 @@ export class ProjectGrantDetailComponent { } public async openAddMember(): Promise { - const keysList = (await this.mgmtService.GetProjectGrantMemberRoles()).toObject(); + const keysList = (await this.mgmtService.listProjectGrantMemberRoles()); const dialogRef = this.dialog.open(ProjectGrantMembersCreateDialogComponent, { data: { - roleKeysList: keysList.rolesList, + roleKeysList: keysList.resultList, }, width: '400px', }); @@ -144,9 +140,9 @@ export class ProjectGrantDetailComponent { dialogRef.afterClosed().subscribe((dataToAdd: ProjectGrantMembersCreateDialogExportType) => { if (dataToAdd) { Promise.all(dataToAdd.userIds.map((userid: string) => { - return this.mgmtService.AddProjectGrantMember( + return this.mgmtService.addProjectGrantMember( this.grant.projectId, - this.grant.id, + this.grant.grantId, userid, dataToAdd.rolesKeyList, ); @@ -162,9 +158,9 @@ export class ProjectGrantDetailComponent { }); } - updateMemberRoles(member: ProjectGrantMember.AsObject, selectionChange: MatSelectChange): void { - this.mgmtService.ChangeProjectGrantMember(this.grant.projectId, this.grant.id, member.userId, selectionChange.value) - .then((_: ProjectGrantMember) => { + updateMemberRoles(member: Member.AsObject, selectionChange: MatSelectChange): void { + this.mgmtService.updateProjectGrantMember(this.grant.projectId, this.grant.grantId, member.userId, selectionChange.value) + .then(() => { this.toast.showInfo('PROJECT.GRANT.TOAST.PROJECTGRANTMEMBERCHANGED', true); }).catch(error => { this.toast.showError(error); diff --git a/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-members-create-dialog/project-grant-members-create-dialog.component.ts b/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-members-create-dialog/project-grant-members-create-dialog.component.ts index 8b4cf54773..c4be8b5045 100644 
--- a/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-members-create-dialog/project-grant-members-create-dialog.component.ts +++ b/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-members-create-dialog/project-grant-members-create-dialog.component.ts @@ -1,7 +1,7 @@ import { Component, Inject } from '@angular/core'; import { FormGroup } from '@angular/forms'; import { MAT_DIALOG_DATA, MatDialogRef } from '@angular/material/dialog'; -import { UserView } from 'src/app/proto/generated/management_pb'; +import { User } from 'src/app/proto/generated/zitadel/user_pb'; export interface ProjectGrantMembersCreateDialogExportType { userIds: string[]; @@ -22,7 +22,7 @@ export class ProjectGrantMembersCreateDialogComponent { @Inject(MAT_DIALOG_DATA) public data: any, ) { } - public selectUsers(users: UserView.AsObject[]): void { + public selectUsers(users: User.AsObject[]): void { this.userIds = users.map(user => user.id); } diff --git a/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-members-datasource.ts b/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-members-datasource.ts index 7cbb4d6d7d..cfab7c7dfb 100644 --- a/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-members-datasource.ts +++ b/console/src/app/pages/projects/owned-projects/project-grant-detail/project-grant-members-datasource.ts @@ -2,7 +2,7 @@ import { DataSource } from '@angular/cdk/collections'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; -import { ProjectMember } from 'src/app/proto/generated/management_pb'; +import { Member } from 'src/app/proto/generated/zitadel/member_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; /** 
@@ -10,11 +10,11 @@ import { ManagementService } from 'src/app/services/mgmt.service'; * encapsulate all logic for fetching and manipulating the displayed data * (including sorting, pagination, and filtering). */ -export class ProjectGrantMembersDataSource extends DataSource { +export class ProjectGrantMembersDataSource extends DataSource { public totalResult: number = 0; public viewTimestamp!: Timestamp.AsObject; - public membersSubject: BehaviorSubject = new BehaviorSubject([]); + public membersSubject: BehaviorSubject = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); @@ -28,15 +28,14 @@ export class ProjectGrantMembersDataSource extends DataSource { - const response = resp.toObject(); - this.totalResult = response.totalResult; - if (response.viewTimestamp) { - this.viewTimestamp = response.viewTimestamp; + this.totalResult = resp.details?.totalResult || 0; + if (resp.details?.viewTimestamp) { + this.viewTimestamp = resp.details?.viewTimestamp; } - return response.resultList; + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), @@ -51,7 +50,7 @@ export class ProjectGrantMembersDataSource extends DataSource { + public connect(): Observable { return this.membersSubject.asObservable(); } diff --git a/console/src/app/pages/projects/project-create/project-create.component.ts b/console/src/app/pages/projects/project-create/project-create.component.ts index 1dae4ce83b..039b4ee842 100644 --- a/console/src/app/pages/projects/project-create/project-create.component.ts +++ b/console/src/app/pages/projects/project-create/project-create.component.ts 
@@ -1,7 +1,7 @@ import { Location } from '@angular/common'; import { Component, OnInit } from '@angular/core'; import { Router } from '@angular/router'; -import { Project, ProjectCreateRequest } from 'src/app/proto/generated/management_pb'; +import { AddProjectRequest, AddProjectResponse } from 'src/app/proto/generated/zitadel/management_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -11,7 +11,7 @@ import { ToastService } from 'src/app/services/toast.service'; styleUrls: ['./project-create.component.scss'], }) export class ProjectCreateComponent implements OnInit { - public project: ProjectCreateRequest.AsObject = new ProjectCreateRequest().toObject(); + public project: AddProjectRequest.AsObject = new AddProjectRequest().toObject(); constructor( private router: Router, @@ -26,9 +26,9 @@ export class ProjectCreateComponent implements OnInit { public saveProject(): void { this.mgmtService - .CreateProject(this.project) - .then((data: Project) => { - this.router.navigate(['projects', data.getId()]); + .addProject(this.project) + .then((resp: AddProjectResponse.AsObject) => { + this.router.navigate(['projects', resp.id]); }) .catch(error => { this.toast.showError(error); diff --git a/console/src/app/pages/projects/project-grant-create/project-grant-create.component.ts b/console/src/app/pages/projects/project-grant-create/project-grant-create.component.ts index 511e3ef92a..897b22bdb4 100644 --- a/console/src/app/pages/projects/project-grant-create/project-grant-create.component.ts +++ b/console/src/app/pages/projects/project-grant-create/project-grant-create.component.ts 
@@ -2,7 +2,8 @@ import { Location } from '@angular/common'; import { Component, OnDestroy, OnInit } from '@angular/core'; import { ActivatedRoute } from '@angular/router'; import { Subscription } from 'rxjs'; -import { Org, ProjectRole } from 'src/app/proto/generated/management_pb'; +import { Org } from 'src/app/proto/generated/zitadel/org_pb'; +import { Role } from 'src/app/proto/generated/zitadel/project_pb'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -42,13 +43,15 @@ export class ProjectGrantCreateComponent implements OnInit, OnDestroy { public searchOrg(domain: string): void { this.mgmtService.getOrgByDomainGlobal(domain).then((ret) => { - const tmp = ret.toObject(); - this.authService.GetActiveOrg().then((org) => { - if (tmp !== org) { - this.org = tmp; - } - }); - this.org = ret.toObject(); + if (ret.org) { + const tmp = ret.org; + this.authService.getActiveOrg().then((org) => { + if (tmp !== org) { + this.org = tmp; + } + }); + this.org = ret.org; + } }).catch(error => { this.toast.showError(error); }); @@ -60,8 +63,8 @@ export class ProjectGrantCreateComponent implements OnInit, OnDestroy { public addGrant(): void { this.mgmtService - .CreateProjectGrant(this.org.id, this.projectId, this.rolesKeyList) - .then((data) => { + .addProjectGrant(this.org.id, this.projectId, this.rolesKeyList) + .then(() => { this.close(); }) .catch(error => { @@ -69,7 +72,7 @@ export class ProjectGrantCreateComponent implements OnInit, OnDestroy { }); } - public selectRoles(roles: ProjectRole.AsObject[]): void { + public selectRoles(roles: Role.AsObject[]): void { this.rolesKeyList = roles.map(role => role.key); } 
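Review bot: In `searchOrg` (hunk `-42,13 +43,15`) the guard `tmp !== org` compares object references, so it is true for any two distinct objects, and the unconditional `this.org = ret.org;` after the `getActiveOrg()` call assigns the looked-up organisation regardless. The new code carries both over from the old version, so the active-org comparison has no effect on which organisation ends up as the grant target. If the intent is to stop a caller from selecting its own active organisation, compare identifiers and drop the trailing assignment: `if (tmp.id !== org.id) { this.org = tmp; }`. This assumes the value resolved by `getActiveOrg()` exposes `id`, which the hunk does not show.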
diff --git a/console/src/app/pages/projects/project-role-create/project-role-create.component.ts b/console/src/app/pages/projects/project-role-create/project-role-create.component.ts index 99fdff5625..3ab27ba69f 100644 --- a/console/src/app/pages/projects/project-role-create/project-role-create.component.ts +++ b/console/src/app/pages/projects/project-role-create/project-role-create.component.ts @@ -4,7 +4,7 @@ import { Component, OnDestroy, OnInit } from '@angular/core'; import { FormArray, FormControl, FormGroup, Validators } from '@angular/forms'; import { ActivatedRoute, Params, Router } from '@angular/router'; import { Subscription } from 'rxjs'; -import { ProjectRoleAdd } from 'src/app/proto/generated/management_pb'; +import { BulkAddProjectRolesRequest } from 'src/app/proto/generated/zitadel/management_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -84,16 +84,15 @@ export class ProjectRoleCreateComponent implements OnInit, OnDestroy { } public addRole(): void { - const rolesToAdd: ProjectRoleAdd[] = this.formArray.value.map((element: any) => { - const role = new ProjectRoleAdd(); + const rolesToAdd: BulkAddProjectRolesRequest.Role[] = this.formArray.value.map((element: any) => { + const role = new BulkAddProjectRolesRequest.Role; role.setKey(element.key); role.setDisplayName(element.displayName); role.setGroup(element.group); - role.setId(this.projectId); return role; }); - this.mgmtService.BulkAddProjectRole(this.projectId, rolesToAdd).then(() => { + this.mgmtService.bulkAddProjectRoles(this.projectId, rolesToAdd).then(() => { this.router.navigate(['projects', this.projectId]); }).catch(error => { this.toast.showError(error); diff --git a/console/src/app/pages/user-grant-create/user-grant-create.component.ts b/console/src/app/pages/user-grant-create/user-grant-create.component.ts index e64b350edb..a7121ad150 100644 
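Review bot: In `addRole` (hunk `-84,16 +84,15`) the constructor call `new BulkAddProjectRolesRequest.Role;` omits its parentheses, while the other request objects built in this commit, such as `new AddHumanUserRequest.Profile()`, include them. Write `const role = new BulkAddProjectRolesRequest.Role();` so the call reads like the rest of the code. The `element: any` parameter of the `map` callback also leaves `key`, `displayName` and `group` unchecked; a small interface for the form row would let the compiler catch a renamed control.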
--- a/console/src/app/pages/user-grant-create/user-grant-create.component.ts +++ b/console/src/app/pages/user-grant-create/user-grant-create.component.ts @@ -4,8 +4,9 @@ import { ActivatedRoute, Params } from '@angular/router'; import { Subscription } from 'rxjs'; import { UserTarget } from 'src/app/modules/search-user-autocomplete/search-user-autocomplete.component'; import { UserGrantContext } from 'src/app/modules/user-grants/user-grants-datasource'; -import { Org } from 'src/app/proto/generated/auth_pb'; -import { ProjectGrantView, ProjectRole, ProjectView, UserGrant, UserView } from 'src/app/proto/generated/management_pb'; +import { Org } from 'src/app/proto/generated/zitadel/org_pb'; +import { GrantedProject, Project, Role } from 'src/app/proto/generated/zitadel/project_pb'; +import { User } from 'src/app/proto/generated/zitadel/user_pb'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -22,7 +23,7 @@ export class UserGrantCreateComponent implements OnDestroy { public userId: string = ''; public projectId: string = ''; - public project!: ProjectGrantView.AsObject | ProjectView.AsObject; + public project!: GrantedProject.AsObject | Project.AsObject; public grantId: string = ''; public rolesList: string[] = []; @@ -38,11 +39,11 @@ export class UserGrantCreateComponent implements OnDestroy { public grantRolesKeyList: string[] = []; - public user!: UserView.AsObject; + public user!: User.AsObject; public UserTarget: any = UserTarget; - public ProjectGrantView: any = ProjectGrantView; - public ProjectView: any = ProjectView; + public ProjectGrantView: any = GrantedProject; + public ProjectView: any = Project; constructor( private userService: ManagementService, private toast: ToastService, 
@@ -63,22 +64,26 @@ export class UserGrantCreateComponent implements OnDestroy { this.context = UserGrantContext.OWNED_PROJECT; } else if (this.projectId && this.grantId) { this.context = UserGrantContext.GRANTED_PROJECT; - this.mgmtService.GetGrantedProjectByID(this.projectId, this.grantId).then(resp => { - this.grantRolesKeyList = resp.toObject().roleKeysList; + this.mgmtService.getGrantedProjectByID(this.projectId, this.grantId).then(resp => { + if (resp.grantedProject?.grantedRoleKeysList) { + this.grantRolesKeyList = resp.grantedProject?.grantedRoleKeysList; + } }).catch((error: any) => { this.toast.showError(error); }); } else if (this.userId) { this.context = UserGrantContext.USER; - this.mgmtService.GetUserByID(this.userId).then(resp => { - this.user = resp.toObject(); + this.mgmtService.getUserByID(this.userId).then(resp => { + if (resp.user) { + this.user = resp.user; + } }).catch((error: any) => { this.toast.showError(error); }); } }); - this.authService.GetActiveOrg().then(org => { + this.authService.getActiveOrg().then(org => { this.org = org; }); } @@ -90,11 +95,11 @@ export class UserGrantCreateComponent implements OnDestroy { public addGrant(): void { switch (this.context) { case UserGrantContext.OWNED_PROJECT: - this.userService.CreateUserGrant( + this.userService.addUserGrant( this.userId, this.rolesList, this.projectId, - ).then((data: UserGrant) => { + ).then(() => { this.toast.showInfo('PROJECT.GRANT.TOAST.PROJECTGRANTADDED', true); this.close(); }).catch((error: any) => { @@ -102,12 +107,12 @@ export class UserGrantCreateComponent implements OnDestroy { }); break; case UserGrantContext.GRANTED_PROJECT: - this.userService.CreateUserGrant( + this.userService.addUserGrant( this.userId, this.rolesList, this.projectId, this.grantId, - ).then((data: UserGrant) => { + ).then(() => { this.toast.showInfo('PROJECT.GRANT.TOAST.PROJECTGRANTUSERGRANTADDED', true); this.close(); }).catch((error: any) => { 
@@ -117,16 +122,16 @@ export class UserGrantCreateComponent implements OnDestroy { case UserGrantContext.USER: let grantId; - if ((this.project as ProjectGrantView.AsObject)?.id) { - grantId = (this.project as ProjectGrantView.AsObject).id; + if ((this.project as GrantedProject.AsObject)?.grantId) { + grantId = (this.project as GrantedProject.AsObject).grantId; } - this.userService.CreateUserGrant( + this.userService.addUserGrant( this.userId, this.rolesList, - this.project.projectId, + (this.project as GrantedProject.AsObject).projectId, grantId, - ).then((data: UserGrant) => { + ).then(() => { this.toast.showInfo('PROJECT.GRANT.TOAST.PROJECTGRANTUSERGRANTADDED', true); this.close(); }).catch((error: any) => { @@ -136,16 +141,16 @@ export class UserGrantCreateComponent implements OnDestroy { case UserGrantContext.NONE: let tempGrantId; - if ((this.project as ProjectGrantView.AsObject)?.id) { - tempGrantId = (this.project as ProjectGrantView.AsObject).id; + if ((this.project as GrantedProject.AsObject)?.projectId) { + tempGrantId = (this.project as GrantedProject.AsObject).projectId; } - this.userService.CreateUserGrant( + this.userService.addUserGrant( this.userId, this.rolesList, - this.project.projectId, + (this.project as GrantedProject.AsObject).projectId, tempGrantId, - ).then((data: UserGrant) => { + ).then(() => { this.toast.showInfo('PROJECT.GRANT.TOAST.PROJECTGRANTUSERGRANTADDED', true); this.close(); }).catch((error: any) => { 
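Review bot: In the `UserGrantContext.NONE` branch of `addGrant` (hunk `-136,16 +141,16`) `tempGrantId` is now read from `projectId`, so `addUserGrant` receives the project id as both its third and fourth argument. The `USER` branch in the hunk before it reads `grantId` for the same argument, and the `GRANTED_PROJECT` branch passes `this.grantId` there, so this looks like a copy slip that would attach the user grant to the wrong or a non-existent project grant. Use `if ((this.project as GrantedProject.AsObject)?.grantId) { tempGrantId = (this.project as GrantedProject.AsObject).grantId; }`. The cast added for `projectId` in both branches also suggests `Project.AsObject` may not carry a `projectId` field; if so, an owned project would send an undefined project id, which is worth confirming against the generated type. `addGrant` starts outside these hunks.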
@@ -156,17 +161,17 @@ export class UserGrantCreateComponent implements OnDestroy { } - public selectProject(project: ProjectView.AsObject | ProjectGrantView.AsObject | any): void { + public selectProject(project: Project.AsObject | GrantedProject.AsObject | any): void { this.project = project; this.projectId = project.projectId; this.grantRolesKeyList = project.roleKeysList ?? []; } - public selectUser(user: UserView.AsObject): void { + public selectUser(user: User.AsObject): void { this.userId = user.id; } - public selectRoles(roles: ProjectRole.AsObject[]): void { + public selectRoles(roles: Role.AsObject[]): void { this.rolesList = roles.map(role => role.key); } diff --git a/console/src/app/pages/users/user-create-machine/user-create-machine.component.ts b/console/src/app/pages/users/user-create-machine/user-create-machine.component.ts index 3bd27af15f..29fe7e2b1e 100644 --- a/console/src/app/pages/users/user-create-machine/user-create-machine.component.ts +++ b/console/src/app/pages/users/user-create-machine/user-create-machine.component.ts 
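Review bot: `selectProject` still reads `project.roleKeysList`, but elsewhere in this commit the granted project exposes its roles as `grantedRoleKeysList` (see the `getGrantedProjectByID` handler), so `grantRolesKeyList` will probably always fall back to `[]` here. The `| any` in the parameter type is what lets the stale field name, and the `project.projectId` access, compile without complaint. Read `project.grantedRoleKeysList ?? []` for granted projects and narrow the parameter to `Project.AsObject | GrantedProject.AsObject` so the compiler checks the field names. How `grantRolesKeyList` restricts the selectable roles is not visible in this hunk.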
@@ -2,36 +2,17 @@ import { Component, OnDestroy } from '@angular/core'; import { AbstractControl, FormBuilder, FormGroup, Validators } from '@angular/forms'; import { Router } from '@angular/router'; import { Subscription } from 'rxjs'; -import { CreateMachineRequest } from 'src/app/proto/generated/admin_pb'; -import { UserResponse } from 'src/app/proto/generated/management_pb'; +import { AddMachineUserRequest } from 'src/app/proto/generated/zitadel/management_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; -function noEmailValidator(c: AbstractControl): any { - const EMAIL_REGEXP: RegExp = /^((?!@).)*$/gm; - if (!c.parent || !c) { - return; - } - const username = c.parent.get('userName'); - - if (!username) { - return; - } - - return EMAIL_REGEXP.test(username.value) ? null : { - noEmailValidator: { - valid: false, - }, - }; -} - @Component({ selector: 'app-user-create-machine', templateUrl: './user-create-machine.component.html', styleUrls: ['./user-create-machine.component.scss'], }) export class UserCreateMachineComponent implements OnDestroy { - public user: CreateMachineRequest.AsObject = new CreateMachineRequest().toObject(); + public user: AddMachineUserRequest.AsObject = new AddMachineUserRequest().toObject(); public userForm!: FormGroup; private sub: Subscription = new Subscription(); 
@@ -64,16 +45,17 @@ export class UserCreateMachineComponent implements OnDestroy { this.loading = true; - const machineReq = new CreateMachineRequest(); + const machineReq = new AddMachineUserRequest(); machineReq.setDescription(this.description?.value); machineReq.setName(this.name?.value); + machineReq.setUserName(this.userName?.value); this.userService - .CreateUserMachine(this.userName?.value, machineReq) - .then((data: UserResponse) => { + .addMachineUser(machineReq) + .then((data) => { this.loading = false; this.toast.showInfo('USER.TOAST.CREATED', true); - const id = data.getId(); + const id = data.userId; if (id) { this.router.navigate(['users', id]); } diff --git a/console/src/app/pages/users/user-create/user-create.component.ts b/console/src/app/pages/users/user-create/user-create.component.ts index 19889b9f7a..e3198a0e58 100644 --- a/console/src/app/pages/users/user-create/user-create.component.ts +++ b/console/src/app/pages/users/user-create/user-create.component.ts @@ -2,13 +2,9 @@ import { ChangeDetectorRef, Component, OnDestroy, ViewChild } from '@angular/cor import { AbstractControl, FormBuilder, FormGroup, Validators } from '@angular/forms'; import { Router } from '@angular/router'; import { Subscription } from 'rxjs'; -import { - CreateHumanRequest, - CreateUserRequest, - Gender, - OrgDomain, - UserResponse, -} from 'src/app/proto/generated/management_pb'; +import { AddHumanUserRequest } from 'src/app/proto/generated/zitadel/management_pb'; +import { Domain } from 'src/app/proto/generated/zitadel/org_pb'; +import { Gender } from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; 
@@ -36,7 +32,7 @@ function noEmailValidator(c: AbstractControl): any { styleUrls: ['./user-create.component.scss'], }) export class UserCreateComponent implements OnDestroy { - public user: CreateUserRequest.AsObject = new CreateUserRequest().toObject(); + public user: AddHumanUserRequest.AsObject = new AddHumanUserRequest().toObject(); public genders: Gender[] = [Gender.GENDER_FEMALE, Gender.GENDER_MALE, Gender.GENDER_UNSPECIFIED]; public languages: string[] = ['de', 'en']; public userForm!: FormGroup; @@ -47,7 +43,7 @@ export class UserCreateComponent implements OnDestroy { public loading: boolean = false; @ViewChild('suffix') public suffix!: any; - private primaryDomain!: OrgDomain.AsObject; + private primaryDomain!: Domain.AsObject; constructor( private router: Router, @@ -58,8 +54,10 @@ export class UserCreateComponent implements OnDestroy { ) { this.loading = true; this.loadOrg(); - this.mgmtService.GetMyOrgIamPolicy().then((iampolicy) => { - this.userLoginMustBeDomain = iampolicy.toObject().userLoginMustBeDomain; + this.mgmtService.getOrgIAMPolicy().then((resp) => { + if (resp.policy?.userLoginMustBeDomain) { + this.userLoginMustBeDomain = resp.policy.userLoginMustBeDomain; + } this.initForm(); this.loading = false; this.envSuffixLabel = this.envSuffix(); @@ -74,8 +72,8 @@ export class UserCreateComponent implements OnDestroy { } private async loadOrg(): Promise { - const domains = (await this.mgmtService.SearchMyOrgDomains().then(doms => doms.toObject())); - const found = domains.resultList.find(domain => domain.primary); + const domains = (await this.mgmtService.listOrgDomains()); + const found = domains.resultList.find(resp => resp.isPrimary); if (found) { this.primaryDomain = found; } 
@@ -110,22 +108,26 @@ export class UserCreateComponent implements OnDestroy { this.loading = true; - const humanReq = new CreateHumanRequest(); - humanReq.setFirstName(this.firstName?.value); - humanReq.setLastName(this.lastName?.value); - humanReq.setNickName(this.nickName?.value); - humanReq.setPreferredLanguage(this.preferredLanguage?.value); + const profileReq = new AddHumanUserRequest.Profile(); + profileReq.setFirstName(this.firstName?.value); + profileReq.setLastName(this.lastName?.value); + profileReq.setNickName(this.nickName?.value); + profileReq.setPreferredLanguage(this.preferredLanguage?.value); + profileReq.setGender(this.gender?.value); + + const humanReq = new AddHumanUserRequest(); + humanReq.setUserName(this.userName?.value); + humanReq.setProfile(profileReq); + humanReq.setEmail(this.email?.value); humanReq.setPhone(this.phone?.value); - humanReq.setGender(this.gender?.value); - humanReq.setCountry(this.country?.value); this.mgmtService - .CreateUserHuman(this.userName?.value, humanReq) - .then((data: UserResponse) => { + .addHumanUser(humanReq) + .then((data) => { this.loading = false; this.toast.showInfo('USER.TOAST.CREATED', true); - this.router.navigate(['users', data.getId()]); + this.router.navigate(['users', data.userId]); }) .catch(error => { this.loading = false; 
@@ -161,25 +163,10 @@ export class UserCreateComponent implements OnDestroy { public get phone(): AbstractControl | null { return this.userForm.get('phone'); } - public get streetAddress(): AbstractControl | null { - return this.userForm.get('streetAddress'); - } - public get postalCode(): AbstractControl | null { - return this.userForm.get('postalCode'); - } - public get locality(): AbstractControl | null { - return this.userForm.get('locality'); - } - public get region(): AbstractControl | null { - return this.userForm.get('region'); - } - public get country(): AbstractControl | null { - return this.userForm.get('country'); - } private envSuffix(): string { - if (this.userLoginMustBeDomain && this.primaryDomain?.domain) { - return `@${this.primaryDomain.domain}`; + if (this.userLoginMustBeDomain && this.primaryDomain?.domainName) { + return `@${this.primaryDomain.domainName}`; } else { return ''; } diff --git a/console/src/app/pages/users/user-detail/auth-user-detail/auth-passwordless/auth-passwordless.component.html b/console/src/app/pages/users/user-detail/auth-user-detail/auth-passwordless/auth-passwordless.component.html index d5e79db8b1..bd67de17df 100644 --- a/console/src/app/pages/users/user-detail/auth-user-detail/auth-passwordless/auth-passwordless.component.html +++ b/console/src/app/pages/users/user-detail/auth-user-detail/auth-passwordless/auth-passwordless.component.html @@ -15,7 +15,7 @@ {{ 'USER.PASSWORDLESS.TABLESTATE' | translate }} {{'USER.PASSWORDLESS.STATE.'+ mfa.state | translate}} - diff --git a/console/src/app/pages/users/user-detail/auth-user-detail/auth-passwordless/auth-passwordless.component.ts b/console/src/app/pages/users/user-detail/auth-user-detail/auth-passwordless/auth-passwordless.component.ts index eefdb0efe1..ff0a442c54 100644 --- a/console/src/app/pages/users/user-detail/auth-user-detail/auth-passwordless/auth-passwordless.component.ts 
+++ b/console/src/app/pages/users/user-detail/auth-user-detail/auth-passwordless/auth-passwordless.component.ts @@ -4,7 +4,7 @@ import { MatSort } from '@angular/material/sort'; import { MatTable, MatTableDataSource } from '@angular/material/table'; import { BehaviorSubject, Observable } from 'rxjs'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; -import { MFAState, WebAuthNResponse, WebAuthNToken } from 'src/app/proto/generated/auth_pb'; +import { AuthFactorState, WebAuthNToken } from 'src/app/proto/generated/zitadel/user_pb'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -35,7 +35,7 @@ export class AuthPasswordlessComponent implements OnInit, OnDestroy { @ViewChild(MatSort) public sort!: MatSort; public dataSource!: MatTableDataSource; - public MFAState: any = MFAState; + public AuthFactorState: any = AuthFactorState; public error: string = ''; constructor(private service: GrpcAuthService, 
@@ -51,45 +51,44 @@ export class AuthPasswordlessComponent implements OnInit, OnDestroy { } public addPasswordless(): void { - this.service.AddMyPasswordless().then((u2fresp) => { - const webauthn: WebAuthNResponse.AsObject = u2fresp.toObject(); - const credOptions: CredentialCreationOptions = JSON.parse(atob(webauthn.publicKey as string)); + this.service.addMyPasswordless().then((resp) => { + if (resp.key) { + const credOptions: CredentialCreationOptions = JSON.parse(atob(resp.key.publicKey as string)); - if (credOptions.publicKey?.challenge) { - credOptions.publicKey.challenge = _base64ToArrayBuffer(credOptions.publicKey.challenge as any); - credOptions.publicKey.user.id = _base64ToArrayBuffer(credOptions.publicKey.user.id as any); - if (credOptions.publicKey.excludeCredentials) { - credOptions.publicKey.excludeCredentials.map(cred => { - cred.id = _base64ToArrayBuffer(cred.id as any); - return cred; + if (credOptions.publicKey?.challenge) { + credOptions.publicKey.challenge = _base64ToArrayBuffer(credOptions.publicKey.challenge as any); + credOptions.publicKey.user.id = _base64ToArrayBuffer(credOptions.publicKey.user.id as any); + if (credOptions.publicKey.excludeCredentials) { + credOptions.publicKey.excludeCredentials.map(cred => { + cred.id = _base64ToArrayBuffer(cred.id as any); + return cred; + }); + } + const dialogRef = this.dialog.open(DialogU2FComponent, { + width: '400px', + data: { + credOptions, + type: U2FComponentDestination.PASSWORDLESS, + }, + }); + + dialogRef.afterClosed().subscribe(done => { + if (done) { + this.getPasswordless(); + } else { + this.getPasswordless(); + } }); } - console.log(credOptions); - const dialogRef = this.dialog.open(DialogU2FComponent, { - width: '400px', - data: { - credOptions, - type: U2FComponentDestination.PASSWORDLESS, - }, - }); - - dialogRef.afterClosed().subscribe(done => { - if (done) { - this.getPasswordless(); - } else { - this.getPasswordless(); - } - }); } - }, error => { this.toast.showError(error); }); 
} public getPasswordless(): void { - this.service.GetMyPasswordless().then(passwordless => { - this.dataSource = new MatTableDataSource(passwordless.toObject().tokensList); + this.service.listMyPasswordless().then(passwordless => { + this.dataSource = new MatTableDataSource(passwordless.resultList); this.dataSource.sort = this.sort; }).catch(error => { this.error = error.message; @@ -109,7 +108,7 @@ export class AuthPasswordlessComponent implements OnInit, OnDestroy { dialogRef.afterClosed().subscribe(resp => { if (resp && id) { - this.service.RemoveMyPasswordless(id).then(() => { + this.service.removeMyPasswordless(id).then(() => { this.toast.showInfo('USER.TOAST.PASSWORDLESSREMOVED', true); this.getPasswordless(); }).catch(error => { diff --git a/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-detail.component.ts b/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-detail.component.ts index 5cd08d9f0f..5e32e29e8d 100644 --- a/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-detail.component.ts +++ b/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-detail.component.ts @@ -4,15 +4,7 @@ import { TranslateService } from '@ngx-translate/core'; import { Subscription } from 'rxjs'; import { ChangeType } from 'src/app/modules/changes/changes.component'; import { UserGrantContext } from 'src/app/modules/user-grants/user-grants-datasource'; -import { - Gender, - UserAddress, - UserEmail, - UserPhone, - UserProfile, - UserState, - UserView, -} from 'src/app/proto/generated/auth_pb'; +import { Email, Gender, Phone, Profile, User, UserState } from 'src/app/proto/generated/zitadel/user_pb'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; import { ToastService } from 'src/app/services/toast.service'; 
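Review bot: In `addPasswordless` (hunk `-51,45 +51,44`, which ends in `getPasswordless`) the rejection handler is passed as the second argument of `.then`, so an exception thrown inside the success callback, for example by `atob` or `JSON.parse` on a malformed `publicKey`, is not routed to `this.toast.showError`. Chain the handler instead: `}).catch(error => { this.toast.showError(error); });`. When `resp.key` is missing, or the decoded options carry no challenge, the method now returns without any feedback, so the user cannot tell that registration did not start; an `else` that shows an error would make the failure visible. The `afterClosed()` subscriber calls `this.getPasswordless()` in both branches and can be reduced to a single call.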
@@ -25,8 +17,7 @@ import { EditDialogComponent } from './edit-dialog/edit-dialog.component'; styleUrls: ['./auth-user-detail.component.scss'], }) export class AuthUserDetailComponent implements OnDestroy { - public user!: UserView.AsObject; - public address: UserAddress.AsObject = { id: '' } as any; + public user!: User.AsObject; public genders: Gender[] = [Gender.GENDER_MALE, Gender.GENDER_FEMALE, Gender.GENDER_DIVERSE]; public languages: string[] = ['de', 'en']; @@ -55,8 +46,10 @@ export class AuthUserDetailComponent implements OnDestroy { refreshUser(): void { this.refreshChanges$.emit(); - this.userService.GetMyUser().then(user => { - this.user = user.toObject(); + this.userService.getMyUser().then(resp => { + if (resp.user) { + this.user = resp.user; + } this.loading = false; }).catch(error => { this.toast.showError(error); 
@@ -68,26 +61,20 @@ export class AuthUserDetailComponent implements OnDestroy { this.subscription.unsubscribe(); } - public saveProfile(profileData: UserProfile.AsObject): void { + public saveProfile(profileData: Profile.AsObject): void { if (this.user.human) { - this.user.human.firstName = profileData.firstName; - this.user.human.lastName = profileData.lastName; - this.user.human.nickName = profileData.nickName; - this.user.human.displayName = profileData.displayName; - this.user.human.gender = profileData.gender; - this.user.human.preferredLanguage = profileData.preferredLanguage; + this.user.human.profile = profileData; this.userService - .SaveMyUserProfile( - this.user.human.firstName, - this.user.human.lastName, - this.user.human.nickName, - this.user.human.preferredLanguage, - this.user.human.gender, + .updateMyProfile( + this.user.human.profile?.firstName, + this.user.human.profile?.lastName, + this.user.human.profile?.nickName, + this.user.human.profile?.preferredLanguage, + this.user.human.profile?.gender, ) - .then((data: UserProfile) => { + .then(() => { this.toast.showInfo('USER.TOAST.SAVED', true); - this.user = Object.assign(this.user, data.toObject()); this.refreshChanges$.emit(); }) .catch(error => { @@ -98,10 +85,12 @@ export class AuthUserDetailComponent implements OnDestroy { public saveEmail(email: string): void { this.userService - .SaveMyUserEmail(email).then((data: UserEmail) => { + .setMyPhone(email).then(() => { this.toast.showInfo('USER.TOAST.EMAILSAVED', true); if (this.user.human) { - this.user.human.email = data.toObject().email; + const mailToSet = new Email(); + mailToSet.setEmail(email); + this.user.human.email = mailToSet.toObject(); this.refreshUser(); } }).catch(error => { 
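Review bot: `saveEmail` (hunk `-98,10 +85,12`) now calls `.setMyPhone(email)`, so the e-mail address is sent to the phone setter while the toast reports `USER.TOAST.EMAILSAVED` and the local `user.human.email` is overwritten with the new value. The stored e-mail, which is a verification and notification channel for the account, would stay unchanged, and the phone number would be replaced by an e-mail string or rejected by the server. Call the service's e-mail setter instead, presumably `.setMyEmail(email)`; the service file is not part of this hunk, so confirm the method name there. In the same line's first hunk, `saveProfile` assigns `this.user.human.profile = profileData` before the request resolves, so a failed update leaves the unsaved values on screen until the next `refreshUser()`.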
@@ -110,7 +99,7 @@ export class AuthUserDetailComponent implements OnDestroy { } public enteredPhoneCode(code: string): void { - this.userService.VerifyMyUserPhone(code).then(() => { + this.userService.verifyMyPhone(code).then(() => { this.toast.showInfo('USER.TOAST.PHONESAVED', true); this.refreshUser(); }).catch(error => { @@ -123,7 +112,7 @@ export class AuthUserDetailComponent implements OnDestroy { } public resendPhoneVerification(): void { - this.userService.ResendPhoneVerification().then(() => { + this.userService.resendMyPhoneVerification().then(() => { this.toast.showInfo('USER.TOAST.PHONEVERIFICATIONSENT', true); this.refreshChanges$.emit(); }).catch(error => { @@ -132,7 +121,7 @@ export class AuthUserDetailComponent implements OnDestroy { } public resendEmailVerification(): void { - this.userService.ResendMyEmailVerificationMail().then(() => { + this.userService.resendMyEmailVerification().then(() => { this.toast.showInfo('USER.TOAST.EMAILVERIFICATIONSENT', true); this.refreshChanges$.emit(); }).catch(error => { @@ -141,10 +130,11 @@ export class AuthUserDetailComponent implements OnDestroy { } public deletePhone(): void { - this.userService.RemoveMyUserPhone().then(() => { + this.userService.removeMyPhone().then(() => { this.toast.showInfo('USER.TOAST.PHONEREMOVED', true); - if (this.user.human) { - this.user.human.phone = ''; + if (this.user.human?.phone) { + const phone = new Phone(); + this.user.human.phone = phone.toObject(); this.refreshUser(); } }).catch(error => { 
@@ -155,10 +145,12 @@ export class AuthUserDetailComponent implements OnDestroy { public savePhone(phone: string): void { if (this.user.human) { this.userService - .SaveMyUserPhone(phone).then((data: UserPhone) => { + .setMyPhone(phone).then(() => { this.toast.showInfo('USER.TOAST.PHONESAVED', true); if (this.user.human) { - this.user.human.phone = data.toObject().phone; + const phoneToSet = new Phone(); + phoneToSet.setPhone(phone); + this.user.human.phone = phoneToSet.toObject(); this.refreshUser(); } }).catch(error => { diff --git a/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-mfa/auth-user-mfa.component.html b/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-mfa/auth-user-mfa.component.html index 8e0ee30ab8..107a428135 100644 --- a/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-mfa/auth-user-mfa.component.html +++ b/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-mfa/auth-user-mfa.component.html @@ -18,7 +18,7 @@ {{ 'USER.MFA.TABLESTATE' | translate }} {{'USER.MFA.STATE.'+ mfa.state | translate}} - @@ -28,7 +28,7 @@ {{ 'USER.MFA.TABLEACTIONS' | translate }} diff --git a/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-mfa/auth-user-mfa.component.ts b/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-mfa/auth-user-mfa.component.ts index 972d7172ae..26bd3afdb9 100644 --- a/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-mfa/auth-user-mfa.component.ts +++ b/console/src/app/pages/users/user-detail/auth-user-detail/auth-user-mfa/auth-user-mfa.component.ts 
@@ -4,7 +4,7 @@ import { MatSort } from '@angular/material/sort'; import { MatTable, MatTableDataSource } from '@angular/material/table'; import { BehaviorSubject, Observable } from 'rxjs'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; -import { MfaOtpResponse, MFAState, MfaType, MultiFactor, WebAuthNResponse } from 'src/app/proto/generated/auth_pb'; +import { AuthFactor, AuthFactorState } from 'src/app/proto/generated/zitadel/user_pb'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -32,19 +32,20 @@ export class AuthUserMfaComponent implements OnInit, OnDestroy { private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); - @ViewChild(MatTable) public table!: MatTable; + @ViewChild(MatTable) public table!: MatTable; @ViewChild(MatSort) public sort!: MatSort; - public dataSource!: MatTableDataSource; + public dataSource!: MatTableDataSource; - public MfaType: any = MfaType; - public MFAState: any = MFAState; + public AuthFactorState: any = AuthFactorState; public error: string = ''; public otpAvailable: boolean = false; - constructor(private service: GrpcAuthService, + constructor( + private service: GrpcAuthService, private toast: ToastService, - private dialog: MatDialog) { } + private dialog: MatDialog + ) { } public ngOnInit(): void { this.getMFAs(); @@ -55,8 +56,8 @@ export class AuthUserMfaComponent implements OnInit, OnDestroy { } public addOTP(): void { - this.service.AddMfaOTP().then((otpresp) => { - const otp: MfaOtpResponse.AsObject = otpresp.toObject(); + this.service.addMyMultiFactorOTP().then((otpresp) => { + const otp = otpresp; const dialogRef = this.dialog.open(DialogOtpComponent, { data: otp.url, width: '400px', 
@@ -64,7 +65,7 @@ export class AuthUserMfaComponent implements OnInit, OnDestroy { dialogRef.afterClosed().subscribe((code) => { if (code) { - this.service.VerifyMfaOTP(code).then(() => { + this.service.verifyMyMultiFactorOTP(code).then(() => { this.getMFAs(); }); } @@ -75,9 +76,8 @@ export class AuthUserMfaComponent implements OnInit, OnDestroy { } public addU2F(): void { - this.service.AddMyMfaU2F().then((u2fresp) => { - const webauthn: WebAuthNResponse.AsObject = u2fresp.toObject(); - const credOptions: CredentialCreationOptions = JSON.parse(atob(webauthn.publicKey as string)); + this.service.addMyMultiFactorU2F().then((u2fresp) => { + const credOptions: CredentialCreationOptions = JSON.parse(atob(u2fresp.key?.publicKey as string)); if (credOptions.publicKey?.challenge) { credOptions.publicKey.challenge = _base64ToArrayBuffer(credOptions.publicKey.challenge as any); @@ -112,11 +112,12 @@ export class AuthUserMfaComponent implements OnInit, OnDestroy { } public getMFAs(): void { - this.service.GetMyMfas().then(mfas => { - this.dataSource = new MatTableDataSource(mfas.toObject().mfasList); + this.service.listMyMultiFactors().then(mfas => { + const list = mfas.resultList; + this.dataSource = new MatTableDataSource(list); this.dataSource.sort = this.sort; - const index = mfas.toObject().mfasList.findIndex(mfa => mfa.type === MfaType.MFATYPE_OTP); + const index = list.findIndex(mfa => mfa.otp); if (index === -1) { this.otpAvailable = true; } @@ -125,7 +126,7 @@ export class AuthUserMfaComponent implements OnInit, OnDestroy { }); } - public deleteMFA(type: MfaType, id?: string): void { + public deleteMFA(factor: AuthFactor.AsObject): void { const dialogRef = this.dialog.open(WarnDialogComponent, { data: { confirmKey: 'ACTIONS.DELETE', 
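Review bot: In `addU2F` (hunk `-75,9 +76,8`) the expression `atob(u2fresp.key?.publicKey as string)` hides a possibly missing `key` behind the `as string` cast, so an empty response reaches `atob` as `undefined` and fails while decoding rather than being handled. `addPasswordless` in this commit guards the same response shape with `if (resp.key)`; use the same guard here, for example `if (!u2fresp.key) { return; }` before the parse, ideally with an error toast. In the first hunk on this line, the `verifyMyMultiFactorOTP(code)` promise has no `.catch`, so a wrong OTP code gives the user no feedback. Both functions continue outside their hunks.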
@@ -138,11 +139,11 @@ export class AuthUserMfaComponent implements OnInit, OnDestroy { dialogRef.afterClosed().subscribe(resp => { if (resp) { - if (type === MfaType.MFATYPE_OTP) { - this.service.RemoveMfaOTP().then(() => { + if (factor.otp) { + this.service.removeMyMultiFactorOTP().then(() => { this.toast.showInfo('USER.TOAST.OTPREMOVED', true); - const index = this.dataSource.data.findIndex(mfa => mfa.type === type); + const index = this.dataSource.data.findIndex(mfa => !!mfa.otp); if (index > -1) { this.dataSource.data.splice(index, 1); } @@ -150,19 +151,20 @@ export class AuthUserMfaComponent implements OnInit, OnDestroy { }).catch(error => { this.toast.showError(error); }); - } else if (type === MfaType.MFATYPE_U2F && id) { - this.service.RemoveMyMfaU2F(id).then(() => { - this.toast.showInfo('USER.TOAST.U2FREMOVED', true); + } else + if (factor.u2f) { + this.service.removeMyMultiFactorU2F(factor.u2f.id).then(() => { + this.toast.showInfo('USER.TOAST.U2FREMOVED', true); - const index = this.dataSource.data.findIndex(mfa => mfa.type === type); - if (index > -1) { - this.dataSource.data.splice(index, 1); - } - this.getMFAs(); - }).catch(error => { - this.toast.showError(error); - }); - } + const index = this.dataSource.data.findIndex(mfa => !!mfa.u2f); + if (index > -1) { + this.dataSource.data.splice(index, 1); + } + this.getMFAs(); + }).catch(error => { + this.toast.showError(error); + }); + } } }); } diff --git a/console/src/app/pages/users/user-detail/auth-user-detail/dialog-u2f/dialog-u2f.component.ts b/console/src/app/pages/users/user-detail/auth-user-detail/dialog-u2f/dialog-u2f.component.ts index cee3116522..764b57f7bc 100644 --- a/console/src/app/pages/users/user-detail/auth-user-detail/dialog-u2f/dialog-u2f.component.ts +++ b/console/src/app/pages/users/user-detail/auth-user-detail/dialog-u2f/dialog-u2f.component.ts 
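Review bot: After `removeMyMultiFactorU2F(factor.u2f.id)` succeeds, the row spliced out of the table is found with `findIndex(mfa => !!mfa.u2f)`, which is the first U2F entry rather than the one that was deleted. With more than one security key registered the list shows the wrong key as removed until `getMFAs()` reloads it. Match on the id instead: `findIndex(mfa => mfa.u2f?.id === factor.u2f?.id)`. The same lookup appears in the U2F branch of user-mfa.component.ts later in this diff. As a style point, the `} else` and `if (factor.u2f) {` split over two lines reads better as `} else if (factor.u2f) {`, which is how user-mfa.component.ts writes it.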
@@ -70,7 +70,7 @@ export class DialogU2FComponent { const base64 = btoa(data); if (this.type === U2FComponentDestination.MFA) { - this.service.VerifyMyMfaU2F(base64, this.name).then(() => { + this.service.verifyMyMultiFactorU2F(base64, this.name).then(() => { this.translate.get('USER.MFA.U2F_SUCCESS').pipe(take(1)).subscribe(msg => { this.toast.showInfo(msg); }); diff --git a/console/src/app/pages/users/user-detail/contact/contact.component.html b/console/src/app/pages/users/user-detail/contact/contact.component.html index c0045aebb1..37ec6979cb 100644 --- a/console/src/app/pages/users/user-detail/contact/contact.component.html +++ b/console/src/app/pages/users/user-detail/contact/contact.component.html @@ -19,9 +19,9 @@
{{ 'USER.EMAIL' | translate }} {{human?.email}} - {{'USER.EMAILVERIFIED' | + {{'USER.EMAILVERIFIED' | translate}} -
+
{{'USER.NOTVERIFIED' | translate}} @@ -46,9 +46,9 @@
{{ 'USER.PHONE' | translate }} {{human?.phone ? human.phone : ('USER.PHONEEMPTY' | translate)}} - {{'USER.PHONEVERIFIED' | + {{'USER.PHONEVERIFIED' | translate}} -
+
{{'USER.NOTVERIFIED' | translate}} diff --git a/console/src/app/pages/users/user-detail/contact/contact.component.ts b/console/src/app/pages/users/user-detail/contact/contact.component.ts index 649f600c5f..bce28bd9ac 100644 --- a/console/src/app/pages/users/user-detail/contact/contact.component.ts +++ b/console/src/app/pages/users/user-detail/contact/contact.component.ts @@ -1,8 +1,7 @@ import { Component, EventEmitter, Input, Output } from '@angular/core'; import { MatDialog } from '@angular/material/dialog'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; -import { HumanView as AuthHumanView, UserState as AuthUserState } from 'src/app/proto/generated/auth_pb'; -import { HumanView as MgmtHumanView, UserState as MgmtUserState } from 'src/app/proto/generated/management_pb'; +import { Human, UserState } from 'src/app/proto/generated/zitadel/user_pb'; import { CodeDialogComponent } from '../auth-user-detail/code-dialog/code-dialog.component'; import { EditDialogType } from '../user-detail/user-detail.component'; @@ -15,8 +14,8 @@ import { EditDialogType } from '../user-detail/user-detail.component'; export class ContactComponent { @Input() disablePhoneCode: boolean = false; @Input() canWrite: boolean = false; - @Input() human!: AuthHumanView.AsObject | MgmtHumanView.AsObject; - @Input() state!: AuthUserState | MgmtUserState; + @Input() human!: Human.AsObject; + @Input() state!: UserState; @Output() editType: EventEmitter = new EventEmitter(); @Output() resendEmailVerification: EventEmitter = new EventEmitter(); @Output() resendPhoneVerification: EventEmitter = new EventEmitter(); diff --git a/console/src/app/pages/users/user-detail/detail-form-machine/detail-form-machine.component.ts b/console/src/app/pages/users/user-detail/detail-form-machine/detail-form-machine.component.ts index 584ec8f5d4..6cd53052ee 100644 --- a/console/src/app/pages/users/user-detail/detail-form-machine/detail-form-machine.component.ts 
+++ b/console/src/app/pages/users/user-detail/detail-form-machine/detail-form-machine.component.ts @@ -1,8 +1,7 @@ import { Component, EventEmitter, Input, OnDestroy, OnInit, Output } from '@angular/core'; import { AbstractControl, FormBuilder, FormGroup, Validators } from '@angular/forms'; import { Subscription } from 'rxjs'; - -import { UserView } from '../../../../proto/generated/management_pb'; +import { User } from 'src/app/proto/generated/zitadel/user_pb'; @Component({ selector: 'app-detail-form-machine', @@ -11,7 +10,7 @@ import { UserView } from '../../../../proto/generated/management_pb'; }) export class DetailFormMachineComponent implements OnInit, OnDestroy { @Input() public username!: string; - @Input() public user!: UserView; + @Input() public user!: User; @Input() public disabled: boolean = false; @Output() public submitData: EventEmitter = new EventEmitter(); diff --git a/console/src/app/pages/users/user-detail/detail-form/detail-form.component.ts b/console/src/app/pages/users/user-detail/detail-form/detail-form.component.ts index c4266a740c..dad4fad301 100644 --- a/console/src/app/pages/users/user-detail/detail-form/detail-form.component.ts +++ b/console/src/app/pages/users/user-detail/detail-form/detail-form.component.ts @@ -1,8 +1,7 @@ import { Component, EventEmitter, Input, OnChanges, OnDestroy, Output } from '@angular/core'; import { AbstractControl, FormBuilder, FormGroup, Validators } from '@angular/forms'; import { Subscription } from 'rxjs'; -import { Gender as authGender, UserProfile as authUP, UserView as authUV } from 'src/app/proto/generated/auth_pb'; -import { Gender as mgmtGender, UserProfile as mgmtUP, UserView as mgmtUV } from 'src/app/proto/generated/management_pb'; +import { Gender, User } from 'src/app/proto/generated/zitadel/user_pb'; @Component({ 
@@ -12,11 +11,11 @@ import { Gender as mgmtGender, UserProfile as mgmtUP, UserView as mgmtUV } from }) export class DetailFormComponent implements OnDestroy, OnChanges { @Input() public username!: string; - @Input() public user!: mgmtUV | authUV; + @Input() public user!: User; @Input() public disabled: boolean = false; - @Input() public genders: mgmtGender[] | authGender[] = []; + @Input() public genders: Gender[] = []; @Input() public languages: string[] = ['de', 'en']; - @Output() public submitData: EventEmitter = new EventEmitter(); + @Output() public submitData: EventEmitter = new EventEmitter(); @Output() public changedLanguage: EventEmitter = new EventEmitter(); public profileForm!: FormGroup; diff --git a/console/src/app/pages/users/user-detail/external-idps/external-idps.component.html b/console/src/app/pages/users/user-detail/external-idps/external-idps.component.html index 5474e4634e..424cc9854e 100644 --- a/console/src/app/pages/users/user-detail/external-idps/external-idps.component.html +++ b/console/src/app/pages/users/user-detail/external-idps/external-idps.component.html @@ -1,5 +1,5 @@ + [timestamp]="viewTimestamp" [selection]="selection">
@@ -52,7 +52,7 @@
-
diff --git a/console/src/app/pages/users/user-detail/external-idps/external-idps.component.ts b/console/src/app/pages/users/user-detail/external-idps/external-idps.component.ts index b79d3c9918..0011ec0682 100644 --- a/console/src/app/pages/users/user-detail/external-idps/external-idps.component.ts +++ b/console/src/app/pages/users/user-detail/external-idps/external-idps.component.ts @@ -3,14 +3,11 @@ import { Component, Input, OnInit, ViewChild } from '@angular/core'; import { MatDialog } from '@angular/material/dialog'; import { MatPaginator, PageEvent } from '@angular/material/paginator'; import { MatTableDataSource } from '@angular/material/table'; +import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, Observable } from 'rxjs'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; +import { IDPUserLink } from 'src/app/proto/generated/zitadel/idp_pb'; -import { ExternalIDPView as AuthExternalIDPView } from '../../../../proto/generated/auth_pb'; -import { - ExternalIDPSearchResponse, - ExternalIDPView as MgmtExternalIDPView, -} from '../../../../proto/generated/management_pb'; import { GrpcAuthService } from '../../../../services/grpc-auth.service'; import { ManagementService } from '../../../../services/mgmt.service'; import { ToastService } from '../../../../services/toast.service'; 
@@ -24,11 +21,12 @@ export class ExternalIdpsComponent implements OnInit { @Input() service!: GrpcAuthService | ManagementService; @Input() userId!: string; @ViewChild(MatPaginator) public paginator!: MatPaginator; - public externalIdpResult!: ExternalIDPSearchResponse.AsObject; - public dataSource: MatTableDataSource - = new MatTableDataSource(); - public selection: SelectionModel - = new SelectionModel(true, []); + public totalResult: number = 0; + public viewTimestamp!: Timestamp.AsObject; + public dataSource: MatTableDataSource + = new MatTableDataSource(); + public selection: SelectionModel + = new SelectionModel(true, []); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); @Input() public displayedColumns: string[] = ['idpConfigId', 'idpName', 'externalUserId', 'externalUserDisplayName', 'actions']; @@ -60,15 +58,20 @@ export class ExternalIdpsComponent implements OnInit { let promise; if (this.service instanceof ManagementService) { - promise = (this.service as ManagementService).SearchUserExternalIDPs(limit, offset, this.userId); + promise = (this.service as ManagementService).listHumanLinkedIDPs(this.userId, limit, offset); } else if (this.service instanceof GrpcAuthService) { - promise = (this.service as GrpcAuthService).SearchMyExternalIdps(limit, offset); + promise = (this.service as GrpcAuthService).listMyLinkedIDPs(limit, offset); } if (promise) { promise.then(resp => { - this.externalIdpResult = resp.toObject(); - this.dataSource.data = this.externalIdpResult.resultList; + this.dataSource.data = resp.resultList; + if (resp.details?.viewTimestamp) { + this.viewTimestamp = resp.details.viewTimestamp; + } + if (resp.details?.totalResult) { + this.totalResult = resp.details?.totalResult; + } this.loadingSubject.next(false); }).catch((error: any) => { this.toast.showError(error); 
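Review bot: The `if (resp.details?.totalResult)` guard in getData leaves `totalResult` at its previous value whenever a response reports zero results or carries no `details`. The count shown by the refresh table can therefore stay stale after the last linked IDP is removed. Assign it unconditionally, as membership-detail-datasource.ts does in this same commit: `this.totalResult = resp.details?.totalResult || 0;`. The rest of getData is outside the hunk.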
@@ -81,7 +84,7 @@ export class ExternalIdpsComponent implements OnInit { this.getData(this.paginator.pageSize, this.paginator.pageIndex * this.paginator.pageSize); } - public removeExternalIdp(idp: AuthExternalIDPView.AsObject | MgmtExternalIDPView.AsObject): void { + public removeExternalIdp(idp: IDPUserLink.AsObject): void { const dialogRef = this.dialog.open(WarnDialogComponent, { data: { confirmKey: 'ACTIONS.REMOVE', @@ -97,10 +100,10 @@ export class ExternalIdpsComponent implements OnInit { let promise; if (this.service instanceof ManagementService) { promise = (this.service as ManagementService) - .RemoveExternalIDP(idp.externalUserId, idp.idpConfigId, idp.userId); + .removeHumanLinkedIDP(idp.providedUserId, idp.idpId, idp.userId); } else if (this.service instanceof GrpcAuthService) { promise = (this.service as GrpcAuthService) - .RemoveExternalIDP(idp.externalUserId, idp.idpConfigId); + .removeMyLinkedIDP(idp.providedUserId, idp.idpId); } if (promise) { diff --git a/console/src/app/pages/users/user-detail/membership-detail/membership-detail-datasource.ts b/console/src/app/pages/users/user-detail/membership-detail/membership-detail-datasource.ts index 78ae8f75c1..4bdc030055 100644 --- a/console/src/app/pages/users/user-detail/membership-detail/membership-detail-datasource.ts +++ b/console/src/app/pages/users/user-detail/membership-detail/membership-detail-datasource.ts 
@@ -2,14 +2,14 @@ import { DataSource } from '@angular/cdk/collections'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject, from, Observable, of } from 'rxjs'; import { catchError, finalize, map } from 'rxjs/operators'; -import { UserMembershipView } from 'src/app/proto/generated/management_pb'; +import { Membership } from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; -export class MembershipDetailDataSource extends DataSource { +export class MembershipDetailDataSource extends DataSource { public totalResult: number = 0; public viewTimestamp!: Timestamp.AsObject; - public membersSubject: BehaviorSubject - = new BehaviorSubject([]); + public membersSubject: BehaviorSubject + = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); @@ -21,14 +21,13 @@ export class MembershipDetailDataSource extends DataSource { - const response = resp.toObject(); - this.totalResult = response.totalResult; - if (response.viewTimestamp) { - this.viewTimestamp = response.viewTimestamp; + this.totalResult = resp.details?.totalResult || 0; + if (resp.details?.viewTimestamp) { + this.viewTimestamp = resp.details.viewTimestamp; } - return response.resultList; + return resp.resultList; }), catchError(() => of([])), finalize(() => this.loadingSubject.next(false)), @@ -43,7 +42,7 @@ export class MembershipDetailDataSource extends DataSource { + public connect(): Observable { return this.membersSubject.asObservable(); } diff --git a/console/src/app/pages/users/user-detail/membership-detail/membership-detail.component.ts b/console/src/app/pages/users/user-detail/membership-detail/membership-detail.component.ts index 4a4a061d37..36797dc356 100644 --- a/console/src/app/pages/users/user-detail/membership-detail/membership-detail.component.ts 
+++ b/console/src/app/pages/users/user-detail/membership-detail/membership-detail.component.ts @@ -6,7 +6,7 @@ import { MatTable } from '@angular/material/table'; import { ActivatedRoute } from '@angular/router'; import { tap } from 'rxjs/operators'; import { CreationType, MemberCreateDialogComponent } from 'src/app/modules/add-member-dialog/member-create-dialog.component'; -import { UserMembershipSearchResponse, UserMembershipView, UserView } from 'src/app/proto/generated/management_pb'; +import { Membership, User } from 'src/app/proto/generated/zitadel/user_pb'; import { AdminService } from 'src/app/services/admin.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -19,13 +19,13 @@ import { MembershipDetailDataSource } from './membership-detail-datasource'; styleUrls: ['./membership-detail.component.scss'], }) export class MembershipDetailComponent implements AfterViewInit { - public user!: UserView.AsObject; + public user!: User.AsObject; @ViewChild(MatPaginator) public paginator!: MatPaginator; - @ViewChild(MatTable) public table!: MatTable; + @ViewChild(MatTable) public table!: MatTable; public dataSource!: MembershipDetailDataSource; - public selection: SelectionModel - = new SelectionModel(true, []); + public selection: SelectionModel + = new SelectionModel(true, []); public memberRoleOptions: string[] = []; @@ -33,7 +33,7 @@ export class MembershipDetailComponent implements AfterViewInit { public displayedColumns: string[] = ['select', 'memberType', 'displayName', 'creationDate', 'changeDate', 'roles']; public loading: boolean = false; - public memberships!: UserMembershipSearchResponse.AsObject; + public memberships!: Membership.AsObject[]; constructor( activatedRoute: ActivatedRoute, 
@@ -45,14 +45,16 @@ export class MembershipDetailComponent implements AfterViewInit { activatedRoute.params.subscribe(data => { const { id } = data; if (id) { - this.mgmtService.GetUserByID(id).then(user => { - this.user = user.toObject(); - this.dataSource = new MembershipDetailDataSource(this.mgmtService); - this.dataSource.loadMemberships( - this.user.id, - 0, - 50, - ); + this.mgmtService.getUserByID(id).then(resp => { + if (resp.user) { + this.user = resp.user; + this.dataSource = new MembershipDetailDataSource(this.mgmtService); + this.dataSource.loadMemberships( + this.user.id, + 0, + 50, + ); + } }).catch(err => { console.error(err); }); @@ -117,19 +119,19 @@ export class MembershipDetailComponent implements AfterViewInit { } public async loadManager(userId: string): Promise { - this.mgmtService.SearchUserMemberships(userId, 100, 0, []).then(response => { - this.memberships = response.toObject(); + this.mgmtService.listUserMemberships(userId, 100, 0, []).then(response => { + this.memberships = response.resultList; this.loading = false; }); } public createIamMember(response: any): void { - const users: UserView.AsObject[] = response.users; + const users: User.AsObject[] = response.users; const roles: string[] = response.roles; if (users && users.length && roles && roles.length) { Promise.all(users.map(user => { - return this.adminService.AddIamMember(user.id, roles); + return this.adminService.addIAMMember(user.id, roles); })).then(() => { this.toast.showInfo('IAM.TOAST.MEMBERADDED', true); setTimeout(() => { 
@@ -142,12 +144,12 @@ export class MembershipDetailComponent implements AfterViewInit { } private createOrgMember(response: any): void { - const users: UserView.AsObject[] = response.users; + const users: User.AsObject[] = response.users; const roles: string[] = response.roles; if (users && users.length && roles && roles.length) { Promise.all(users.map(user => { - return this.mgmtService.AddMyOrgMember(user.id, roles); + return this.mgmtService.addOrgMember(user.id, roles); })).then(() => { this.toast.showInfo('ORG.TOAST.MEMBERADDED', true); setTimeout(() => { @@ -160,12 +162,12 @@ export class MembershipDetailComponent implements AfterViewInit { } private createGrantedProjectMember(response: any): void { - const users: UserView.AsObject[] = response.users; + const users: User.AsObject[] = response.users; const roles: string[] = response.roles; if (users && users.length && roles && roles.length) { users.forEach(user => { - return this.mgmtService.AddProjectGrantMember( + return this.mgmtService.addProjectGrantMember( response.projectId, response.grantId, user.id, @@ -183,12 +185,12 @@ export class MembershipDetailComponent implements AfterViewInit { } private createOwnedProjectMember(response: any): void { - const users: UserView.AsObject[] = response.users; + const users: User.AsObject[] = response.users; const roles: string[] = response.roles; if (users && users.length && roles && roles.length) { users.forEach(user => { - return this.mgmtService.AddProjectMember(response.projectId, user.id, roles) + return this.mgmtService.addProjectMember(response.projectId, user.id, roles) .then(() => { this.toast.showInfo('PROJECT.TOAST.MEMBERADDED', true); setTimeout(() => { diff --git a/console/src/app/pages/users/user-detail/memberships/memberships.component.html b/console/src/app/pages/users/user-detail/memberships/memberships.component.html index 9249a989ae..f7da1ce4aa 100644 --- a/console/src/app/pages/users/user-detail/memberships/memberships.component.html 
+++ b/console/src/app/pages/users/user-detail/memberships/memberships.component.html @@ -1,21 +1,17 @@
{{ 'USER.MEMBERSHIPS.TITLE' | translate }}
-
+
- - + +
-
- - - +
+ + + {{membership.displayName}}
@@ -25,7 +21,7 @@
- {{memberships.totalResult}} + {{totalResult}}
diff --git a/console/src/app/pages/users/user-detail/memberships/memberships.component.ts b/console/src/app/pages/users/user-detail/memberships/memberships.component.ts index c4b2610999..38e0df3aa2 100644 --- a/console/src/app/pages/users/user-detail/memberships/memberships.component.ts +++ b/console/src/app/pages/users/user-detail/memberships/memberships.component.ts @@ -3,8 +3,8 @@ import { Component, Input, OnInit } from '@angular/core'; import { MatDialog } from '@angular/material/dialog'; import { Router } from '@angular/router'; import { CreationType, MemberCreateDialogComponent } from 'src/app/modules/add-member-dialog/member-create-dialog.component'; -import { AuthServiceClient } from 'src/app/proto/generated/auth_grpc_web_pb'; -import { MemberType, UserMembershipSearchResponse, UserView } from 'src/app/proto/generated/management_pb'; +import { UserGrant } from 'src/app/proto/generated/zitadel/auth_pb'; +import { Membership, User } from 'src/app/proto/generated/zitadel/user_pb'; import { AdminService } from 'src/app/services/admin.service'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; import { ManagementService } from 'src/app/services/mgmt.service'; @@ -33,14 +33,13 @@ import { ToastService } from 'src/app/services/toast.service'; }) export class MembershipsComponent implements OnInit { public loading: boolean = false; - public memberships!: UserMembershipSearchResponse.AsObject; + public memberships!: Membership.AsObject[] | UserGrant.AsObject[]; + public totalResult: number = 0; @Input() public auth: boolean = false; - @Input() public user!: UserView.AsObject; + @Input() public user!: User.AsObject; @Input() public disabled: boolean = false; - public MemberType: any = MemberType; - constructor( private authService: GrpcAuthService, private mgmtService: ManagementService, 
@@ -56,13 +55,14 @@ export class MembershipsComponent implements OnInit { public async loadManager(userId: string): Promise { if (this.auth) { - this.authService.SearchUserMemberships(100, 0, []).then(response => { - this.memberships = response.toObject(); + this.authService.listMyUserGrants(100, 0, []).then(resp => { + this.memberships = resp.resultList; + this.totalResult = resp.details?.totalResult || 0; this.loading = false; }); } else { - this.mgmtService.SearchUserMemberships(userId, 100, 0, []).then(response => { - this.memberships = response.toObject(); + this.mgmtService.listUserMemberships(userId, 100, 0, []).then(resp => { + this.memberships = resp.resultList; this.loading = false; }); } @@ -103,12 +103,12 @@ export class MembershipsComponent implements OnInit { } public createIamMember(response: any): void { - const users: UserView.AsObject[] = response.users; + const users: User.AsObject[] = response.users; const roles: string[] = response.roles; if (users && users.length && roles && roles.length) { Promise.all(users.map(user => { - return this.adminService.AddIamMember(user.id, roles); + return this.adminService.addIAMMember(user.id, roles); })).then(() => { this.toast.showInfo('IAM.TOAST.MEMBERADDED', true); setTimeout(() => { @@ -121,12 +121,12 @@ export class MembershipsComponent implements OnInit { } private createOrgMember(response: any): void { - const users: UserView.AsObject[] = response.users; + const users: User.AsObject[] = response.users; const roles: string[] = response.roles; if (users && users.length && roles && roles.length) { Promise.all(users.map(user => { - return this.mgmtService.AddMyOrgMember(user.id, roles); + return this.mgmtService.addOrgMember(user.id, roles); })).then(() => { this.toast.showInfo('ORG.TOAST.MEMBERADDED', true); setTimeout(() => { 
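Review bot: In loadManager only the `auth` branch sets `totalResult`; the management branch assigns `this.memberships = resp.resultList` and leaves the counter at its initial 0, although the template now renders `{{totalResult}}`. Add `this.totalResult = resp.details?.totalResult || 0;` to the `listUserMemberships` callback as well. Separately, the `auth` branch now loads `listMyUserGrants`, so `memberships` holds `UserGrant.AsObject[]` there; it is worth confirming that the template fields such as `membership.displayName` exist on that type, which this hunk does not show. Neither promise has a `.catch`, so a rejected call is never reported and `loading` is never reset.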
@@ -139,12 +139,12 @@ export class MembershipsComponent implements OnInit { } private createGrantedProjectMember(response: any): void { - const users: UserView.AsObject[] = response.users; + const users: User.AsObject[] = response.users; const roles: string[] = response.roles; if (users && users.length && roles && roles.length) { users.forEach(user => { - return this.mgmtService.AddProjectGrantMember( + return this.mgmtService.addProjectGrantMember( response.projectId, response.grantId, user.id, @@ -162,12 +162,12 @@ export class MembershipsComponent implements OnInit { } private createOwnedProjectMember(response: any): void { - const users: UserView.AsObject[] = response.users; + const users: User.AsObject[] = response.users; const roles: string[] = response.roles; if (users && users.length && roles && roles.length) { users.forEach(user => { - return this.mgmtService.AddProjectMember(response.projectId, user.id, roles) + return this.mgmtService.addProjectMember(response.projectId, user.id, roles) .then(() => { this.toast.showInfo('PROJECT.TOAST.MEMBERADDED', true); setTimeout(() => { @@ -180,7 +180,7 @@ export class MembershipsComponent implements OnInit { } } - getColor(type: MemberType): string { + getColor(type: Membership.AsObject[] | UserGrant.AsObject[]): string { const gen = type.toString(); const colors = [ 'rgb(201, 115, 88)', diff --git a/console/src/app/pages/users/user-detail/password/password.component.ts b/console/src/app/pages/users/user-detail/password/password.component.ts index e0d49a9e27..0ce8f366ab 100644 --- a/console/src/app/pages/users/user-detail/password/password.component.ts +++ b/console/src/app/pages/users/user-detail/password/password.component.ts 
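Review bot: The new signature `getColor(type: Membership.AsObject[] | UserGrant.AsObject[])` declares an array of objects, but the body still does `type.toString()`. If an array (or a single membership object) is really passed, that string looks like `[object Object]` for every row and all avatars get the same colour. The old parameter was the `MemberType` enum; the replacement should be whatever scalar the template passes (not visible here, the markup is stripped), for example `getColor(seed: string): string` called with the membership's display name or id. The function body continues outside the hunk.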
@@ -3,7 +3,7 @@ import { AbstractControl, FormBuilder, FormGroup, Validators } from '@angular/fo import { ActivatedRoute } from '@angular/router'; import { Subscription } from 'rxjs'; import { lowerCaseValidator, numberValidator, symbolValidator, upperCaseValidator } from 'src/app/pages/validators'; -import { PasswordComplexityPolicy } from 'src/app/proto/generated/auth_pb'; +import { PasswordComplexityPolicy } from 'src/app/proto/generated/zitadel/policy_pb'; import { GrpcAuthService } from 'src/app/services/grpc-auth.service'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -50,8 +50,10 @@ export class PasswordComponent implements OnDestroy { } const validators: Validators[] = [Validators.required]; - this.authService.GetMyPasswordComplexityPolicy().then(complexity => { - this.policy = complexity.toObject(); + this.authService.getMyPasswordComplexityPolicy().then(resp => { + if (resp.policy) { + this.policy = resp.policy; + } if (this.policy.minLength) { validators.push(Validators.minLength(this.policy.minLength)); } @@ -96,7 +98,7 @@ export class PasswordComponent implements OnDestroy { public setInitialPassword(userId: string): void { if (this.passwordForm.valid && this.password && this.password.value) { - this.mgmtUserService.SetInitialPassword(userId, this.password.value).then((data: any) => { + this.mgmtUserService.setHumanInitialPassword(userId, this.password.value).then((data: any) => { this.toast.showInfo('USER.TOAST.INITIALPASSWORDSET', true); window.history.back(); }).catch(error => { 
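Review bot: When `resp.policy` is absent the new `if (resp.policy)` block is skipped, and the `this.policy.minLength` checks that follow run against whatever `this.policy` held before. Depending on how `policy` is initialised (outside the hunk), the form either throws on an unset object or is left with only `Validators.required`, so it accepts any non-empty password. Handle the missing-policy case explicitly, for example by showing an error and keeping submit disabled, rather than falling through. These validators are a usability aid only; the complexity rules still have to be enforced by the API behind `setHumanInitialPassword` and `updateMyPassword`.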
@@ -109,7 +111,7 @@ export class PasswordComponent implements OnDestroy { if (this.passwordForm.valid && this.currentPassword && this.currentPassword.value && this.newPassword && this.newPassword.value && this.newPassword.valid) { - this.authService.ChangeMyPassword(this.currentPassword.value, this.newPassword.value) + this.authService.updateMyPassword(this.currentPassword.value, this.newPassword.value) .then((data: any) => { this.toast.showInfo('USER.TOAST.PASSWORDCHANGED', true); window.history.back(); diff --git a/console/src/app/pages/users/user-detail/user-detail/passwordless/passwordless.component.html b/console/src/app/pages/users/user-detail/user-detail/passwordless/passwordless.component.html index 6f6f40f267..d3f95ff661 100644 --- a/console/src/app/pages/users/user-detail/user-detail/passwordless/passwordless.component.html +++ b/console/src/app/pages/users/user-detail/user-detail/passwordless/passwordless.component.html @@ -15,7 +15,7 @@ {{ 'USER.PASSWORDLESS.TABLESTATE' | translate }} {{'USER.PASSWORDLESS.STATE.'+ mfa.state | translate}} - diff --git a/console/src/app/pages/users/user-detail/user-detail/passwordless/passwordless.component.ts b/console/src/app/pages/users/user-detail/user-detail/passwordless/passwordless.component.ts index b56ae64ab9..35dc13587b 100644 --- a/console/src/app/pages/users/user-detail/user-detail/passwordless/passwordless.component.ts +++ b/console/src/app/pages/users/user-detail/user-detail/passwordless/passwordless.component.ts 
@@ -4,8 +4,7 @@ import { MatSort } from '@angular/material/sort'; import { MatTable, MatTableDataSource } from '@angular/material/table'; import { BehaviorSubject, Observable } from 'rxjs'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; -import { MFAState, WebAuthNToken } from 'src/app/proto/generated/auth_pb'; -import { UserView } from 'src/app/proto/generated/management_pb'; +import { AuthFactorState, User, WebAuthNToken } from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; @@ -25,7 +24,7 @@ export interface WebAuthNOptions { styleUrls: ['./passwordless.component.scss'], }) export class PasswordlessComponent implements OnInit, OnDestroy { - @Input() private user!: UserView.AsObject; + @Input() private user!: User.AsObject; public displayedColumns: string[] = ['name', 'state', 'actions']; private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); @@ -34,7 +33,7 @@ export class PasswordlessComponent implements OnInit, OnDestroy { @ViewChild(MatSort) public sort!: MatSort; public dataSource!: MatTableDataSource; - public MFAState: any = MFAState; + public AuthFactorState: any = AuthFactorState; public error: string = ''; constructor(private service: ManagementService, @@ -50,8 +49,8 @@ export class PasswordlessComponent implements OnInit, OnDestroy { } public getPasswordless(): void { - this.service.GetPasswordless(this.user.id).then(passwordless => { - this.dataSource = new MatTableDataSource(passwordless.toObject().tokensList); + this.service.listHumanPasswordless(this.user.id).then(passwordless => { + this.dataSource = new MatTableDataSource(passwordless.resultList); this.dataSource.sort = this.sort; }).catch(error => { this.error = error.message; 
@@ -71,7 +70,7 @@ export class PasswordlessComponent implements OnInit, OnDestroy { dialogRef.afterClosed().subscribe(resp => { if (resp && id) { - this.service.RemovePasswordless(id, this.user.id).then(() => { + this.service.removeHumanPasswordless(id, this.user.id).then(() => { this.toast.showInfo('USER.TOAST.PASSWORDLESSREMOVED', true); this.getPasswordless(); }).catch(error => { diff --git a/console/src/app/pages/users/user-detail/user-detail/user-detail.component.html b/console/src/app/pages/users/user-detail/user-detail/user-detail.component.html index 61b915c0d3..7db32aea8a 100644 --- a/console/src/app/pages/users/user-detail/user-detail/user-detail.component.html +++ b/console/src/app/pages/users/user-detail/user-detail/user-detail.component.html @@ -4,7 +4,7 @@ arrow_back -

{{user.human ? user.human?.displayName : user.machine?.name}}

+

{{user.human ? user.human?.profile?.displayName : user.machine?.name}}

diff --git a/console/src/app/pages/users/user-detail/user-detail/user-mfa/user-mfa.component.ts b/console/src/app/pages/users/user-detail/user-detail/user-mfa/user-mfa.component.ts index 25a725c6b1..0d03bca91a 100644 --- a/console/src/app/pages/users/user-detail/user-detail/user-mfa/user-mfa.component.ts +++ b/console/src/app/pages/users/user-detail/user-detail/user-mfa/user-mfa.component.ts @@ -4,7 +4,7 @@ import { MatSort } from '@angular/material/sort'; import { MatTable, MatTableDataSource } from '@angular/material/table'; import { BehaviorSubject, Observable } from 'rxjs'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; -import { MFAState, MfaType, UserMultiFactor, UserView } from 'src/app/proto/generated/management_pb'; +import { AuthFactor, AuthFactorState, User } from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; 
@@ -21,17 +21,16 @@ export interface MFAItem { }) export class UserMfaComponent implements OnInit, OnDestroy { public displayedColumns: string[] = ['type', 'attr', 'state', 'actions']; - @Input() private user!: UserView.AsObject; - public mfaSubject: BehaviorSubject = new BehaviorSubject([]); + @Input() private user!: User.AsObject; + public mfaSubject: BehaviorSubject = new BehaviorSubject([]); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); - @ViewChild(MatTable) public table!: MatTable; + @ViewChild(MatTable) public table!: MatTable; @ViewChild(MatSort) public sort!: MatSort; - public dataSource!: MatTableDataSource; + public dataSource!: MatTableDataSource; - public MfaType: any = MfaType; - public MFAState: any = MFAState; + public AuthFactorState: any = AuthFactorState; public error: string = ''; constructor(private mgmtUserService: ManagementService, private dialog: MatDialog, private toast: ToastService) { } @@ -46,15 +45,15 @@ export class UserMfaComponent implements OnInit, OnDestroy { } public getMFAs(): void { - this.mgmtUserService.getUserMfas(this.user.id).then(mfas => { - this.dataSource = new MatTableDataSource(mfas.toObject().mfasList); + this.mgmtUserService.listHumanMultiFactors(this.user.id).then(mfas => { + this.dataSource = new MatTableDataSource(mfas.resultList); this.dataSource.sort = this.sort; }).catch(error => { this.error = error.message; }); } - public deleteMFA(type: MfaType, id?: string): void { + public deleteMFA(factor: AuthFactor.AsObject): void { const dialogRef = this.dialog.open(WarnDialogComponent, { data: { confirmKey: 'ACTIONS.DELETE', 
@@ -67,11 +66,11 @@ export class UserMfaComponent implements OnInit, OnDestroy { dialogRef.afterClosed().subscribe(resp => { if (resp) { - if (type === MfaType.MFATYPE_OTP) { - this.mgmtUserService.removeMfaOTP(this.user.id).then(() => { + if (factor.otp) { + this.mgmtUserService.removeHumanMultiFactorOTP(this.user.id).then(() => { this.toast.showInfo('USER.TOAST.OTPREMOVED', true); - const index = this.dataSource.data.findIndex(mfa => mfa.type === type); + const index = this.dataSource.data.findIndex(mfa => !!mfa.otp); if (index > -1) { this.dataSource.data.splice(index, 1); } @@ -79,11 +78,11 @@ export class UserMfaComponent implements OnInit, OnDestroy { }).catch(error => { this.toast.showError(error); }); - } else if (type === MfaType.MFATYPE_U2F && id) { - this.mgmtUserService.RemoveMfaU2F(this.user.id, id).then(() => { + } else if (factor.u2f) { + this.mgmtUserService.removeHumanAuthFactorU2F(this.user.id).then(() => { this.toast.showInfo('USER.TOAST.U2FREMOVED', true); - const index = this.dataSource.data.findIndex(mfa => mfa.type === type); + const index = this.dataSource.data.findIndex(mfa => !!mfa.u2f); if (index > -1) { this.dataSource.data.splice(index, 1); } diff --git a/console/src/app/pages/users/user-list/user-list-routing.module.ts b/console/src/app/pages/users/user-list/user-list-routing.module.ts index 17b5b60039..78bfd27e07 100644 --- a/console/src/app/pages/users/user-list/user-list-routing.module.ts +++ b/console/src/app/pages/users/user-list/user-list-routing.module.ts @@ -1,7 +1,8 @@ import { NgModule } from '@angular/core'; import { RouterModule, Routes } from '@angular/router'; +import { Type } from 'src/app/proto/generated/zitadel/user_pb'; -import { UserListComponent, UserType } from './user-list.component'; +import { UserListComponent } from './user-list.component'; const routes: Routes = [ 
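Review bot: In the `@@ -79,11 +78,11 @@` hunk of user-mfa.component.ts, `removeHumanAuthFactorU2F(this.user.id)` no longer passes a token id, where the removed line called `RemoveMfaU2F(this.user.id, id)`. For a user with more than one registered U2F key, the call does not say which authenticator to remove. The following `findIndex(mfa => !!mfa.u2f)` then drops the first U2F row from the table, whichever key the server removed, so the key the admin meant to revoke may stay registered while the UI shows it gone. If the service method accepts a token id (its signature is not in this hunk), pass the id carried by `factor.u2f`, and match the row by identity with `findIndex(mfa => mfa === factor)`. The body of `deleteMFA` starts in an earlier hunk and continues past this one.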
@@ -10,7 +11,7 @@ const routes: Routes = [ component: UserListComponent, data: { animation: 'HomePage', - type: UserType.HUMAN, + type: Type.TYPE_HUMAN, }, }, { @@ -18,7 +19,7 @@ const routes: Routes = [ component: UserListComponent, data: { animation: 'HomePage', - type: UserType.MACHINE, + type: Type.TYPE_MACHINE, }, }, ]; diff --git a/console/src/app/pages/users/user-list/user-list.component.html b/console/src/app/pages/users/user-list/user-list.component.html index 4565cf8af0..406ab5ac21 100644 --- a/console/src/app/pages/users/user-list/user-list.component.html +++ b/console/src/app/pages/users/user-list/user-list.component.html @@ -1,17 +1,17 @@
- +

{{ 'USER.PAGES.LIST' | translate }}

{{ 'USER.PAGES.DESCRIPTION' | translate }}

- +
- +

{{ 'USER.PAGES.LISTMACHINE' | translate }}

{{ 'USER.PAGES.DESCRIPTIONMACHINE' | translate }}

- diff --git a/console/src/app/pages/users/user-list/user-list.component.ts b/console/src/app/pages/users/user-list/user-list.component.ts index 9372c42131..ca5c165f8a 100644 --- a/console/src/app/pages/users/user-list/user-list.component.ts +++ b/console/src/app/pages/users/user-list/user-list.component.ts @@ -2,19 +2,17 @@ import { Component } from '@angular/core'; import { ActivatedRoute } from '@angular/router'; import { TranslateService } from '@ngx-translate/core'; import { take } from 'rxjs/operators'; +import { Type } from 'src/app/proto/generated/zitadel/user_pb'; -export enum UserType { - HUMAN = 'human', - MACHINE = 'machine', -} @Component({ selector: 'app-user-list', templateUrl: './user-list.component.html', styleUrls: ['./user-list.component.scss'], }) export class UserListComponent { - public UserType: any = UserType; - public type: UserType = UserType.HUMAN; + public Type: any = Type; + public type: Type = Type.TYPE_HUMAN; + constructor(public translate: TranslateService, activatedRoute: ActivatedRoute) { activatedRoute.data.pipe(take(1)).subscribe(params => { const { type } = params; diff --git a/console/src/app/pages/users/user-list/user-table/user-table.component.html b/console/src/app/pages/users/user-list/user-table/user-table.component.html index 74d0cad53e..86444f83e7 100644 --- a/console/src/app/pages/users/user-list/user-table/user-table.component.html +++ b/console/src/app/pages/users/user-list/user-table/user-table.component.html @@ -1,6 +1,5 @@ - + @@ -15,7 +14,7 @@ class="icon-button" mat-icon-button *ngIf="selection.hasValue()" [disabled]="disabled"> - add{{ 'ACTIONS.NEW' | translate }} @@ -34,8 +33,8 @@ + *ngIf="user[type] && user[type].displayName && user[type]?.firstName && user[type]?.lastName; else cog" + class="avatar" [name]="user[type].displayName" [size]="32">
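Review bot: In the `@@ -34,8 +33,8 @@` hunk of user-table.component.html, `user[type]` indexes the user object with the new `Type` enum value, and the `@@ -48,35 +47,35 @@` and later hunks do the same for `firstName`, `lastName`, `email`, `name` and `description`. The removed `UserType` was a string enum (`'human'`, `'machine'`), so `user[userType]` resolved to `user.human` or `user.machine`. `Type` comes from the generated `user_pb`, and protobuf-generated enums are numeric, so `user[type]` would be `undefined` and every cell would render empty. The detail template in this commit also reads the name as `user.human?.profile?.displayName`, which suggests the fields moved under `profile`. Address the objects directly, e.g. `user.human?.profile?.displayName` and `user.machine?.name`, selecting on `type === Type.TYPE_HUMAN`.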
@@ -48,35 +47,35 @@ + [ngClass]="{'search-active': this.userSearchKey == UserListSearchKey.FIRST_NAME}"> {{ 'USER.PROFILE.FIRSTNAME' | translate }} + [ngTemplateOutletContext]="{key: UserListSearchKey.FIRST_NAME}"> - {{user[userType]?.firstName}} + {{user[type]?.firstName}} + [ngClass]="{'search-active': this.userSearchKey == UserListSearchKey.LAST_NAME}"> {{ 'USER.PROFILE.LASTNAME' | translate }} + [ngTemplateOutletContext]="{key: UserListSearchKey.LAST_NAME}"> - {{user[userType]?.lastName}} + {{user[type]?.lastName}} + [ngClass]="{'search-active': this.userSearchKey == UserListSearchKey.USERSEARCHKEY_DISPLAY_NAME}"> {{ 'USER.PROFILE.DISPLAYNAME' | translate }} + [ngTemplateOutletContext]="{key: UserListSearchKey.USERSEARCHKEY_DISPLAY_NAME}"> - {{user[userType]?.displayName}} + {{user[type]?.displayName}} @@ -84,21 +83,21 @@ {{ 'USER.MACHINE.NAME' | translate }} - {{user[userType]?.name}} + {{user[type]?.name}} {{ 'USER.MACHINE.DESCRIPTION' | translate }} - {{user[userType]?.description}} + {{user[type]?.description}} + [ngClass]="{'search-active': this.userSearchKey == UserListSearchKey.USER_NAME}"> {{ 'USER.PROFILE.USERNAME' | translate }} + [ngTemplateOutletContext]="{key: UserListSearchKey.USER_NAME}"> {{user.userName}} @@ -106,20 +105,21 @@ + [ngClass]="{'search-active': this.UserListSearchKey == UserListSearchKey.EMAIL}"> {{ 'USER.EMAIL' | translate }} + [ngTemplateOutletContext]="{key: UserListSearchKey.EMAIL}"> - {{user[userType]?.email}} + {{user[type]?.email}} {{ 'USER.DATA.STATE' | translate }} {{ 'USER.DATA.STATE'+user.state | translate }} + [ngClass]="{'active': user.state === UserState.USERSTATE_ACTIVE, 'inactive': user.state === UserState.USERSTATE_INACTIVE}">{{ + 'USER.DATA.STATE'+user.state | translate }} @@ -142,7 +142,7 @@ {{'USER.TABLE.EMPTY' | translate}}
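Review bot: `UserListSearchKey.USERSEARCHKEY_DISPLAY_NAME` in the display-name column is not a member of the `UserListSearchKey` enum this commit adds to user-table.component.ts, whose members are `FIRST_NAME`, `LAST_NAME`, `DISPLAY_NAME`, `USER_NAME` and `EMAIL`. The lookup evaluates to `undefined`, so `this.userSearchKey == undefined` is true whenever no filter is chosen and the column is marked `search-active` by default. The template context also passes `key: undefined`, so the display-name filter can never be selected. Both bindings should use `UserListSearchKey.DISPLAY_NAME`.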
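Review bot: In the `@@ -106,20 +105,21 @@` hunk the email column's class binding compares the enum object rather than the selected key: `this.UserListSearchKey == UserListSearchKey.EMAIL` is always false, so the column never shows as the active search. It should match the other columns: `[ngClass]="{'search-active': this.userSearchKey == UserListSearchKey.EMAIL}"`. The state cell in the same hunk still references `UserState.USERSTATE_ACTIVE` and `USERSTATE_INACTIVE`; since `UserState` is now imported from the new `user_pb`, confirm those member names still exist there.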
-
diff --git a/console/src/app/pages/users/user-list/user-table/user-table.component.ts b/console/src/app/pages/users/user-list/user-table/user-table.component.ts index 0e338445b6..ba4b64f9d9 100644 --- a/console/src/app/pages/users/user-list/user-table/user-table.component.ts +++ b/console/src/app/pages/users/user-list/user-table/user-table.component.ts @@ -9,18 +9,30 @@ import { BehaviorSubject, Observable } from 'rxjs'; import { take } from 'rxjs/operators'; import { enterAnimations } from 'src/app/animations'; import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component'; -import { UserView } from 'src/app/proto/generated/auth_pb'; +import { Timestamp } from 'src/app/proto/generated/google/protobuf/timestamp_pb'; +import { TextQueryMethod } from 'src/app/proto/generated/zitadel/object_pb'; import { - SearchMethod, - UserSearchKey, - UserSearchQuery, - UserSearchResponse, + DisplayNameQuery, + EmailQuery, + FirstNameQuery, + LastNameQuery, + SearchQuery, + Type, + TypeQuery, + User, + UserNameQuery, UserState, -} from 'src/app/proto/generated/management_pb'; +} from 'src/app/proto/generated/zitadel/user_pb'; import { ManagementService } from 'src/app/services/mgmt.service'; import { ToastService } from 'src/app/services/toast.service'; -import { UserType } from '../user-list.component'; +enum UserListSearchKey { + FIRST_NAME, + LAST_NAME, + DISPLAY_NAME, + USER_NAME, + EMAIL, +} @Component({ selector: 'app-user-table', 
@@ -31,24 +43,26 @@ import { UserType } from '../user-list.component'; ], }) export class UserTableComponent implements OnInit { - public userSearchKey: UserSearchKey | undefined = undefined; - public UserType: any = UserType; - @Input() userType: UserType = UserType.HUMAN; + public userSearchKey: UserListSearchKey | undefined = undefined; + public Type: any = Type; + @Input() type: Type = Type.TYPE_HUMAN; @Input() refreshOnPreviousRoutes: string[] = []; @Input() disabled: boolean = false; @ViewChild(MatPaginator) public paginator!: MatPaginator; @ViewChild('input') public filter!: Input; - public dataSource: MatTableDataSource = new MatTableDataSource(); - public selection: SelectionModel = new SelectionModel(true, []); - public userResult!: UserSearchResponse.AsObject; + + public viewTimestamp!: Timestamp.AsObject; + public totalResult: number = 0; + public dataSource: MatTableDataSource = new MatTableDataSource(); + public selection: SelectionModel = new SelectionModel(true, []); private loadingSubject: BehaviorSubject = new BehaviorSubject(false); public loading$: Observable = this.loadingSubject.asObservable(); @Input() public displayedColumns: string[] = ['select', 'displayName', 'username', 'email', 'state', 'actions']; - @Output() public changedSelection: EventEmitter> = new EventEmitter(); - UserSearchKey: any = UserSearchKey; + @Output() public changedSelection: EventEmitter> = new EventEmitter(); public UserState: any = UserState; + public UserListSearchKey: any = UserListSearchKey; constructor( public translate: TranslateService, @@ -64,10 +78,10 @@ export class UserTableComponent implements OnInit { ngOnInit(): void { this.route.queryParams.pipe(take(1)).subscribe(params => { - this.getData(10, 0, this.userType); + this.getData(10, 0, this.type); if (params.deferredReload) { setTimeout(() => { - this.getData(10, 0, this.userType); + this.getData(10, 0, this.type); }, 2000); } }); 
@@ -87,12 +101,12 @@ export class UserTableComponent implements OnInit { public changePage(event: PageEvent): void { - this.getData(event.pageSize, event.pageIndex * event.pageSize, this.userType); + this.getData(event.pageSize, event.pageIndex * event.pageSize, this.type); } public deactivateSelectedUsers(): void { Promise.all(this.selection.selected.map(value => { - return this.userService.DeactivateUser(value.id); + return this.userService.deactivateUser(value.id); })).then(() => { this.toast.showInfo('USER.TOAST.SELECTEDDEACTIVATED', true); this.selection.clear(); @@ -106,7 +120,7 @@ export class UserTableComponent implements OnInit { public reactivateSelectedUsers(): void { Promise.all(this.selection.selected.map(value => { - return this.userService.ReactivateUser(value.id); + return this.userService.reactivateUser(value.id); })).then(() => { this.toast.showInfo('USER.TOAST.SELECTEDREACTIVATED', true); this.selection.clear(); 
@@ -118,24 +132,61 @@ export class UserTableComponent implements OnInit { }); } - private async getData(limit: number, offset: number, filterTypeValue: UserType, filterName?: string): Promise { + private async getData(limit: number, offset: number, type: Type, searchValue?: string): Promise { this.loadingSubject.next(true); - const query = new UserSearchQuery(); - query.setKey(UserSearchKey.USERSEARCHKEY_TYPE); - query.setMethod(SearchMethod.SEARCHMETHOD_EQUALS); - query.setValue(filterTypeValue); + const query = new SearchQuery(); + const typeQuery = new TypeQuery(); + typeQuery.setType(type); + query.setTypeQuery(typeQuery); - let namequery; - if (filterName && this.userSearchKey !== undefined) { - namequery = new UserSearchQuery(); - namequery.setMethod(SearchMethod.SEARCHMETHOD_CONTAINS_IGNORE_CASE); - namequery.setKey(this.userSearchKey); - namequery.setValue(filterName.toLowerCase()); + if (searchValue && this.userSearchKey !== undefined) { + switch (this.userSearchKey) { + case UserListSearchKey.DISPLAY_NAME: + const dNQuery = new DisplayNameQuery(); + dNQuery.setDisplayName(searchValue); + dNQuery.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE); + + query.setDisplayNameQuery(dNQuery); + break; + case UserListSearchKey.USER_NAME: + const uNQuery = new UserNameQuery(); + uNQuery.setUserName(searchValue); + uNQuery.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE); + + query.setUserNameQuery(uNQuery); + break; + case UserListSearchKey.FIRST_NAME: + const fNQuery = new FirstNameQuery(); + fNQuery.setFirstName(searchValue); + fNQuery.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE); + + query.setFirstNameQuery(fNQuery); + break; + case UserListSearchKey.FIRST_NAME: + const lNQuery = new LastNameQuery(); + lNQuery.setLastName(searchValue); + lNQuery.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE); + + query.setLastNameQuery(lNQuery); + break; + case UserListSearchKey.EMAIL: + const eQuery = new 
EmailQuery(); + eQuery.setEmailAddress(searchValue); + eQuery.setMethod(TextQueryMethod.TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE); + + query.setEmailQuery(eQuery); + break; + } } - this.userService.SearchUsers(limit, offset, namequery ? [query, namequery] : [query]).then(resp => { - this.userResult = resp.toObject(); - this.dataSource.data = this.userResult.resultList; + this.userService.listUsers(limit, offset, [query]).then(resp => { + if (resp.details?.totalResult) { + this.totalResult = resp.details?.totalResult; + } + if (resp.details?.viewTimestamp) { + this.viewTimestamp = resp.details?.viewTimestamp; + } + this.dataSource.data = resp.resultList; this.loadingSubject.next(false); }).catch(error => { this.toast.showError(error); @@ -144,7 +195,7 @@ export class UserTableComponent implements OnInit { } public refreshPage(): void { - this.getData(this.paginator.pageSize, this.paginator.pageIndex * this.paginator.pageSize, this.userType); + this.getData(this.paginator.pageSize, this.paginator.pageIndex * this.paginator.pageSize, this.type); } public applyFilter(event: Event): void { @@ -154,12 +205,12 @@ export class UserTableComponent implements OnInit { this.getData( this.paginator.pageSize, this.paginator.pageIndex * this.paginator.pageSize, - this.userType, + this.type, filterValue, ); } - public setFilter(key: UserSearchKey): void { + public setFilter(key: UserListSearchKey): void { setTimeout(() => { if (this.filter) { (this.filter as any).nativeElement.focus(); @@ -174,7 +225,7 @@ export class UserTableComponent implements OnInit { } } - public deleteUser(user: UserView.AsObject): void { + public deleteUser(user: User.AsObject): void { const dialogRef = this.dialog.open(WarnDialogComponent, { data: { confirmKey: 'ACTIONS.DELETE', 
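Review bot: The second `case UserListSearchKey.FIRST_NAME:` in `getData`'s switch duplicates the first, so the `LastNameQuery` branch can never run and a last-name filter is silently ignored; it should read `case UserListSearchKey.LAST_NAME:`. Separately, the text filter is now set on the same `SearchQuery` that already holds the `TypeQuery`, where the removed code sent two queries (`[query, namequery]`). If `SearchQuery` is a protobuf oneof (its definition is not visible here), setting the second field clears the type filter, and a search would return human and machine users together. Building a second `SearchQuery` for the text filter and passing `[query, nameQuery]` to `listUsers` keeps both constraints. `totalResult` is also assigned only when truthy, so an empty result leaves the previous count in place.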
@@ -187,7 +238,7 @@ export class UserTableComponent implements OnInit { dialogRef.afterClosed().subscribe(resp => { if (resp) { - this.userService.DeleteUser(user.id).then(() => { + this.userService.removeUser(user.id).then(() => { setTimeout(() => { this.refreshPage(); }, 1000); diff --git a/console/src/app/services/admin.service.ts b/console/src/app/services/admin.service.ts index 3e4f5cc167..7bfbe92cdb 100644 --- a/console/src/app/services/admin.service.ts +++ b/console/src/app/services/admin.service.ts 
@@ -1,60 +1,96 @@ import { Injectable } from '@angular/core'; -import { Empty } from 'google-protobuf/google/protobuf/empty_pb'; import { - AddIamMemberRequest, - ChangeIamMemberRequest, - CreateHumanRequest, - CreateOrgRequest, - CreateUserRequest, - DefaultLabelPolicy, - DefaultLabelPolicyUpdate, - DefaultLabelPolicyView, - DefaultLoginPolicy, - DefaultLoginPolicyRequest, - DefaultLoginPolicyView, - DefaultPasswordAgePolicyRequest, - DefaultPasswordAgePolicyView, - DefaultPasswordComplexityPolicy, - DefaultPasswordComplexityPolicyRequest, - DefaultPasswordComplexityPolicyView, - DefaultPasswordLockoutPolicy, - DefaultPasswordLockoutPolicyRequest, - DefaultPasswordLockoutPolicyView, - FailedEventID, - FailedEvents, - IamMember, - IamMemberRoles, - IamMemberSearchQuery, - IamMemberSearchRequest, - IamMemberSearchResponse, - Idp, - IdpID, - IdpProviderID, - IdpProviderSearchRequest, - IdpProviderSearchResponse, - IdpSearchQuery, - IdpSearchRequest, - IdpSearchResponse, - IdpView, - MultiFactor, - MultiFactorsResult, - OidcIdpConfig, - OidcIdpConfigCreate, - OidcIdpConfigUpdate, - OrgIamPolicy, - OrgIamPolicyID, - OrgIamPolicyRequest, - OrgIamPolicyView, - OrgSetUpRequest, - OrgSetUpResponse, - RemoveIamMemberRequest, - SecondFactor, - SecondFactorsResult, - ViewID, - Views, -} from '../proto/generated/admin_pb'; -import { IdpUpdate } from '../proto/generated/management_pb'; + AddCustomOrgIAMPolicyRequest, + AddCustomOrgIAMPolicyResponse, + AddIAMMemberRequest, + AddIAMMemberResponse, + AddIDPToLoginPolicyRequest, + AddIDPToLoginPolicyResponse, + AddMultiFactorToLoginPolicyRequest, + AddMultiFactorToLoginPolicyResponse, + AddOIDCIDPRequest, + AddOIDCIDPResponse, + AddSecondFactorToLoginPolicyRequest, + AddSecondFactorToLoginPolicyResponse, + ClearViewRequest, + ClearViewResponse, + DeactivateIDPRequest, + DeactivateIDPResponse, + GetCustomOrgIAMPolicyRequest, + GetCustomOrgIAMPolicyResponse, + GetIDPByIDRequest, + GetIDPByIDResponse, + GetLabelPolicyRequest, + 
GetLabelPolicyResponse, + GetLoginPolicyRequest, + GetLoginPolicyResponse, + GetOrgIAMPolicyRequest, + GetOrgIAMPolicyResponse, + GetPasswordAgePolicyRequest, + GetPasswordAgePolicyResponse, + GetPasswordComplexityPolicyRequest, + GetPasswordComplexityPolicyResponse, + GetPasswordLockoutPolicyRequest, + GetPasswordLockoutPolicyResponse, + IDPQuery, + ListFailedEventsRequest, + ListFailedEventsResponse, + ListIAMMemberRolesRequest, + ListIAMMemberRolesResponse, + ListIAMMembersRequest, + ListIAMMembersResponse, + ListIDPsRequest, + ListIDPsResponse, + ListLoginPolicyIDPsRequest, + ListLoginPolicyIDPsResponse, + ListLoginPolicyMultiFactorsRequest, + ListLoginPolicyMultiFactorsResponse, + ListLoginPolicySecondFactorsRequest, + ListLoginPolicySecondFactorsResponse, + ListViewsRequest, + ListViewsResponse, + ReactivateIDPRequest, + ReactivateIDPResponse, + RemoveFailedEventRequest, + RemoveFailedEventResponse, + RemoveIAMMemberRequest, + RemoveIAMMemberResponse, + RemoveIDPFromLoginPolicyRequest, + RemoveIDPFromLoginPolicyResponse, + RemoveIDPRequest, + RemoveIDPResponse, + RemoveMultiFactorFromLoginPolicyRequest, + RemoveMultiFactorFromLoginPolicyResponse, + RemoveSecondFactorFromLoginPolicyRequest, + RemoveSecondFactorFromLoginPolicyResponse, + ResetCustomOrgIAMPolicyToDefaultRequest, + ResetCustomOrgIAMPolicyToDefaultResponse, + SetUpOrgRequest, + SetUpOrgResponse, + UpdateCustomOrgIAMPolicyRequest, + UpdateCustomOrgIAMPolicyResponse, + UpdateIAMMemberRequest, + UpdateIAMMemberResponse, + UpdateIDPOIDCConfigRequest, + UpdateIDPOIDCConfigResponse, + UpdateIDPRequest, + UpdateIDPResponse, + UpdateLabelPolicyRequest, + UpdateLabelPolicyResponse, + UpdateLoginPolicyRequest, + UpdateLoginPolicyResponse, + UpdateOrgIAMPolicyRequest, + UpdateOrgIAMPolicyResponse, + UpdatePasswordAgePolicyRequest, + UpdatePasswordAgePolicyResponse, + UpdatePasswordComplexityPolicyRequest, + UpdatePasswordComplexityPolicyResponse, + UpdatePasswordLockoutPolicyRequest, + 
UpdatePasswordLockoutPolicyResponse, +} from '../proto/generated/zitadel/admin_pb'; +import { SearchQuery } from '../proto/generated/zitadel/member_pb'; +import { ListQuery } from '../proto/generated/zitadel/object_pb'; import { GrpcService } from './grpc.service'; @Injectable({ 
@@ -64,338 +100,352 @@ export class AdminService { constructor(private readonly grpcService: GrpcService) { } public SetUpOrg( - createOrgRequest: CreateOrgRequest, - humanRequest: CreateHumanRequest, - ): Promise { - const req: OrgSetUpRequest = new OrgSetUpRequest(); - const userReq: CreateUserRequest = new CreateUserRequest(); + org: SetUpOrgRequest.Org, + human: SetUpOrgRequest.Human, + ): Promise { + const req = new SetUpOrgRequest(); - userReq.setHuman(humanRequest); + req.setOrg(org); + req.setHuman(human); - req.setOrg(createOrgRequest); - req.setUser(userReq); - - return this.grpcService.admin.setUpOrg(req); + return this.grpcService.admin.setUpOrg(req, null).then(resp => resp.toObject()); } - public getDefaultLoginPolicyMultiFactors(): Promise { - const req = new Empty(); - return this.grpcService.admin.getDefaultLoginPolicyMultiFactors(req); + public listLoginPolicyMultiFactors(): Promise { + const req = new ListLoginPolicyMultiFactorsRequest(); + return this.grpcService.admin.listLoginPolicyMultiFactors(req, null).then(resp => resp.toObject());; } - public addMultiFactorToDefaultLoginPolicy(req: MultiFactor): Promise { - return this.grpcService.admin.addMultiFactorToDefaultLoginPolicy(req); + public addMultiFactorToLoginPolicy(req: AddMultiFactorToLoginPolicyRequest): Promise { + return this.grpcService.admin.addMultiFactorToLoginPolicy(req, null).then(resp => resp.toObject());; } - public RemoveMultiFactorFromDefaultLoginPolicy(req: MultiFactor): Promise { - return this.grpcService.admin.removeMultiFactorFromDefaultLoginPolicy(req); + public removeMultiFactorFromLoginPolicy(req: RemoveMultiFactorFromLoginPolicyRequest): Promise { + return this.grpcService.admin.removeMultiFactorFromLoginPolicy(req, null).then(resp => resp.toObject());; } - public GetDefaultLoginPolicySecondFactors(): Promise { - const req = new Empty(); - return this.grpcService.admin.getDefaultLoginPolicySecondFactors(req); + public listLoginPolicySecondFactors(): Promise { + const 
req = new ListLoginPolicySecondFactorsRequest(); + return this.grpcService.admin.listLoginPolicySecondFactors(req, null).then(resp => resp.toObject()); } - public AddSecondFactorToDefaultLoginPolicy(req: SecondFactor): Promise { - return this.grpcService.admin.addSecondFactorToDefaultLoginPolicy(req); + public addSecondFactorToLoginPolicy(req: AddSecondFactorToLoginPolicyRequest): Promise { + return this.grpcService.admin.addSecondFactorToLoginPolicy(req, null).then(resp => resp.toObject());; } - public RemoveSecondFactorFromDefaultLoginPolicy(req: SecondFactor): Promise { - return this.grpcService.admin.removeSecondFactorFromDefaultLoginPolicy(req); + public removeSecondFactorFromLoginPolicy(req: RemoveSecondFactorFromLoginPolicyRequest): Promise { + return this.grpcService.admin.removeSecondFactorFromLoginPolicy(req, null).then(resp => resp.toObject());; } - public GetIamMemberRoles(): Promise { - const req = new Empty(); - return this.grpcService.admin.getIamMemberRoles(req); + public listIAMMemberRoles(): Promise { + const req = new ListIAMMemberRolesRequest(); + return this.grpcService.admin.listIAMMemberRoles(req, null).then(resp => resp.toObject());; } - public GetViews(): Promise { - const req = new Empty(); - return this.grpcService.admin.getViews(req); + public listViews(): Promise { + const req = new ListViewsRequest(); + return this.grpcService.admin.listViews(req, null).then(resp => resp.toObject());; } - public GetFailedEvents(): Promise { - const req = new Empty(); - return this.grpcService.admin.getFailedEvents(req); + public listFailedEvents(): Promise { + const req = new ListFailedEventsRequest(); + return this.grpcService.admin.listFailedEvents(req, null).then(resp => resp.toObject());; } - public ClearView(viewname: string, db: string): Promise { - const req: ViewID = new ViewID(); + public clearView(viewname: string, db: string): Promise { + const req = new ClearViewRequest(); req.setDatabase(db); req.setViewName(viewname); - return 
this.grpcService.admin.clearView(req); + return this.grpcService.admin.clearView(req, null).then(resp => resp.toObject());; } - public RemoveFailedEvent(viewname: string, db: string, sequence: number): Promise { - const req: FailedEventID = new FailedEventID(); + public removeFailedEvent(viewname: string, db: string, sequence: number): Promise { + const req = new RemoveFailedEventRequest(); req.setDatabase(db); req.setViewName(viewname); req.setFailedSequence(sequence); - return this.grpcService.admin.removeFailedEvent(req); + return this.grpcService.admin.removeFailedEvent(req, null).then(resp => resp.toObject());; } /* Policies */ /* complexity */ - public GetDefaultPasswordComplexityPolicy(): Promise { - const req = new Empty(); - return this.grpcService.admin.getDefaultPasswordComplexityPolicy(req); + public getPasswordComplexityPolicy(): Promise { + const req = new GetPasswordComplexityPolicyRequest(); + return this.grpcService.admin.getPasswordComplexityPolicy(req, null).then(resp => resp.toObject());; } - public UpdateDefaultPasswordComplexityPolicy( + public updatePasswordComplexityPolicy( hasLowerCase: boolean, hasUpperCase: boolean, hasNumber: boolean, hasSymbol: boolean, minLength: number, - ): Promise { - const req = new DefaultPasswordComplexityPolicyRequest(); + ): Promise { + const req = new UpdatePasswordComplexityPolicyRequest(); req.setHasLowercase(hasLowerCase); req.setHasUppercase(hasUpperCase); req.setHasNumber(hasNumber); req.setHasSymbol(hasSymbol); req.setMinLength(minLength); - return this.grpcService.admin.updateDefaultPasswordComplexityPolicy(req); + return this.grpcService.admin.updatePasswordComplexityPolicy(req, null).then(resp => resp.toObject());; } /* age */ - public GetDefaultPasswordAgePolicy(): Promise { - const req = new Empty(); + public getPasswordAgePolicy(): Promise { + const req = new GetPasswordAgePolicyRequest(); - return this.grpcService.admin.getDefaultPasswordAgePolicy(req); + return 
this.grpcService.admin.getPasswordAgePolicy(req, null).then(resp => resp.toObject());; } - public UpdateDefaultPasswordAgePolicy( + public updatePasswordAgePolicy( maxAgeDays: number, expireWarnDays: number, - ): Promise { - const req = new DefaultPasswordAgePolicyRequest(); + ): Promise { + const req = new UpdatePasswordAgePolicyRequest(); req.setMaxAgeDays(maxAgeDays); req.setExpireWarnDays(expireWarnDays); - return this.grpcService.admin.updateDefaultPasswordAgePolicy(req); + return this.grpcService.admin.updatePasswordAgePolicy(req, null).then(resp => resp.toObject());; } /* lockout */ - public GetDefaultPasswordLockoutPolicy(): Promise { - const req = new Empty(); - return this.grpcService.admin.getDefaultPasswordLockoutPolicy(req); + public getPasswordLockoutPolicy(): Promise { + const req = new GetPasswordLockoutPolicyRequest(); + return this.grpcService.admin.getPasswordLockoutPolicy(req, null).then(resp => resp.toObject());; } - public UpdateDefaultPasswordLockoutPolicy( + public updatePasswordLockoutPolicy( maxAttempts: number, showLockoutFailures: boolean, - ): Promise { - const req = new DefaultPasswordLockoutPolicyRequest(); + ): Promise { + const req = new UpdatePasswordLockoutPolicyRequest(); req.setMaxAttempts(maxAttempts); req.setShowLockoutFailure(showLockoutFailures); - return this.grpcService.admin.updateDefaultPasswordLockoutPolicy(req); + return this.grpcService.admin.updatePasswordLockoutPolicy(req, null).then(resp => resp.toObject());; } /* label */ - public GetDefaultLabelPolicy(): Promise { - const req = new Empty(); - return this.grpcService.admin.getDefaultLabelPolicy(req); + public getLabelPolicy(): Promise { + const req = new GetLabelPolicyRequest(); + return this.grpcService.admin.getLabelPolicy(req, null).then(resp => resp.toObject()); } - public UpdateDefaultLabelPolicy(req: DefaultLabelPolicyUpdate): Promise { - return this.grpcService.admin.updateDefaultLabelPolicy(req); + public updateLabelPolicy(req: UpdateLabelPolicyRequest): 
Promise { + return this.grpcService.admin.updateLabelPolicy(req, null).then(resp => resp.toObject());; } /* login */ - public GetDefaultLoginPolicy( - ): Promise { - const req = new Empty(); - return this.grpcService.admin.getDefaultLoginPolicy(req); + public getLoginPolicy( + ): Promise { + const req = new GetLoginPolicyRequest(); + return this.grpcService.admin.getLoginPolicy(req, null).then(resp => resp.toObject());; } - public UpdateDefaultLoginPolicy(req: DefaultLoginPolicyRequest): Promise { - return this.grpcService.admin.updateDefaultLoginPolicy(req); + public updateLoginPolicy(req: UpdateLoginPolicyRequest): Promise { + return this.grpcService.admin.updateLoginPolicy(req, null).then(resp => resp.toObject());; } /* org iam */ - public GetOrgIamPolicy(orgId: string): Promise { - const req = new OrgIamPolicyID(); + public getCustomOrgIAMPolicy(orgId: string): Promise { + const req = new GetCustomOrgIAMPolicyRequest(); req.setOrgId(orgId); - return this.grpcService.admin.getOrgIamPolicy(req); + return this.grpcService.admin.getCustomOrgIAMPolicy(req, null).then(resp => resp.toObject());; } - public CreateOrgIamPolicy( + public addCustomOrgIAMPolicy( orgId: string, - userLoginMustBeDomain: boolean): Promise { - const req = new OrgIamPolicyRequest(); + userLoginMustBeDomain: boolean): Promise { + const req = new AddCustomOrgIAMPolicyRequest(); req.setOrgId(orgId); req.setUserLoginMustBeDomain(userLoginMustBeDomain); - return this.grpcService.admin.createOrgIamPolicy(req); + return this.grpcService.admin.addCustomOrgIAMPolicy(req, null).then(resp => resp.toObject());; } - public UpdateOrgIamPolicy( + public updateCustomOrgIAMPolicy( orgId: string, - userLoginMustBeDomain: boolean): Promise { - const req = new OrgIamPolicyRequest(); + userLoginMustBeDomain: boolean): Promise { + const req = new UpdateCustomOrgIAMPolicyRequest(); req.setOrgId(orgId); req.setUserLoginMustBeDomain(userLoginMustBeDomain); - return this.grpcService.admin.updateOrgIamPolicy(req); + 
return this.grpcService.admin.updateCustomOrgIAMPolicy(req, null).then(resp => resp.toObject());; } - public RemoveOrgIamPolicy( + public resetCustomOrgIAMPolicyToDefault( orgId: string, - ): Promise { - const req = new OrgIamPolicyID(); + ): Promise { + const req = new ResetCustomOrgIAMPolicyToDefaultRequest(); req.setOrgId(orgId); - return this.grpcService.admin.removeOrgIamPolicy(req); + return this.grpcService.admin.resetCustomOrgIAMPolicyToDefault(req, null).then(resp => resp.toObject());; } /* admin iam */ - public GetDefaultOrgIamPolicy(): Promise { - const req = new Empty(); - return this.grpcService.admin.getDefaultOrgIamPolicy(req); + public getOrgIAMPolicy(): Promise { + const req = new GetOrgIAMPolicyRequest(); + return this.grpcService.admin.getOrgIAMPolicy(req, null).then(resp => resp.toObject());; + } + + public updateOrgIAMPolicy(userLoginMustBeDomain: boolean): Promise { + const req = new UpdateOrgIAMPolicyRequest(); + req.setUserLoginMustBeDomain(userLoginMustBeDomain); + return this.grpcService.admin.updateOrgIAMPolicy(req, null).then(resp => resp.toObject());; } /* policies end */ - public AddIdpProviderToDefaultLoginPolicy(configId: string): Promise { - const req = new IdpProviderID(); - req.setIdpConfigId(configId); - return this.grpcService.admin.addIdpProviderToDefaultLoginPolicy(req); + public addIDPToLoginPolicy(idpId: string): Promise { + const req = new AddIDPToLoginPolicyRequest(); + req.setIdpId(idpId); + return this.grpcService.admin.addIDPToLoginPolicy(req, null).then(resp => resp.toObject());; } - public RemoveIdpProviderFromDefaultLoginPolicy(configId: string): Promise { - const req = new IdpProviderID(); - req.setIdpConfigId(configId); - return this.grpcService.admin.removeIdpProviderFromDefaultLoginPolicy(req); + public removeIDPFromLoginPolicy(idpId: string): Promise { + const req = new RemoveIDPFromLoginPolicyRequest(); + req.setIdpId(idpId); + return this.grpcService.admin.removeIDPFromLoginPolicy(req, null).then(resp => 
resp.toObject());; } - public GetDefaultLoginPolicyIdpProviders(limit?: number, offset?: number): Promise { - const req = new IdpProviderSearchRequest(); + public listLoginPolicyIDPs(limit?: number, offset?: number): Promise { + const req = new ListLoginPolicyIDPsRequest(); + const query = new ListQuery(); if (limit) { - req.setLimit(limit); + query.setLimit(limit); } if (offset) { - req.setOffset(offset); + query.setOffset(offset); } - return this.grpcService.admin.getDefaultLoginPolicyIdpProviders(req); + req.setQuery(query); + return this.grpcService.admin.listLoginPolicyIDPs(req, null).then(resp => resp.toObject());; } - public SearchIdps( + public listIDPs( limit?: number, offset?: number, - queryList?: IdpSearchQuery[], - ): Promise { - const req = new IdpSearchRequest(); + queriesList?: IDPQuery[], + ): Promise { + const req = new ListIDPsRequest(); + const query = new ListQuery(); + if (limit) { - req.setLimit(limit); + query.setLimit(limit); } if (offset) { - req.setOffset(offset); + query.setOffset(offset); } - if (queryList) { - req.setQueriesList(queryList); + if (queriesList) { + req.setQueriesList(queriesList); } - return this.grpcService.admin.searchIdps(req); + req.setQuery(query); + return this.grpcService.admin.listIDPs(req, null).then(resp => resp.toObject());; } - public IdpByID( + public getIDPByID( id: string, - ): Promise { - const req = new IdpID(); + ): Promise { + const req = new GetIDPByIDRequest(); req.setId(id); - return this.grpcService.admin.idpByID(req); + return this.grpcService.admin.getIDPByID(req, null).then(resp => resp.toObject());; } - public UpdateIdp( - req: IdpUpdate, - ): Promise { - return this.grpcService.admin.updateIdpConfig(req); + public updateIDP( + req: UpdateIDPRequest, + ): Promise { + return this.grpcService.admin.updateIDP(req, null).then(resp => resp.toObject());; } - public CreateOidcIdp( - req: OidcIdpConfigCreate, - ): Promise { - return this.grpcService.admin.createOidcIdp(req); + public addOIDCIDP( + req: 
AddOIDCIDPRequest, + ): Promise { + return this.grpcService.admin.addOIDCIDP(req, null).then(resp => resp.toObject());; } - public UpdateOidcIdpConfig( - req: OidcIdpConfigUpdate, - ): Promise { - return this.grpcService.admin.updateOidcIdpConfig(req); + public updateIDPOIDCConfig( + req: UpdateIDPOIDCConfigRequest, + ): Promise { + return this.grpcService.admin.updateIDPOIDCConfig(req, null).then(resp => resp.toObject());; } - public RemoveIdpConfig( + public removeIDP( id: string, - ): Promise { - const req = new IdpID; - req.setId(id); - return this.grpcService.admin.removeIdpConfig(req); + ): Promise { + const req = new RemoveIDPRequest; + req.setIdpId(id); + return this.grpcService.admin.removeIDP(req, null).then(resp => resp.toObject());; } - public DeactivateIdpConfig( + public deactivateIDP( id: string, - ): Promise { - const req = new IdpID; - req.setId(id); - return this.grpcService.admin.deactivateIdpConfig(req); + ): Promise { + const req = new DeactivateIDPRequest; + req.setIdpId(id); + return this.grpcService.admin.deactivateIDP(req, null).then(resp => resp.toObject());; } - public ReactivateIdpConfig( + public reactivateIDP( id: string, - ): Promise { - const req = new IdpID; - req.setId(id); - return this.grpcService.admin.reactivateIdpConfig(req); + ): Promise { + const req = new ReactivateIDPRequest; + req.setIdpId(id); + return this.grpcService.admin.reactivateIDP(req, null).then(resp => resp.toObject());; } - public SearchIamMembers( + public listIAMMembers( limit: number, offset: number, - queryList?: IamMemberSearchQuery[], - ): Promise { - const req = new IamMemberSearchRequest(); - req.setLimit(limit); - req.setOffset(offset); - if (queryList) { - req.setQueriesList(queryList); + queriesList?: SearchQuery[], + ): Promise { + const req = new ListIAMMembersRequest(); + const metadata = new ListQuery(); + if (limit) { + metadata.setLimit(limit); } - return this.grpcService.admin.searchIamMembers(req); + if (offset) { + 
metadata.setOffset(offset); + } + if (queriesList) { + req.setQueriesList(queriesList); + } + req.setQuery(metadata); + + return this.grpcService.admin.listIAMMembers(req, null).then(resp => resp.toObject());; } - public RemoveIamMember( + public removeIAMMember( userId: string, - ): Promise { - const req = new RemoveIamMemberRequest(); + ): Promise { + const req = new RemoveIAMMemberRequest(); req.setUserId(userId); - - return this.grpcService.admin.removeIamMember(req); + return this.grpcService.admin.removeIAMMember(req, null).then(resp => resp.toObject());; } - public AddIamMember( + public addIAMMember( userId: string, rolesList: string[], - ): Promise { - const req = new AddIamMemberRequest(); + ): Promise { + const req = new AddIAMMemberRequest(); req.setUserId(userId); req.setRolesList(rolesList); - return this.grpcService.admin.addIamMember(req); + return this.grpcService.admin.addIAMMember(req, null).then(resp => resp.toObject());; } - public ChangeIamMember( + public updateIAMMember( userId: string, rolesList: string[], - ): Promise { - const req = new ChangeIamMemberRequest(); + ): Promise { + const req = new UpdateIAMMemberRequest(); req.setUserId(userId); req.setRolesList(rolesList); - return this.grpcService.admin.changeIamMember(req); + return this.grpcService.admin.updateIAMMember(req, null).then(resp => resp.toObject());; } } diff --git a/console/src/app/services/grpc-auth.service.ts b/console/src/app/services/grpc-auth.service.ts index 915cdcdfb7..0799fe7e26 100644 --- a/console/src/app/services/grpc-auth.service.ts +++ b/console/src/app/services/grpc-auth.service.ts 
@@ -1,46 +1,75 @@ import { Injectable } from '@angular/core'; import { OAuthService } from 'angular-oauth2-oidc'; -import { Empty } from 'google-protobuf/google/protobuf/empty_pb'; import { BehaviorSubject, from, merge, Observable, of, Subject } from 'rxjs'; import { catchError, filter, finalize, first, map, mergeMap, switchMap, take, timeout } from 'rxjs/operators'; import { - Changes, - ChangesRequest, - ExternalIDPRemoveRequest, - ExternalIDPSearchRequest, - ExternalIDPSearchResponse, - Gender, - MfaOtpResponse, - MultiFactors, - MyPermissions, - MyProjectOrgSearchQuery, - MyProjectOrgSearchRequest, - MyProjectOrgSearchResponse, - Org, - PasswordChange, - PasswordComplexityPolicy, - UpdateUserAddressRequest, - UpdateUserEmailRequest, - UpdateUserPhoneRequest, - UpdateUserProfileRequest, - UserAddress, - UserEmail, - UserMembershipSearchQuery, - UserMembershipSearchRequest, - UserMembershipSearchResponse, - UserPhone, - UserProfile, - UserProfileView, - UserSessionViews, - UserView, - VerifyMfaOtp, - VerifyUserPhoneRequest, - VerifyWebAuthN, - WebAuthNResponse, - WebAuthNTokenID, - WebAuthNTokens, -} from '../proto/generated/auth_pb'; + AddMyAuthFactorOTPRequest, + AddMyAuthFactorOTPResponse, + AddMyAuthFactorU2FRequest, + AddMyAuthFactorU2FResponse, + AddMyPasswordlessRequest, + AddMyPasswordlessResponse, + GetMyEmailRequest, + GetMyEmailResponse, + GetMyPasswordComplexityPolicyRequest, + GetMyPasswordComplexityPolicyResponse, + GetMyPhoneRequest, + GetMyPhoneResponse, + GetMyProfileRequest, + GetMyProfileResponse, + GetMyUserRequest, + GetMyUserResponse, + ListMyAuthFactorsRequest, + ListMyAuthFactorsResponse, + ListMyLinkedIDPsRequest, + ListMyLinkedIDPsResponse, + ListMyPasswordlessRequest, + ListMyPasswordlessResponse, + ListMyProjectOrgsRequest, + ListMyProjectOrgsResponse, + ListMyUserChangesRequest, + ListMyUserChangesResponse, + ListMyUserGrantsRequest, + ListMyUserGrantsResponse, + ListMyUserSessionsRequest, + ListMyUserSessionsResponse, + 
ListMyZitadelPermissionsRequest, + ListMyZitadelPermissionsResponse, + RemoveMyAuthFactorOTPRequest, + RemoveMyAuthFactorOTPResponse, + RemoveMyAuthFactorU2FRequest, + RemoveMyAuthFactorU2FResponse, + RemoveMyLinkedIDPRequest, + RemoveMyLinkedIDPResponse, + RemoveMyPasswordlessRequest, + RemoveMyPasswordlessResponse, + RemoveMyPhoneRequest, + RemoveMyPhoneResponse, + ResendMyEmailVerificationRequest, + ResendMyEmailVerificationResponse, + ResendMyPhoneVerificationRequest, + ResendMyPhoneVerificationResponse, + SetMyEmailRequest, + SetMyEmailResponse, + SetMyPhoneRequest, + SetMyPhoneResponse, + UpdateMyPasswordRequest, + UpdateMyPasswordResponse, + UpdateMyProfileRequest, + UpdateMyProfileResponse, + VerifyMyAuthFactorOTPRequest, + VerifyMyAuthFactorOTPResponse, + VerifyMyAuthFactorU2FRequest, + VerifyMyAuthFactorU2FResponse, + VerifyMyPasswordlessRequest, + VerifyMyPasswordlessResponse, + VerifyMyPhoneRequest, + VerifyMyPhoneResponse, +} from '../proto/generated/zitadel/auth_pb'; +import { ListQuery } from '../proto/generated/zitadel/object_pb'; +import { Org, OrgQuery } from '../proto/generated/zitadel/org_pb'; +import { Gender, User, WebAuthNVerification } from '../proto/generated/zitadel/user_pb'; import { GrpcService } from './grpc.service'; import { StorageKey, StorageService } from './storage.service'; @@ -50,7 +79,7 @@ import { StorageKey, StorageService } from './storage.service'; }) export class GrpcAuthService { private _activeOrgChanged: Subject = new Subject(); - public user!: Observable; + public user!: Observable; private zitadelPermissions: BehaviorSubject = new BehaviorSubject(['user.resourceowner']); public readonly fetchedZitadelPermissions: BehaviorSubject = new BehaviorSubject(false as boolean); 
@@ -74,7 +103,14 @@ export class GrpcAuthService { ).pipe( take(1), mergeMap(() => { - return from(this.GetMyUserProfile().then(userprofile => userprofile.toObject())); + return from(this.getMyUser().then(resp => { + const user = resp.user; + if (user) { + return user; + } else { + return undefined; + } + })); }), finalize(() => { this.loadPermissions(); @@ -86,7 +122,7 @@ export class GrpcAuthService { }); } - public async GetActiveOrg(id?: string): Promise { + public async getActiveOrg(id?: string): Promise { if (id) { const org = this.storage.getItem(StorageKey.organization); if (org && this.cachedOrgs.find(tmp => tmp.id === org.id)) { @@ -96,7 +132,7 @@ export class GrpcAuthService { } else { let orgs = this.cachedOrgs; if (orgs.length === 0) { - orgs = (await this.SearchMyProjectOrgs(10, 0)).toObject().resultList; + orgs = (await this.listMyProjectOrgs(10, 0)).resultList; this.cachedOrgs = orgs; } @@ -133,8 +169,8 @@ export class GrpcAuthService { this.activeOrgChanged.pipe(map(org => !!org)), ]).pipe( first(), - switchMap(() => from(this.GetMyzitadelPermissions())), - map(rolesResp => rolesResp.toObject().permissionsList), + switchMap(() => from(this.listMyZitadelPermissions())), + map(rolesResp => rolesResp.resultList), catchError(_ => { return of([]); }), 
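Review bot: In the `@@ -74,7 +103,14 @@` hunk, the `getMyUser().then(...)` callback spells out an if/else that returns `user` when it is set and `undefined` otherwise, which is exactly the value of `resp.user`. `return from(this.getMyUser().then(resp => resp.user));` does the same thing and makes it obvious that `this.user` can now emit `undefined`. The removed `toObject()` mapping always produced an object, so subscribers presumably need a check for the empty case. The enclosing pipe continues outside the hunk.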
@@ -171,51 +207,56 @@ export class GrpcAuthService { }) > -1; } - public GetMyUserProfile(): Promise { - return this.grpcService.auth.getMyUserProfile(new Empty()); + public getMyProfile(): Promise { + return this.grpcService.auth.getMyProfile(new GetMyProfileRequest(), null).then(resp => resp.toObject()); } - public GetMyPasswordComplexityPolicy(): Promise { + public getMyPasswordComplexityPolicy(): Promise { return this.grpcService.auth.getMyPasswordComplexityPolicy( - new Empty(), - ); + new GetMyPasswordComplexityPolicyRequest(), null + ).then(resp => resp.toObject()); } - public GetMyUser(): Promise { + public getMyUser(): Promise { return this.grpcService.auth.getMyUser( - new Empty(), - ); + new GetMyUserRequest(), null + ).then(resp => resp.toObject()); } - public GetMyMfas(): Promise { - return this.grpcService.auth.getMyMfas( - new Empty(), - ); + public listMyMultiFactors(): Promise { + return this.grpcService.auth.listMyAuthFactors( + new ListMyAuthFactorsRequest(), null + ).then(resp => resp.toObject()); } - public SearchMyProjectOrgs( + public listMyProjectOrgs( limit: number, offset: number, - queryList?: MyProjectOrgSearchQuery[], - ): Promise { - const req: MyProjectOrgSearchRequest = new MyProjectOrgSearchRequest(); - req.setOffset(offset); - req.setLimit(limit); + queryList?: OrgQuery[], + ): Promise { + const req = new ListMyProjectOrgsRequest(); + const metadata = new ListQuery(); + if (offset) { + metadata.setOffset(offset); + } + if (limit) { + metadata.setLimit(limit); + } if (queryList) { req.setQueriesList(queryList); } - return this.grpcService.auth.searchMyProjectOrgs(req); + return this.grpcService.auth.listMyProjectOrgs(req, null).then(resp => resp.toObject()); } - public SaveMyUserProfile( + public updateMyProfile( firstName?: string, lastName?: string, nickName?: string, preferredLanguage?: string, gender?: Gender, - ): Promise { - const req = new UpdateUserProfileRequest(); + ): Promise { + const req = new UpdateMyProfileRequest(); 
if (firstName) { req.setFirstName(firstName); } 
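Review bot: `listMyProjectOrgs` builds a `ListQuery` in `metadata` and sets offset and limit on it, but nothing in the hunk attaches it to the request, so both values are dropped before `listMyProjectOrgs(req, null)` is sent. The other list methods in this file end with `req.setQuery(...)`; add `req.setQuery(metadata);` before the return. `getActiveOrg` calls this method with `(10, 0)`, so the page size it asks for is presumably replaced by whatever the server defaults to.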
@@ -231,202 +272,195 @@ export class GrpcAuthService { if (preferredLanguage) { req.setPreferredLanguage(preferredLanguage); } - return this.grpcService.auth.updateMyUserProfile(req); + return this.grpcService.auth.updateMyProfile(req, null).then(resp => resp.toObject()); } public get zitadelPermissionsChanged(): Observable { return this.zitadelPermissions; } - public getMyUserSessions(): Promise { - return this.grpcService.auth.getMyUserSessions( - new Empty(), - ); + public listMyUserSessions(): Promise { + const req = new ListMyUserSessionsRequest(); + return this.grpcService.auth.listMyUserSessions(req, null).then(resp => resp.toObject()); } - public SearchUserMemberships(limit: number, offset: number, queryList?: UserMembershipSearchQuery[]): Promise { - const req = new UserMembershipSearchRequest(); - req.setLimit(limit); - req.setOffset(offset); - if (queryList) { - req.setQueriesList(queryList); + public listMyUserGrants(limit?: number, offset?: number, queryList?: ListQuery[]): Promise { + const req = new ListMyUserGrantsRequest(); + const query = new ListQuery(); + if (limit) { + query.setLimit(limit); } - return this.grpcService.auth.searchMyUserMemberships(req); + if (offset) { + query.setOffset(offset); + } + req.setQuery(query); + return this.grpcService.auth.listMyUserGrants(req, null).then(resp => resp.toObject()); } - public GetMyUserEmail(): Promise { - return this.grpcService.auth.getMyUserEmail( - new Empty(), - ); + public getMyEmail(): Promise { + const req = new GetMyEmailRequest(); + return this.grpcService.auth.getMyEmail(req, null).then(resp => resp.toObject()); } - public SaveMyUserEmail(email: string): Promise { - const req = new UpdateUserEmailRequest(); + public setMyEmail(email: string): Promise { + const req = new SetMyEmailRequest(); req.setEmail(email); - return this.grpcService.auth.changeMyUserEmail(req); + return this.grpcService.auth.setMyEmail(req, null).then(resp => resp.toObject()); } - public 
ResendMyEmailVerificationMail(): Promise { - return this.grpcService.auth.resendMyEmailVerificationMail( - new Empty(), - ); + public resendMyEmailVerification(): Promise { + const req = new ResendMyEmailVerificationRequest(); + return this.grpcService.auth.resendMyEmailVerification(req, null).then(resp => resp.toObject()); } - public RemoveMyUserPhone(): Promise { - return this.grpcService.auth.removeMyUserPhone( - new Empty(), - ); + public removeMyPhone(): Promise { + return this.grpcService.auth.removeMyPhone( + new RemoveMyPhoneRequest(), null + ).then(resp => resp.toObject()); } - public GetMyzitadelPermissions(): Promise { - return this.grpcService.auth.getMyZitadelPermissions( - new Empty(), - ); + public listMyZitadelPermissions(): Promise { + return this.grpcService.auth.listMyZitadelPermissions( + new ListMyZitadelPermissionsRequest(), null + ).then(resp => resp.toObject()); } - public GetMyUserPhone(): Promise { - return this.grpcService.auth.getMyUserPhone( - new Empty(), - ); + public getMyPhone(): Promise { + return this.grpcService.auth.getMyPhone( + new GetMyPhoneRequest(), null + ).then(resp => resp.toObject()); } - public SaveMyUserPhone(phone: string): Promise { - const req = new UpdateUserPhoneRequest(); + public setMyPhone(phone: string): Promise { + const req = new SetMyPhoneRequest(); req.setPhone(phone); - return this.grpcService.auth.changeMyUserPhone(req); + return this.grpcService.auth.setMyPhone(req, null).then(resp => resp.toObject()); } - public GetMyUserAddress(): Promise { - return this.grpcService.auth.getMyUserAddress( - new Empty(), - ); + public resendMyPhoneVerification(): Promise { + const req = new ResendMyPhoneVerificationRequest(); + return this.grpcService.auth.resendMyPhoneVerification(req, null).then(resp => resp.toObject()); } - public ResendEmailVerification(): Promise { - const req = new Empty(); - return this.grpcService.auth.resendMyEmailVerificationMail(req); - } - - public ResendPhoneVerification(): Promise { - 
const req = new Empty(); - return this.grpcService.auth.resendMyPhoneVerificationCode(req); - } - - public ChangeMyPassword(oldPassword: string, newPassword: string): Promise { - const req = new PasswordChange(); + public updateMyPassword(oldPassword: string, newPassword: string): Promise { + const req = new UpdateMyPasswordRequest(); req.setOldPassword(oldPassword); req.setNewPassword(newPassword); - return this.grpcService.auth.changeMyPassword(req); + return this.grpcService.auth.updateMyPassword(req, null).then(resp => resp.toObject()); } - public RemoveExternalIDP( + public removeMyLinkedIDP( externalUserId: string, - idpConfigId: string, - ): Promise { - const req = new ExternalIDPRemoveRequest(); - req.setExternalUserId(externalUserId); - req.setIdpConfigId(idpConfigId); - return this.grpcService.auth.removeMyExternalIDP(req); + idpId: string, + ): Promise { + const req = new RemoveMyLinkedIDPRequest(); + req.setLinkedUserId(externalUserId); + req.setIdpId(idpId); + return this.grpcService.auth.removeMyLinkedIDP(req, null).then(resp => resp.toObject()); } - public SearchMyExternalIdps( + public listMyLinkedIDPs( limit: number, offset: number, - ): Promise { - const req = new ExternalIDPSearchRequest(); - req.setLimit(limit); - req.setOffset(offset); - return this.grpcService.auth.searchMyExternalIDPs(req); + ): Promise { + const req = new ListMyLinkedIDPsRequest(); + const metadata = new ListQuery(); + if (limit) { + metadata.setLimit(limit); + } + if (offset) { + metadata.setOffset(offset); + } + req.setQuery(metadata); + return this.grpcService.auth.listMyLinkedIDPs(req, null).then(resp => resp.toObject()); } - public AddMfaOTP(): Promise { - return this.grpcService.auth.addMfaOTP( - new Empty(), - ); + public addMyMultiFactorOTP(): Promise { + return this.grpcService.auth.addMyAuthFactorOTP( + new AddMyAuthFactorOTPRequest(), null + ).then(resp => resp.toObject()); } - public AddMyMfaU2F(): Promise { - return this.grpcService.auth.addMyMfaU2F( - new 
Empty(), - ); + public addMyMultiFactorU2F(): Promise { + return this.grpcService.auth.addMyAuthFactorU2F( + new AddMyAuthFactorU2FRequest(), null + ).then(resp => resp.toObject()); } - public RemoveMyMfaU2F(id: string): Promise { - const req = new WebAuthNTokenID(); - req.setId(id); - return this.grpcService.auth.removeMyMfaU2F(req); + public removeMyMultiFactorU2F(tokenId: string): Promise { + const req = new RemoveMyAuthFactorU2FRequest(); + req.setTokenId(tokenId); + return this.grpcService.auth.removeMyAuthFactorU2F(req, null).then(resp => resp.toObject()); } - public VerifyMyMfaU2F(credential: string, tokenname: string): Promise { - const req = new VerifyWebAuthN(); - req.setPublicKeyCredential(credential); - req.setTokenName(tokenname); + public verifyMyMultiFactorU2F(credential: string, tokenname: string): Promise { + const req = new VerifyMyAuthFactorU2FRequest(); + const verification = new WebAuthNVerification(); + verification.setPublicKeyCredential(credential); + verification.setTokenName(tokenname); + req.setVerification(verification); - return this.grpcService.auth.verifyMyMfaU2F( - req, - ); + return this.grpcService.auth.verifyMyAuthFactorU2F(req, null).then(resp => resp.toObject()); } - public GetMyPasswordless(): Promise { - return this.grpcService.auth.getMyPasswordless( - new Empty(), - ); + public listMyPasswordless(): Promise { + return this.grpcService.auth.listMyPasswordless( + new ListMyPasswordlessRequest(), null + ).then(resp => resp.toObject()); } - public AddMyPasswordless(): Promise { + public addMyPasswordless(): Promise { return this.grpcService.auth.addMyPasswordless( - new Empty(), - ); + new AddMyPasswordlessRequest(), null + ).then(resp => resp.toObject()); } - public RemoveMyPasswordless(id: string): Promise { - const req = new WebAuthNTokenID(); - req.setId(id); - return this.grpcService.auth.removeMyPasswordless(req); + public removeMyPasswordless(tokenId: string): Promise { + const req = new RemoveMyPasswordlessRequest(); + 
req.setTokenId(tokenId); + return this.grpcService.auth.removeMyPasswordless(req, null).then(resp => resp.toObject()); } - public verifyMyPasswordless(credential: string, tokenname: string): Promise { - const req = new VerifyWebAuthN(); - req.setPublicKeyCredential(credential); - req.setTokenName(tokenname); + public verifyMyPasswordless(credential: string, tokenname: string): Promise { + const req = new VerifyMyPasswordlessRequest(); + const verification = new WebAuthNVerification(); + verification.setTokenName(tokenname); + verification.setPublicKeyCredential(credential); + req.setVerification(verification); return this.grpcService.auth.verifyMyPasswordless( - req, - ); + req, null + ).then(resp => resp.toObject()); } - public RemoveMfaOTP(): Promise { - return this.grpcService.auth.removeMfaOTP( - new Empty(), - ); + public removeMyMultiFactorOTP(): Promise { + return this.grpcService.auth.removeMyAuthFactorOTP( + new RemoveMyAuthFactorOTPRequest(), null + ).then(resp => resp.toObject()); } - public VerifyMfaOTP(code: string): Promise { - const req = new VerifyMfaOtp(); + public verifyMyMultiFactorOTP(code: string): Promise { + const req = new VerifyMyAuthFactorOTPRequest(); req.setCode(code); - return this.grpcService.auth.verifyMfaOTP(req); + return this.grpcService.auth.verifyMyAuthFactorOTP(req, null).then(resp => resp.toObject()); } - public VerifyMyUserPhone(code: string): Promise { - const req = new VerifyUserPhoneRequest(); + public verifyMyPhone(code: string): Promise { + const req = new VerifyMyPhoneRequest(); req.setCode(code); - return this.grpcService.auth.verifyMyUserPhone(req); + return this.grpcService.auth.verifyMyPhone(req, null).then(resp => resp.toObject()); } - public SaveMyUserAddress(address: UserAddress.AsObject): Promise { - const req = new UpdateUserAddressRequest(); - req.setStreetAddress(address.streetAddress); - req.setPostalCode(address.postalCode); - req.setLocality(address.locality); - req.setRegion(address.region); - 
req.setCountry(address.country); - return this.grpcService.auth.updateMyUserAddress(req); - } - - public GetMyUserChanges(limit: number, sequenceoffset: number): Promise { - const req = new ChangesRequest(); - req.setLimit(limit); - req.setSequenceOffset(sequenceoffset); - return this.grpcService.auth.getMyUserChanges(req); + public listMyUserChanges(limit: number, offset: number): Promise { + const req = new ListMyUserChangesRequest(); + const query = new ListQuery(); + if (limit) { + query.setLimit(limit); + } + if (offset) { + query.setOffset(offset); + } + req.setQuery(query); + return this.grpcService.auth.listMyUserChanges(req, null).then(resp => resp.toObject()); } } diff --git a/console/src/app/services/grpc.service.ts b/console/src/app/services/grpc.service.ts index a2a305dfe4..523d8a2eff 100644 --- a/console/src/app/services/grpc.service.ts +++ b/console/src/app/services/grpc.service.ts @@ -4,9 +4,9 @@ import { Injectable } from '@angular/core'; import { MatDialog } from '@angular/material/dialog'; import { AuthConfig } from 'angular-oauth2-oidc'; -import { AdminServicePromiseClient } from '../proto/generated/admin_grpc_web_pb'; -import { AuthServicePromiseClient } from '../proto/generated/auth_grpc_web_pb'; -import { ManagementServicePromiseClient } from '../proto/generated/management_grpc_web_pb'; +import { AdminServiceClient } from '../proto/generated/zitadel/AdminServiceClientPb'; +import { AuthServiceClient } from '../proto/generated/zitadel/AuthServiceClientPb'; +import { ManagementServiceClient } from '../proto/generated/zitadel/ManagementServiceClientPb'; import { AuthenticationService } from './authentication.service'; import { AuthInterceptor } from './interceptors/auth.interceptor'; import { I18nInterceptor } from './interceptors/i18n.interceptor'; 
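Review bot: `listMyUserGrants` still accepts `queryList` but never reads it, whereas the removed `SearchUserMemberships` passed it on with `req.setQueriesList(queryList)`. A caller that passes filters now gets the unfiltered list back with no error. The parameter is also typed `ListQuery[]`, and `ListQuery` is used everywhere else in this file as the paging message, so the element type looks wrong. Either drop the parameter or forward it if the request type has a queries field, which this hunk does not show.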
@@ -17,9 +17,9 @@ import { StorageService } from './storage.service'; providedIn: 'root', }) export class GrpcService { - public auth!: AuthServicePromiseClient; - public mgmt!: ManagementServicePromiseClient; - public admin!: AdminServicePromiseClient; + public auth!: AuthServiceClient; + public mgmt!: ManagementServiceClient; + public admin!: AdminServiceClient; constructor( private http: HttpClient, @@ -42,19 +42,19 @@ export class GrpcService { ], }; - this.auth = new AuthServicePromiseClient( + this.auth = new AuthServiceClient( data.authServiceUrl, null, // @ts-ignore interceptors, ); - this.mgmt = new ManagementServicePromiseClient( + this.mgmt = new ManagementServiceClient( data.mgmtServiceUrl, null, // @ts-ignore interceptors, ); - this.admin = new AdminServicePromiseClient( + this.admin = new AdminServiceClient( // TODO: replace with service url data.mgmtServiceUrl, null, diff --git a/console/src/app/services/interceptors/org.interceptor.ts b/console/src/app/services/interceptors/org.interceptor.ts index f488132b3e..ae5a2bf128 100644 --- a/console/src/app/services/interceptors/org.interceptor.ts +++ b/console/src/app/services/interceptors/org.interceptor.ts @@ -1,6 +1,6 @@ import { Injectable } from '@angular/core'; import { Request, UnaryInterceptor, UnaryResponse } from 'grpc-web'; -import { Org } from 'src/app/proto/generated/auth_pb'; +import { Org } from 'src/app/proto/generated/zitadel/org_pb'; import { StorageService } from '../storage.service'; diff --git a/console/src/app/services/mgmt.service.ts b/console/src/app/services/mgmt.service.ts index d4f47016b2..e0eb16705a 100644 --- a/console/src/app/services/mgmt.service.ts +++ b/console/src/app/services/mgmt.service.ts 
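Review bot: The `// @ts-ignore` above `interceptors` is kept on the constructor calls in the `@@ -42,19 +42,19 @@` hunk, although each call now constructs a `*ServiceClient` from the new `*ServiceClientPb` modules instead of a `*PromiseClient`. With the suppression in place the compiler cannot confirm that the options object still has the shape the new clients expect. That object presumably carries the `AuthInterceptor` imported at the top of the file, so a mismatch could mean requests go out without it and nothing would flag that at build time. Try removing the `// @ts-ignore` lines and fixing whatever type error surfaces. The `this.admin` call runs past the end of the hunk.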
@@ -3,174 +3,300 @@ import { Empty } from 'google-protobuf/google/protobuf/empty_pb'; import { Timestamp } from 'google-protobuf/google/protobuf/timestamp_pb'; import { BehaviorSubject } from 'rxjs'; -import { MultiFactorsResult } from '../proto/generated/admin_pb'; +import { AppQuery } from '../proto/generated/zitadel/app_pb'; +import { KeyType } from '../proto/generated/zitadel/auth_n_key_pb'; import { - AddClientKeyRequest, - AddClientKeyResponse, + AddAPIAppRequest, + AddAPIAppResponse, + AddAppKeyRequest, + AddAppKeyResponse, + AddCustomLoginPolicyRequest, + AddCustomLoginPolicyResponse, + AddCustomPasswordAgePolicyRequest, + AddCustomPasswordAgePolicyResponse, + AddCustomPasswordComplexityPolicyRequest, + AddCustomPasswordComplexityPolicyResponse, + AddCustomPasswordLockoutPolicyRequest, + AddCustomPasswordLockoutPolicyResponse, + AddHumanUserRequest, + AddHumanUserResponse, + AddIDPToLoginPolicyRequest, + AddIDPToLoginPolicyResponse, AddMachineKeyRequest, AddMachineKeyResponse, + AddMachineUserRequest, + AddMachineUserResponse, + AddMultiFactorToLoginPolicyRequest, + AddMultiFactorToLoginPolicyResponse, + AddOIDCAppRequest, + AddOIDCAppResponse, AddOrgDomainRequest, + AddOrgDomainResponse, AddOrgMemberRequest, - APIApplicationCreate, - APIAuthMethodType, - APIConfig, - APIConfigUpdate, - Application, - ApplicationID, - ApplicationSearchQuery, - ApplicationSearchRequest, - ApplicationSearchResponse, - ApplicationUpdate, - ApplicationView, - AuthNKeyType, - ChangeOrgMemberRequest, - ChangeRequest, - Changes, - ClientKeyIDRequest, - ClientKeySearchRequest, - ClientKeySearchResponse, - ClientSecret, - CreateHumanRequest, - CreateMachineRequest, - CreateUserRequest, - Domain, - ExternalIDPRemoveRequest, - ExternalIDPSearchRequest, - ExternalIDPSearchResponse, - Gender, - GrantedProjectSearchRequest, - Iam, - Idp, - IdpID, - IdpProviderAdd, - IdpProviderID, - IdpProviderSearchRequest, - IdpProviderSearchResponse, - IdpProviderType, - IdpSearchQuery, - 
IdpSearchRequest, - IdpSearchResponse, - IdpUpdate, - IdpView, - InitialMailRequest, - LoginName, - LoginPolicy, - LoginPolicyRequest, - LoginPolicyView, - MachineKeyIDRequest, - MachineKeySearchRequest, - MachineKeySearchResponse, - MachineKeyType, - MachineResponse, - MultiFactor, - NotificationType, - OIDCApplicationCreate, - OIDCConfig, - OIDCConfigUpdate, - OidcIdpConfig, - OidcIdpConfigCreate, - OidcIdpConfigUpdate, - Org, - OrgCreateRequest, - OrgDomain, - OrgDomainSearchQuery, - OrgDomainSearchRequest, - OrgDomainSearchResponse, - OrgDomainValidationRequest, - OrgDomainValidationResponse, - OrgDomainValidationType, - OrgIamPolicyView, - OrgMember, - OrgMemberRoles, - OrgMemberSearchRequest, - OrgMemberSearchResponse, - OrgView, - PasswordAgePolicy, - PasswordAgePolicyRequest, - PasswordAgePolicyView, - PasswordComplexityPolicy, - PasswordComplexityPolicyRequest, - PasswordComplexityPolicyView, - PasswordLockoutPolicy, - PasswordLockoutPolicyRequest, - PasswordRequest, - PrimaryOrgDomainRequest, - Project, - ProjectCreateRequest, - ProjectGrant, - ProjectGrantCreate, - ProjectGrantID, - ProjectGrantMember, - ProjectGrantMemberAdd, - ProjectGrantMemberChange, - ProjectGrantMemberRemove, - ProjectGrantMemberRoles, - ProjectGrantMemberSearchQuery, - ProjectGrantMemberSearchRequest, - ProjectGrantSearchRequest, - ProjectGrantSearchResponse, - ProjectGrantUpdate, - ProjectGrantView, - ProjectID, - ProjectMember, - ProjectMemberAdd, - ProjectMemberChange, - ProjectMemberRemove, - ProjectMemberRoles, - ProjectMemberSearchQuery, - ProjectMemberSearchRequest, - ProjectMemberSearchResponse, - ProjectRole, - ProjectRoleAdd, - ProjectRoleAddBulk, - ProjectRoleChange, - ProjectRoleRemove, - ProjectRoleSearchQuery, - ProjectRoleSearchRequest, - ProjectRoleSearchResponse, - ProjectSearchQuery, - ProjectSearchRequest, - ProjectSearchResponse, - ProjectUpdateRequest, - ProjectView, + AddOrgMemberResponse, + AddOrgOIDCIDPRequest, + AddOrgOIDCIDPResponse, + AddOrgRequest, + 
AddOrgResponse, + AddProjectGrantMemberRequest, + AddProjectGrantMemberResponse, + AddProjectGrantRequest, + AddProjectGrantResponse, + AddProjectMemberRequest, + AddProjectMemberResponse, + AddProjectRequest, + AddProjectResponse, + AddProjectRoleRequest, + AddProjectRoleResponse, + AddSecondFactorToLoginPolicyRequest, + AddSecondFactorToLoginPolicyResponse, + AddUserGrantRequest, + AddUserGrantResponse, + BulkAddProjectRolesRequest, + BulkAddProjectRolesResponse, + BulkRemoveUserGrantRequest, + BulkRemoveUserGrantResponse, + DeactivateAppRequest, + DeactivateAppResponse, + DeactivateOrgIDPRequest, + DeactivateOrgIDPResponse, + DeactivateOrgRequest, + DeactivateOrgResponse, + DeactivateProjectGrantRequest, + DeactivateProjectGrantResponse, + DeactivateProjectRequest, + DeactivateProjectResponse, + DeactivateUserRequest, + DeactivateUserResponse, + GenerateOrgDomainValidationRequest, + GenerateOrgDomainValidationResponse, + GetAppByIDRequest, + GetAppByIDResponse, + GetDefaultPasswordComplexityPolicyRequest, + GetDefaultPasswordComplexityPolicyResponse, + GetGrantedProjectByIDRequest, + GetGrantedProjectByIDResponse, + GetHumanEmailRequest, + GetHumanEmailResponse, + GetHumanPhoneRequest, + GetHumanPhoneResponse, + GetHumanProfileRequest, + GetHumanProfileResponse, + GetIAMRequest, + GetIAMResponse, + GetLoginPolicyRequest, + GetLoginPolicyResponse, + GetMyOrgRequest, + GetMyOrgResponse, + GetOIDCInformationRequest, + GetOIDCInformationResponse, + GetOrgByDomainGlobalRequest, + GetOrgByDomainGlobalResponse, + GetOrgIAMPolicyRequest, + GetOrgIAMPolicyResponse, + GetOrgIDPByIDRequest, + GetOrgIDPByIDResponse, + GetPasswordAgePolicyRequest, + GetPasswordAgePolicyResponse, + GetPasswordComplexityPolicyRequest, + GetPasswordComplexityPolicyResponse, + GetPasswordLockoutPolicyRequest, + GetPasswordLockoutPolicyResponse, + GetProjectByIDRequest, + GetProjectByIDResponse, + GetProjectGrantByIDRequest, + GetProjectGrantByIDResponse, + GetUserByIDRequest, + 
GetUserByIDResponse, + GetUserByLoginNameGlobalRequest, + GetUserByLoginNameGlobalResponse, + GetUserGrantByIDRequest, + GetUserGrantByIDResponse, + IDPQuery, + ListAppChangesRequest, + ListAppChangesResponse, + ListAppKeysRequest, + ListAppKeysResponse, + ListAppsRequest, + ListAppsResponse, + ListGrantedProjectsRequest, + ListGrantedProjectsResponse, + ListHumanAuthFactorsRequest, + ListHumanAuthFactorsResponse, + ListHumanLinkedIDPsRequest, + ListHumanLinkedIDPsResponse, + ListHumanPasswordlessRequest, + ListHumanPasswordlessResponse, + ListLoginPolicyIDPsRequest, + ListLoginPolicyIDPsResponse, + ListLoginPolicyMultiFactorsRequest, + ListLoginPolicyMultiFactorsResponse, + ListLoginPolicySecondFactorsResponse, + ListMachineKeysRequest, + ListMachineKeysResponse, + ListOrgChangesRequest, + ListOrgChangesResponse, + ListOrgDomainsRequest, + ListOrgDomainsResponse, + ListOrgIDPsRequest, + ListOrgIDPsResponse, + ListOrgMemberRolesRequest, + ListOrgMemberRolesResponse, + ListOrgMembersRequest, + ListOrgMembersResponse, + ListProjectChangesRequest, + ListProjectChangesResponse, + ListProjectGrantMemberRolesRequest, + ListProjectGrantMemberRolesResponse, + ListProjectGrantMembersRequest, + ListProjectGrantMembersResponse, + ListProjectGrantsRequest, + ListProjectGrantsResponse, + ListProjectMemberRolesRequest, + ListProjectMemberRolesResponse, + ListProjectMembersRequest, + ListProjectMembersResponse, + ListProjectRolesRequest, + ListProjectRolesResponse, + ListProjectsRequest, + ListProjectsResponse, + ListUserChangesRequest, + ListUserChangesResponse, + ListUserGrantRequest, + ListUserGrantResponse, + ListUserMembershipsRequest, + ListUserMembershipsResponse, + ListUsersRequest, + ListUsersResponse, + ReactivateAppRequest, + ReactivateAppResponse, + ReactivateOrgIDPRequest, + ReactivateOrgIDPResponse, + ReactivateOrgRequest, + ReactivateOrgResponse, + ReactivateProjectGrantRequest, + ReactivateProjectGrantResponse, + ReactivateProjectRequest, + 
ReactivateProjectResponse, + ReactivateUserRequest, + ReactivateUserResponse, + RegenerateAPIClientSecretRequest, + RegenerateAPIClientSecretResponse, + RegenerateOIDCClientSecretRequest, + RegenerateOIDCClientSecretResponse, + RemoveAppKeyRequest, + RemoveAppKeyResponse, + RemoveAppRequest, + RemoveAppResponse, + RemoveHumanAuthFactorOTPRequest, + RemoveHumanAuthFactorOTPResponse, + RemoveHumanAuthFactorU2FRequest, + RemoveHumanAuthFactorU2FResponse, + RemoveHumanLinkedIDPRequest, + RemoveHumanLinkedIDPResponse, + RemoveHumanPasswordlessRequest, + RemoveHumanPasswordlessResponse, + RemoveHumanPhoneRequest, + RemoveHumanPhoneResponse, + RemoveIDPFromLoginPolicyRequest, + RemoveIDPFromLoginPolicyResponse, + RemoveMachineKeyRequest, + RemoveMachineKeyResponse, + RemoveMultiFactorFromLoginPolicyRequest, + RemoveMultiFactorFromLoginPolicyResponse, RemoveOrgDomainRequest, + RemoveOrgDomainResponse, + RemoveOrgIDPRequest, + RemoveOrgIDPResponse, RemoveOrgMemberRequest, - SecondFactor, - SecondFactorsResult, - SetPasswordNotificationRequest, + RemoveOrgMemberResponse, + RemoveProjectGrantMemberRequest, + RemoveProjectGrantMemberResponse, + RemoveProjectGrantRequest, + RemoveProjectGrantResponse, + RemoveProjectMemberRequest, + RemoveProjectMemberResponse, + RemoveProjectRequest, + RemoveProjectResponse, + RemoveProjectRoleRequest, + RemoveProjectRoleResponse, + RemoveSecondFactorFromLoginPolicyRequest, + RemoveSecondFactorFromLoginPolicyResponse, + RemoveUserGrantRequest, + RemoveUserGrantResponse, + RemoveUserRequest, + RemoveUserResponse, + ResendHumanEmailVerificationRequest, + ResendHumanInitializationRequest, + ResendHumanInitializationResponse, + ResendHumanPhoneVerificationRequest, + ResetLoginPolicyToDefaultRequest, + ResetLoginPolicyToDefaultResponse, + ResetPasswordAgePolicyToDefaultRequest, + ResetPasswordAgePolicyToDefaultResponse, + ResetPasswordComplexityPolicyToDefaultRequest, + ResetPasswordComplexityPolicyToDefaultResponse, + 
ResetPasswordLockoutPolicyToDefaultRequest, + ResetPasswordLockoutPolicyToDefaultResponse, + SendHumanResetPasswordNotificationRequest, + SetHumanInitialPasswordRequest, + SetPrimaryOrgDomainRequest, + SetPrimaryOrgDomainResponse, + UpdateAPIAppConfigRequest, + UpdateAPIAppConfigResponse, + UpdateAppRequest, + UpdateAppResponse, + UpdateCustomLoginPolicyRequest, + UpdateCustomLoginPolicyResponse, + UpdateCustomPasswordAgePolicyRequest, + UpdateCustomPasswordAgePolicyResponse, + UpdateCustomPasswordComplexityPolicyRequest, + UpdateCustomPasswordComplexityPolicyResponse, + UpdateCustomPasswordLockoutPolicyRequest, + UpdateCustomPasswordLockoutPolicyResponse, + UpdateHumanEmailRequest, + UpdateHumanEmailResponse, + UpdateHumanPhoneRequest, + UpdateHumanPhoneResponse, + UpdateHumanProfileRequest, + UpdateHumanProfileResponse, UpdateMachineRequest, - UpdateUserAddressRequest, - UpdateUserEmailRequest, - UpdateUserPhoneRequest, - UpdateUserProfileRequest, - UserAddress, - UserEmail, - UserGrant, - UserGrantCreate, - UserGrantID, - UserGrantRemoveBulk, - UserGrantSearchQuery, - UserGrantSearchRequest, - UserGrantSearchResponse, - UserGrantUpdate, - UserGrantView, - UserID, - UserMembershipSearchQuery, - UserMembershipSearchRequest, - UserMembershipSearchResponse, - UserMultiFactors, - UserPhone, - UserProfile, - UserResponse, - UserSearchQuery, - UserSearchRequest, - UserSearchResponse, - UserView, + UpdateMachineResponse, + UpdateOIDCAppConfigRequest, + UpdateOIDCAppConfigResponse, + UpdateOrgIDPOIDCConfigRequest, + UpdateOrgIDPOIDCConfigResponse, + UpdateOrgIDPRequest, + UpdateOrgIDPResponse, + UpdateOrgMemberRequest, + UpdateOrgMemberResponse, + UpdateProjectGrantMemberRequest, + UpdateProjectGrantMemberResponse, + UpdateProjectGrantRequest, + UpdateProjectGrantResponse, + UpdateProjectMemberRequest, + UpdateProjectMemberResponse, + UpdateProjectRequest, + UpdateProjectResponse, + UpdateProjectRoleRequest, + UpdateProjectRoleResponse, + UpdateUserGrantRequest, + 
UpdateUserGrantResponse, ValidateOrgDomainRequest, - WebAuthNTokenID, - WebAuthNTokens, - ZitadelDocs, -} from '../proto/generated/management_pb'; + ValidateOrgDomainResponse, +} from '../proto/generated/zitadel/management_pb'; +import { SearchQuery } from '../proto/generated/zitadel/member_pb'; +import { ListQuery } from '../proto/generated/zitadel/object_pb'; +import { DomainSearchQuery, DomainValidationType } from '../proto/generated/zitadel/org_pb'; +import { PasswordComplexityPolicy } from '../proto/generated/zitadel/policy_pb'; +import { ProjectQuery, RoleQuery } from '../proto/generated/zitadel/project_pb'; +import { + Gender, + MembershipQuery, + SearchQuery as UserSearchQuery, + UserFieldName, + UserGrantQuery, +} from '../proto/generated/zitadel/user_pb'; import { GrpcService } from './grpc.service'; export type ResponseMapper = (resp: TResp) => TMappedResp; 
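Review bot: The new import list from `management_pb` brings in `ListLoginPolicySecondFactorsResponse` but no matching `ListLoginPolicySecondFactorsRequest`, while the neighbouring list calls import both halves (`ListLoginPolicyMultiFactorsRequest`/`Response`, `ListLoginPolicyIDPsRequest`/`Response`). The next hunk shows the consequence: `listLoginPolicySecondFactors()` still builds `new Empty()`, the only added method in the visible part of that hunk that does. If the generated module exports the request type (not visible on this page), add `ListLoginPolicySecondFactorsRequest,` to this list and use `const req = new ListLoginPolicySecondFactorsRequest();` in that method, so the call does not depend on an empty message happening to satisfy the client's parameter type.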
@@ -184,538 +310,505 @@ export class ManagementService { constructor(private readonly grpcService: GrpcService) { } - public SearchIdps( + public listOrgIDPs( limit?: number, offset?: number, - queryList?: IdpSearchQuery[], - ): Promise { - const req = new IdpSearchRequest(); + queryList?: IDPQuery[], + ): Promise { + const req = new ListOrgIDPsRequest(); + const metadata = new ListQuery(); + if (limit) { - req.setLimit(limit); + metadata.setLimit(limit); } if (offset) { - req.setOffset(offset); + metadata.setOffset(offset); } if (queryList) { req.setQueriesList(queryList); } - return this.grpcService.mgmt.searchIdps(req); + return this.grpcService.mgmt.listOrgIDPs(req, null).then(resp => resp.toObject()); } - public GetPasswordless(userId: string): Promise { - const req = new UserID(); - req.setId(userId); - return this.grpcService.mgmt.getPasswordless(req); - } - - public RemovePasswordless(id: string, userId: string): Promise { - const req = new WebAuthNTokenID(); - req.setId(id); + public listHumanPasswordless(userId: string): Promise { + const req = new ListHumanPasswordlessRequest(); req.setUserId(userId); - return this.grpcService.mgmt.removePasswordless(req); + return this.grpcService.mgmt.listHumanPasswordless(req, null).then(resp => resp.toObject()); } - public GetLoginPolicyMultiFactors(): Promise { + public removeHumanPasswordless(tokenId: string, userId: string): Promise { + const req = new RemoveHumanPasswordlessRequest(); + req.setTokenId(tokenId); + req.setUserId(userId); + return this.grpcService.mgmt.removeHumanPasswordless(req, null).then(resp => resp.toObject()); + } + + public listLoginPolicyMultiFactors(): Promise { + const req = new ListLoginPolicyMultiFactorsRequest(); + return this.grpcService.mgmt.listLoginPolicyMultiFactors(req, null).then(resp => resp.toObject()); + } + + public addMultiFactorToLoginPolicy(req: AddMultiFactorToLoginPolicyRequest): Promise { + return this.grpcService.mgmt.addMultiFactorToLoginPolicy(req, null).then(resp 
=> resp.toObject()); + } + + public removeMultiFactorFromLoginPolicy(req: RemoveMultiFactorFromLoginPolicyRequest): Promise { + return this.grpcService.mgmt.removeMultiFactorFromLoginPolicy(req, null).then(resp => resp.toObject()); + } + + public listLoginPolicySecondFactors(): Promise { const req = new Empty(); - return this.grpcService.mgmt.getLoginPolicyMultiFactors(req); + return this.grpcService.mgmt.listLoginPolicySecondFactors(req, null).then(resp => resp.toObject()); } - public AddMultiFactorToLoginPolicy(req: MultiFactor): Promise { - return this.grpcService.mgmt.addMultiFactorToLoginPolicy(req); + public addSecondFactorToLoginPolicy(req: AddSecondFactorToLoginPolicyRequest): Promise { + return this.grpcService.mgmt.addSecondFactorToLoginPolicy(req, null).then(resp => resp.toObject()); } - public RemoveMultiFactorFromLoginPolicy(req: MultiFactor): Promise { - return this.grpcService.mgmt.removeMultiFactorFromLoginPolicy(req); + public removeSecondFactorFromLoginPolicy(req: RemoveSecondFactorFromLoginPolicyRequest): Promise { + return this.grpcService.mgmt.removeSecondFactorFromLoginPolicy(req, null).then(resp => resp.toObject()); } - public GetLoginPolicySecondFactors(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.getLoginPolicySecondFactors(req); + public getLoginPolicy(): Promise { + const req = new GetLoginPolicyRequest(); + return this.grpcService.mgmt.getLoginPolicy(req, null).then(resp => resp.toObject()); } - public AddSecondFactorToLoginPolicy(req: SecondFactor): Promise { - return this.grpcService.mgmt.addSecondFactorToLoginPolicy(req); + public updateCustomLoginPolicy(req: UpdateCustomLoginPolicyRequest): Promise { + return this.grpcService.mgmt.updateCustomLoginPolicy(req, null).then(resp => resp.toObject()); } - public RemoveSecondFactorFromLoginPolicy(req: SecondFactor): Promise { - return this.grpcService.mgmt.removeSecondFactorFromLoginPolicy(req); + public addCustomLoginPolicy(req: AddCustomLoginPolicyRequest): 
Promise { + return this.grpcService.mgmt.addCustomLoginPolicy(req, null).then(resp => resp.toObject()); } - public GetLoginPolicy(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.getLoginPolicy(req); + public resetLoginPolicyToDefault(): Promise { + const req = new ResetLoginPolicyToDefaultRequest(); + return this.grpcService.mgmt.resetLoginPolicyToDefault(req, null).then(resp => resp.toObject()); } - public UpdateLoginPolicy(req: LoginPolicyRequest): Promise { - return this.grpcService.mgmt.updateLoginPolicy(req); + public addIDPToLoginPolicy(idpId: string): Promise { + const req = new AddIDPToLoginPolicyRequest(); + req.setIdpId(idpId); + return this.grpcService.mgmt.addIDPToLoginPolicy(req, null).then(resp => resp.toObject()); } - public CreateLoginPolicy(req: LoginPolicyRequest): Promise { - return this.grpcService.mgmt.createLoginPolicy(req); + public removeIDPFromLoginPolicy(idpId: string): Promise { + const req = new RemoveIDPFromLoginPolicyRequest(); + req.setIdpId(idpId); + return this.grpcService.mgmt.removeIDPFromLoginPolicy(req, null).then(resp => resp.toObject()); } - public RemoveLoginPolicy(): Promise { - return this.grpcService.mgmt.removeLoginPolicy(new Empty()); - } - - public addIdpProviderToLoginPolicy(configId: string, idpType: IdpProviderType): Promise { - const req = new IdpProviderAdd(); - req.setIdpProviderType(idpType); - req.setIdpConfigId(configId); - return this.grpcService.mgmt.addIdpProviderToLoginPolicy(req); - } - - public RemoveIdpProviderFromLoginPolicy(configId: string): Promise { - const req = new IdpProviderID(); - req.setIdpConfigId(configId); - return this.grpcService.mgmt.removeIdpProviderFromLoginPolicy(req); - } - - public GetLoginPolicyIdpProviders(limit?: number, offset?: number): Promise { - const req = new IdpProviderSearchRequest(); + public listLoginPolicyIDPs(limit?: number, offset?: number): Promise { + const req = new ListLoginPolicyIDPsRequest(); + const metadata = new ListQuery(); if 
(limit) { - req.setLimit(limit); + metadata.setLimit(limit); } if (offset) { - req.setOffset(offset); + metadata.setOffset(offset); } - return this.grpcService.mgmt.getLoginPolicyIdpProviders(req); + return this.grpcService.mgmt.listLoginPolicyIDPs(req, null).then(resp => resp.toObject()); } - public IdpByID( + public getOrgIDPByID( id: string, - ): Promise { - const req = new IdpID(); + ): Promise { + const req = new GetOrgIDPByIDRequest(); req.setId(id); - return this.grpcService.mgmt.idpByID(req); + return this.grpcService.mgmt.getOrgIDPByID(req, null).then(resp => resp.toObject()); } - public UpdateIdp( - req: IdpUpdate, - ): Promise { - return this.grpcService.mgmt.updateIdpConfig(req); + public updateOrgIDP( + req: UpdateOrgIDPRequest, + ): Promise { + return this.grpcService.mgmt.updateOrgIDP(req, null).then(resp => resp.toObject()); } - public CreateOidcIdp( - req: OidcIdpConfigCreate, - ): Promise { - return this.grpcService.mgmt.createOidcIdp(req); + public addOrgOIDCIDP( + req: AddOrgOIDCIDPRequest, + ): Promise { + return this.grpcService.mgmt.addOrgOIDCIDP(req, null).then(resp => resp.toObject()); } - public UpdateOidcIdpConfig( - req: OidcIdpConfigUpdate, - ): Promise { - return this.grpcService.mgmt.updateOidcIdpConfig(req); + public updateOrgIDPOIDCConfig( + req: UpdateOrgIDPOIDCConfigRequest, + ): Promise { + return this.grpcService.mgmt.updateOrgIDPOIDCConfig(req, null).then(resp => resp.toObject()); } - public RemoveIdpConfig( - id: string, - ): Promise { - const req = new IdpID; - req.setId(id); - return this.grpcService.mgmt.removeIdpConfig(req); + public removeOrgIDP( + idpId: string, + ): Promise { + const req = new RemoveOrgIDPRequest(); + req.setIdpId(idpId); + return this.grpcService.mgmt.removeOrgIDP(req, null).then(resp => resp.toObject()); } - public DeactivateIdpConfig( - id: string, - ): Promise { - const req = new IdpID; - req.setId(id); - return this.grpcService.mgmt.deactivateIdpConfig(req); + public deactivateOrgIDP( + idpId: 
string, + ): Promise { + const req = new DeactivateOrgIDPRequest(); + req.setIdpId(idpId); + return this.grpcService.mgmt.deactivateOrgIDP(req, null).then(resp => resp.toObject()); } - public ReactivateIdpConfig( - id: string, - ): Promise { - const req = new IdpID; - req.setId(id); - return this.grpcService.mgmt.reactivateIdpConfig(req); + public reactivateOrgIDP( + idpId: string, + ): Promise { + const req = new ReactivateOrgIDPRequest(); + req.setIdpId(idpId); + return this.grpcService.mgmt.reactivateOrgIDP(req, null).then(resp => resp.toObject()); } - public CreateUserHuman(username: string, user: CreateHumanRequest): Promise { - const req = new CreateUserRequest(); - - req.setUserName(username); - req.setHuman(user); - - return this.grpcService.mgmt.createUser(req); + public addHumanUser(req: AddHumanUserRequest): Promise { + return this.grpcService.mgmt.addHumanUser(req, null).then(resp => resp.toObject()); } - public CreateUserMachine(username: string, user: CreateMachineRequest): Promise { - const req = new CreateUserRequest(); - - req.setUserName(username); - req.setMachine(user); - - return this.grpcService.mgmt.createUser(req); + public addMachineUser(req: AddMachineUserRequest): Promise { + return this.grpcService.mgmt.addMachineUser(req, null).then(resp => resp.toObject()); } - public UpdateUserMachine( - id: string, + public updateMachine( + userId: string, + name?: string, description?: string, - ): Promise { + ): Promise { const req = new UpdateMachineRequest(); - req.setId(id); + req.setUserId(userId); + if (name) { + req.setName(name); + } if (description) { req.setDescription(description); } - return this.grpcService.mgmt.updateUserMachine(req); + return this.grpcService.mgmt.updateMachine(req, null).then(resp => resp.toObject()); } - public AddMachineKey( + public addMachineKey( userId: string, - type: MachineKeyType, + type: KeyType, date?: Timestamp, - ): Promise { + ): Promise { const req = new AddMachineKeyRequest(); req.setType(type); 
req.setUserId(userId); if (date) { req.setExpirationDate(date); } - return this.grpcService.mgmt.addMachineKey(req); + return this.grpcService.mgmt.addMachineKey(req, null).then(resp => resp.toObject()); } - public addClientKey( - projectId: string, - appId: string, - type: AuthNKeyType, - date?: Timestamp, - ): Promise { - const req = new AddClientKeyRequest(); - req.setType(type); - req.setProjectId(projectId); - req.setApplicationId(appId); - if (date) { - req.setExpirationDate(date); - } - return this.grpcService.mgmt.addClientKey(req); - } - - - public DeleteMachineKey( + public removeMachineKey( keyId: string, userId: string, - ): Promise { - const req = new MachineKeyIDRequest(); + ): Promise { + const req = new RemoveMachineKeyRequest(); req.setKeyId(keyId); req.setUserId(userId); - return this.grpcService.mgmt.deleteMachineKey(req); + return this.grpcService.mgmt.removeMachineKey(req, null).then(resp => resp.toObject()); } - public DeleteClientKey( - keyId: string, - projectId: string, - appId: string, - ): Promise { - const req = new ClientKeyIDRequest(); - req.setKeyId(keyId); - req.setProjectId(projectId); - req.setApplicationId(appId); - console.log(keyId, projectId, appId); - - return this.grpcService.mgmt.deleteClientKey(req); - } - - public SearchMachineKeys( + public listMachineKeys( userId: string, - limit: number, - offset: number, + limit?: number, + offset?: number, asc?: boolean, - ): Promise { - const req = new MachineKeySearchRequest(); + ): Promise { + const req = new ListMachineKeysRequest(); + const metadata = new ListQuery(); req.setUserId(userId); - req.setLimit(limit); - req.setOffset(offset); - if (asc) { - req.setAsc(asc); + if (limit) { + metadata.setLimit(limit); } - return this.grpcService.mgmt.searchMachineKeys(req); - } - - public SearchClientKeys( - projectId: string, - appId: string, - limit: number, - offset: number, - asc?: boolean, - ): Promise { - const req = new ClientKeySearchRequest(); - req.setProjectId(projectId); - 
req.setApplicationId(appId); - req.setLimit(limit); - req.setOffset(offset); - if (asc) { - req.setAsc(asc); + if (offset) { + metadata.setOffset(offset); } - return this.grpcService.mgmt.searchClientKeys(req); + if (asc) { + metadata.setAsc(asc); + } + req.setQuery(metadata); + return this.grpcService.mgmt.listMachineKeys(req, null).then(resp => resp.toObject()); } - public RemoveExternalIDP( - externalUserId: string, - idpConfigId: string, + public removeHumanLinkedIDP( + idpId: string, userId: string, - ): Promise { - const req = new ExternalIDPRemoveRequest(); + linkedUserId: string, + ): Promise { + const req = new RemoveHumanLinkedIDPRequest(); req.setUserId(userId); - req.setExternalUserId(externalUserId); - req.setIdpConfigId(idpConfigId); - return this.grpcService.mgmt.removeExternalIDP(req); + req.setIdpId(idpId); + req.setUserId(userId); + req.setLinkedUserId(linkedUserId); + return this.grpcService.mgmt.removeHumanLinkedIDP(req, null).then(resp => resp.toObject()); } - public SearchUserExternalIDPs( - limit: number, - offset: number, + public listHumanLinkedIDPs( userId: string, - ): Promise { - const req = new ExternalIDPSearchRequest(); + limit?: number, + offset?: number, + ): Promise { + const req = new ListHumanLinkedIDPsRequest(); + const metadata = new ListQuery(); req.setUserId(userId); - req.setLimit(limit); - req.setOffset(offset); - return this.grpcService.mgmt.searchUserExternalIDPs(req); + if (limit) { + metadata.setLimit(limit); + } + if (offset) { + metadata.setOffset(offset); + } + req.setQuery(metadata); + return this.grpcService.mgmt.listHumanLinkedIDPs(req, null).then(resp => resp.toObject()); } - public GetIam(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.getIam(req); + public getIAM(): Promise { + const req = new GetIAMRequest(); + return this.grpcService.mgmt.getIAM(req, null).then(resp => resp.toObject()); } - public GetDefaultPasswordComplexityPolicy(): Promise { - const req = new Empty(); - return 
this.grpcService.mgmt.getDefaultPasswordComplexityPolicy(req); + public getDefaultPasswordComplexityPolicy(): Promise { + const req = new GetDefaultPasswordComplexityPolicyRequest(); + return this.grpcService.mgmt.getDefaultPasswordComplexityPolicy(req, null).then(resp => resp.toObject()); } - public GetMyOrg(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.getMyOrg(req); + public getMyOrg(): Promise { + const req = new GetMyOrgRequest(); + return this.grpcService.mgmt.getMyOrg(req, null).then(resp => resp.toObject()); } - public AddMyOrgDomain(domain: string): Promise { - const req: AddOrgDomainRequest = new AddOrgDomainRequest(); + public addOrgDomain(domain: string): Promise { + const req = new AddOrgDomainRequest(); req.setDomain(domain); - return this.grpcService.mgmt.addMyOrgDomain(req); + return this.grpcService.mgmt.addOrgDomain(req, null).then(resp => resp.toObject()); } - public RemoveMyOrgDomain(domain: string): Promise { - const req: RemoveOrgDomainRequest = new AddOrgDomainRequest(); + public removeOrgDomain(domain: string): Promise { + const req = new RemoveOrgDomainRequest(); req.setDomain(domain); - return this.grpcService.mgmt.removeMyOrgDomain(req); + return this.grpcService.mgmt.removeOrgDomain(req, null).then(resp => resp.toObject()); } - public SearchMyOrgDomains(queryList?: OrgDomainSearchQuery[]): - Promise { - const req: OrgDomainSearchRequest = new OrgDomainSearchRequest(); + public listOrgDomains(queryList?: DomainSearchQuery[]): + Promise { + const req: ListOrgDomainsRequest = new ListOrgDomainsRequest(); + // const metadata= new ListQuery(); if (queryList) { req.setQueriesList(queryList); } - - return this.grpcService.mgmt.searchMyOrgDomains(req); + return this.grpcService.mgmt.listOrgDomains(req, null).then(resp => resp.toObject()); } - public setMyPrimaryOrgDomain(domain: string): Promise { - const req: PrimaryOrgDomainRequest = new PrimaryOrgDomainRequest(); + public setPrimaryOrgDomain(domain: string): Promise { 
+ const req = new SetPrimaryOrgDomainRequest(); req.setDomain(domain); - return this.grpcService.mgmt.setMyPrimaryOrgDomain(req); + return this.grpcService.mgmt.setPrimaryOrgDomain(req, null).then(resp => resp.toObject()); } - public GenerateMyOrgDomainValidation(domain: string, type: OrgDomainValidationType): - Promise { - const req: OrgDomainValidationRequest = new OrgDomainValidationRequest(); + public generateOrgDomainValidation(domain: string, type: DomainValidationType): + Promise { + const req: GenerateOrgDomainValidationRequest = new GenerateOrgDomainValidationRequest(); req.setDomain(domain); req.setType(type); - return this.grpcService.mgmt.generateMyOrgDomainValidation(req); + return this.grpcService.mgmt.generateOrgDomainValidation(req, null).then(resp => resp.toObject()); } - public ValidateMyOrgDomain(domain: string): - Promise { - const req: ValidateOrgDomainRequest = new ValidateOrgDomainRequest(); + public validateOrgDomain(domain: string): + Promise { + const req = new ValidateOrgDomainRequest(); req.setDomain(domain); - return this.grpcService.mgmt.validateMyOrgDomain(req); + return this.grpcService.mgmt.validateOrgDomain(req, null).then(resp => resp.toObject()); } - public SearchMyOrgMembers(limit: number, offset: number): Promise { - const req = new OrgMemberSearchRequest(); - req.setLimit(limit); - req.setOffset(offset); - return this.grpcService.mgmt.searchMyOrgMembers(req); + public listOrgMembers(limit: number, offset: number): Promise { + const req = new ListOrgMembersRequest(); + const query = new ListQuery(); + if (limit) { + query.setLimit(limit); + } + if (offset) { + query.setOffset(offset); + } + req.setQuery(query); + + return this.grpcService.mgmt.listOrgMembers(req, null).then(resp => resp.toObject()); } - public getOrgByDomainGlobal(domain: string): Promise { - const req = new Domain(); + public getOrgByDomainGlobal(domain: string): Promise { + const req = new GetOrgByDomainGlobalRequest(); req.setDomain(domain); - return 
this.grpcService.mgmt.getOrgByDomainGlobal(req); + return this.grpcService.mgmt.getOrgByDomainGlobal(req, null).then(resp => resp.toObject()); } - public CreateOrg(name: string): Promise { - const req = new OrgCreateRequest(); + public addOrg(name: string): Promise { + const req = new AddOrgRequest(); req.setName(name); - return this.grpcService.mgmt.createOrg(req); + return this.grpcService.mgmt.addOrg(req, null).then(resp => resp.toObject()); } - public AddMyOrgMember(userId: string, rolesList: string[]): Promise { + public addOrgMember(userId: string, rolesList: string[]): Promise { const req = new AddOrgMemberRequest(); req.setUserId(userId); if (rolesList) { req.setRolesList(rolesList); } - return this.grpcService.mgmt.addMyOrgMember(req); + return this.grpcService.mgmt.addOrgMember(req, null).then(resp => resp.toObject()); } - public ChangeMyOrgMember(userId: string, rolesList: string[]): Promise { - const req = new ChangeOrgMemberRequest(); + public updateOrgMember(userId: string, rolesList: string[]): Promise { + const req = new UpdateOrgMemberRequest(); req.setUserId(userId); req.setRolesList(rolesList); - return this.grpcService.mgmt.changeMyOrgMember(req); + return this.grpcService.mgmt.updateOrgMember(req, null).then(resp => resp.toObject()); } - public RemoveMyOrgMember(userId: string): Promise { + public removeOrgMember(userId: string): Promise { const req = new RemoveOrgMemberRequest(); req.setUserId(userId); - return this.grpcService.mgmt.removeMyOrgMember(req); + return this.grpcService.mgmt.removeOrgMember(req, null).then(resp => resp.toObject()); } - public DeactivateMyOrg(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.deactivateMyOrg(req); + public deactivateOrg(): Promise { + const req = new DeactivateOrgRequest(); + return this.grpcService.mgmt.deactivateOrg(req, null).then(resp => resp.toObject()); } - public ReactivateMyOrg(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.reactivateMyOrg(req); + 
public reactivateOrg(): Promise { + const req = new ReactivateOrgRequest(); + return this.grpcService.mgmt.reactivateOrg(req, null).then(resp => resp.toObject()); } - public CreateProjectGrant( + public addProjectGrant( orgId: string, projectId: string, roleKeysList: string[], - ): Promise { - const req = new ProjectGrantCreate(); + ): Promise { + const req = new AddProjectGrantRequest(); req.setProjectId(projectId); req.setGrantedOrgId(orgId); req.setRoleKeysList(roleKeysList); - return this.grpcService.mgmt.createProjectGrant(req); + return this.grpcService.mgmt.addProjectGrant(req, null).then(resp => resp.toObject()); } - public GetOrgMemberRoles(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.getOrgMemberRoles(req); + public listOrgMemberRoles(): Promise { + const req = new ListOrgMemberRolesRequest(); + return this.grpcService.mgmt.listOrgMemberRoles(req, null).then(resp => resp.toObject()); } // Policy - public GetMyOrgIamPolicy(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.getMyOrgIamPolicy(req); + public getOrgIAMPolicy(): Promise { + const req = new GetOrgIAMPolicyRequest(); + return this.grpcService.mgmt.getOrgIAMPolicy(req, null).then(resp => resp.toObject()); } - public GetPasswordAgePolicy(): Promise { - const req = new Empty(); - - return this.grpcService.mgmt.getPasswordAgePolicy(req); + public getPasswordAgePolicy(): Promise { + const req = new GetPasswordAgePolicyRequest(); + return this.grpcService.mgmt.getPasswordAgePolicy(req, null).then(resp => resp.toObject()); } - public CreatePasswordAgePolicy( + public addCustomPasswordAgePolicy( maxAgeDays: number, expireWarnDays: number, - ): Promise { - const req = new PasswordAgePolicyRequest(); + ): Promise { + const req = new AddCustomPasswordAgePolicyRequest(); req.setMaxAgeDays(maxAgeDays); req.setExpireWarnDays(expireWarnDays); - return this.grpcService.mgmt.createPasswordAgePolicy(req); + return this.grpcService.mgmt.addCustomPasswordAgePolicy(req, 
null).then(resp => resp.toObject()); } - public RemovePasswordAgePolicy(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.removePasswordAgePolicy(req); + public resetPasswordAgePolicyToDefault(): Promise { + const req = new ResetPasswordAgePolicyToDefaultRequest(); + return this.grpcService.mgmt.resetPasswordAgePolicyToDefault(req, null).then(resp => resp.toObject()); } - public UpdatePasswordAgePolicy( + public updateCustomPasswordAgePolicy( maxAgeDays: number, expireWarnDays: number, - ): Promise { - const req = new PasswordAgePolicyRequest(); + ): Promise { + const req = new UpdateCustomPasswordAgePolicyRequest(); req.setMaxAgeDays(maxAgeDays); req.setExpireWarnDays(expireWarnDays); - return this.grpcService.mgmt.updatePasswordAgePolicy(req); + return this.grpcService.mgmt.updateCustomPasswordAgePolicy(req, null).then(resp => resp.toObject()); } - public GetPasswordComplexityPolicy(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.getPasswordComplexityPolicy(req); + public getPasswordComplexityPolicy(): Promise { + const req = new GetPasswordComplexityPolicyRequest(); + return this.grpcService.mgmt.getPasswordComplexityPolicy(req, null).then(resp => resp.toObject()); } - public CreatePasswordComplexityPolicy( + public addCustomPasswordComplexityPolicy( hasLowerCase: boolean, hasUpperCase: boolean, hasNumber: boolean, hasSymbol: boolean, minLength: number, - ): Promise { - const req = new PasswordComplexityPolicyRequest(); + ): Promise { + const req = new AddCustomPasswordComplexityPolicyRequest(); req.setHasLowercase(hasLowerCase); req.setHasUppercase(hasUpperCase); req.setHasNumber(hasNumber); req.setHasSymbol(hasSymbol); req.setMinLength(minLength); - return this.grpcService.mgmt.createPasswordComplexityPolicy(req); + return this.grpcService.mgmt.addCustomPasswordComplexityPolicy(req, null).then(resp => resp.toObject()); } - public removePasswordComplexityPolicy(): Promise { - const req = new Empty(); - return 
this.grpcService.mgmt.removePasswordComplexityPolicy(req); + public resetPasswordComplexityPolicyToDefault(): Promise { + const req = new ResetPasswordComplexityPolicyToDefaultRequest(); + return this.grpcService.mgmt.resetPasswordComplexityPolicyToDefault(req, null).then(resp => resp.toObject()); } - public UpdatePasswordComplexityPolicy( + public updateCustomPasswordComplexityPolicy( hasLowerCase: boolean, hasUpperCase: boolean, hasNumber: boolean, hasSymbol: boolean, minLength: number, - ): Promise { - const req = new PasswordComplexityPolicy(); + ): Promise { + const req = new UpdateCustomPasswordComplexityPolicyRequest(); req.setHasLowercase(hasLowerCase); req.setHasUppercase(hasUpperCase); req.setHasNumber(hasNumber); req.setHasSymbol(hasSymbol); req.setMinLength(minLength); - return this.grpcService.mgmt.updatePasswordComplexityPolicy(req); + return this.grpcService.mgmt.updateCustomPasswordComplexityPolicy(req, null).then(resp => resp.toObject()); } - public GetPasswordLockoutPolicy(): Promise { - const req = new Empty(); + public getPasswordLockoutPolicy(): Promise { + const req = new GetPasswordLockoutPolicyRequest(); - return this.grpcService.mgmt.getPasswordLockoutPolicy(req); + return this.grpcService.mgmt.getPasswordLockoutPolicy(req, null).then(resp => resp.toObject()); } - public CreatePasswordLockoutPolicy( + public addCustomPasswordLockoutPolicy( maxAttempts: number, showLockoutFailures: boolean, - ): Promise { - const req = new PasswordLockoutPolicyRequest(); + ): Promise { + const req = new AddCustomPasswordLockoutPolicyRequest(); req.setMaxAttempts(maxAttempts); req.setShowLockoutFailure(showLockoutFailures); - return this.grpcService.mgmt.createPasswordLockoutPolicy(req); + return this.grpcService.mgmt.addCustomPasswordLockoutPolicy(req, null).then(resp => resp.toObject()); } - public RemovePasswordLockoutPolicy(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.removePasswordLockoutPolicy(req); + public 
resetPasswordLockoutPolicyToDefault(): Promise { + const req = new ResetPasswordLockoutPolicyToDefaultRequest(); + return this.grpcService.mgmt.resetPasswordLockoutPolicyToDefault(req, null).then(resp => resp.toObject()); } - public UpdatePasswordLockoutPolicy( + public updateCustomPasswordLockoutPolicy( maxAttempts: number, showLockoutFailures: boolean, - ): Promise { - const req = new PasswordLockoutPolicy(); + ): Promise { + const req = new UpdateCustomPasswordLockoutPolicyRequest(); req.setMaxAttempts(maxAttempts); req.setShowLockoutFailure(showLockoutFailures); - return this.grpcService.mgmt.updatePasswordLockoutPolicy(req); + return this.grpcService.mgmt.updateCustomPasswordLockoutPolicy(req, null).then(resp => resp.toObject()); } public getLocalizedComplexityPolicyPatternErrorString(policy: PasswordComplexityPolicy.AsObject): string { 
@@ -730,81 +823,95 @@ export class ManagementService { } } - public GetUserByID(id: string): Promise { - const req = new UserID(); + public getUserByID(id: string): Promise { + const req = new GetUserByIDRequest(); req.setId(id); - return this.grpcService.mgmt.getUserByID(req); + return this.grpcService.mgmt.getUserByID(req, null).then(resp => resp.toObject()); } - public DeleteUser(id: string): Promise { - const req = new UserID(); + public removeUser(id: string): Promise { + const req = new RemoveUserRequest(); req.setId(id); - return this.grpcService.mgmt.deleteUser(req); + return this.grpcService.mgmt.removeUser(req, null).then(resp => resp.toObject()); } - public SearchProjectMembers( + public listProjectMembers( projectId: string, limit: number, offset: number, - queryList?: ProjectMemberSearchQuery[], - ): Promise { - const req = new ProjectMemberSearchRequest(); + queryList?: SearchQuery[], + ): Promise { + const req = new ListProjectMembersRequest(); + const query = new ListQuery(); + req.setQuery(query); req.setProjectId(projectId); - req.setLimit(limit); - req.setOffset(offset); + if (limit) { + query.setLimit(limit); + } + if (offset) { + query.setOffset(offset); + } if (queryList) { req.setQueriesList(queryList); } - return this.grpcService.mgmt.searchProjectMembers(req); + req.setQuery(query); + return this.grpcService.mgmt.listProjectMembers(req, null).then(resp => resp.toObject()); } - public SearchUserMemberships(userId: string, - limit: number, offset: number, queryList?: UserMembershipSearchQuery[]): Promise { - const req = new UserMembershipSearchRequest(); - req.setLimit(limit); - req.setOffset(offset); + public listUserMemberships(userId: string, + limit: number, offset: number, + queryList?: MembershipQuery[], + ): Promise { + const req = new ListUserMembershipsRequest(); req.setUserId(userId); + const metadata = new ListQuery(); + if (limit) { + metadata.setLimit(limit); + } + if (offset) { + metadata.setOffset(offset); + } if (queryList) { 
req.setQueriesList(queryList); } - return this.grpcService.mgmt.searchUserMemberships(req); + req.setQuery(metadata); + return this.grpcService.mgmt.listUserMemberships(req, null).then(resp => resp.toObject()); } - public GetUserProfile(id: string): Promise { - const req = new UserID(); - req.setId(id); - return this.grpcService.mgmt.getUserProfile(req); + public getHumanProfile(userId: string): Promise { + const req = new GetHumanProfileRequest(); + req.setUserId(userId); + return this.grpcService.mgmt.getHumanProfile(req, null).then(resp => resp.toObject()); } - public getUserMfas(id: string): Promise { - const req = new UserID(); - req.setId(id); - return this.grpcService.mgmt.getUserMfas(req); + public listHumanMultiFactors(userId: string): Promise { + const req = new ListHumanAuthFactorsRequest(); + req.setUserId(userId); + return this.grpcService.mgmt.listHumanAuthFactors(req, null).then(resp => resp.toObject()); } - public removeMfaOTP(id: string): Promise { - const req = new UserID(); - req.setId(id); - return this.grpcService.mgmt.removeMfaOTP(req); + public removeHumanMultiFactorOTP(userId: string): Promise { + const req = new RemoveHumanAuthFactorOTPRequest(); + req.setUserId(userId); + return this.grpcService.mgmt.removeHumanAuthFactorOTP(req, null).then(resp => resp.toObject()); } - public RemoveMfaU2F(userid: string, id: string): Promise { - const req = new WebAuthNTokenID(); - req.setId(id); - req.setUserId(userid); - return this.grpcService.mgmt.removeMfaU2F(req); + public removeHumanAuthFactorU2F(userId: string): Promise { + const req = new RemoveHumanAuthFactorU2FRequest(); + req.setUserId(userId); + return this.grpcService.mgmt.removeHumanAuthFactorU2F(req, null).then(resp => resp.toObject()); } - public SaveUserProfile( - id: string, + public updateHumanProfile( + userId: string, firstName?: string, lastName?: string, nickName?: string, preferredLanguage?: string, - gender?: Gender, - ): Promise { - const req = new UpdateUserProfileRequest(); - 
req.setId(id); + gender?: Gender + ): Promise { + const req = new UpdateHumanProfileRequest(); + req.setUserId(userId); if (firstName) { req.setFirstName(firstName); } 
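Review bot: `removeHumanAuthFactorU2F(userId)` no longer says which U2F token to remove: the replaced `RemoveMfaU2F(userid, id)` set both the token id and the user id, while the new body only calls `req.setUserId(userId)`. The generated `RemoveHumanAuthFactorU2FRequest` is not visible in this hunk, so this needs confirming, but if it still carries a token id field the request goes out with that field empty. On an MFA-removal path that means the call either fails or acts on a factor the administrator did not select. I would keep the second parameter, `public removeHumanAuthFactorU2F(userId: string, tokenId: string)`, and add `req.setTokenId(tokenId);` before the call, assuming the field is named `token_id`. Separately, `listProjectMembers` calls `req.setQuery(query)` twice; the first call, right after `new ListQuery()`, is redundant and can be dropped.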
@@ -820,637 +927,734 @@ export class ManagementService { if (preferredLanguage) { req.setPreferredLanguage(preferredLanguage); } - return this.grpcService.mgmt.updateUserProfile(req); + return this.grpcService.mgmt.updateHumanProfile(req, null).then(resp => resp.toObject()); } - public GetUserEmail(id: string): Promise { - const req = new UserID(); - req.setId(id); - return this.grpcService.mgmt.getUserEmail(req); + public getHumanEmail(id: string): Promise { + const req = new GetHumanEmailRequest(); + req.setUserId(id); + return this.grpcService.mgmt.getHumanEmail(req, null).then(resp => resp.toObject()); } - public SaveUserEmail(id: string, email: string): Promise { - const req = new UpdateUserEmailRequest(); - req.setId(id); + public updateHumanEmail(userId: string, email: string): Promise { + const req = new UpdateHumanEmailRequest(); + req.setUserId(userId); req.setEmail(email); - return this.grpcService.mgmt.changeUserEmail(req); + return this.grpcService.mgmt.updateHumanEmail(req, null).then(resp => resp.toObject()); } - public GetUserPhone(id: string): Promise { - const req = new UserID(); - req.setId(id); - return this.grpcService.mgmt.getUserPhone(req); + public getHumanPhone(userId: string): Promise { + const req = new GetHumanPhoneRequest(); + req.setUserId(userId); + return this.grpcService.mgmt.getHumanPhone(req, null).then(resp => resp.toObject()); } - public SaveUserPhone(id: string, phone: string): Promise { - const req = new UpdateUserPhoneRequest(); - req.setId(id); + public updateHumanPhone(userId: string, phone: string): Promise { + const req = new UpdateHumanPhoneRequest(); + req.setUserId(userId); req.setPhone(phone); - return this.grpcService.mgmt.changeUserPhone(req); + return this.grpcService.mgmt.updateHumanPhone(req, null).then(resp => resp.toObject()); } - public RemoveUserPhone(id: string): Promise { - const req = new UserID(); + public removeHumanPhone(userId: string): Promise { + const req = new RemoveHumanPhoneRequest(); + 
req.setUserId(userId); + return this.grpcService.mgmt.removeHumanPhone(req, null).then(resp => resp.toObject()); + } + + public deactivateUser(id: string): Promise { + const req = new DeactivateUserRequest(); req.setId(id); - return this.grpcService.mgmt.removeUserPhone(req); + return this.grpcService.mgmt.deactivateUser(req, null).then(resp => resp.toObject()); } - public DeactivateUser(id: string): Promise { - const req = new UserID(); - req.setId(id); - return this.grpcService.mgmt.deactivateUser(req); - } - - public CreateUserGrant( + public addUserGrant( userId: string, roleNamesList: string[], projectId?: string, - grantId?: string, - ): Promise { - const req = new UserGrantCreate(); - if (projectId) { req.setProjectId(projectId); } - if (grantId) { req.setGrantId(grantId); } + projectGrantId?: string, + ): Promise { + const req = new AddUserGrantRequest(); + if (projectId) { + req.setProjectId(projectId); + } + if (projectGrantId) { + req.setProjectGrantId(projectGrantId); + } req.setUserId(userId); req.setRoleKeysList(roleNamesList); - return this.grpcService.mgmt.createUserGrant(req); + return this.grpcService.mgmt.addUserGrant(req, null).then(resp => resp.toObject()); } - public ReactivateUser(id: string): Promise { - const req = new UserID(); + public reactivateUser(id: string): Promise { + const req = new ReactivateUserRequest(); req.setId(id); - return this.grpcService.mgmt.reactivateUser(req); + return this.grpcService.mgmt.reactivateUser(req, null).then(resp => resp.toObject()); } - public AddRole(id: string, key: string, displayName: string, group: string): Promise { - const req = new ProjectRoleAdd(); - req.setId(id); - req.setKey(key); + public addProjectRole(projectId: string, roleKey: string, displayName: string, group: string): Promise { + const req = new AddProjectRoleRequest(); + req.setProjectId(projectId); + req.setRoleKey(roleKey); if (displayName) { req.setDisplayName(displayName); } req.setGroup(group); - return 
this.grpcService.mgmt.addProjectRole(req); + return this.grpcService.mgmt.addProjectRole(req, null).then(resp => resp.toObject()); } - public GetUserAddress(id: string): Promise { - const req = new UserID(); - req.setId(id); - return this.grpcService.mgmt.getUserAddress(req); + public resendHumanEmailVerification(userId: string): Promise { + const req = new ResendHumanEmailVerificationRequest(); + req.setUserId(userId); + return this.grpcService.mgmt.resendHumanEmailVerification(req, null).then(resp => resp.toObject()); } - public ResendEmailVerification(id: string): Promise { - const req = new UserID(); - req.setId(id); - return this.grpcService.mgmt.resendEmailVerificationMail(req); - } - - public ResendInitialMail(userId: string, newemail: string): Promise { - const req = new InitialMailRequest(); + public resendHumanInitialization(userId: string, newemail: string): Promise { + const req = new ResendHumanInitializationRequest(); if (newemail) { req.setEmail(newemail); } - req.setId(userId); + req.setUserId(userId); - return this.grpcService.mgmt.resendInitialMail(req); + return this.grpcService.mgmt.resendHumanInitialization(req, null).then(resp => resp.toObject()); } - public ResendPhoneVerification(id: string): Promise { - const req = new UserID(); - req.setId(id); - return this.grpcService.mgmt.resendPhoneVerificationCode(req); + public resendHumanPhoneVerification(userId: string): Promise { + const req = new ResendHumanPhoneVerificationRequest(); + req.setUserId(userId); + return this.grpcService.mgmt.resendHumanPhoneVerification(req, null).then(resp => resp.toObject()); } - public SetInitialPassword(id: string, password: string): Promise { - const req = new PasswordRequest(); - req.setId(id); + public setHumanInitialPassword(id: string, password: string): Promise { + const req = new SetHumanInitialPasswordRequest(); + req.setUserId(id); req.setPassword(password); - return this.grpcService.mgmt.setInitialPassword(req); + return 
this.grpcService.mgmt.setHumanInitialPassword(req, null).then(resp => resp.toObject()); } - public SendSetPasswordNotification(id: string, type: NotificationType): Promise { - const req = new SetPasswordNotificationRequest(); - req.setId(id); + public sendHumanResetPasswordNotification(id: string, type: SendHumanResetPasswordNotificationRequest.Type): Promise { + const req = new SendHumanResetPasswordNotificationRequest(); + req.setUserId(id); req.setType(type); - return this.grpcService.mgmt.sendSetPasswordNotification(req); + return this.grpcService.mgmt.sendHumanResetPasswordNotification(req, null).then(resp => resp.toObject()); } - public SaveUserAddress(address: UserAddress.AsObject): Promise { - const req = new UpdateUserAddressRequest(); - req.setId(address.id); - req.setStreetAddress(address.streetAddress); - req.setPostalCode(address.postalCode); - req.setLocality(address.locality); - req.setRegion(address.region); - req.setCountry(address.country); - return this.grpcService.mgmt.updateUserAddress(req); - } - - public SearchUsers(limit: number, offset: number, queryList?: UserSearchQuery[]): Promise { - const req = new UserSearchRequest(); - req.setLimit(limit); - req.setOffset(offset); - if (queryList) { - req.setQueriesList(queryList); + public listUsers(limit: number, offset: number, queriesList?: UserSearchQuery[], sortingColumn?: UserFieldName): Promise { + const req = new ListUsersRequest(); + const query = new ListQuery(); + if (limit) { + query.setLimit(limit); } - return this.grpcService.mgmt.searchUsers(req); + if (offset) { + query.setOffset(offset); + } + req.setQuery(query); + if (sortingColumn) { + req.setSortingColumn(sortingColumn); + } + if (queriesList) { + req.setQueriesList(queriesList); + } + return this.grpcService.mgmt.listUsers(req, null).then(resp => resp.toObject()); } - public GetUserByLoginNameGlobal(loginname: string): Promise { - const req = new LoginName(); + public getUserByLoginNameGlobal(loginname: string): Promise { + 
const req = new GetUserByLoginNameGlobalRequest(); req.setLoginName(loginname); - return this.grpcService.mgmt.getUserByLoginNameGlobal(req); + return this.grpcService.mgmt.getUserByLoginNameGlobal(req, null).then(resp => resp.toObject()); } // USER GRANTS - public SearchUserGrants( + public listUserGrants( limit?: number, offset?: number, - queryList?: UserGrantSearchQuery[], - ): Promise { - const req = new UserGrantSearchRequest(); + queryList?: UserGrantQuery[], + ): Promise { + const req = new ListUserGrantRequest(); + const query = new ListQuery(); if (limit) { - req.setLimit(limit); + query.setLimit(limit); } if (offset) { - req.setOffset(offset); + query.setOffset(offset); } + req.setQuery(query); + if (queryList) { req.setQueriesList(queryList); } - return this.grpcService.mgmt.searchUserGrants(req); + return this.grpcService.mgmt.listUserGrants(req, null).then(resp => resp.toObject()); } - public UserGrantByID( - id: string, + public getUserGrantByID( + grantId: string, userId: string, - ): Promise { - const req = new UserGrantID(); - req.setId(id); + ): Promise { + const req = new GetUserGrantByIDRequest(); + req.setGrantId(grantId); req.setUserId(userId); - return this.grpcService.mgmt.userGrantByID(req); + return this.grpcService.mgmt.getUserGrantByID(req, null).then(resp => resp.toObject()); } - public UpdateUserGrant( - id: string, + public updateUserGrant( + grantId: string, userId: string, roleKeysList: string[], - ): Promise { - const req = new UserGrantUpdate(); - req.setId(id); + ): Promise { + const req = new UpdateUserGrantRequest(); + req.setGrantId(grantId); req.setRoleKeysList(roleKeysList); req.setUserId(userId); - return this.grpcService.mgmt.updateUserGrant(req); + return this.grpcService.mgmt.updateUserGrant(req, null).then(resp => resp.toObject()); } - public RemoveUserGrant( - id: string, + public removeUserGrant( + grantId: string, userId: string, - ): Promise { - const req = new UserGrantID(); - req.setId(id); + ): Promise { + const 
req = new RemoveUserGrantRequest(); + req.setGrantId(grantId); req.setUserId(userId); - return this.grpcService.mgmt.removeUserGrant(req); + return this.grpcService.mgmt.removeUserGrant(req, null).then(resp => resp.toObject()); } - public BulkRemoveUserGrant( - idsList: string[], - ): Promise { - const req = new UserGrantRemoveBulk(); - req.setIdsList(idsList); + public bulkRemoveUserGrant( + grantIdsList: string[], + ): Promise { + const req = new BulkRemoveUserGrantRequest(); + req.setGrantIdList(grantIdsList); - return this.grpcService.mgmt.bulkRemoveUserGrant(req); + return this.grpcService.mgmt.bulkRemoveUserGrant(req, null).then(resp => resp.toObject()); } - // - - public ApplicationChanges(id: string, secId: string, limit: number, offset: number): Promise { - const req = new ChangeRequest(); - req.setId(id); - req.setSecId(secId); - req.setLimit(limit); - req.setAsc(false); - req.setSequenceOffset(offset); - return this.grpcService.mgmt.applicationChanges(req); + public listAppChanges(appId: string, projectId: string, limit: number, offset: number): Promise { + const req = new ListAppChangesRequest(); + const query = new ListQuery(); + req.setAppId(appId); + req.setProjectId(projectId); + if (limit) { + query.setLimit(limit); + } + if (offset) { + query.setOffset(offset); + } + req.setQuery(query); + return this.grpcService.mgmt.listAppChanges(req, null).then(resp => resp.toObject()); } - public OrgChanges(id: string, limit: number, offset: number): Promise { - const req = new ChangeRequest(); - req.setId(id); - req.setLimit(limit); - req.setAsc(false); - req.setSequenceOffset(offset); - return this.grpcService.mgmt.orgChanges(req); + public listOrgChanges(limit: number, offset: number): Promise { + const req = new ListOrgChangesRequest(); + const query = new ListQuery(); + + if (limit) { + query.setLimit(limit); + } + if (offset) { + query.setOffset(offset); + } + + req.setQuery(query); + return this.grpcService.mgmt.listOrgChanges(req, null).then(resp => 
resp.toObject()); } - public ProjectChanges(id: string, limit: number, offset: number): Promise { - const req = new ChangeRequest(); - req.setId(id); - req.setLimit(limit); - req.setAsc(false); - req.setSequenceOffset(offset); - return this.grpcService.mgmt.projectChanges(req); + public listProjectChanges(projectId: string, limit: number, offset: number): Promise { + const req = new ListProjectChangesRequest(); + req.setProjectId(projectId); + const query = new ListQuery(); + + if (limit) { + query.setLimit(limit); + } + if (offset) { + query.setOffset(offset); + } + + req.setQuery(query); + return this.grpcService.mgmt.listProjectChanges(req, null).then(resp => resp.toObject()); } - public UserChanges(id: string, limit: number, sequenceoffset: number): Promise { - const req = new ChangeRequest(); - req.setId(id); - req.setLimit(limit); - req.setAsc(false); - req.setSequenceOffset(sequenceoffset); - return this.grpcService.mgmt.userChanges(req); + public listUserChanges(userId: string, limit: number, offset: number): Promise { + const req = new ListUserChangesRequest(); + req.setUserId(userId); + const query = new ListQuery(); + + if (limit) { + query.setLimit(limit); + } + if (offset) { + query.setOffset(offset); + } + + req.setQuery(query); + return this.grpcService.mgmt.listUserChanges(req, null).then(resp => resp.toObject()); } // project - public SearchProjects( - limit?: number, offset?: number, queryList?: ProjectSearchQuery[]): Promise { - const req = new ProjectSearchRequest(); + public listProjects( + limit?: number, offset?: number, queryList?: ProjectQuery[]): Promise { + const req = new ListProjectsRequest(); + const query = new ListQuery(); + if (limit) { - req.setLimit(limit); + query.setLimit(limit); } if (offset) { - req.setOffset(offset); + query.setOffset(offset); } + req.setQuery(query); + if (queryList) { req.setQueriesList(queryList); } - return this.grpcService.mgmt.searchProjects(req).then(value => { - const count = 
value.toObject().resultList.length; + return this.grpcService.mgmt.listProjects(req, null).then(value => { + const obj = value.toObject(); + const count = obj.resultList.length; if (count >= 0) { this.ownedProjectsCount.next(count); } - return value; + return obj; }); } - public SearchGrantedProjects( - limit: number, offset: number, queryList?: ProjectSearchQuery[]): Promise { - const req = new GrantedProjectSearchRequest(); - req.setLimit(limit); - req.setOffset(offset); + public listGrantedProjects( + limit: number, offset: number, queryList?: ProjectQuery[]): Promise { + const req = new ListGrantedProjectsRequest(); + const query = new ListQuery(); + + if (limit) { + query.setLimit(limit); + } + if (offset) { + query.setOffset(offset); + } + + req.setQuery(query); if (queryList) { req.setQueriesList(queryList); } - return this.grpcService.mgmt.searchGrantedProjects(req).then(value => { - this.grantedProjectsCount.next(value.toObject().resultList.length); - return value; + return this.grpcService.mgmt.listGrantedProjects(req, null).then(value => { + const obj = value.toObject(); + this.grantedProjectsCount.next(obj.resultList.length); + return obj; }); } - public GetZitadelDocs(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.getZitadelDocs(req); + public getOIDCInformation(): Promise { + const req = new GetOIDCInformationRequest(); + return this.grpcService.mgmt.getOIDCInformation(req, null).then(resp => resp.toObject()); } - public GetProjectById(projectId: string): Promise { - const req = new ProjectID(); + public getProjectByID(projectId: string): Promise { + const req = new GetProjectByIDRequest(); req.setId(projectId); - return this.grpcService.mgmt.projectByID(req); + return this.grpcService.mgmt.getProjectByID(req, null).then(resp => resp.toObject()); } - public GetGrantedProjectByID(projectId: string, id: string): Promise { - const req = new ProjectGrantID(); - req.setId(id); + public getGrantedProjectByID(projectId: string, 
grantId: string): Promise { + const req = new GetGrantedProjectByIDRequest(); + req.setGrantId(grantId); req.setProjectId(projectId); - return this.grpcService.mgmt.getGrantedProjectByID(req); + return this.grpcService.mgmt.getGrantedProjectByID(req, null).then(resp => resp.toObject()); } - public CreateProject(project: ProjectCreateRequest.AsObject): Promise { - const req = new ProjectCreateRequest(); + public addProject(project: AddProjectRequest.AsObject): Promise { + const req = new AddProjectRequest(); req.setName(project.name); - return this.grpcService.mgmt.createProject(req).then(value => { + return this.grpcService.mgmt.addProject(req, null).then(value => { const current = this.ownedProjectsCount.getValue(); this.ownedProjectsCount.next(current + 1); - return value; + return value.toObject(); }); } - public UpdateProject(id: string, projectView: ProjectView.AsObject): Promise { - const req = new ProjectUpdateRequest(); - req.setId(id); - req.setName(projectView.name); - req.setProjectRoleAssertion(projectView.projectRoleAssertion); - req.setProjectRoleCheck(projectView.projectRoleCheck); - return this.grpcService.mgmt.updateProject(req); + public updateProject(req: UpdateProjectRequest): Promise { + return this.grpcService.mgmt.updateProject(req, null).then(resp => resp.toObject()); } - public UpdateProjectGrant(id: string, projectId: string, rolesList: string[]): Promise { - const req = new ProjectGrantUpdate(); + public updateProjectGrant(grantId: string, projectId: string, rolesList: string[]): Promise { + const req = new UpdateProjectGrantRequest(); req.setRoleKeysList(rolesList); - req.setId(id); + req.setGrantId(grantId); req.setProjectId(projectId); - return this.grpcService.mgmt.updateProjectGrant(req); + return this.grpcService.mgmt.updateProjectGrant(req, null).then(resp => resp.toObject()); } - public RemoveProjectGrant(id: string, projectId: string): Promise { - const req = new ProjectGrantID(); - req.setId(id); + public 
removeProjectGrant(grantId: string, projectId: string): Promise { + const req = new RemoveProjectGrantRequest(); + req.setGrantId(grantId); req.setProjectId(projectId); - return this.grpcService.mgmt.removeProjectGrant(req); + return this.grpcService.mgmt.removeProjectGrant(req, null).then(resp => resp.toObject()); } - public DeactivateProject(projectId: string): Promise { - const req = new ProjectID(); + public deactivateProject(projectId: string): Promise { + const req = new DeactivateProjectRequest(); req.setId(projectId); - return this.grpcService.mgmt.deactivateProject(req); + return this.grpcService.mgmt.deactivateProject(req, null).then(resp => resp.toObject()); } - public ReactivateProject(projectId: string): Promise { - const req = new ProjectID(); + public reactivateProject(projectId: string): Promise { + const req = new ReactivateProjectRequest(); req.setId(projectId); - return this.grpcService.mgmt.reactivateProject(req); + return this.grpcService.mgmt.reactivateProject(req, null).then(resp => resp.toObject()); } - public SearchProjectGrants(projectId: string, limit: number, offset: number): Promise { - const req = new ProjectGrantSearchRequest(); + public listProjectGrants(projectId: string, limit: number, offset: number): Promise { + const req = new ListProjectGrantsRequest(); req.setProjectId(projectId); - req.setLimit(limit); - req.setOffset(offset); - return this.grpcService.mgmt.searchProjectGrants(req); + const query = new ListQuery(); + + if (limit) { + query.setLimit(limit); + } + if (offset) { + query.setOffset(offset); + } + + req.setQuery(query); + return this.grpcService.mgmt.listProjectGrants(req, null).then(resp => resp.toObject()); } - public GetProjectGrantMemberRoles(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.getProjectGrantMemberRoles(req); + public listProjectGrantMemberRoles(): Promise { + const req = new ListProjectGrantMemberRolesRequest(); + return this.grpcService.mgmt.listProjectGrantMemberRoles(req, 
null).then(resp => resp.toObject()); } - public AddProjectMember(id: string, userId: string, rolesList: string[]): Promise { - const req = new ProjectMemberAdd(); - req.setId(id); + public addProjectMember(projectId: string, userId: string, rolesList: string[]): Promise { + const req = new AddProjectMemberRequest(); + req.setProjectId(projectId); req.setUserId(userId); req.setRolesList(rolesList); - return this.grpcService.mgmt.addProjectMember(req); + return this.grpcService.mgmt.addProjectMember(req, null).then(resp => resp.toObject()); } - public ChangeProjectMember(id: string, userId: string, rolesList: string[]): Promise { - const req = new ProjectMemberChange(); - req.setId(id); + public updateProjectMember(projectId: string, userId: string, rolesList: string[]): Promise { + const req = new UpdateProjectMemberRequest(); + req.setProjectId(projectId); req.setUserId(userId); req.setRolesList(rolesList); - return this.grpcService.mgmt.changeProjectMember(req); + return this.grpcService.mgmt.updateProjectMember(req, null).then(resp => resp.toObject()); } - public AddProjectGrantMember( + public addProjectGrantMember( projectId: string, grantId: string, userId: string, rolesList: string[], - ): Promise { - const req = new ProjectGrantMemberAdd(); + ): Promise { + const req = new AddProjectGrantMemberRequest(); req.setProjectId(projectId); req.setGrantId(grantId); req.setUserId(userId); req.setRolesList(rolesList); - return this.grpcService.mgmt.addProjectGrantMember(req); + return this.grpcService.mgmt.addProjectGrantMember(req, null).then(resp => resp.toObject()); } - public ChangeProjectGrantMember( + public updateProjectGrantMember( projectId: string, grantId: string, userId: string, rolesList: string[], - ): Promise { - const req = new ProjectGrantMemberChange(); + ): Promise { + const req = new UpdateProjectGrantMemberRequest(); req.setProjectId(projectId); req.setGrantId(grantId); req.setUserId(userId); req.setRolesList(rolesList); - return 
this.grpcService.mgmt.changeProjectGrantMember(req); + return this.grpcService.mgmt.updateProjectGrantMember(req, null).then(resp => resp.toObject()); } - public SearchProjectGrantMembers( + public listProjectGrantMembers( projectId: string, grantId: string, limit: number, offset: number, - queryList?: ProjectGrantMemberSearchQuery[], - ): Promise { - const req = new ProjectGrantMemberSearchRequest(); - req.setLimit(limit); - req.setOffset(offset); + queryList?: SearchQuery[], + ): Promise { + const req = new ListProjectGrantMembersRequest(); + req.setProjectId(projectId); + req.setGrantId(grantId); + + const query = new ListQuery(); + if (limit) { + query.setLimit(limit); + } + if (offset) { + query.setOffset(offset); + } + + req.setQuery(query); if (queryList) { req.setQueriesList(queryList); } - req.setProjectId(projectId); - req.setGrantId(grantId); - return this.grpcService.mgmt.searchProjectGrantMembers(req); + + return this.grpcService.mgmt.listProjectGrantMembers(req, null).then(resp => resp.toObject()); } - public RemoveProjectGrantMember( + public removeProjectGrantMember( projectId: string, grantId: string, userId: string, - ): Promise { - const req = new ProjectGrantMemberRemove(); + ): Promise { + const req = new RemoveProjectGrantMemberRequest(); req.setGrantId(grantId); req.setUserId(userId); req.setProjectId(projectId); - return this.grpcService.mgmt.removeProjectGrantMember(req); + return this.grpcService.mgmt.removeProjectGrantMember(req, null).then(resp => resp.toObject()); } - public ReactivateApplication(projectId: string, appId: string): Promise { - const req = new ApplicationID(); - req.setId(appId); + public reactivateApp(projectId: string, appId: string): Promise { + const req = new ReactivateAppRequest(); + req.setAppId(appId); req.setProjectId(projectId); - return this.grpcService.mgmt.reactivateApplication(req); + return this.grpcService.mgmt.reactivateApp(req, null).then(resp => resp.toObject()); } - public 
DeactivateApplication(projectId: string, appId: string): Promise { - const req = new ApplicationID(); - req.setId(appId); + public deactivateApp(projectId: string, appId: string): Promise { + const req = new DeactivateAppRequest(); + req.setAppId(appId); req.setProjectId(projectId); - return this.grpcService.mgmt.deactivateApplication(req); + return this.grpcService.mgmt.deactivateApp(req, null).then(resp => resp.toObject()); } - public RegenerateOIDCClientSecret(id: string, projectId: string): Promise { - const req = new ApplicationID(); - req.setId(id); + public regenerateOIDCClientSecret(appId: string, projectId: string): Promise { + const req = new RegenerateOIDCClientSecretRequest(); + req.setAppId(appId); req.setProjectId(projectId); - return this.grpcService.mgmt.regenerateOIDCClientSecret(req); + return this.grpcService.mgmt.regenerateOIDCClientSecret(req, null).then(resp => resp.toObject()); } - public RegenerateAPIClientSecret(id: string, projectId: string): Promise { - const req = new ApplicationID(); - req.setId(id); + public listAppKeys( + projectId: string, + appId: string, + limit: number, + offset: number, + ): Promise { + const req = new ListAppKeysRequest(); req.setProjectId(projectId); - return this.grpcService.mgmt.regenerateAPIClientSecret(req); + req.setAppId(appId); + const metaData = new ListQuery(); + if (limit) { + metaData.setLimit(limit); + } + if (offset) { + metaData.setOffset(offset); + } + req.setQuery(metaData); + return this.grpcService.mgmt.listAppKeys(req, null).then(resp => resp.toObject()); } - public SearchProjectRoles( + public addAppKey( + projectId: string, + appId: string, + type: KeyType, + expirationDate?: Timestamp, + ): Promise { + const req = new AddAppKeyRequest(); + req.setProjectId(projectId); + req.setAppId(appId); + req.setType(type); + if (expirationDate) { + req.setExpirationDate(expirationDate); + } + return this.grpcService.mgmt.addAppKey(req, null).then(resp => resp.toObject()); + } + + public removeAppKey( 
+ projectId: string, + appId: string, + keyId: string, + ): Promise { + const req = new RemoveAppKeyRequest(); + req.setAppId(appId); + req.setKeyId(keyId); + req.setProjectId(projectId); + return this.grpcService.mgmt.removeAppKey(req, null).then(resp => resp.toObject()); + } + + public listProjectRoles( projectId: string, limit: number, offset: number, - queryList?: ProjectRoleSearchQuery[], - ): Promise { - const req = new ProjectRoleSearchRequest(); + queryList?: RoleQuery[], + ): Promise { + const req = new ListProjectRolesRequest(); req.setProjectId(projectId); - req.setLimit(limit); - req.setOffset(offset); + + const query = new ListQuery(); + if (limit) { + query.setLimit(limit); + } + if (offset) { + query.setOffset(offset); + } + + req.setQuery(query); if (queryList) { req.setQueriesList(queryList); } - return this.grpcService.mgmt.searchProjectRoles(req); + return this.grpcService.mgmt.listProjectRoles(req, null).then(resp => resp.toObject()); } - public AddProjectRole(role: ProjectRoleAdd.AsObject): Promise { - const req = new ProjectRoleAdd(); - req.setId(role.id); - if (role.displayName) { - req.setDisplayName(role.displayName); - } - req.setKey(role.key); - req.setGroup(role.group); - return this.grpcService.mgmt.addProjectRole(req); + public bulkAddProjectRoles( + projectId: string, + rolesList: BulkAddProjectRolesRequest.Role[], + ): Promise { + const req = new BulkAddProjectRolesRequest(); + req.setProjectId(projectId); + req.setRolesList(rolesList); + return this.grpcService.mgmt.bulkAddProjectRoles(req, null).then(resp => resp.toObject()); } - public BulkAddProjectRole( - id: string, - rolesList: ProjectRoleAdd[], - ): Promise { - const req = new ProjectRoleAddBulk(); - req.setId(id); - req.setProjectRolesList(rolesList); - return this.grpcService.mgmt.bulkAddProjectRole(req); - } - - public RemoveProjectRole(projectId: string, key: string): Promise { - const req = new ProjectRoleRemove(); - req.setId(projectId); - req.setKey(key); - return 
this.grpcService.mgmt.removeProjectRole(req); + public removeProjectRole(projectId: string, roleKey: string): Promise { + const req = new RemoveProjectRoleRequest(); + req.setProjectId(projectId); + req.setRoleKey(roleKey); + return this.grpcService.mgmt.removeProjectRole(req, null).then(resp => resp.toObject()); } - public ChangeProjectRole(projectId: string, key: string, displayName: string, group: string): - Promise { - const req = new ProjectRoleChange(); - req.setId(projectId); - req.setKey(key); + public updateProjectRole(projectId: string, roleKey: string, displayName: string, group: string): + Promise { + const req = new UpdateProjectRoleRequest(); + req.setProjectId(projectId); + req.setRoleKey(roleKey); req.setGroup(group); req.setDisplayName(displayName); - return this.grpcService.mgmt.changeProjectRole(req); + return this.grpcService.mgmt.updateProjectRole(req, null).then(resp => resp.toObject()); } - public RemoveProjectMember(id: string, userId: string): Promise { - const req = new ProjectMemberRemove(); - req.setId(id); + public removeProjectMember(projectId: string, userId: string): Promise { + const req = new RemoveProjectMemberRequest(); + req.setProjectId(projectId); req.setUserId(userId); - return this.grpcService.mgmt.removeProjectMember(req); + return this.grpcService.mgmt.removeProjectMember(req, null).then(resp => resp.toObject()); } - public SearchApplications( + public listApps( projectId: string, limit: number, offset: number, - queryList?: ApplicationSearchQuery[]): Promise { - const req = new ApplicationSearchRequest(); + queryList?: AppQuery[]): Promise { + const req = new ListAppsRequest(); req.setProjectId(projectId); - req.setLimit(limit); - req.setOffset(offset); + const query = new ListQuery(); + if (limit) { + query.setLimit(limit); + } + if (offset) { + query.setOffset(offset); + } + + req.setQuery(query); if (queryList) { req.setQueriesList(queryList); } - return this.grpcService.mgmt.searchApplications(req); + return 
this.grpcService.mgmt.listApps(req, null).then(resp => resp.toObject()); } - public GetApplicationById(projectId: string, applicationId: string): Promise { - const req = new ApplicationID(); + public getAppByID(projectId: string, appId: string): Promise { + const req = new GetAppByIDRequest(); req.setProjectId(projectId); - req.setId(applicationId); - return this.grpcService.mgmt.applicationByID(req); + req.setAppId(appId); + return this.grpcService.mgmt.getAppByID(req, null).then(resp => resp.toObject()); } - public GetProjectMemberRoles(): Promise { - const req = new Empty(); - return this.grpcService.mgmt.getProjectMemberRoles(req); + public listProjectMemberRoles(): Promise { + const req = new ListProjectMemberRolesRequest(); + return this.grpcService.mgmt.listProjectMemberRoles(req, null).then(resp => resp.toObject()); } - public ProjectGrantByID(id: string, projectId: string): Promise { - const req = new ProjectGrantID(); - req.setId(id); + public getProjectGrantByID(grantId: string, projectId: string): Promise { + const req = new GetProjectGrantByIDRequest(); + req.setGrantId(grantId); req.setProjectId(projectId); - return this.grpcService.mgmt.projectGrantByID(req); + return this.grpcService.mgmt.getProjectGrantByID(req, null).then(resp => resp.toObject()); } - public RemoveProject(id: string): Promise { - const req = new ProjectID(); + public removeProject(id: string): Promise { + const req = new RemoveProjectRequest(); req.setId(id); - return this.grpcService.mgmt.removeProject(req).then(value => { + return this.grpcService.mgmt.removeProject(req, null).then(value => { const current = this.ownedProjectsCount.getValue(); this.ownedProjectsCount.next(current > 0 ? 
current - 1 : 0); - return value; + return value.toObject(); }); } - - public DeactivateProjectGrant(id: string, projectId: string): Promise { - const req = new ProjectGrantID(); - req.setId(id); + public deactivateProjectGrant(grantId: string, projectId: string): Promise { + const req = new DeactivateProjectGrantRequest(); + req.setGrantId(grantId); req.setProjectId(projectId); - return this.grpcService.mgmt.deactivateProjectGrant(req); + return this.grpcService.mgmt.deactivateProjectGrant(req, null).then(resp => resp.toObject()); } - public ReactivateProjectGrant(id: string, projectId: string): Promise { - const req = new ProjectGrantID(); - req.setId(id); + public reactivateProjectGrant(grantId: string, projectId: string): Promise { + const req = new ReactivateProjectGrantRequest(); + req.setGrantId(grantId); req.setProjectId(projectId); - return this.grpcService.mgmt.reactivateProjectGrant(req); + return this.grpcService.mgmt.reactivateProjectGrant(req, null).then(resp => resp.toObject()); } - public CreateOIDCApp(app: OIDCApplicationCreate.AsObject): Promise { - const req = new OIDCApplicationCreate(); - req.setProjectId(app.projectId); + public addOIDCApp(app: AddOIDCAppRequest.AsObject): Promise { + const req: AddOIDCAppRequest = new AddOIDCAppRequest(); + req.setAuthMethodType(app.authMethodType); req.setName(app.name); - req.setRedirectUrisList(app.redirectUrisList); + req.setProjectId(app.projectId); req.setResponseTypesList(app.responseTypesList); req.setGrantTypesList(app.grantTypesList); - req.setApplicationType(app.applicationType); - req.setAuthMethodType(app.authMethodType); + req.setAppType(app.appType); req.setPostLogoutRedirectUrisList(app.postLogoutRedirectUrisList); - - return this.grpcService.mgmt.createOIDCApplication(req); + req.setRedirectUrisList(app.redirectUrisList); + return this.grpcService.mgmt.addOIDCApp(req, null).then(resp => resp.toObject()); } - public CreateAPIApplication(app: APIApplicationCreate.AsObject): Promise { - const 
req = new APIApplicationCreate(); - req.setProjectId(app.projectId); - req.setName(app.name); + public addAPIApp(app: AddAPIAppRequest.AsObject): Promise { + const req: AddAPIAppRequest = new AddAPIAppRequest(); req.setAuthMethodType(app.authMethodType); - - return this.grpcService.mgmt.createAPIApplication(req); + req.setName(app.name); + req.setProjectId(app.projectId); + return this.grpcService.mgmt.addAPIApp(req, null).then(resp => resp.toObject()); } - public UpdateApplication(projectId: string, appId: string, name: string): Promise { - const req = new ApplicationUpdate(); - req.setId(appId); + public regenerateAPIClientSecret(appId: string, projectId: string): Promise { + const req = new RegenerateAPIClientSecretRequest(); + req.setAppId(appId); + req.setProjectId(projectId); + return this.grpcService.mgmt.regenerateAPIClientSecret(req, null).then(resp => resp.toObject()); + } + + public updateApp(projectId: string, appId: string, name: string): Promise { + const req = new UpdateAppRequest(); + req.setAppId(appId); req.setName(name); req.setProjectId(projectId); - return this.grpcService.mgmt.updateApplication(req); + return this.grpcService.mgmt.updateApp(req, null).then(resp => resp.toObject()); } - public UpdateOIDCAppConfig(req: OIDCConfigUpdate): Promise { - return this.grpcService.mgmt.updateApplicationOIDCConfig(req); + public updateOIDCAppConfig(req: UpdateOIDCAppConfigRequest): Promise { + return this.grpcService.mgmt.updateOIDCAppConfig(req, null).then(resp => resp.toObject()); } - public UpdateAPIAppConfig(req: APIConfigUpdate): Promise { - return this.grpcService.mgmt.updateApplicationAPIConfig(req); + public updateAPIAppConfig(req: UpdateAPIAppConfigRequest): Promise { + return this.grpcService.mgmt.updateAPIAppConfig(req, null).then(resp => resp.toObject()); } - public RemoveApplication(projectId: string, appId: string): Promise { - const req = new ApplicationID(); - req.setId(appId); + public removeApp(projectId: string, appId: string): Promise 
{ + const req = new RemoveAppRequest(); + req.setAppId(appId); req.setProjectId(projectId); - return this.grpcService.mgmt.removeApplication(req); + return this.grpcService.mgmt.removeApp(req, null).then(resp => resp.toObject()); } } diff --git a/go.mod b/go.mod index e8f4c9fc47..bc337304e2 100644 --- a/go.mod +++ b/go.mod @@ -26,13 +26,13 @@ require ( github.com/golang/mock v1.5.0 github.com/golang/protobuf v1.4.3 github.com/golang/snappy v0.0.2 // indirect - github.com/google/go-cmp v0.5.3 // indirect github.com/gorilla/csrf v1.7.0 github.com/gorilla/mux v1.8.0 github.com/gorilla/schema v1.2.0 github.com/gorilla/securecookie v1.1.1 github.com/grpc-ecosystem/go-grpc-middleware v1.2.2 github.com/grpc-ecosystem/grpc-gateway v1.16.0 + github.com/grpc-ecosystem/grpc-gateway/v2 v2.2.0 github.com/huandu/xstrings v1.3.2 // indirect github.com/imdario/mergo v0.3.11 // indirect github.com/inconshreveable/log15 v0.0.0-20200109203555-b30bc20e4fd1 // indirect @@ -73,8 +73,8 @@ require ( golang.org/x/tools v0.0.0-20201103235415-b653051172e4 google.golang.org/api v0.34.0 google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20201103154000-415bd0cd5df6 - google.golang.org/grpc v1.34.0 + google.golang.org/genproto v0.0.0-20210207032614-bba0dbe2a9ea + google.golang.org/grpc v1.35.0 google.golang.org/protobuf v1.25.0 gopkg.in/square/go-jose.v2 v2.5.1 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c diff --git a/go.sum b/go.sum index 8e4f12dec7..42de9d4ae4 100644 --- a/go.sum +++ b/go.sum 
@@ -167,6 +167,7 @@ github.com/cloudflare/cloudflare-go v0.12.1/go.mod h1:gmzHQPAyHh8N8UgX0Z+3rSMRbN github.com/cloudscale-ch/cloudscale-go-sdk v1.6.0/go.mod h1:FhOTOCgKAVvRRMQc1mC0D7xK/3zYnmcZBWFXNkacvMc= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= +github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= github.com/cockroachdb/cockroach-go/v2 v2.1.0 h1:zicZlBhWZu6wfK7Ezg4Owdc3HamLpRdBllPTT9tb+2k= github.com/cockroachdb/cockroach-go/v2 v2.1.0/go.mod h1:ilhrLnPDDwGHL+iK2UxQhp1UzUhst8sfItSAgCYwAyg= @@ -228,6 +229,7 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= +github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/protoc-gen-validate v0.1.0 h1:EQciDnbrYxy13PgWoY8AqoxGiPrpgBZ1R8UNe3ddc+A= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5 h1:Yzb9+7DPaBjB8zlTR87/ElzFsnQfuHnVUVqpZZIcV5Y= 
@@ -377,6 +379,8 @@ github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.3 h1:x95R7cp+rSeeqAMI2knLtQ0DKlaBhv2NrtrOvafPHRo= github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M= +github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-github/v31 v31.0.0/go.mod h1:NQPZol8/1sMoWYGN2yaALIBytu17gAWfhbweiEed3pM= github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= @@ -441,6 +445,8 @@ github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY= github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.2.0 h1:HlJcTiqGHvaWDG7/s85d68Kw7G7FqMz+9LlcyVauOAw= +github.com/grpc-ecosystem/grpc-gateway/v2 v2.2.0/go.mod h1:gRq9gZWcIFvz68EgWqy2qQpRbmtn5j2qLZ4zHjqiLpg= github.com/hashicorp/consul/api v1.3.0/go.mod h1:MmDNSzIMUjNpY/mQ398R4bk2FnqQLoPndWW5VkKPlCE= github.com/hashicorp/consul/sdk v0.3.0/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -1014,6 +1020,8 @@ golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43 h1:ld7aEMNHoBnnDAX15v1T6z31v8HwR2A9FYOuAhWqkwc= golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210201163806-010130855d6c h1:HiAZXo96zOhVhtFHchj/ojzoxCFiPrp9/j0GtS38V3g= +golang.org/x/oauth2 v0.0.0-20210201163806-010130855d6c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -1234,6 +1242,8 @@ google.golang.org/genproto v0.0.0-20200904004341-0bd0a958aa1d/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20201030142918-24207fddd1c3/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201103154000-415bd0cd5df6 h1:rMoZiLTOobSD3eg30lPMcFkBFNSyKUQQIQlw/hsAXME= google.golang.org/genproto v0.0.0-20201103154000-415bd0cd5df6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/genproto v0.0.0-20210207032614-bba0dbe2a9ea h1:N98SvVh7Hdle2lgUVFuIkf0B3u29CUakMUQa7Hwz8Wc= +google.golang.org/genproto v0.0.0-20210207032614-bba0dbe2a9ea/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= 
@@ -1256,6 +1266,9 @@ google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.34.0 h1:raiipEjMOIC/TO2AvyTxP25XFdLxNIBwzDh3FM3XztI= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= +google.golang.org/grpc v1.35.0 h1:TwIQcH3es+MojMVojxxfQ3l3OF2KzlRxML2xZq0kRo8= +google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.0.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= diff --git a/internal/api/grpc/admin/administrator.go b/internal/api/grpc/admin/administrator.go deleted file mode 100644 index 1d855a61f2..0000000000 --- a/internal/api/grpc/admin/administrator.go +++ /dev/null 
@@ -1,36 +0,0 @@
-package admin
-
-import (
- "context"
-
- "github.com/golang/protobuf/ptypes/empty"
-
- view_model "github.com/caos/zitadel/internal/view/model"
- "github.com/caos/zitadel/pkg/grpc/admin"
-)
-
-func (s *Server) GetViews(ctx context.Context, _ *empty.Empty) (_ *admin.Views, err error) {
- views, err := s.administrator.GetViews()
- if err != nil {
- return nil, err
- }
- return &admin.Views{Views: viewsFromModel(views)}, nil
-}
-
-func (s *Server) ClearView(ctx context.Context, viewID *admin.ViewID) (_ *empty.Empty, err error) {
- err = s.administrator.ClearView(ctx, viewID.Database, viewID.ViewName)
- return &empty.Empty{}, err
-}
-
-func (s *Server) GetFailedEvents(ctx context.Context, _ *empty.Empty) (_ *admin.FailedEvents, err error) {
- failedEvents, err := s.administrator.GetFailedEvents(ctx)
- if err != nil {
- return nil, err
- }
- return &admin.FailedEvents{FailedEvents: failedEventsFromModel(failedEvents)}, nil
-}
-
-func (s *Server) RemoveFailedEvent(ctx context.Context, failedEventID *admin.FailedEventID) (_ *empty.Empty, err error) {
- err = s.administrator.RemoveFailedEvent(ctx, &view_model.FailedEvent{Database: failedEventID.Database, ViewName: failedEventID.ViewName, FailedSequence: failedEventID.FailedSequence})
- return &empty.Empty{}, err
-}
diff --git a/internal/api/grpc/admin/administrator_converter.go b/internal/api/grpc/admin/administrator_converter.go
deleted file mode 100644
index edd1691eaa..0000000000
--- a/internal/api/grpc/admin/administrator_converter.go
+++ /dev/null
@@ -1,51 +0,0 @@
-package admin
-
-import (
- "github.com/caos/logging"
- view_model "github.com/caos/zitadel/internal/view/model"
- "github.com/caos/zitadel/pkg/grpc/admin"
- "github.com/golang/protobuf/ptypes"
-)
-
-func viewsFromModel(views []*view_model.View) []*admin.View {
- result := make([]*admin.View, len(views))
- for i, view := range views {
- result[i] = viewFromModel(view)
- }
-
- return result
-}
-
-func failedEventsFromModel(failedEvents []*view_model.FailedEvent) []*admin.FailedEvent {
- result := make([]*admin.FailedEvent, len(failedEvents))
- for i, view := range failedEvents {
- result[i] = failedEventFromModel(view)
- }
-
- return result
-}
-
-func viewFromModel(view *view_model.View) *admin.View {
- eventTimestamp, err := ptypes.TimestampProto(view.EventTimestamp)
- logging.Log("GRPC-KSo03").OnError(err).Debug("unable to parse timestamp")
- lastSpool, err := ptypes.TimestampProto(view.LastSuccessfulSpoolerRun)
- logging.Log("GRPC-0oP87").OnError(err).Debug("unable to parse timestamp")
-
- return &admin.View{
- Database: view.Database,
- ViewName: view.ViewName,
- ProcessedSequence: view.CurrentSequence,
- EventTimestamp: eventTimestamp,
- LastSuccessfulSpoolerRun: lastSpool,
- }
-}
-
-func failedEventFromModel(failedEvent *view_model.FailedEvent) *admin.FailedEvent {
- return &admin.FailedEvent{
- Database: failedEvent.Database,
- ViewName: failedEvent.ViewName,
- FailedSequence: failedEvent.FailedSequence,
- FailureCount: failedEvent.FailureCount,
- ErrorMessage: failedEvent.ErrMsg,
- }
-}
diff --git a/internal/api/grpc/admin/failed_event.go b/internal/api/grpc/admin/failed_event.go
new file mode 100644
index 0000000000..9f49fd00a4
--- /dev/null
+++ b/internal/api/grpc/admin/failed_event.go
@@ -0,0 +1,23 @@
+package admin
+
+import (
+ "context"
+
+ admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func (s *Server) ListFailedEvents(ctx context.Context, req *admin_pb.ListFailedEventsRequest) (*admin_pb.ListFailedEventsResponse, error) {
+ failedEvents, err := s.administrator.GetFailedEvents(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.ListFailedEventsResponse{Result: FailedEventsToPb(failedEvents)}, nil
+}
+
+func (s *Server) RemoveFailedEvent(ctx context.Context, req *admin_pb.RemoveFailedEventRequest) (*admin_pb.RemoveFailedEventResponse, error) {
+ err := s.administrator.RemoveFailedEvent(ctx, RemoveFailedEventRequestToModel(req))
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.RemoveFailedEventResponse{}, nil
+}
diff --git a/internal/api/grpc/admin/failed_event_converter.go b/internal/api/grpc/admin/failed_event_converter.go
new file mode 100644
index 0000000000..ad5b415e0a
--- /dev/null
+++ b/internal/api/grpc/admin/failed_event_converter.go
@@ -0,0 +1,32 @@
+package admin
+
+import (
+ "github.com/caos/zitadel/internal/view/model"
+ admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func FailedEventsToPb(failedEvents []*model.FailedEvent) []*admin_pb.FailedEvent {
+ events := make([]*admin_pb.FailedEvent, len(failedEvents))
+ for i, failedEvent := range failedEvents {
+ events[i] = FailedEventToPb(failedEvent)
+ }
+ return events
+}
+
+func FailedEventToPb(failedEvent *model.FailedEvent) *admin_pb.FailedEvent {
+ return &admin_pb.FailedEvent{
+ Database: failedEvent.Database,
+ ViewName: failedEvent.ViewName,
+ FailedSequence: failedEvent.FailedSequence,
+ FailureCount: failedEvent.FailureCount,
+ ErrorMessage: failedEvent.ErrMsg,
+ }
+}
+
+func RemoveFailedEventRequestToModel(req *admin_pb.RemoveFailedEventRequest) *model.FailedEvent {
+ return &model.FailedEvent{
+ Database: req.Database,
+ ViewName: req.ViewName,
+ FailedSequence: req.FailedSequence,
+ }
+}
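Review bot: The exported handlers ListFailedEvents and RemoveFailedEvent in failed_event.go have no doc comments, and ListFailedEvents never reads `req`, which a reader cannot tell is intentional. I would add `// ListFailedEvents returns every failed event reported by the administrator repository; req is currently unused.` and `// RemoveFailedEvent deletes the failed event identified by database, view name and failed sequence.` above them. If the request is meant to stay unused, naming the parameter `_` as the removed GetFailedEvents did makes that explicit.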
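Review bot: RemoveFailedEventRequestToModel in failed_event_converter.go reads `req.Database`, `req.ViewName` and `req.FailedSequence` directly, so a nil request panics now that the converter is exported; the generated getters are nil-safe, e.g. `Database: req.GetDatabase(),` and likewise for the other two fields. FailedEventToPb has the same dereference for a nil element of the slice passed to FailedEventsToPb. The client-supplied Database and ViewName are also handed on unchanged, and whether they are validated before the administrator repository uses them is not visible in this hunk, so it is worth confirming they are restricted to known views. FailedEventToPb also copies `ErrMsg` verbatim into `ErrorMessage`, so any internal detail stored in that message reaches every caller permitted to list failed events.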
diff --git a/internal/api/grpc/admin/failed_event_converter_test.go b/internal/api/grpc/admin/failed_event_converter_test.go
new file mode 100644
index 0000000000..0aa2180941
--- /dev/null
+++ b/internal/api/grpc/admin/failed_event_converter_test.go
@@ -0,0 +1,95 @@
+package admin_test
+
+import (
+ "testing"
+
+ admin_grpc "github.com/caos/zitadel/internal/api/grpc/admin"
+ "github.com/caos/zitadel/internal/test"
+ "github.com/caos/zitadel/internal/view/model"
+ admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func TestFailedEventsToPbFields(t *testing.T) {
+ type args struct {
+ failedEvents []*model.FailedEvent
+ }
+ tests := []struct {
+ name string
+ args args
+ }{
+ {
+ name: "all fields",
+ args: args{
+ failedEvents: []*model.FailedEvent{
+ {
+ Database: "admin",
+ ViewName: "users",
+ FailedSequence: 456,
+ FailureCount: 5,
+ ErrMsg: "some error",
+ },
+ },
+ },
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got := admin_grpc.FailedEventsToPb(tt.args.failedEvents)
+ for _, g := range got {
+ test.AssertFieldsMapped(t, g)
+ }
+ })
+ }
+}
+
+func TestFailedEventToPbFields(t *testing.T) {
+ type args struct {
+ failedEvent *model.FailedEvent
+ }
+ tests := []struct {
+ name string
+ args args
+ }{
+ {
+ "all fields",
+ args{
+ failedEvent: &model.FailedEvent{
+ Database: "admin",
+ ViewName: "users",
+ FailedSequence: 456,
+ FailureCount: 5,
+ ErrMsg: "some error",
+ },
+ },
+ },
+ }
+ for _, tt := range tests {
+ converted := admin_grpc.FailedEventToPb(tt.args.failedEvent)
+ test.AssertFieldsMapped(t, converted)
+ }
+}
+
+func TestRemoveFailedEventRequestToModelFields(t *testing.T) {
+ type args struct {
+ req *admin_pb.RemoveFailedEventRequest
+ }
+ tests := []struct {
+ name string
+ args args
+ }{
+ {
+ "all fields",
+ args{
+ req: &admin_pb.RemoveFailedEventRequest{
+ Database: "admin",
+ ViewName: "users",
+ FailedSequence: 456,
+ },
+ },
+ },
+ }
+ for _, tt := range tests {
+ converted := admin_grpc.RemoveFailedEventRequestToModel(tt.args.req)
+ test.AssertFieldsMapped(t, converted, "FailureCount", "ErrMsg")
+ }
+}
diff --git a/internal/api/grpc/admin/iam_member.go b/internal/api/grpc/admin/iam_member.go
index e25d8df192..c89e83485b 100644
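Review bot: TestFailedEventsToPbFields passes vacuously if FailedEventsToPb returns an empty slice, because its only assertion sits inside `for _, g := range got`; a length check before the loop, `if len(got) != len(tt.args.failedEvents) { t.Fatalf("got %d events, want %d", len(got), len(tt.args.failedEvents)) }`, closes that gap. The other two tests declare `name` but never use it, so a failing case is not identified in the output; wrapping their bodies in `t.Run(tt.name, func(t *testing.T) { ... })` as the first test does would keep the three consistent. What test.AssertFieldsMapped checks is not visible here; if it only checks that fields are set, none of these tests would catch two string fields being swapped, which a direct comparison of `Database` and `ViewName` would.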
--- a/internal/api/grpc/admin/iam_member.go
+++ b/internal/api/grpc/admin/iam_member.go
@@ -2,42 +2,65 @@ package admin import ( "context" + "time" - "github.com/golang/protobuf/ptypes/empty" - - "github.com/caos/zitadel/pkg/grpc/admin" + "github.com/caos/zitadel/internal/api/grpc/member" + "github.com/caos/zitadel/internal/api/grpc/object" + admin_pb "github.com/caos/zitadel/pkg/grpc/admin" ) -func (s *Server) GetIamMemberRoles(ctx context.Context, _ *empty.Empty) (*admin.IamMemberRoles, error) { - return &admin.IamMemberRoles{Roles: s.iam.GetIAMMemberRoles()}, nil +func (s *Server) ListIAMMemberRoles(ctx context.Context, req *admin_pb.ListIAMMemberRolesRequest) (*admin_pb.ListIAMMemberRolesResponse, error) { + roles := s.iam.GetIAMMemberRoles() + return &admin_pb.ListIAMMemberRolesResponse{ + Details: object.ToListDetails(uint64(len(roles)), 0, time.Now()), + }, nil } -func (s *Server) SearchIamMembers(ctx context.Context, in *admin.IamMemberSearchRequest) (*admin.IamMemberSearchResponse, error) { - members, err := s.iam.SearchIAMMembers(ctx, iamMemberSearchRequestToModel(in)) +func (s *Server) ListIAMMembers(ctx context.Context, req *admin_pb.ListIAMMembersRequest) (*admin_pb.ListIAMMembersResponse, error) { + res, err := s.iam.SearchIAMMembers(ctx, ListIAMMemberRequestToModel(req)) if err != nil { return nil, err } - return iamMemberSearchResponseFromModel(members), nil + return &admin_pb.ListIAMMembersResponse{ + Details: object.ToListDetails(res.TotalResult, res.Sequence, res.Timestamp), + Result: member.IAMMembersToPb(res.Result), + }, nil } -func (s *Server) AddIamMember(ctx context.Context, member *admin.AddIamMemberRequest) (*admin.IamMember, error) { - addedMember, err := s.command.AddIAMMember(ctx, addIamMemberToDomain(member)) +func (s *Server) AddIAMMember(ctx context.Context, req *admin_pb.AddIAMMemberRequest) (*admin_pb.AddIAMMemberResponse, error) { + member, err := s.command.AddIAMMember(ctx, AddIAMMemberToDomain(req)) if err != nil { return nil, err } - - return iamMemberFromDomain(addedMember), nil + return 
&admin_pb.AddIAMMemberResponse{ + Details: object.ToDetailsPb( + member.Sequence, + member.ChangeDate, + member.ResourceOwner, + ), + }, nil } -func (s *Server) ChangeIamMember(ctx context.Context, member *admin.ChangeIamMemberRequest) (*admin.IamMember, error) { - changedMember, err := s.command.ChangeIAMMember(ctx, changeIamMemberToDomain(member)) +func (s *Server) UpdateIAMMember(ctx context.Context, req *admin_pb.UpdateIAMMemberRequest) (*admin_pb.UpdateIAMMemberResponse, error) { + member, err := s.command.ChangeIAMMember(ctx, UpdateIAMMemberToDomain(req)) if err != nil { return nil, err } - return iamMemberFromDomain(changedMember), nil + return &admin_pb.UpdateIAMMemberResponse{ + Details: object.ToDetailsPb( + member.Sequence, + member.ChangeDate, + member.ResourceOwner, + ), + }, nil } -func (s *Server) RemoveIamMember(ctx context.Context, member *admin.RemoveIamMemberRequest) (*empty.Empty, error) { - err := s.command.RemoveIAMMember(ctx, member.UserId) - return &empty.Empty{}, err +func (s *Server) RemoveIAMMember(ctx context.Context, req *admin_pb.RemoveIAMMemberRequest) (*admin_pb.RemoveIAMMemberResponse, error) { + objectDetails, err := s.command.RemoveIAMMember(ctx, req.UserId) + if err != nil { + return nil, err + } + return &admin_pb.RemoveIAMMemberResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil } diff --git a/internal/api/grpc/admin/iam_member_converter.go b/internal/api/grpc/admin/iam_member_converter.go index 929230fa25..aa3d09b6a3 100644 --- a/internal/api/grpc/admin/iam_member_converter.go +++ b/internal/api/grpc/admin/iam_member_converter.go 
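Review bot: ListIAMMemberRoles fetches `roles` but uses it only for `len(roles)` in `Details`, so the role names never reach the response, whereas the removed GetIamMemberRoles returned them in `Roles`. Unless ListIAMMemberRolesResponse deliberately has no list field (its definition is not visible in this hunk), that field should be set from `roles`, otherwise a client building a role picker receives a count and an empty list. Separately, AddIAMMember and UpdateIAMMember declare a local `member` that shadows the imported `member` package used by ListIAMMembers. Renaming the local (for example `res`) or aliasing the import as `member_grpc`, as iam_member_converter.go does, avoids the shadowing.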
@@ -1,129 +1,32 @@ package admin import ( - "github.com/caos/logging" + member_grpc "github.com/caos/zitadel/internal/api/grpc/member" "github.com/caos/zitadel/internal/domain" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" - - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/admin" + "github.com/caos/zitadel/internal/iam/model" + admin_pb "github.com/caos/zitadel/pkg/grpc/admin" ) -func addIamMemberToDomain(member *admin.AddIamMemberRequest) *domain.Member { - return domain.NewMember(domain.IAMID, member.UserId, member.Roles...) -} - -func changeIamMemberToDomain(member *admin.ChangeIamMemberRequest) *domain.Member { - return domain.NewMember(domain.IAMID, member.UserId, member.Roles...) -} - -func iamMemberFromDomain(member *domain.Member) *admin.IamMember { - return &admin.IamMember{ - UserId: member.UserID, - ChangeDate: timestamppb.New(member.ChangeDate), - Roles: member.Roles, - Sequence: member.Sequence, +func AddIAMMemberToDomain(req *admin_pb.AddIAMMemberRequest) *domain.Member { + return &domain.Member{ + UserID: req.UserId, + Roles: req.Roles, } } -func iamMemberSearchRequestToModel(request *admin.IamMemberSearchRequest) *iam_model.IAMMemberSearchRequest { - return &iam_model.IAMMemberSearchRequest{ - Limit: request.Limit, - Offset: request.Offset, - Queries: iamMemberSearchQueriesToModel(request.Queries), +func UpdateIAMMemberToDomain(req *admin_pb.UpdateIAMMemberRequest) *domain.Member { + return &domain.Member{ + UserID: req.UserId, + Roles: req.Roles, } } -func iamMemberSearchQueriesToModel(queries []*admin.IamMemberSearchQuery) []*iam_model.IAMMemberSearchQuery { - modelQueries := make([]*iam_model.IAMMemberSearchQuery, len(queries)) - for i, query := range queries { - modelQueries[i] = iamMemberSearchQueryToModel(query) - } - - return modelQueries -} - -func iamMemberSearchQueryToModel(query *admin.IamMemberSearchQuery) *iam_model.IAMMemberSearchQuery { - return 
&iam_model.IAMMemberSearchQuery{ - Key: iamMemberSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func iamMemberSearchKeyToModel(key admin.IamMemberSearchKey) iam_model.IAMMemberSearchKey { - switch key { - case admin.IamMemberSearchKey_IAMMEMBERSEARCHKEY_EMAIL: - return iam_model.IAMMemberSearchKeyEmail - case admin.IamMemberSearchKey_IAMMEMBERSEARCHKEY_FIRST_NAME: - return iam_model.IAMMemberSearchKeyFirstName - case admin.IamMemberSearchKey_IAMMEMBERSEARCHKEY_LAST_NAME: - return iam_model.IAMMemberSearchKeyLastName - case admin.IamMemberSearchKey_IAMMEMBERSEARCHKEY_USER_ID: - return iam_model.IAMMemberSearchKeyUserID - default: - return iam_model.IAMMemberSearchKeyUnspecified - } -} - -func searchMethodToModel(key admin.SearchMethod) domain.SearchMethod { - switch key { - case admin.SearchMethod_SEARCHMETHOD_CONTAINS: - return domain.SearchMethodContains - case admin.SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE: - return domain.SearchMethodContainsIgnoreCase - case admin.SearchMethod_SEARCHMETHOD_EQUALS: - return domain.SearchMethodEquals - case admin.SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE: - return domain.SearchMethodEqualsIgnoreCase - case admin.SearchMethod_SEARCHMETHOD_STARTS_WITH: - return domain.SearchMethodStartsWith - case admin.SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE: - return domain.SearchMethodStartsWithIgnoreCase - default: - return -1 - } -} - -func iamMemberSearchResponseFromModel(resp *iam_model.IAMMemberSearchResponse) *admin.IamMemberSearchResponse { - timestamp, err := ptypes.TimestampProto(resp.Timestamp) - logging.Log("GRPC-5shu8").OnError(err).Debug("date parse failed") - return &admin.IamMemberSearchResponse{ - Limit: resp.Limit, - Offset: resp.Offset, - TotalResult: resp.TotalResult, - Result: iamMembersFromView(resp.Result), - ProcessedSequence: resp.Sequence, - ViewTimestamp: timestamp, - } -} -func iamMembersFromView(viewMembers []*iam_model.IAMMemberView) 
[]*admin.IamMemberView { - members := make([]*admin.IamMemberView, len(viewMembers)) - - for i, member := range viewMembers { - members[i] = iamMemberFromView(member) - } - - return members -} - -func iamMemberFromView(member *iam_model.IAMMemberView) *admin.IamMemberView { - changeDate, err := ptypes.TimestampProto(member.ChangeDate) - logging.Log("GRPC-Lso9c").OnError(err).Debug("unable to parse changedate") - creationDate, err := ptypes.TimestampProto(member.CreationDate) - logging.Log("GRPC-6szE").OnError(err).Debug("unable to parse creation date") - - return &admin.IamMemberView{ - ChangeDate: changeDate, - CreationDate: creationDate, - Roles: member.Roles, - Sequence: member.Sequence, - UserId: member.UserID, - UserName: member.UserName, - Email: member.Email, - FirstName: member.FirstName, - LastName: member.LastName, - DisplayName: member.DisplayName, +func ListIAMMemberRequestToModel(req *admin_pb.ListIAMMembersRequest) *model.IAMMemberSearchRequest { + return &model.IAMMemberSearchRequest{ + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + // SortingColumn: model.IAMMemberSearchKey, //TOOD: not implemented in proto + Queries: member_grpc.MemberQueriesToIAMMember(req.Queries), } } diff --git a/internal/api/grpc/admin/iam_member_converter_test.go b/internal/api/grpc/admin/iam_member_converter_test.go new file mode 100644 index 0000000000..0f0438fd39 --- /dev/null +++ b/internal/api/grpc/admin/iam_member_converter_test.go 
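Review bot: `ListIAMMemberRequestToModel` reads `req.Query.Offset`, `req.Query.Limit` and `req.Query.Asc` by direct field access, so a request that omits `query` would dereference a nil pointer inside the handler, assuming `Query` is a generated message pointer as the access pattern suggests. Use the nil-safe generated getters, `Offset: req.GetQuery().GetOffset(),` and likewise for `Limit` and `Asc`, or return an invalid-argument error when the query is missing. `listIDPsToModel` in idp_converter.go has the same pattern. `Limit` is also passed through without an upper bound here; whether a cap is applied further down is not visible.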
@@ -0,0 +1,60 @@
+package admin
+
+import (
+ "testing"
+
+ "github.com/caos/zitadel/internal/test"
+ "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func TestAddIAMMemberToDomain(t *testing.T) {
+ type args struct {
+ req *admin.AddIAMMemberRequest
+ }
+ tests := []struct {
+ name string
+ args args
+ }{
+ {
+ name: "all fields filled",
+ args: args{
+ req: &admin.AddIAMMemberRequest{
+ UserId: "1232452",
+ Roles: []string{"admin"},
+ },
+ },
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got := AddIAMMemberToDomain(tt.args.req)
+ test.AssertFieldsMapped(t, got, "ObjectRoot")
+ })
+ }
+}
+
+func TestUpdateIAMMemberToDomain(t *testing.T) {
+ type args struct {
+ req *admin.UpdateIAMMemberRequest
+ }
+ tests := []struct {
+ name string
+ args args
+ }{
+ {
+ name: "all fields filled",
+ args: args{
+ req: &admin.UpdateIAMMemberRequest{
+ UserId: "1232452",
+ Roles: []string{"admin"},
+ },
+ },
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got := UpdateIAMMemberToDomain(tt.args.req)
+ test.AssertFieldsMapped(t, got, "ObjectRoot")
+ })
+ }
+}
diff --git a/internal/api/grpc/admin/idp.go b/internal/api/grpc/admin/idp.go
new file mode 100644
index 0000000000..e4f7236903
--- /dev/null
+++ b/internal/api/grpc/admin/idp.go
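Review bot: Both tests pass `"ObjectRoot"` as an ignored field to `test.AssertFieldsMapped`, so they cannot notice that `AddIAMMemberToDomain` and `UpdateIAMMemberToDomain` no longer set an aggregate ID, which the removed `domain.NewMember(domain.IAMID, …)` calls presumably did. If the command layer does not fill it in (not visible here), the member would reach the command without the IAM aggregate it belongs to. Either set it in the converters or assert it explicitly, e.g. `if got.AggregateID != domain.IAMID { t.Errorf("aggregate id = %q", got.AggregateID) }`. The import is also the unaliased `admin` here, while the package under test uses `admin_pb`.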
@@ -0,0 +1,103 @@
+package admin
+
+import (
+ "context"
+
+ idp_grpc "github.com/caos/zitadel/internal/api/grpc/idp"
+ object_pb "github.com/caos/zitadel/internal/api/grpc/object"
+ admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func (s *Server) GetIDPByID(ctx context.Context, req *admin_pb.GetIDPByIDRequest) (*admin_pb.GetIDPByIDResponse, error) {
+ idp, err := s.query.DefaultIDPConfigByID(ctx, req.Id)
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.GetIDPByIDResponse{Idp: idp_grpc.IDPViewToPb(idp)}, nil
+}
+
+func (s *Server) ListIDPs(ctx context.Context, req *admin_pb.ListIDPsRequest) (*admin_pb.ListIDPsResponse, error) {
+ resp, err := s.iam.SearchIDPConfigs(ctx, listIDPsToModel(req))
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.ListIDPsResponse{
+ Result: idp_grpc.IDPViewsToPb(resp.Result),
+ Details: object_pb.ToListDetails(resp.TotalResult, resp.Sequence, resp.Timestamp),
+ }, nil
+}
+
+func (s *Server) AddOIDCIDP(ctx context.Context, req *admin_pb.AddOIDCIDPRequest) (*admin_pb.AddOIDCIDPResponse, error) {
+ config, err := s.command.AddDefaultIDPConfig(ctx, addOIDCIDPRequestToDomain(req))
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.AddOIDCIDPResponse{
+ IdpId: config.AggregateID,
+ Details: object_pb.ToDetailsPb(
+ config.Sequence,
+ config.ChangeDate,
+ config.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) UpdateIDP(ctx context.Context, req *admin_pb.UpdateIDPRequest) (*admin_pb.UpdateIDPResponse, error) {
+ config, err := s.command.ChangeDefaultIDPConfig(ctx, updateIDPToDomain(req))
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.UpdateIDPResponse{
+ Details: object_pb.ToDetailsPb(
+ config.Sequence,
+ config.ChangeDate,
+ config.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) DeactivateIDP(ctx context.Context, req *admin_pb.DeactivateIDPRequest) (*admin_pb.DeactivateIDPResponse, error) {
+ objectDetails, err := s.command.DeactivateDefaultIDPConfig(ctx, req.IdpId)
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.DeactivateIDPResponse{Details: object_pb.DomainToDetailsPb(objectDetails)}, nil
+}
+
+func (s *Server) ReactivateIDP(ctx context.Context, req *admin_pb.ReactivateIDPRequest) (*admin_pb.ReactivateIDPResponse, error) {
+ objectDetails, err := s.command.ReactivateDefaultIDPConfig(ctx, req.IdpId)
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.ReactivateIDPResponse{Details: object_pb.DomainToDetailsPb(objectDetails)}, nil
+}
+
+func (s *Server) RemoveIDP(ctx context.Context, req *admin_pb.RemoveIDPRequest) (*admin_pb.RemoveIDPResponse, error) {
+ idpProviders, err := s.iam.IDPProvidersByIDPConfigID(ctx, req.IdpId)
+ if err != nil {
+ return nil, err
+ }
+ externalIDPs, err := s.iam.ExternalIDPsByIDPConfigID(ctx, req.IdpId)
+ if err != nil {
+ return nil, err
+ }
+ objectDetails, err := s.command.RemoveDefaultIDPConfig(ctx, req.IdpId, idpProviderViewsToDomain(idpProviders), externalIDPViewsToDomain(externalIDPs)...)
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.RemoveIDPResponse{Details: object_pb.DomainToDetailsPb(objectDetails)}, nil
+}
+
+func (s *Server) UpdateIDPOIDCConfig(ctx context.Context, req *admin_pb.UpdateIDPOIDCConfigRequest) (*admin_pb.UpdateIDPOIDCConfigResponse, error) {
+ config, err := s.command.ChangeDefaultIDPOIDCConfig(ctx, updateOIDCConfigToDomain(req))
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.UpdateIDPOIDCConfigResponse{
+ Details: object_pb.ToDetailsPb(
+ config.Sequence,
+ config.ChangeDate,
+ config.ResourceOwner,
+ ),
+ }, nil
+}
diff --git a/internal/api/grpc/admin/idp_config.go b/internal/api/grpc/admin/idp_config.go
deleted file mode 100644
index c17510804b..0000000000
--- a/internal/api/grpc/admin/idp_config.go
+++ /dev/null
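Review bot: Every handler in this file operates on the default IDP configuration (`DefaultIDPConfigByID`, `AddDefaultIDPConfig`, `RemoveDefaultIDPConfig`), but the exported names no longer say so and none of them has a doc comment. Add one per handler, e.g. `// GetIDPByID returns the default (IAM-level) IDP configuration with the given ID.` In `RemoveIDP`, the provider and external-IDP lists are read from `s.iam` before the command runs. If those reads come from a projection that can lag behind writes, links created in between would not be passed to `RemoveDefaultIDPConfig`, which is worth confirming.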
@@ -1,71 +0,0 @@ -package admin - -import ( - "context" - "github.com/golang/protobuf/ptypes/empty" - - "github.com/caos/zitadel/pkg/grpc/admin" -) - -func (s *Server) IdpByID(ctx context.Context, id *admin.IdpID) (*admin.IdpView, error) { - config, err := s.query.DefaultIDPConfigByID(ctx, id.Id) - if err != nil { - return nil, err - } - return idpViewFromDomain(config), nil -} - -func (s *Server) CreateOidcIdp(ctx context.Context, oidcIdpConfig *admin.OidcIdpConfigCreate) (*admin.Idp, error) { - config, err := s.command.AddDefaultIDPConfig(ctx, createOIDCIDPToDomain(oidcIdpConfig)) - if err != nil { - return nil, err - } - return idpFromDomain(config), nil -} - -func (s *Server) UpdateIdpConfig(ctx context.Context, idpConfig *admin.IdpUpdate) (*admin.Idp, error) { - config, err := s.command.ChangeDefaultIDPConfig(ctx, updateIdpToDomain(idpConfig)) - if err != nil { - return nil, err - } - return idpFromDomain(config), nil -} - -func (s *Server) DeactivateIdpConfig(ctx context.Context, id *admin.IdpID) (*empty.Empty, error) { - err := s.command.DeactivateDefaultIDPConfig(ctx, id.Id) - return &empty.Empty{}, err -} - -func (s *Server) ReactivateIdpConfig(ctx context.Context, id *admin.IdpID) (*empty.Empty, error) { - err := s.command.ReactivateDefaultIDPConfig(ctx, id.Id) - return &empty.Empty{}, err -} - -func (s *Server) RemoveIdpConfig(ctx context.Context, id *admin.IdpID) (*empty.Empty, error) { - idpProviders, err := s.iam.IDPProvidersByIDPConfigID(ctx, id.Id) - if err != nil { - return &empty.Empty{}, err - } - externalIDPs, err := s.iam.ExternalIDPsByIDPConfigID(ctx, id.Id) - if err != nil { - return &empty.Empty{}, err - } - err = s.command.RemoveDefaultIDPConfig(ctx, id.Id, idpProviderViewsToDomain(idpProviders), externalIDPViewsToDomain(externalIDPs)...) 
- return &empty.Empty{}, err -} - -func (s *Server) UpdateOidcIdpConfig(ctx context.Context, request *admin.OidcIdpConfigUpdate) (*admin.OidcIdpConfig, error) { - config, err := s.command.ChangeDefaultIDPOIDCConfig(ctx, updateOIDCIDPToDomain(request)) - if err != nil { - return nil, err - } - return oidcIDPConfigFromDomain(config), nil -} - -func (s *Server) SearchIdps(ctx context.Context, request *admin.IdpSearchRequest) (*admin.IdpSearchResponse, error) { - response, err := s.iam.SearchIDPConfigs(ctx, idpConfigSearchRequestToModel(request)) - if err != nil { - return nil, err - } - return idpConfigSearchResponseFromModel(response), nil -} diff --git a/internal/api/grpc/admin/idp_config_converter.go b/internal/api/grpc/admin/idp_config_converter.go deleted file mode 100644 index 533d69fe27..0000000000 --- a/internal/api/grpc/admin/idp_config_converter.go +++ /dev/null 
@@ -1,283 +0,0 @@ -package admin - -import ( - "github.com/caos/logging" - "github.com/caos/zitadel/internal/domain" - "github.com/caos/zitadel/internal/eventstore/v1/models" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" -) - -func createOIDCIDPToDomain(idp *admin.OidcIdpConfigCreate) *domain.IDPConfig { - return &domain.IDPConfig{ - Name: idp.Name, - StylingType: idpConfigStylingTypeToDomain(idp.StylingType), - Type: domain.IDPConfigTypeOIDC, - OIDCConfig: &domain.OIDCIDPConfig{ - ClientID: idp.ClientId, - ClientSecretString: idp.ClientSecret, - Issuer: idp.Issuer, - Scopes: idp.Scopes, - IDPDisplayNameMapping: oidcMappingFieldToDomain(idp.IdpDisplayNameMapping), - UsernameMapping: oidcMappingFieldToDomain(idp.UsernameMapping), - }, - } -} - -func updateIdpToDomain(idp *admin.IdpUpdate) *domain.IDPConfig { - return &domain.IDPConfig{ - IDPConfigID: idp.Id, - Name: idp.Name, - StylingType: idpConfigStylingTypeToDomain(idp.StylingType), - } -} - -func updateOIDCIDPToDomain(idp *admin.OidcIdpConfigUpdate) *domain.OIDCIDPConfig { - return &domain.OIDCIDPConfig{ - IDPConfigID: idp.IdpId, - ClientID: idp.ClientId, - ClientSecretString: idp.ClientSecret, - Issuer: idp.Issuer, - Scopes: idp.Scopes, - IDPDisplayNameMapping: oidcMappingFieldToDomain(idp.IdpDisplayNameMapping), - UsernameMapping: oidcMappingFieldToDomain(idp.UsernameMapping), - } -} - -func idpFromDomain(idp *domain.IDPConfig) *admin.Idp { - return &admin.Idp{ - Id: idp.IDPConfigID, - ChangeDate: timestamppb.New(idp.ChangeDate), - Sequence: idp.Sequence, - Name: idp.Name, - StylingType: idpConfigStylingTypeFromDomain(idp.StylingType), - State: idpConfigStateFromDomain(idp.State), - IdpConfig: idpConfigFromDomain(idp), - } -} - -func idpViewFromDomain(idp *domain.IDPConfigView) *admin.IdpView { - creationDate, err := ptypes.TimestampProto(idp.CreationDate) - 
logging.Log("GRPC-8dju8").OnError(err).Debug("date parse failed") - - changeDate, err := ptypes.TimestampProto(idp.ChangeDate) - logging.Log("GRPC-Dsj8i").OnError(err).Debug("date parse failed") - - return &admin.IdpView{ - Id: idp.IDPConfigID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: idp.Sequence, - Name: idp.Name, - StylingType: admin.IdpStylingType(idp.StylingType), - State: admin.IdpState(idp.State), - IdpConfigView: idpConfigViewFromDomain(idp), - } -} - -func idpViewFromModel(idp *iam_model.IDPConfigView) *admin.IdpView { - creationDate, err := ptypes.TimestampProto(idp.CreationDate) - logging.Log("GRPC-8dju8").OnError(err).Debug("date parse failed") - - changeDate, err := ptypes.TimestampProto(idp.ChangeDate) - logging.Log("GRPC-Dsj8i").OnError(err).Debug("date parse failed") - - return &admin.IdpView{ - Id: idp.IDPConfigID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: idp.Sequence, - Name: idp.Name, - StylingType: admin.IdpStylingType(idp.StylingType), - State: admin.IdpState(idp.State), - IdpConfigView: idpConfigViewFromModel(idp), - } -} - -func idpConfigFromDomain(idp *domain.IDPConfig) *admin.Idp_OidcConfig { - if idp.Type == domain.IDPConfigTypeOIDC { - return &admin.Idp_OidcConfig{ - OidcConfig: oidcIDPConfigFromDomain(idp.OIDCConfig), - } - } - return nil -} - -func oidcIDPConfigFromDomain(idp *domain.OIDCIDPConfig) *admin.OidcIdpConfig { - return &admin.OidcIdpConfig{ - ClientId: idp.ClientID, - Issuer: idp.Issuer, - Scopes: idp.Scopes, - } -} - -func idpConfigViewFromDomain(idp *domain.IDPConfigView) *admin.IdpView_OidcConfig { - if idp.IsOIDC { - return &admin.IdpView_OidcConfig{ - OidcConfig: oidcIdpConfigViewFromDomain(idp), - } - } - return nil -} - -func idpConfigViewFromModel(idp *iam_model.IDPConfigView) *admin.IdpView_OidcConfig { - if idp.IsOIDC { - return &admin.IdpView_OidcConfig{ - OidcConfig: oidcIdpConfigViewFromModel(idp), - } - } - return nil -} - -func 
oidcIdpConfigViewFromDomain(idp *domain.IDPConfigView) *admin.OidcIdpConfigView { - return &admin.OidcIdpConfigView{ - ClientId: idp.OIDCClientID, - Issuer: idp.OIDCIssuer, - Scopes: idp.OIDCScopes, - IdpDisplayNameMapping: oidcMappingFieldFromDomain(idp.OIDCIDPDisplayNameMapping), - UsernameMapping: oidcMappingFieldFromDomain(idp.OIDCUsernameMapping), - } -} - -func oidcIdpConfigViewFromModel(idp *iam_model.IDPConfigView) *admin.OidcIdpConfigView { - return &admin.OidcIdpConfigView{ - ClientId: idp.OIDCClientID, - Issuer: idp.OIDCIssuer, - Scopes: idp.OIDCScopes, - IdpDisplayNameMapping: admin.OIDCMappingField(idp.OIDCIDPDisplayNameMapping), - UsernameMapping: admin.OIDCMappingField(idp.OIDCUsernameMapping), - } -} - -func idpConfigStateFromDomain(state domain.IDPConfigState) admin.IdpState { - switch state { - case domain.IDPConfigStateActive: - return admin.IdpState_IDPCONFIGSTATE_ACTIVE - case domain.IDPConfigStateInactive: - return admin.IdpState_IDPCONFIGSTATE_INACTIVE - default: - return admin.IdpState_IDPCONFIGSTATE_UNSPECIFIED - } -} - -func oidcMappingFieldFromDomain(field domain.OIDCMappingField) admin.OIDCMappingField { - switch field { - case domain.OIDCMappingFieldPreferredLoginName: - return admin.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME - case domain.OIDCMappingFieldEmail: - return admin.OIDCMappingField_OIDCMAPPINGFIELD_EMAIL - default: - return admin.OIDCMappingField_OIDCMAPPINGFIELD_UNSPECIFIED - } -} - -func oidcMappingFieldToDomain(field admin.OIDCMappingField) domain.OIDCMappingField { - switch field { - case admin.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME: - return domain.OIDCMappingFieldPreferredLoginName - case admin.OIDCMappingField_OIDCMAPPINGFIELD_EMAIL: - return domain.OIDCMappingFieldEmail - default: - return domain.OIDCMappingFieldPreferredLoginName - } -} - -func idpConfigSearchRequestToModel(request *admin.IdpSearchRequest) *iam_model.IDPConfigSearchRequest { - return &iam_model.IDPConfigSearchRequest{ - 
Limit: request.Limit, - Offset: request.Offset, - Queries: idpConfigSearchQueriesToModel(request.Queries), - } -} - -func idpConfigSearchQueriesToModel(queries []*admin.IdpSearchQuery) []*iam_model.IDPConfigSearchQuery { - modelQueries := make([]*iam_model.IDPConfigSearchQuery, len(queries)) - for i, query := range queries { - modelQueries[i] = idpConfigSearchQueryToModel(query) - } - - return modelQueries -} - -func idpConfigSearchQueryToModel(query *admin.IdpSearchQuery) *iam_model.IDPConfigSearchQuery { - return &iam_model.IDPConfigSearchQuery{ - Key: idpConfigSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func idpConfigSearchKeyToModel(key admin.IdpSearchKey) iam_model.IDPConfigSearchKey { - switch key { - case admin.IdpSearchKey_IDPSEARCHKEY_IDP_CONFIG_ID: - return iam_model.IDPConfigSearchKeyIdpConfigID - case admin.IdpSearchKey_IDPSEARCHKEY_NAME: - return iam_model.IDPConfigSearchKeyName - default: - return iam_model.IDPConfigSearchKeyUnspecified - } -} - -func idpConfigSearchResponseFromModel(resp *iam_model.IDPConfigSearchResponse) *admin.IdpSearchResponse { - timestamp, err := ptypes.TimestampProto(resp.Timestamp) - logging.Log("GRPC-KSi8c").OnError(err).Debug("date parse failed") - return &admin.IdpSearchResponse{ - Limit: resp.Limit, - Offset: resp.Offset, - TotalResult: resp.TotalResult, - Result: idpConfigsFromView(resp.Result), - ProcessedSequence: resp.Sequence, - ViewTimestamp: timestamp, - } -} - -func idpConfigsFromView(viewIdps []*iam_model.IDPConfigView) []*admin.IdpView { - idps := make([]*admin.IdpView, len(viewIdps)) - for i, idp := range viewIdps { - idps[i] = idpViewFromModel(idp) - } - return idps -} - -func idpConfigStylingTypeFromDomain(stylingType domain.IDPConfigStylingType) admin.IdpStylingType { - switch stylingType { - case domain.IDPConfigStylingTypeGoogle: - return admin.IdpStylingType_IDPSTYLINGTYPE_GOOGLE - default: - return 
admin.IdpStylingType_IDPSTYLINGTYPE_UNSPECIFIED - } -} - -func idpConfigStylingTypeToDomain(stylingType admin.IdpStylingType) domain.IDPConfigStylingType { - switch stylingType { - case admin.IdpStylingType_IDPSTYLINGTYPE_GOOGLE: - return domain.IDPConfigStylingTypeGoogle - default: - return domain.IDPConfigStylingTypeUnspecified - } -} - -func idpConfigTypeToDomain(idpType iam_model.IDPProviderType) domain.IdentityProviderType { - switch idpType { - case iam_model.IDPProviderTypeOrg: - return domain.IdentityProviderTypeOrg - default: - return domain.IdentityProviderTypeSystem - } -} - -func idpProviderViewsToDomain(idps []*iam_model.IDPProviderView) []*domain.IDPProvider { - idpProvider := make([]*domain.IDPProvider, len(idps)) - for i, idp := range idps { - idpProvider[i] = &domain.IDPProvider{ - ObjectRoot: models.ObjectRoot{ - AggregateID: idp.AggregateID, - }, - IDPConfigID: idp.IDPConfigID, - Type: idpConfigTypeToDomain(idp.IDPProviderType), - } - } - return idpProvider -} diff --git a/internal/api/grpc/admin/idp_converter.go b/internal/api/grpc/admin/idp_converter.go new file mode 100644 index 0000000000..6f0d46db64 --- /dev/null +++ b/internal/api/grpc/admin/idp_converter.go 
@@ -0,0 +1,119 @@
+package admin
+
+import (
+ idp_grpc "github.com/caos/zitadel/internal/api/grpc/idp"
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/internal/eventstore/v1/models"
+ iam_model "github.com/caos/zitadel/internal/iam/model"
+ user_model "github.com/caos/zitadel/internal/user/model"
+ admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func addOIDCIDPRequestToDomain(req *admin_pb.AddOIDCIDPRequest) *domain.IDPConfig {
+ return &domain.IDPConfig{
+ Name: req.Name,
+ OIDCConfig: addOIDCIDPRequestToDomainOIDCIDPConfig(req),
+ StylingType: idp_grpc.IDPStylingTypeToDomain(req.StylingType),
+ Type: domain.IDPConfigTypeOIDC,
+ }
+}
+
+func addOIDCIDPRequestToDomainOIDCIDPConfig(req *admin_pb.AddOIDCIDPRequest) *domain.OIDCIDPConfig {
+ return &domain.OIDCIDPConfig{
+ ClientID: req.ClientId,
+ ClientSecretString: req.ClientSecret,
+ Issuer: req.Issuer,
+ Scopes: req.Scopes,
+ IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping),
+ UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping),
+ }
+}
+
+func updateIDPToDomain(req *admin_pb.UpdateIDPRequest) *domain.IDPConfig {
+ return &domain.IDPConfig{
+ IDPConfigID: req.IdpId,
+ Name: req.Name,
+ StylingType: idp_grpc.IDPStylingTypeToDomain(req.StylingType),
+ }
+}
+
+func updateOIDCConfigToDomain(req *admin_pb.UpdateIDPOIDCConfigRequest) *domain.OIDCIDPConfig {
+ return &domain.OIDCIDPConfig{
+ IDPConfigID: req.IdpId,
+ ClientID: req.ClientId,
+ ClientSecretString: req.ClientSecret,
+ Issuer: req.Issuer,
+ Scopes: req.Scopes,
+ IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping),
+ UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping),
+ }
+}
+
+func listIDPsToModel(req *admin_pb.ListIDPsRequest) *iam_model.IDPConfigSearchRequest {
+ return &iam_model.IDPConfigSearchRequest{
+ Offset: req.Query.Offset,
+ Limit: uint64(req.Query.Limit),
+ Asc: req.Query.Asc,
+ SortingColumn: idp_grpc.FieldNameToModel(req.SortingColumn),
+ Queries: idpQueriesToModel(req.Queries),
+ }
+}
+
+func idpQueriesToModel(queries []*admin_pb.IDPQuery) []*iam_model.IDPConfigSearchQuery {
+ q := make([]*iam_model.IDPConfigSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i] = idpQueryToModel(query)
+ }
+
+ return q
+}
+
+func idpQueryToModel(query *admin_pb.IDPQuery) *iam_model.IDPConfigSearchQuery {
+ switch q := query.Query.(type) {
+ case *admin_pb.IDPQuery_IdpNameQuery:
+ return idp_grpc.IDPNameQueryToModel(q.IdpNameQuery)
+ case *admin_pb.IDPQuery_IdpIdQuery:
+ return idp_grpc.IDPIDQueryToModel(q.IdpIdQuery)
+ default:
+ return nil
+ }
+}
+
+func idpProviderViewsToDomain(idps []*iam_model.IDPProviderView) []*domain.IDPProvider {
+ idpProvider := make([]*domain.IDPProvider, len(idps))
+ for i, idp := range idps {
+ idpProvider[i] = &domain.IDPProvider{
+ ObjectRoot: models.ObjectRoot{
+ AggregateID: idp.AggregateID,
+ },
+ IDPConfigID: idp.IDPConfigID,
+ Type: idpConfigTypeToDomain(idp.IDPProviderType),
+ }
+ }
+ return idpProvider
+}
+
+func idpConfigTypeToDomain(idpType iam_model.IDPProviderType) domain.IdentityProviderType {
+ switch idpType {
+ case iam_model.IDPProviderTypeOrg:
+ return domain.IdentityProviderTypeOrg
+ default:
+ return domain.IdentityProviderTypeSystem
+ }
+}
+
+func externalIDPViewsToDomain(idps []*user_model.ExternalIDPView) []*domain.ExternalIDP {
+ externalIDPs := make([]*domain.ExternalIDP, len(idps))
+ for i, idp := range idps {
+ externalIDPs[i] = &domain.ExternalIDP{
+ ObjectRoot: models.ObjectRoot{
+ AggregateID: idp.UserID,
+ ResourceOwner: idp.ResourceOwner,
+ },
+ IDPConfigID: idp.IDPConfigID,
+ ExternalUserID: idp.ExternalUserID,
+ DisplayName: idp.UserDisplayName,
+ }
+ }
+ return externalIDPs
+}
diff --git a/internal/api/grpc/admin/idp_converter_test.go b/internal/api/grpc/admin/idp_converter_test.go
new file mode 100644
index 0000000000..1cc31a9258
--- /dev/null
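Review bot: `idpQueryToModel` returns `nil` for an unset or unrecognised `Query` oneof, and `idpQueriesToModel` stores that value straight into the slice, so a request containing an empty query element yields a `nil` entry in `Queries`. Unless every consumer of `IDPConfigSearchRequest.Queries` checks for nil (not visible here), a client can trigger a nil dereference in the search path. Reject such a request with an invalid-argument error rather than dropping the element silently, since a dropped filter widens the result set. The converters in this file also pass `req.ClientSecret` on as `ClientSecretString` in plain form; a comment naming where it gets encrypted would help the next reader.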
+++ b/internal/api/grpc/admin/idp_converter_test.go 
@@ -0,0 +1,149 @@ +package admin + +import ( + "testing" + + "github.com/caos/zitadel/internal/test" + admin_pb "github.com/caos/zitadel/pkg/grpc/admin" + "github.com/caos/zitadel/pkg/grpc/idp" +) + +func Test_addOIDCIDPRequestToDomain(t *testing.T) { + type args struct { + req *admin_pb.AddOIDCIDPRequest + } + tests := []struct { + name string + args args + }{ + { + name: "all fields filled", + args: args{ + req: &admin_pb.AddOIDCIDPRequest{ + Name: "ZITADEL", + StylingType: idp.IDPStylingType_STYLING_TYPE_GOOGLE, + ClientId: "test1234", + ClientSecret: "test4321", + Issuer: "zitadel.ch", + Scopes: []string{"email", "profile"}, + DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL, + UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME, + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := addOIDCIDPRequestToDomain(tt.args.req) + test.AssertFieldsMapped(t, got, + "ObjectRoot", + "OIDCConfig.ClientSecret", + "OIDCConfig.ObjectRoot", + "OIDCConfig.IDPConfigID", + "IDPConfigID", + "State", + "Type", //TODO: default (0) is oidc + ) + }) + } +} + +func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) { + type args struct { + req *admin_pb.AddOIDCIDPRequest + } + tests := []struct { + name string + args args + }{ + { + name: "all fields filled", + args: args{ + req: &admin_pb.AddOIDCIDPRequest{ + ClientId: "test1234", + ClientSecret: "test4321", + Issuer: "zitadel.ch", + Scopes: []string{"email", "profile"}, + DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL, + UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME, + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := addOIDCIDPRequestToDomainOIDCIDPConfig(tt.args.req) + test.AssertFieldsMapped(t, got, + "ObjectRoot", + "ClientSecret", //TODO: is client secret string enough for backend? 
+ "IDPConfigID", + ) + }) + } +} + +func Test_updateIDPToDomain(t *testing.T) { + type args struct { + req *admin_pb.UpdateIDPRequest + } + tests := []struct { + name string + args args + }{ + { + name: "all fields filled", + args: args{ + req: &admin_pb.UpdateIDPRequest{ + Id: "13523", + Name: "new name", + StylingType: idp.IDPStylingType_STYLING_TYPE_GOOGLE, + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := updateIDPToDomain(tt.args.req) + test.AssertFieldsMapped(t, got, + "ObjectRoot", + "OIDCConfig", + "State", + "Type", //TODO: type should not be changeable + ) + }) + } +} + +func Test_updateOIDCConfigToDomain(t *testing.T) { + type args struct { + req *admin_pb.UpdateIDPOIDCConfigRequest + } + tests := []struct { + name string + args args + }{ + { + name: "all fields filled", + args: args{ + req: &admin_pb.UpdateIDPOIDCConfigRequest{ + IdpId: "4208", + Issuer: "zitadel.ch", + ClientId: "ZITEADEL", + ClientSecret: "i'm so secret", + Scopes: []string{"profile"}, + DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL, + UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME, + }, + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got := updateOIDCConfigToDomain(tt.args.req) + test.AssertFieldsMapped(t, got, + "ObjectRoot", + "ClientSecret", + ) + }) + } +} diff --git a/internal/api/grpc/admin/information.go b/internal/api/grpc/admin/information.go new file mode 100644 index 0000000000..be0ccf80ed --- /dev/null +++ b/internal/api/grpc/admin/information.go @@ -0,0 +1,11 @@ +package admin + +import ( + "context" + + "github.com/caos/zitadel/pkg/grpc/admin" +) + +func (s *Server) Healthz(context.Context, *admin.HealthzRequest) (*admin.HealthzResponse, error) { + return &admin.HealthzResponse{}, nil +} diff --git a/internal/api/grpc/admin/label_policy.go b/internal/api/grpc/admin/label_policy.go index a0f6c56635..ef94e518d0 100644 
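Review bot: `Test_updateIDPToDomain` builds the request with `Id: "13523"`, while `updateIDPToDomain` in idp_converter.go reads `req.IdpId`. Unless `UpdateIDPRequest` has both fields, one of the two does not compile; if it does have both, `IDPConfigID` stays empty and is not in this test's ignore list, so the assertion should fail. Use the same field in both places, presumably `IdpId: "13523",`. The OIDC tests also exclude `ClientSecret` under a TODO, so nothing here checks what happens to the secret supplied as `ClientSecretString`; that deserves its own assertion once the TODO is resolved.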
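Review bot: `Healthz` returns an empty response unconditionally and has no doc comment, so a caller cannot tell that it proves only that the gRPC server answers. Say so on the handler, e.g. `// Healthz reports that the admin API is serving; it does not check storage or other dependencies.`, so that it is not wired up as a readiness signal by mistake.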
--- a/internal/api/grpc/admin/label_policy.go +++ b/internal/api/grpc/admin/label_policy.go @@ -3,22 +3,29 @@ package admin import ( "context" - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes/empty" + "github.com/caos/zitadel/internal/api/grpc/object" + policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy" + admin_pb "github.com/caos/zitadel/pkg/grpc/admin" ) -func (s *Server) GetDefaultLabelPolicy(ctx context.Context, _ *empty.Empty) (*admin.DefaultLabelPolicyView, error) { - result, err := s.iam.GetDefaultLabelPolicy(ctx) +func (s *Server) GetLabelPolicy(ctx context.Context, req *admin_pb.GetLabelPolicyRequest) (*admin_pb.GetLabelPolicyResponse, error) { + policy, err := s.iam.GetDefaultLabelPolicy(ctx) if err != nil { return nil, err } - return labelPolicyViewFromModel(result), nil + return &admin_pb.GetLabelPolicyResponse{Policy: policy_grpc.ModelLabelPolicyToPb(policy)}, nil } -func (s *Server) UpdateDefaultLabelPolicy(ctx context.Context, policy *admin.DefaultLabelPolicyUpdate) (*admin.DefaultLabelPolicy, error) { - result, err := s.command.ChangeDefaultLabelPolicy(ctx, labelPolicyToDomain(policy)) +func (s *Server) UpdateLabelPolicy(ctx context.Context, req *admin_pb.UpdateLabelPolicyRequest) (*admin_pb.UpdateLabelPolicyResponse, error) { + policy, err := s.command.ChangeDefaultLabelPolicy(ctx, updateLabelPolicyToDomain(req)) if err != nil { return nil, err } - return labelPolicyFromDomain(result), nil + return &admin_pb.UpdateLabelPolicyResponse{ + Details: object.ToDetailsPb( + policy.Sequence, + policy.ChangeDate, + policy.ResourceOwner, + ), + }, nil } diff --git a/internal/api/grpc/admin/label_policy_converter.go b/internal/api/grpc/admin/label_policy_converter.go index 164df5ebcd..5254d52207 100644 --- a/internal/api/grpc/admin/label_policy_converter.go +++ b/internal/api/grpc/admin/label_policy_converter.go 
@@ -1,40 +1,13 @@ package admin import ( - "github.com/caos/logging" "github.com/caos/zitadel/internal/domain" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" + admin_pb "github.com/caos/zitadel/pkg/grpc/admin" ) -func labelPolicyToDomain(policy *admin.DefaultLabelPolicyUpdate) *domain.LabelPolicy { +func updateLabelPolicyToDomain(policy *admin_pb.UpdateLabelPolicyRequest) *domain.LabelPolicy { return &domain.LabelPolicy{ PrimaryColor: policy.PrimaryColor, SecondaryColor: policy.SecondaryColor, } } - -func labelPolicyFromDomain(policy *domain.LabelPolicy) *admin.DefaultLabelPolicy { - return &admin.DefaultLabelPolicy{ - PrimaryColor: policy.PrimaryColor, - SecondaryColor: policy.SecondaryColor, - ChangeDate: timestamppb.New(policy.ChangeDate), - } -} - -func labelPolicyViewFromModel(policy *iam_model.LabelPolicyView) *admin.DefaultLabelPolicyView { - creationDate, err := ptypes.TimestampProto(policy.CreationDate) - logging.Log("ADMIN-zMnlF").OnError(err).Debug("date parse failed") - - changeDate, err := ptypes.TimestampProto(policy.ChangeDate) - logging.Log("ADMIN-Vhvfp").OnError(err).Debug("date parse failed") - - return &admin.DefaultLabelPolicyView{ - PrimaryColor: policy.PrimaryColor, - SecondaryColor: policy.SecondaryColor, - CreationDate: creationDate, - ChangeDate: changeDate, - } -} diff --git a/internal/api/grpc/admin/login_policy.go b/internal/api/grpc/admin/login_policy.go index badf1e2410..94439ade12 100644 --- a/internal/api/grpc/admin/login_policy.go +++ b/internal/api/grpc/admin/login_policy.go 
@@ -2,89 +2,138 @@ package admin import ( "context" - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes/empty" + "github.com/caos/zitadel/internal/api/grpc/user" + "time" + + "github.com/caos/zitadel/internal/api/grpc/idp" + "github.com/caos/zitadel/internal/api/grpc/object" + "github.com/caos/zitadel/internal/api/grpc/policy" + policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy" + "github.com/caos/zitadel/internal/domain" + admin_pb "github.com/caos/zitadel/pkg/grpc/admin" ) -func (s *Server) GetDefaultLoginPolicy(ctx context.Context, _ *empty.Empty) (*admin.DefaultLoginPolicyView, error) { - result, err := s.iam.GetDefaultLoginPolicy(ctx) +func (s *Server) GetLoginPolicy(ctx context.Context, _ *admin_pb.GetLoginPolicyRequest) (*admin_pb.GetLoginPolicyResponse, error) { + policy, err := s.iam.GetDefaultLoginPolicy(ctx) if err != nil { return nil, err } - return loginPolicyViewFromModel(result), nil + return &admin_pb.GetLoginPolicyResponse{Policy: policy_grpc.ModelLoginPolicyToPb(policy)}, nil } -func (s *Server) UpdateDefaultLoginPolicy(ctx context.Context, policy *admin.DefaultLoginPolicyRequest) (*admin.DefaultLoginPolicy, error) { - result, err := s.command.ChangeDefaultLoginPolicy(ctx, loginPolicyToDomain(policy)) +func (s *Server) UpdateLoginPolicy(ctx context.Context, p *admin_pb.UpdateLoginPolicyRequest) (*admin_pb.UpdateLoginPolicyResponse, error) { + policy, err := s.command.ChangeDefaultLoginPolicy(ctx, updateLoginPolicyToDomain(p)) if err != nil { return nil, err } - return loginPolicyFromDomain(result), nil + return &admin_pb.UpdateLoginPolicyResponse{ + Details: object.ToDetailsPb( + policy.Sequence, + policy.ChangeDate, + policy.ResourceOwner, + ), + }, nil } -func (s *Server) GetDefaultLoginPolicyIdpProviders(ctx context.Context, request *admin.IdpProviderSearchRequest) (*admin.IdpProviderSearchResponse, error) { - result, err := s.iam.SearchDefaultIDPProviders(ctx, idpProviderSearchRequestToModel(request)) 
+func (s *Server) ListLoginPolicyIDPs(ctx context.Context, req *admin_pb.ListLoginPolicyIDPsRequest) (*admin_pb.ListLoginPolicyIDPsResponse, error) { + res, err := s.iam.SearchDefaultIDPProviders(ctx, ListLoginPolicyIDPsRequestToModel(req)) if err != nil { return nil, err } - return idpProviderSearchResponseFromModel(result), nil + return &admin_pb.ListLoginPolicyIDPsResponse{ + Result: idp.ExternalIDPViewsToLoginPolicyLinkPb(res.Result), + Details: object.ToListDetails(res.TotalResult, res.Sequence, res.Timestamp), + }, nil } -func (s *Server) AddIdpProviderToDefaultLoginPolicy(ctx context.Context, provider *admin.IdpProviderID) (*admin.IdpProviderID, error) { - result, err := s.command.AddIDPProviderToDefaultLoginPolicy(ctx, idpProviderToDomain(provider)) +func (s *Server) AddIDPToLoginPolicy(ctx context.Context, req *admin_pb.AddIDPToLoginPolicyRequest) (*admin_pb.AddIDPToLoginPolicyResponse, error) { + idp, err := s.command.AddIDPProviderToDefaultLoginPolicy(ctx, &domain.IDPProvider{IDPConfigID: req.IdpId}) //TODO: old way was to also add type but this doesnt make sense in my point of view if err != nil { return nil, err } - return idpProviderFromDomain(result), nil + return &admin_pb.AddIDPToLoginPolicyResponse{ + Details: object.ToDetailsPb( + idp.Sequence, + idp.ChangeDate, + idp.ResourceOwner, + ), + }, nil } -func (s *Server) RemoveIdpProviderFromDefaultLoginPolicy(ctx context.Context, provider *admin.IdpProviderID) (*empty.Empty, error) { - externalIDPs, err := s.iam.ExternalIDPsByIDPConfigIDFromDefaultPolicy(ctx, provider.IdpConfigId) +func (s *Server) RemoveIDPFromLoginPolicy(ctx context.Context, req *admin_pb.RemoveIDPFromLoginPolicyRequest) (*admin_pb.RemoveIDPFromLoginPolicyResponse, error) { + externalIDPs, err := s.iam.ExternalIDPsByIDPConfigID(ctx, req.IdpId) if err != nil { - return &empty.Empty{}, err + return nil, err } - err = s.command.RemoveIDPProviderFromDefaultLoginPolicy(ctx, idpProviderToDomain(provider), 
externalIDPViewsToDomain(externalIDPs)...) - return &empty.Empty{}, err + objectDetails, err := s.command.RemoveIDPProviderFromDefaultLoginPolicy(ctx, &domain.IDPProvider{IDPConfigID: req.IdpId}, user.ExternalIDPViewsToExternalIDPs(externalIDPs)...) + if err != nil { + return nil, err + } + return &admin_pb.RemoveIDPFromLoginPolicyResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil } -func (s *Server) GetDefaultLoginPolicySecondFactors(ctx context.Context, _ *empty.Empty) (*admin.SecondFactorsResult, error) { +func (s *Server) ListLoginPolicySecondFactors(ctx context.Context, req *admin_pb.ListLoginPolicySecondFactorsRequest) (*admin_pb.ListLoginPolicySecondFactorsResponse, error) { result, err := s.iam.SearchDefaultSecondFactors(ctx) if err != nil { return nil, err } - return secondFactorsResultFromModel(result), nil + return &admin_pb.ListLoginPolicySecondFactorsResponse{ + //TODO: missing values from res + Details: object.ToListDetails(result.TotalResult, 0, time.Time{}), + Result: policy.ModelSecondFactorTypesToPb(result.Result), + }, nil } -func (s *Server) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, mfa *admin.SecondFactor) (*admin.SecondFactor, error) { - result, err := s.command.AddSecondFactorToDefaultLoginPolicy(ctx, secondFactorTypeToDomain(mfa)) +func (s *Server) AddSecondFactorToLoginPolicy(ctx context.Context, req *admin_pb.AddSecondFactorToLoginPolicyRequest) (*admin_pb.AddSecondFactorToLoginPolicyResponse, error) { + _, objectDetails, err := s.command.AddSecondFactorToDefaultLoginPolicy(ctx, policy.SecondFactorTypeToDomain(req.Type)) if err != nil { return nil, err } - return secondFactorFromDomain(result), nil + return &admin_pb.AddSecondFactorToLoginPolicyResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil } -func (s *Server) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Context, mfa *admin.SecondFactor) (*empty.Empty, error) { - err := 
s.command.RemoveSecondFactorFromDefaultLoginPolicy(ctx, secondFactorTypeToDomain(mfa)) - return &empty.Empty{}, err -} - -func (s *Server) GetDefaultLoginPolicyMultiFactors(ctx context.Context, _ *empty.Empty) (*admin.MultiFactorsResult, error) { - result, err := s.iam.SearchDefaultMultiFactors(ctx) +func (s *Server) RemoveSecondFactorFromLoginPolicy(ctx context.Context, req *admin_pb.RemoveSecondFactorFromLoginPolicyRequest) (*admin_pb.RemoveSecondFactorFromLoginPolicyResponse, error) { + objectDetails, err := s.command.RemoveSecondFactorFromDefaultLoginPolicy(ctx, policy.SecondFactorTypeToDomain(req.Type)) if err != nil { return nil, err } - return multiFactorResultFromModel(result), nil + return &admin_pb.RemoveSecondFactorFromLoginPolicyResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil } -func (s *Server) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, mfa *admin.MultiFactor) (*admin.MultiFactor, error) { - result, err := s.command.AddMultiFactorToDefaultLoginPolicy(ctx, multiFactorTypeToDomain(mfa)) +func (s *Server) ListLoginPolicyMultiFactors(ctx context.Context, req *admin_pb.ListLoginPolicyMultiFactorsRequest) (*admin_pb.ListLoginPolicyMultiFactorsResponse, error) { + res, err := s.iam.SearchDefaultMultiFactors(ctx) if err != nil { return nil, err } - return multiFactorFromDomain(result), nil + return &admin_pb.ListLoginPolicyMultiFactorsResponse{ + //TODO: additional values + Details: object.ToListDetails(res.TotalResult, 0, time.Time{}), + Result: policy.ModelMultiFactorTypesToPb(res.Result), + }, nil } -func (s *Server) RemoveMultiFactorFromDefaultLoginPolicy(ctx context.Context, mfa *admin.MultiFactor) (*empty.Empty, error) { - err := s.command.RemoveMultiFactorFromDefaultLoginPolicy(ctx, multiFactorTypeToDomain(mfa)) - return &empty.Empty{}, err +func (s *Server) AddMultiFactorToLoginPolicy(ctx context.Context, req *admin_pb.AddMultiFactorToLoginPolicyRequest) (*admin_pb.AddMultiFactorToLoginPolicyResponse, error) { + _, 
objectDetails, err := s.command.AddMultiFactorToDefaultLoginPolicy(ctx, policy_grpc.MultiFactorTypeToDomain(req.Type)) + if err != nil { + return nil, err + } + return &admin_pb.AddMultiFactorToLoginPolicyResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) RemoveMultiFactorFromLoginPolicy(ctx context.Context, req *admin_pb.RemoveMultiFactorFromLoginPolicyRequest) (*admin_pb.RemoveMultiFactorFromLoginPolicyResponse, error) { + objectDetails, err := s.command.RemoveMultiFactorFromDefaultLoginPolicy(ctx, policy.MultiFactorTypeToDomain(req.Type)) + if err != nil { + return nil, err + } + return &admin_pb.RemoveMultiFactorFromLoginPolicyResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil } diff --git a/internal/api/grpc/admin/login_policy_converter.go b/internal/api/grpc/admin/login_policy_converter.go index 30fd414c11..22fcff4d11 100644 --- a/internal/api/grpc/admin/login_policy_converter.go +++ b/internal/api/grpc/admin/login_policy_converter.go 
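Review bot: In `AddIDPToLoginPolicy` and `RemoveIDPFromLoginPolicy` the `domain.IDPProvider` is now built with only `IDPConfigID`, whereas the removed `idpProviderToDomain` also set `Type: domain.IdentityProviderTypeSystem`; the TODO admits the omission, but unless the command layer fills in the type itself, the provider is handled with the zero value. I would keep `&domain.IDPProvider{IDPConfigID: req.IdpId, Type: domain.IdentityProviderTypeSystem}` until the command side is confirmed to set it. The removal path also switches the lookup from `ExternalIDPsByIDPConfigIDFromDefaultPolicy` to `ExternalIDPsByIDPConfigID`, which by its name is no longer limited to the default policy, so the set of user links passed to the remove command may be wider than before. If that is intended, a comment such as `// removes the links of all users with this IDP, not only those under the default policy` should say so.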
@@ -1,223 +1,28 @@ package admin import ( - "github.com/caos/logging" + policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy" "github.com/caos/zitadel/internal/domain" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" + "github.com/caos/zitadel/internal/iam/model" + admin_pb "github.com/caos/zitadel/pkg/grpc/admin" ) -func loginPolicyToDomain(policy *admin.DefaultLoginPolicyRequest) *domain.LoginPolicy { +func updateLoginPolicyToDomain(p *admin_pb.UpdateLoginPolicyRequest) *domain.LoginPolicy { return &domain.LoginPolicy{ - AllowUsernamePassword: policy.AllowUsernamePassword, - AllowExternalIDP: policy.AllowExternalIdp, - AllowRegister: policy.AllowRegister, - ForceMFA: policy.ForceMfa, - PasswordlessType: passwordlessTypeToDomain(policy.PasswordlessType), + AllowUsernamePassword: p.AllowUsernamePassword, + AllowRegister: p.AllowRegister, + AllowExternalIDP: p.AllowExternalIdp, + ForceMFA: p.ForceMfa, + PasswordlessType: policy_grpc.PasswordlessTypeToDomain(p.PasswordlessType), } } -func loginPolicyFromDomain(policy *domain.LoginPolicy) *admin.DefaultLoginPolicy { - return &admin.DefaultLoginPolicy{ - AllowUsernamePassword: policy.AllowUsernamePassword, - AllowExternalIdp: policy.AllowExternalIDP, - AllowRegister: policy.AllowRegister, - ForceMfa: policy.ForceMFA, - PasswordlessType: passwordlessTypeFromDomain(policy.PasswordlessType), - ChangeDate: timestamppb.New(policy.ChangeDate), - } -} - -func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *admin.DefaultLoginPolicyView { - creationDate, err := ptypes.TimestampProto(policy.CreationDate) - logging.Log("GRPC-3Gk9s").OnError(err).Debug("date parse failed") - - changeDate, err := ptypes.TimestampProto(policy.ChangeDate) - logging.Log("GRPC-6Jlos").OnError(err).Debug("date parse failed") - - return &admin.DefaultLoginPolicyView{ - AllowUsernamePassword: 
policy.AllowUsernamePassword, - AllowExternalIdp: policy.AllowExternalIDP, - AllowRegister: policy.AllowRegister, - ForceMfa: policy.ForceMFA, - PasswordlessType: admin.PasswordlessType(policy.PasswordlessType), - CreationDate: creationDate, - ChangeDate: changeDate, - } -} - -func idpProviderSearchRequestToModel(request *admin.IdpProviderSearchRequest) *iam_model.IDPProviderSearchRequest { - return &iam_model.IDPProviderSearchRequest{ - Limit: request.Limit, - Offset: request.Offset, - } -} - -func idpProviderSearchResponseFromModel(response *iam_model.IDPProviderSearchResponse) *admin.IdpProviderSearchResponse { - return &admin.IdpProviderSearchResponse{ - Limit: response.Limit, - Offset: response.Offset, - TotalResult: response.TotalResult, - Result: idpProviderViewsFromModel(response.Result), - } -} - -func idpProviderToDomain(provider *admin.IdpProviderID) *domain.IDPProvider { - return &domain.IDPProvider{ - IDPConfigID: provider.IdpConfigId, - Type: domain.IdentityProviderTypeSystem, - } -} - -func idpProviderToModel(provider *admin.IdpProviderID) *iam_model.IDPProvider { - return &iam_model.IDPProvider{ - IDPConfigID: provider.IdpConfigId, - Type: iam_model.IDPProviderTypeSystem, - } -} - -func idpProviderFromDomain(provider *domain.IDPProvider) *admin.IdpProviderID { - return &admin.IdpProviderID{ - IdpConfigId: provider.IDPConfigID, - } -} - -func idpProviderViewsFromModel(providers []*iam_model.IDPProviderView) []*admin.IdpProviderView { - converted := make([]*admin.IdpProviderView, len(providers)) - for i, provider := range providers { - converted[i] = idpProviderViewFromModel(provider) - } - - return converted -} - -func idpProviderViewFromModel(provider *iam_model.IDPProviderView) *admin.IdpProviderView { - return &admin.IdpProviderView{ - IdpConfigId: provider.IDPConfigID, - Name: provider.Name, - Type: idpConfigTypeToModel(provider.IDPConfigType), - } -} - -func idpConfigTypeToModel(providerType iam_model.IdpConfigType) admin.IdpType { - switch 
providerType { - case iam_model.IDPConfigTypeOIDC: - return admin.IdpType_IDPTYPE_OIDC - case iam_model.IDPConfigTypeSAML: - return admin.IdpType_IDPTYPE_SAML - default: - return admin.IdpType_IDPTYPE_UNSPECIFIED - } -} - -func secondFactorsResultFromModel(result *iam_model.SecondFactorsSearchResponse) *admin.SecondFactorsResult { - converted := make([]admin.SecondFactorType, len(result.Result)) - for i, mfaType := range result.Result { - converted[i] = secondFactorTypeFromModel(mfaType) - } - return &admin.SecondFactorsResult{ - SecondFactors: converted, - } -} - -func secondFactorFromDomain(mfaType domain.SecondFactorType) *admin.SecondFactor { - return &admin.SecondFactor{ - SecondFactor: secondFactorTypeFromDomain(mfaType), - } -} - -func secondFactorTypeFromDomain(mfaType domain.SecondFactorType) admin.SecondFactorType { - switch mfaType { - case domain.SecondFactorTypeOTP: - return admin.SecondFactorType_SECONDFACTORTYPE_OTP - case domain.SecondFactorTypeU2F: - return admin.SecondFactorType_SECONDFACTORTYPE_U2F - default: - return admin.SecondFactorType_SECONDFACTORTYPE_UNSPECIFIED - } -} - -func secondFactorTypeFromModel(mfaType iam_model.SecondFactorType) admin.SecondFactorType { - switch mfaType { - case iam_model.SecondFactorTypeOTP: - return admin.SecondFactorType_SECONDFACTORTYPE_OTP - case iam_model.SecondFactorTypeU2F: - return admin.SecondFactorType_SECONDFACTORTYPE_U2F - default: - return admin.SecondFactorType_SECONDFACTORTYPE_UNSPECIFIED - } -} - -func secondFactorTypeToDomain(mfaType *admin.SecondFactor) domain.SecondFactorType { - switch mfaType.SecondFactor { - case admin.SecondFactorType_SECONDFACTORTYPE_OTP: - return domain.SecondFactorTypeOTP - case admin.SecondFactorType_SECONDFACTORTYPE_U2F: - return domain.SecondFactorTypeU2F - default: - return domain.SecondFactorTypeUnspecified - } -} - -func passwordlessTypeFromDomain(passwordlessType domain.PasswordlessType) admin.PasswordlessType { - switch passwordlessType { - case 
domain.PasswordlessTypeAllowed: - return admin.PasswordlessType_PASSWORDLESSTYPE_ALLOWED - default: - return admin.PasswordlessType_PASSWORDLESSTYPE_NOT_ALLOWED - } -} - -func passwordlessTypeToDomain(passwordlessType admin.PasswordlessType) domain.PasswordlessType { - switch passwordlessType { - case admin.PasswordlessType_PASSWORDLESSTYPE_ALLOWED: - return domain.PasswordlessTypeAllowed - default: - return domain.PasswordlessTypeNotAllowed - } -} - -func multiFactorResultFromModel(result *iam_model.MultiFactorsSearchResponse) *admin.MultiFactorsResult { - converted := make([]admin.MultiFactorType, len(result.Result)) - for i, mfaType := range result.Result { - converted[i] = multiFactorTypeFromModel(mfaType) - } - return &admin.MultiFactorsResult{ - MultiFactors: converted, - } -} - -func multiFactorFromDomain(mfaType domain.MultiFactorType) *admin.MultiFactor { - return &admin.MultiFactor{ - MultiFactor: multiFactorTypeFromDomain(mfaType), - } -} - -func multiFactorTypeFromDomain(mfaType domain.MultiFactorType) admin.MultiFactorType { - switch mfaType { - case domain.MultiFactorTypeU2FWithPIN: - return admin.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN - default: - return admin.MultiFactorType_MULTIFACTORTYPE_UNSPECIFIED - } -} - -func multiFactorTypeFromModel(mfaType iam_model.MultiFactorType) admin.MultiFactorType { - switch mfaType { - case iam_model.MultiFactorTypeU2FWithPIN: - return admin.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN - default: - return admin.MultiFactorType_MULTIFACTORTYPE_UNSPECIFIED - } -} - -func multiFactorTypeToDomain(mfaType *admin.MultiFactor) domain.MultiFactorType { - switch mfaType.MultiFactor { - case admin.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN: - return domain.MultiFactorTypeU2FWithPIN - default: - return domain.MultiFactorTypeUnspecified +func ListLoginPolicyIDPsRequestToModel(req *admin_pb.ListLoginPolicyIDPsRequest) *model.IDPProviderSearchRequest { + return &model.IDPProviderSearchRequest{ + Offset: req.Query.Offset, 
+ Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + // SortingColumn: model.IDPProviderSearchKey, //TODO: not in proto + // Queries: []*model.IDPProviderSearchQuery, //TODO: not in proto } } diff --git a/internal/api/grpc/admin/oneof.go b/internal/api/grpc/admin/oneof.go new file mode 100644 index 0000000000..b6d73310e6 --- /dev/null +++ b/internal/api/grpc/admin/oneof.go @@ -0,0 +1,6 @@ +package admin + +//IdpConfig is a type alias of the generated isIdp_IdpConfig config +//to make it public +// type IdpConfig = isIdp_IdpConfig +// type IdpConfigView = isIdpView_IdpConfigView diff --git a/internal/api/grpc/admin/org.go b/internal/api/grpc/admin/org.go index 49577be718..2ec352c9b7 100644 --- a/internal/api/grpc/admin/org.go +++ b/internal/api/grpc/admin/org.go 
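Review bot: `ListLoginPolicyIDPsRequestToModel` reads `req.Query.Offset`, `req.Query.Limit` and `req.Query.Asc` directly, so a request sent without the `query` field will panic the handler with a nil dereference if `Query` is a message pointer, as generated Go code normally makes it. The generated getters are nil-safe, for example `Offset: req.GetQuery().GetOffset(),`, and likewise for `Limit` and `Asc`. `listOrgRequestToModel` in org_converter.go reads `req.Query` the same way and needs the same change. The cast `uint64(req.Query.Limit)` also passes the client's limit through unbounded; an upper bound may be enforced deeper down, which is not visible in this hunk.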
@@ -2,85 +2,46 @@ package admin import ( "context" - "github.com/caos/zitadel/internal/errors" + "github.com/caos/zitadel/internal/api/grpc/object" - "github.com/golang/protobuf/ptypes/empty" - - "github.com/caos/zitadel/pkg/grpc/admin" + org_grpc "github.com/caos/zitadel/internal/api/grpc/org" + admin_pb "github.com/caos/zitadel/pkg/grpc/admin" ) -func (s *Server) GetOrgByID(ctx context.Context, orgID *admin.OrgID) (_ *admin.Org, err error) { - org, err := s.org.OrgByID(ctx, orgID.Id) +func (s *Server) IsOrgUnique(ctx context.Context, req *admin_pb.IsOrgUniqueRequest) (*admin_pb.IsOrgUniqueResponse, error) { + isUnique, err := s.org.IsOrgUnique(ctx, req.Name, req.Domain) + return &admin_pb.IsOrgUniqueResponse{IsUnique: isUnique}, err +} + +func (s *Server) GetOrgByID(ctx context.Context, req *admin_pb.GetOrgByIDRequest) (*admin_pb.GetOrgByIDResponse, error) { + org, err := s.org.OrgByID(ctx, req.Id) if err != nil { return nil, err } - return orgViewFromModel(org), nil + return &admin_pb.GetOrgByIDResponse{Org: org_grpc.OrgViewToPb(org)}, nil } -func (s *Server) SearchOrgs(ctx context.Context, request *admin.OrgSearchRequest) (_ *admin.OrgSearchResponse, err error) { - result, err := s.org.SearchOrgs(ctx, orgSearchRequestToModel(request)) +func (s *Server) ListOrgs(ctx context.Context, req *admin_pb.ListOrgsRequest) (*admin_pb.ListOrgsResponse, error) { + query, err := listOrgRequestToModel(req) if err != nil { return nil, err } - return orgSearchResponseFromModel(result), nil -} - -func (s *Server) IsOrgUnique(ctx context.Context, request *admin.UniqueOrgRequest) (org *admin.UniqueOrgResponse, err error) { - isUnique, err := s.org.IsOrgUnique(ctx, request.Name, request.Domain) - - return &admin.UniqueOrgResponse{IsUnique: isUnique}, err -} - -func (s *Server) SetUpOrg(ctx context.Context, orgSetUp *admin.OrgSetUpRequest) (_ *empty.Empty, err error) { - human, _ := userCreateRequestToDomain(orgSetUp.User) - if human == nil { - return &empty.Empty{}, 
errors.ThrowPreconditionFailed(nil, "ADMIN-4nd9f", "Errors.User.NotHuman") - } - err = s.command.SetUpOrg(ctx, orgCreateRequestToDomain(orgSetUp.Org), human) - return &empty.Empty{}, nil -} - -func (s *Server) GetDefaultOrgIamPolicy(ctx context.Context, _ *empty.Empty) (_ *admin.OrgIamPolicyView, err error) { - policy, err := s.iam.GetDefaultOrgIAMPolicy(ctx) + orgs, err := s.org.SearchOrgs(ctx, query) if err != nil { return nil, err } - return orgIAMPolicyViewFromModel(policy), err + return &admin_pb.ListOrgsResponse{Result: org_grpc.OrgViewsToPb(orgs.Result)}, nil } -func (s *Server) UpdateDefaultOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) { - policy, err := s.command.ChangeDefaultOrgIAMPolicy(ctx, orgIAMPolicyRequestToDomain(in)) +func (s *Server) SetUpOrg(ctx context.Context, req *admin_pb.SetUpOrgRequest) (*admin_pb.SetUpOrgResponse, error) { + human := setUpOrgHumanToDomain(req.User.(*admin_pb.SetUpOrgRequest_Human_).Human) //TODO: handle machine + org := setUpOrgOrgToDomain(req.Org) + + objectDetails, err := s.command.SetUpOrg(ctx, org, human) if err != nil { return nil, err } - return orgIAMPolicyFromDomain(policy), err -} - -func (s *Server) GetOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *admin.OrgIamPolicyView, err error) { - policy, err := s.org.GetOrgIAMPolicyByID(ctx, in.OrgId) - if err != nil { - return nil, err - } - return orgIAMPolicyViewFromModel(policy), err -} - -func (s *Server) CreateOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) { - policy, err := s.command.AddOrgIAMPolicy(ctx, in.OrgId, orgIAMPolicyRequestToDomain(in)) - if err != nil { - return nil, err - } - return orgIAMPolicyFromDomain(policy), err -} - -func (s *Server) UpdateOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) { - policy, err := s.command.ChangeOrgIAMPolicy(ctx, in.OrgId, 
orgIAMPolicyRequestToDomain(in)) - if err != nil { - return nil, err - } - return orgIAMPolicyFromDomain(policy), err -} - -func (s *Server) RemoveOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *empty.Empty, err error) { - err = s.command.RemoveOrgIAMPolicy(ctx, in.OrgId) - return &empty.Empty{}, err + return &admin_pb.SetUpOrgResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil } diff --git a/internal/api/grpc/admin/org_converter.go b/internal/api/grpc/admin/org_converter.go index 0a8dcd42c2..404d9ba5b2 100644 --- a/internal/api/grpc/admin/org_converter.go +++ b/internal/api/grpc/admin/org_converter.go 
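Review bot: `SetUpOrg` uses an unchecked type assertion, `req.User.(*admin_pb.SetUpOrgRequest_Human_).Human`, which panics when the caller sends a machine user or leaves the oneof unset; the removed code answered that case with the `Errors.User.NotHuman` precondition failure. Use the comma-ok form and keep the error: `h, ok := req.User.(*admin_pb.SetUpOrgRequest_Human_)` followed by `if !ok { return nil, errors.ThrowPreconditionFailed(nil, "ADMIN-4nd9f", "Errors.User.NotHuman") }`, which means keeping the `internal/errors` import this hunk drops. `req.Org` is handed to `setUpOrgOrgToDomain` without a nil check as well, and that converter reads `req.Name` directly. Separately, `IsOrgUnique` returns a populated response together with `err`; returning `nil, err` on failure would match the other handlers in this file.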
@@ -1,209 +1,32 @@ package admin import ( - "github.com/caos/logging" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" - + org_grpc "github.com/caos/zitadel/internal/api/grpc/org" "github.com/caos/zitadel/internal/domain" - iam_model "github.com/caos/zitadel/internal/iam/model" - - "github.com/caos/zitadel/internal/eventstore/v1/models" - org_model "github.com/caos/zitadel/internal/org/model" - usr_model "github.com/caos/zitadel/internal/user/model" + "github.com/caos/zitadel/internal/org/model" "github.com/caos/zitadel/pkg/grpc/admin" ) -func orgCreateRequestToDomain(org *admin.CreateOrgRequest) *domain.Org { - o := &domain.Org{ +func listOrgRequestToModel(req *admin.ListOrgsRequest) (*model.OrgSearchRequest, error) { + queries, err := org_grpc.OrgQueriesToModel(req.Queries) + if err != nil { + return nil, err + } + return &model.OrgSearchRequest{ + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + Queries: queries, + }, nil +} + +func setUpOrgOrgToDomain(req *admin.SetUpOrgRequest_Org) *domain.Org { + org := &domain.Org{ + Name: req.Name, Domains: []*domain.OrgDomain{}, - Name: org.Name, } - if org.Domain != "" { - o.Domains = append(o.Domains, &domain.OrgDomain{Domain: org.Domain}) - } - - return o -} - -func orgSearchResponseFromModel(request *org_model.OrgSearchResult) *admin.OrgSearchResponse { - timestamp, err := ptypes.TimestampProto(request.Timestamp) - logging.Log("GRPC-shu7s").OnError(err).Debug("unable to get timestamp from time") - return &admin.OrgSearchResponse{ - Result: orgViewsFromModel(request.Result), - Limit: request.Limit, - Offset: request.Offset, - TotalResult: request.TotalResult, - ProcessedSequence: request.Sequence, - ViewTimestamp: timestamp, - } -} - -func orgViewsFromModel(orgs []*org_model.OrgView) []*admin.Org { - result := make([]*admin.Org, len(orgs)) - for i, org := range orgs { - result[i] = orgViewFromModel(org) - } - - return result -} - -func 
orgFromModel(org *org_model.Org) *admin.Org { - changeDate, err := ptypes.TimestampProto(org.ChangeDate) - logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time") - - return &admin.Org{ - ChangeDate: changeDate, - Id: org.AggregateID, - Name: org.Name, - State: orgStateFromModel(org.State), - } -} - -func orgViewFromModel(org *org_model.OrgView) *admin.Org { - changeDate, err := ptypes.TimestampProto(org.ChangeDate) - logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time") - - return &admin.Org{ - ChangeDate: changeDate, - Id: org.ID, - Name: org.Name, - State: orgStateFromModel(org.State), - } -} - -func orgStateFromModel(state org_model.OrgState) admin.OrgState { - switch state { - case org_model.OrgStateActive: - return admin.OrgState_ORGSTATE_ACTIVE - case org_model.OrgStateInactive: - return admin.OrgState_ORGSTATE_INACTIVE - default: - return admin.OrgState_ORGSTATE_UNSPECIFIED - } -} - -func genderFromModel(gender usr_model.Gender) admin.Gender { - switch gender { - case usr_model.GenderFemale: - return admin.Gender_GENDER_FEMALE - case usr_model.GenderMale: - return admin.Gender_GENDER_MALE - case usr_model.GenderDiverse: - return admin.Gender_GENDER_DIVERSE - default: - return admin.Gender_GENDER_UNSPECIFIED - } -} - -func genderToModel(gender admin.Gender) usr_model.Gender { - switch gender { - case admin.Gender_GENDER_FEMALE: - return usr_model.GenderFemale - case admin.Gender_GENDER_MALE: - return usr_model.GenderMale - case admin.Gender_GENDER_DIVERSE: - return usr_model.GenderDiverse - default: - return usr_model.GenderUnspecified - } -} - -func userStateFromModel(state usr_model.UserState) admin.UserState { - switch state { - case usr_model.UserStateActive: - return admin.UserState_USERSTATE_ACTIVE - case usr_model.UserStateInactive: - return admin.UserState_USERSTATE_INACTIVE - case usr_model.UserStateLocked: - return admin.UserState_USERSTATE_LOCKED - default: - return 
admin.UserState_USERSTATE_UNSPECIFIED - } -} - -func orgSearchRequestToModel(req *admin.OrgSearchRequest) *org_model.OrgSearchRequest { - return &org_model.OrgSearchRequest{ - Limit: req.Limit, - Asc: req.Asc, - Offset: req.Offset, - Queries: orgQueriesToModel(req.Queries), - SortingColumn: orgQueryKeyToModel(req.SortingColumn), - } -} - -func orgQueriesToModel(queries []*admin.OrgSearchQuery) []*org_model.OrgSearchQuery { - modelQueries := make([]*org_model.OrgSearchQuery, len(queries)) - - for i, query := range queries { - modelQueries[i] = orgQueryToModel(query) - } - - return modelQueries -} - -func orgQueryToModel(query *admin.OrgSearchQuery) *org_model.OrgSearchQuery { - return &org_model.OrgSearchQuery{ - Key: orgQueryKeyToModel(query.Key), - Value: query.Value, - Method: orgQueryMethodToModel(query.Method), - } -} - -func orgQueryKeyToModel(key admin.OrgSearchKey) org_model.OrgSearchKey { - switch key { - case admin.OrgSearchKey_ORGSEARCHKEY_DOMAIN: - return org_model.OrgSearchKeyOrgDomain - case admin.OrgSearchKey_ORGSEARCHKEY_NAME: - return org_model.OrgSearchKeyOrgName - case admin.OrgSearchKey_ORGSEARCHKEY_STATE: - return org_model.OrgSearchKeyState - default: - return org_model.OrgSearchKeyUnspecified - } -} - -func orgQueryMethodToModel(method admin.OrgSearchMethod) domain.SearchMethod { - switch method { - case admin.OrgSearchMethod_ORGSEARCHMETHOD_CONTAINS: - return domain.SearchMethodContains - case admin.OrgSearchMethod_ORGSEARCHMETHOD_EQUALS: - return domain.SearchMethodEquals - case admin.OrgSearchMethod_ORGSEARCHMETHOD_STARTS_WITH: - return domain.SearchMethodStartsWith - default: - return 0 - } -} - -func orgIAMPolicyFromDomain(policy *domain.OrgIAMPolicy) *admin.OrgIamPolicy { - return &admin.OrgIamPolicy{ - OrgId: policy.AggregateID, - UserLoginMustBeDomain: policy.UserLoginMustBeDomain, - ChangeDate: timestamppb.New(policy.ChangeDate), - } -} - -func orgIAMPolicyViewFromModel(policy *iam_model.OrgIAMPolicyView) *admin.OrgIamPolicyView { - 
creationDate, err := ptypes.TimestampProto(policy.CreationDate) - logging.Log("GRPC-ush36").OnError(err).Debug("unable to get timestamp from time") - - changeDate, err := ptypes.TimestampProto(policy.ChangeDate) - logging.Log("GRPC-Ps9fW").OnError(err).Debug("unable to get timestamp from time") - - return &admin.OrgIamPolicyView{ - OrgId: policy.AggregateID, - UserLoginMustBeDomain: policy.UserLoginMustBeDomain, - CreationDate: creationDate, - ChangeDate: changeDate, - } -} - -func orgIAMPolicyRequestToDomain(policy *admin.OrgIamPolicyRequest) *domain.OrgIAMPolicy { - return &domain.OrgIAMPolicy{ - ObjectRoot: models.ObjectRoot{ - AggregateID: policy.OrgId, - }, - UserLoginMustBeDomain: policy.UserLoginMustBeDomain, + if req.Domain != "" { + org.Domains = append(org.Domains, &domain.OrgDomain{Domain: req.Domain}) } + return org } diff --git a/internal/api/grpc/admin/org_iam_policy.go b/internal/api/grpc/admin/org_iam_policy.go new file mode 100644 index 0000000000..78e1b2e04f --- /dev/null +++ b/internal/api/grpc/admin/org_iam_policy.go 
@@ -0,0 +1,101 @@ +package admin + +import ( + "context" + + "github.com/caos/zitadel/internal/api/grpc/object" + policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy" + "github.com/caos/zitadel/internal/domain" + "github.com/caos/zitadel/internal/eventstore/v1/models" + admin_pb "github.com/caos/zitadel/pkg/grpc/admin" +) + +func (s *Server) GetOrgIAMPolicy(ctx context.Context, _ *admin_pb.GetOrgIAMPolicyRequest) (*admin_pb.GetOrgIAMPolicyResponse, error) { + policy, err := s.iam.GetDefaultOrgIAMPolicy(ctx) + if err != nil { + return nil, err + } + return &admin_pb.GetOrgIAMPolicyResponse{Policy: policy_grpc.OrgIAMPolicyToPb(policy)}, nil +} + +func (s *Server) GetCustomOrgIAMPolicy(ctx context.Context, req *admin_pb.GetCustomOrgIAMPolicyRequest) (*admin_pb.GetCustomOrgIAMPolicyResponse, error) { + policy, err := s.org.GetOrgIAMPolicyByID(ctx, req.OrgId) + if err != nil { + return nil, err + } + return &admin_pb.GetCustomOrgIAMPolicyResponse{Policy: policy_grpc.OrgIAMPolicyToPb(policy)}, nil +} + +func (s *Server) AddCustomOrgIAMPolicy(ctx context.Context, req *admin_pb.AddCustomOrgIAMPolicyRequest) (*admin_pb.AddCustomOrgIAMPolicyResponse, error) { + policy, err := s.command.AddOrgIAMPolicy(ctx, req.OrgId, toDomainOrgIAMPolicy(req.UserLoginMustBeDomain)) + if err != nil { + return nil, err + } + return &admin_pb.AddCustomOrgIAMPolicyResponse{ + Details: object.ToDetailsPb( + policy.Sequence, + policy.ChangeDate, + policy.ResourceOwner, + ), + }, nil +} + +func (s *Server) UpdateOrgIAMPolicy(ctx context.Context, req *admin_pb.UpdateOrgIAMPolicyRequest) (*admin_pb.UpdateOrgIAMPolicyResponse, error) { + config, err := s.command.ChangeDefaultOrgIAMPolicy(ctx, updateOrgIAMPolicyToDomain(req)) + if err != nil { + return nil, err + } + return &admin_pb.UpdateOrgIAMPolicyResponse{ + Details: object.ToDetailsPb( + config.Sequence, + config.ChangeDate, + config.ResourceOwner, + ), + }, nil +} + +func (s *Server) UpdateCustomOrgIAMPolicy(ctx context.Context, req 
*admin_pb.UpdateCustomOrgIAMPolicyRequest) (*admin_pb.UpdateCustomOrgIAMPolicyResponse, error) { + config, err := s.command.ChangeOrgIAMPolicy(ctx, req.OrgId, updateCustomOrgIAMPolicyToDomain(req)) + if err != nil { + return nil, err + } + return &admin_pb.UpdateCustomOrgIAMPolicyResponse{ + Details: object.ToDetailsPb( + config.Sequence, + config.ChangeDate, + config.ResourceOwner, + ), + }, nil +} + +func (s *Server) ResetCustomOrgIAMPolicyTo(ctx context.Context, req *admin_pb.ResetCustomOrgIAMPolicyToDefaultRequest) (*admin_pb.ResetCustomOrgIAMPolicyToDefaultResponse, error) { + err := s.command.RemoveOrgIAMPolicy(ctx, req.OrgId) + if err != nil { + return nil, err + } + return nil, nil //TOOD: return data +} + +func toDomainOrgIAMPolicy(userLoginMustBeDomain bool) *domain.OrgIAMPolicy { + return &domain.OrgIAMPolicy{ + UserLoginMustBeDomain: userLoginMustBeDomain, + } +} + +func updateOrgIAMPolicyToDomain(req *admin_pb.UpdateOrgIAMPolicyRequest) *domain.OrgIAMPolicy { + return &domain.OrgIAMPolicy{ + // ObjectRoot: models.ObjectRoot{ + // // AggreagateID: //TODO: there should only be ONE default + // }, + UserLoginMustBeDomain: req.UserLoginMustBeDomain, + } +} + +func updateCustomOrgIAMPolicyToDomain(req *admin_pb.UpdateCustomOrgIAMPolicyRequest) *domain.OrgIAMPolicy { + return &domain.OrgIAMPolicy{ + ObjectRoot: models.ObjectRoot{ + AggregateID: req.OrgId, + }, + UserLoginMustBeDomain: req.UserLoginMustBeDomain, + } +} diff --git a/internal/api/grpc/admin/password_age.go b/internal/api/grpc/admin/password_age.go new file mode 100644 index 0000000000..34de590e18 --- /dev/null +++ b/internal/api/grpc/admin/password_age.go 
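Review bot: `ResetCustomOrgIAMPolicyTo` returns `nil, nil` on success (marked `//TOOD: return data`), so a successful reset hands the gRPC layer a nil response message instead of a `ResetCustomOrgIAMPolicyToDefaultResponse`. The method name also looks truncated compared with its request type. If the generated interface method is `ResetCustomOrgIAMPolicyToDefault` (not visible in this diff), this handler is never reached and callers get the embedded Unimplemented stub while the custom policy stays in place. I would rename the method to match the generated interface and end it with `return &admin_pb.ResetCustomOrgIAMPolicyToDefaultResponse{}, nil`.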
@@ -0,0 +1,33 @@
+package admin
+
+import (
+ "context"
+
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
+ admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func (s *Server) GetPasswordAgePolicy(ctx context.Context, req *admin_pb.GetPasswordAgePolicyRequest) (*admin_pb.GetPasswordAgePolicyResponse, error) {
+ policy, err := s.iam.GetDefaultPasswordAgePolicy(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.GetPasswordAgePolicyResponse{
+ Policy: policy_grpc.ModelPasswordAgePolicyToPb(policy),
+ }, nil
+}
+
+func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, req *admin_pb.UpdatePasswordAgePolicyRequest) (*admin_pb.UpdatePasswordAgePolicyResponse, error) {
+ result, err := s.command.ChangeDefaultPasswordAgePolicy(ctx, UpdatePasswordAgePolicyToDomain(req))
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.UpdatePasswordAgePolicyResponse{
+ Details: object.ToDetailsPb(
+ result.Sequence,
+ result.ChangeDate,
+ result.ResourceOwner,
+ ),
+ }, nil
+}
diff --git a/internal/api/grpc/admin/password_age_converter.go b/internal/api/grpc/admin/password_age_converter.go
new file mode 100644
index 0000000000..ffefb8dc1e
--- /dev/null
+++ b/internal/api/grpc/admin/password_age_converter.go
@@ -0,0 +1,13 @@
+package admin
+
+import (
+ "github.com/caos/zitadel/internal/domain"
+ admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func UpdatePasswordAgePolicyToDomain(policy *admin_pb.UpdatePasswordAgePolicyRequest) *domain.PasswordAgePolicy {
+ return &domain.PasswordAgePolicy{
+ MaxAgeDays: uint64(policy.MaxAgeDays),
+ ExpireWarnDays: uint64(policy.ExpireWarnDays),
+ }
+}
diff --git a/internal/api/grpc/admin/password_age_policy.go b/internal/api/grpc/admin/password_age_policy.go
deleted file mode 100644
index 46e2389c83..0000000000
--- a/internal/api/grpc/admin/password_age_policy.go
+++ /dev/null
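Review bot: `uint64(policy.MaxAgeDays)` and `uint64(policy.ExpireWarnDays)` in `UpdatePasswordAgePolicyToDomain` convert the request fields without any range check. The generated field types are not visible in this diff; if they are signed, a negative value wraps to a very large unsigned number, which for a maximum password age would effectively switch expiry off. The same unchecked conversion appears in `UpdatePasswordComplexityPolicyToDomain` (`MinLength`) and `UpdatePasswordLockoutPolicyToDomain` (`MaxAttempts`), where zero is accepted as well. Unless proto validation or the command layer already enforces bounds, I would reject out-of-range values in the handlers before calling the command. If bounds are enforced elsewhere, say so on the converters, e.g. `// Range checks happen upstream; this only widens the type.`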
@@ -1,23 +0,0 @@ -package admin - -import ( - "context" - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes/empty" -) - -func (s *Server) GetDefaultPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*admin.DefaultPasswordAgePolicyView, error) { - result, err := s.iam.GetDefaultPasswordAgePolicy(ctx) - if err != nil { - return nil, err - } - return passwordAgePolicyViewFromModel(result), nil -} - -func (s *Server) UpdateDefaultPasswordAgePolicy(ctx context.Context, policy *admin.DefaultPasswordAgePolicyRequest) (*admin.DefaultPasswordAgePolicy, error) { - result, err := s.command.ChangeDefaultPasswordAgePolicy(ctx, passwordAgePolicyToDomain(policy)) - if err != nil { - return nil, err - } - return passwordAgePolicyFromDomain(result), nil -} diff --git a/internal/api/grpc/admin/password_age_policy_converter.go b/internal/api/grpc/admin/password_age_policy_converter.go deleted file mode 100644 index b332412240..0000000000 --- a/internal/api/grpc/admin/password_age_policy_converter.go +++ /dev/null 
@@ -1,40 +0,0 @@ -package admin - -import ( - "github.com/caos/logging" - "github.com/caos/zitadel/internal/domain" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" -) - -func passwordAgePolicyToDomain(policy *admin.DefaultPasswordAgePolicyRequest) *domain.PasswordAgePolicy { - return &domain.PasswordAgePolicy{ - MaxAgeDays: policy.MaxAgeDays, - ExpireWarnDays: policy.ExpireWarnDays, - } -} - -func passwordAgePolicyFromDomain(policy *domain.PasswordAgePolicy) *admin.DefaultPasswordAgePolicy { - return &admin.DefaultPasswordAgePolicy{ - MaxAgeDays: policy.MaxAgeDays, - ExpireWarnDays: policy.ExpireWarnDays, - ChangeDate: timestamppb.New(policy.ChangeDate), - } -} - -func passwordAgePolicyViewFromModel(policy *iam_model.PasswordAgePolicyView) *admin.DefaultPasswordAgePolicyView { - creationDate, err := ptypes.TimestampProto(policy.CreationDate) - logging.Log("GRPC-2Gs9o").OnError(err).Debug("date parse failed") - - changeDate, err := ptypes.TimestampProto(policy.ChangeDate) - logging.Log("GRPC-8Hjss").OnError(err).Debug("date parse failed") - - return &admin.DefaultPasswordAgePolicyView{ - MaxAgeDays: policy.MaxAgeDays, - ExpireWarnDays: policy.ExpireWarnDays, - CreationDate: creationDate, - ChangeDate: changeDate, - } -} diff --git a/internal/api/grpc/admin/password_complexity.go b/internal/api/grpc/admin/password_complexity.go new file mode 100644 index 0000000000..ea53a65713 --- /dev/null +++ b/internal/api/grpc/admin/password_complexity.go 
@@ -0,0 +1,31 @@
+package admin
+
+import (
+ "context"
+
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
+ admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, _ *admin_pb.GetPasswordComplexityPolicyRequest) (*admin_pb.GetPasswordComplexityPolicyResponse, error) {
+ policy, err := s.iam.GetDefaultPasswordComplexityPolicy(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.GetPasswordComplexityPolicyResponse{Policy: policy_grpc.ModelPasswordComplexityPolicyToPb(policy)}, nil
+}
+
+func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, req *admin_pb.UpdatePasswordComplexityPolicyRequest) (*admin_pb.UpdatePasswordComplexityPolicyResponse, error) {
+ result, err := s.command.ChangeDefaultPasswordComplexityPolicy(ctx, UpdatePasswordComplexityPolicyToDomain(req))
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.UpdatePasswordComplexityPolicyResponse{
+ Details: object.ToDetailsPb(
+ result.Sequence,
+ result.ChangeDate,
+ result.ResourceOwner,
+ ),
+ }, nil
+}
diff --git a/internal/api/grpc/admin/password_complexity_converter.go b/internal/api/grpc/admin/password_complexity_converter.go
new file mode 100644
index 0000000000..d942782cb7
--- /dev/null
+++ b/internal/api/grpc/admin/password_complexity_converter.go
@@ -0,0 +1,16 @@
+package admin
+
+import (
+ "github.com/caos/zitadel/internal/domain"
+ admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func UpdatePasswordComplexityPolicyToDomain(req *admin_pb.UpdatePasswordComplexityPolicyRequest) *domain.PasswordComplexityPolicy {
+ return &domain.PasswordComplexityPolicy{
+ MinLength: uint64(req.MinLength),
+ HasLowercase: req.HasLowercase,
+ HasUppercase: req.HasUppercase,
+ HasNumber: req.HasNumber,
+ HasSymbol: req.HasSymbol,
+ }
+}
diff --git a/internal/api/grpc/admin/password_complexity_policy.go b/internal/api/grpc/admin/password_complexity_policy.go deleted file mode 100644 index b784c78fa9..0000000000 --- a/internal/api/grpc/admin/password_complexity_policy.go +++ /dev/null @@ -1,23 +0,0 @@ -package admin - -import ( - "context" - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes/empty" -) - -func (s *Server) GetDefaultPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*admin.DefaultPasswordComplexityPolicyView, error) { - result, err := s.iam.GetDefaultPasswordComplexityPolicy(ctx) - if err != nil { - return nil, err - } - return passwordComplexityPolicyViewFromModel(result), nil -} - -func (s *Server) UpdateDefaultPasswordComplexityPolicy(ctx context.Context, policy *admin.DefaultPasswordComplexityPolicyRequest) (*admin.DefaultPasswordComplexityPolicy, error) { - result, err := s.command.ChangeDefaultPasswordComplexityPolicy(ctx, passwordComplexityPolicyToDomain(policy)) - if err != nil { - return nil, err - } - return passwordComplexityPolicyFromDomain(result), nil -} diff --git a/internal/api/grpc/admin/password_complexity_policy_converter.go b/internal/api/grpc/admin/password_complexity_policy_converter.go deleted file mode 100644 index 0b5580ae9d..0000000000 --- a/internal/api/grpc/admin/password_complexity_policy_converter.go +++ /dev/null 
@@ -1,49 +0,0 @@ -package admin - -import ( - "github.com/caos/logging" - "github.com/caos/zitadel/internal/domain" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" -) - -func passwordComplexityPolicyToDomain(policy *admin.DefaultPasswordComplexityPolicyRequest) *domain.PasswordComplexityPolicy { - return &domain.PasswordComplexityPolicy{ - MinLength: policy.MinLength, - HasUppercase: policy.HasUppercase, - HasLowercase: policy.HasLowercase, - HasNumber: policy.HasNumber, - HasSymbol: policy.HasSymbol, - } -} - -func passwordComplexityPolicyFromDomain(policy *domain.PasswordComplexityPolicy) *admin.DefaultPasswordComplexityPolicy { - return &admin.DefaultPasswordComplexityPolicy{ - MinLength: policy.MinLength, - HasUppercase: policy.HasUppercase, - HasLowercase: policy.HasLowercase, - HasNumber: policy.HasNumber, - HasSymbol: policy.HasSymbol, - ChangeDate: timestamppb.New(policy.ChangeDate), - } -} - -func passwordComplexityPolicyViewFromModel(policy *iam_model.PasswordComplexityPolicyView) *admin.DefaultPasswordComplexityPolicyView { - creationDate, err := ptypes.TimestampProto(policy.CreationDate) - logging.Log("GRPC-rTs9f").OnError(err).Debug("date parse failed") - - changeDate, err := ptypes.TimestampProto(policy.ChangeDate) - logging.Log("GRPC-ks9Zt").OnError(err).Debug("date parse failed") - - return &admin.DefaultPasswordComplexityPolicyView{ - MinLength: policy.MinLength, - HasUppercase: policy.HasUppercase, - HasLowercase: policy.HasLowercase, - HasNumber: policy.HasNumber, - HasSymbol: policy.HasSymbol, - CreationDate: creationDate, - ChangeDate: changeDate, - } -} diff --git a/internal/api/grpc/admin/password_lockout.go b/internal/api/grpc/admin/password_lockout.go new file mode 100644 index 0000000000..38303c7800 --- /dev/null +++ b/internal/api/grpc/admin/password_lockout.go 
@@ -0,0 +1,31 @@
+package admin
+
+import (
+ "context"
+
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
+ admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, req *admin_pb.GetPasswordLockoutPolicyRequest) (*admin_pb.GetPasswordLockoutPolicyResponse, error) {
+ policy, err := s.iam.GetDefaultPasswordLockoutPolicy(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.GetPasswordLockoutPolicyResponse{Policy: policy_grpc.ModelPasswordLockoutPolicyToPb(policy)}, nil
+}
+
+func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, req *admin_pb.UpdatePasswordLockoutPolicyRequest) (*admin_pb.UpdatePasswordLockoutPolicyResponse, error) {
+ policy, err := s.command.ChangeDefaultPasswordLockoutPolicy(ctx, UpdatePasswordLockoutPolicyToDomain(req))
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.UpdatePasswordLockoutPolicyResponse{
+ Details: object.ToDetailsPb(
+ policy.Sequence,
+ policy.ChangeDate,
+ policy.ResourceOwner,
+ ),
+ }, nil
+}
diff --git a/internal/api/grpc/admin/password_lockout_converter.go b/internal/api/grpc/admin/password_lockout_converter.go
new file mode 100644
index 0000000000..9427f646de
--- /dev/null
+++ b/internal/api/grpc/admin/password_lockout_converter.go
@@ -0,0 +1,13 @@
+package admin
+
+import (
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func UpdatePasswordLockoutPolicyToDomain(p *admin.UpdatePasswordLockoutPolicyRequest) *domain.PasswordLockoutPolicy {
+ return &domain.PasswordLockoutPolicy{
+ MaxAttempts: uint64(p.MaxAttempts),
+ ShowLockOutFailures: p.ShowLockoutFailure,
+ }
+}
diff --git a/internal/api/grpc/admin/password_lockout_policy.go b/internal/api/grpc/admin/password_lockout_policy.go
deleted file mode 100644
index a32d82539b..0000000000
--- a/internal/api/grpc/admin/password_lockout_policy.go
+++ /dev/null
@@ -1,23 +0,0 @@ -package admin - -import ( - "context" - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes/empty" -) - -func (s *Server) GetDefaultPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*admin.DefaultPasswordLockoutPolicyView, error) { - result, err := s.iam.GetDefaultPasswordLockoutPolicy(ctx) - if err != nil { - return nil, err - } - return passwordLockoutPolicyViewFromModel(result), nil -} - -func (s *Server) UpdateDefaultPasswordLockoutPolicy(ctx context.Context, policy *admin.DefaultPasswordLockoutPolicyRequest) (*admin.DefaultPasswordLockoutPolicy, error) { - result, err := s.command.ChangeDefaultPasswordLockoutPolicy(ctx, passwordLockoutPolicyToDomain(policy)) - if err != nil { - return nil, err - } - return passwordLockoutPolicyFromDomain(result), nil -} diff --git a/internal/api/grpc/admin/password_lockout_policy_converter.go b/internal/api/grpc/admin/password_lockout_policy_converter.go deleted file mode 100644 index 6bd7125ef7..0000000000 --- a/internal/api/grpc/admin/password_lockout_policy_converter.go +++ /dev/null 
@@ -1,40 +0,0 @@ -package admin - -import ( - "github.com/caos/logging" - "github.com/caos/zitadel/internal/domain" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" -) - -func passwordLockoutPolicyToDomain(policy *admin.DefaultPasswordLockoutPolicyRequest) *domain.PasswordLockoutPolicy { - return &domain.PasswordLockoutPolicy{ - MaxAttempts: policy.MaxAttempts, - ShowLockOutFailures: policy.ShowLockoutFailure, - } -} - -func passwordLockoutPolicyFromDomain(policy *domain.PasswordLockoutPolicy) *admin.DefaultPasswordLockoutPolicy { - return &admin.DefaultPasswordLockoutPolicy{ - MaxAttempts: policy.MaxAttempts, - ShowLockoutFailure: policy.ShowLockOutFailures, - ChangeDate: timestamppb.New(policy.ChangeDate), - } -} - -func passwordLockoutPolicyViewFromModel(policy *iam_model.PasswordLockoutPolicyView) *admin.DefaultPasswordLockoutPolicyView { - creationDate, err := ptypes.TimestampProto(policy.CreationDate) - logging.Log("GRPC-7Hmlo").OnError(err).Debug("date parse failed") - - changeDate, err := ptypes.TimestampProto(policy.ChangeDate) - logging.Log("GRPC-0oLgs").OnError(err).Debug("date parse failed") - - return &admin.DefaultPasswordLockoutPolicyView{ - MaxAttempts: policy.MaxAttempts, - ShowLockoutFailure: policy.ShowLockOutFailures, - CreationDate: creationDate, - ChangeDate: changeDate, - } -} diff --git a/internal/api/grpc/admin/probes.go b/internal/api/grpc/admin/probes.go deleted file mode 100644 index 0a67a7f967..0000000000 --- a/internal/api/grpc/admin/probes.go +++ /dev/null @@ -1,10 +0,0 @@ -package admin - -import ( - "context" - "github.com/golang/protobuf/ptypes/empty" -) - -func (s *Server) Healthz(_ context.Context, e *empty.Empty) (*empty.Empty, error) { - return &empty.Empty{}, nil -} diff --git a/internal/api/grpc/admin/server.go b/internal/api/grpc/admin/server.go index b2b4dc9ad6..2df0d1ff6b 100644 
--- a/internal/api/grpc/admin/server.go +++ b/internal/api/grpc/admin/server.go @@ -1,15 +1,14 @@ package admin import ( - "github.com/caos/zitadel/internal/command" - "github.com/caos/zitadel/internal/query" - "google.golang.org/grpc" - "github.com/caos/zitadel/internal/admin/repository" "github.com/caos/zitadel/internal/admin/repository/eventsourcing" "github.com/caos/zitadel/internal/api/authz" "github.com/caos/zitadel/internal/api/grpc/server" + "github.com/caos/zitadel/internal/command" + "github.com/caos/zitadel/internal/query" "github.com/caos/zitadel/pkg/grpc/admin" + "google.golang.org/grpc" ) const ( @@ -19,6 +18,7 @@ const ( var _ admin.AdminServiceServer = (*Server)(nil) type Server struct { + admin.UnimplementedAdminServiceServer command *command.Commands query *query.Queries org repository.OrgRepository diff --git a/internal/api/grpc/admin/template.go b/internal/api/grpc/admin/template.go deleted file mode 100644 index b4227691d4..0000000000 --- a/internal/api/grpc/admin/template.go +++ /dev/null @@ -1,24 +0,0 @@ -package admin - -import ( - "context" - - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes/empty" -) - -func (s *Server) GetDefaultMailTemplate(ctx context.Context, _ *empty.Empty) (*admin.DefaultMailTemplateView, error) { - result, err := s.iam.GetDefaultMailTemplate(ctx) - if err != nil { - return nil, err - } - return templateViewFromModel(result), nil -} - -func (s *Server) UpdateDefaultMailTemplate(ctx context.Context, policy *admin.DefaultMailTemplateUpdate) (*admin.DefaultMailTemplate, error) { - result, err := s.command.ChangeDefaultMailTemplate(ctx, templateToDomain(policy)) - if err != nil { - return nil, err - } - return templateFromDomain(result), nil -} diff --git a/internal/api/grpc/admin/template_converter.go b/internal/api/grpc/admin/template_converter.go deleted file mode 100644 index 20fe1aa22a..0000000000 --- a/internal/api/grpc/admin/template_converter.go +++ /dev/null 
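Review bot: Embedding `admin.UnimplementedAdminServiceServer` in `Server` means the `var _ admin.AdminServiceServer = (*Server)(nil)` assertion above it no longer proves that every RPC has a handler. A missing or misspelled method now compiles and answers with the generated stub at runtime. This commit deletes and renames many admin handlers at once, so that gap is worth guarding. I would add a comment on the field, `// Required by the generated code; any RPC without a matching method on Server falls through to this stub.`, and a test that calls each admin RPC on `Server` and fails on `codes.Unimplemented`. The struct body continues outside the hunk.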
@@ -1,30 +0,0 @@ -package admin - -import ( - "github.com/caos/zitadel/internal/domain" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/admin" - "google.golang.org/protobuf/types/known/timestamppb" -) - -func templateToDomain(policy *admin.DefaultMailTemplateUpdate) *domain.MailTemplate { - return &domain.MailTemplate{ - Template: policy.Template, - } -} - -func templateFromDomain(policy *domain.MailTemplate) *admin.DefaultMailTemplate { - return &admin.DefaultMailTemplate{ - Template: policy.Template, - CreationDate: timestamppb.New(policy.CreationDate), - ChangeDate: timestamppb.New(policy.ChangeDate), - } -} - -func templateViewFromModel(policy *iam_model.MailTemplateView) *admin.DefaultMailTemplateView { - return &admin.DefaultMailTemplateView{ - Template: policy.Template, - CreationDate: timestamppb.New(policy.CreationDate), - ChangeDate: timestamppb.New(policy.ChangeDate), - } -} diff --git a/internal/api/grpc/admin/text.go b/internal/api/grpc/admin/text.go deleted file mode 100644 index fc26b10f16..0000000000 --- a/internal/api/grpc/admin/text.go +++ /dev/null 
@@ -1,32 +0,0 @@ -package admin - -import ( - "context" - - "github.com/caos/zitadel/pkg/grpc/admin" - "github.com/golang/protobuf/ptypes/empty" -) - -func (s *Server) GetDefaultMailTexts(ctx context.Context, _ *empty.Empty) (*admin.DefaultMailTextsView, error) { - result, err := s.iam.GetDefaultMailTexts(ctx) - if err != nil { - return nil, err - } - return textsViewFromModel(result), nil -} - -func (s *Server) GetDefaultMailText(ctx context.Context, textType string, language string) (*admin.DefaultMailTextView, error) { - result, err := s.iam.GetDefaultMailText(ctx, textType, language) - if err != nil { - return nil, err - } - return textViewFromModel(result), nil -} - -func (s *Server) UpdateDefaultMailText(ctx context.Context, text *admin.DefaultMailTextUpdate) (*admin.DefaultMailText, error) { - result, err := s.command.ChangeDefaultMailText(ctx, textToDomain(text)) - if err != nil { - return nil, err - } - return textFromDomain(result), nil -} diff --git a/internal/api/grpc/admin/text_converter.go b/internal/api/grpc/admin/text_converter.go deleted file mode 100644 index 298eb08c06..0000000000 --- a/internal/api/grpc/admin/text_converter.go +++ /dev/null 
@@ -1,66 +0,0 @@ -package admin - -import ( - "github.com/caos/zitadel/internal/domain" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/admin" - "google.golang.org/protobuf/types/known/timestamppb" -) - -func textToDomain(text *admin.DefaultMailTextUpdate) *domain.MailText { - return &domain.MailText{ - MailTextType: text.MailTextType, - Language: text.Language, - Title: text.Title, - PreHeader: text.PreHeader, - Subject: text.Subject, - Greeting: text.Greeting, - Text: text.Text, - ButtonText: text.ButtonText, - } -} - -func textFromDomain(text *domain.MailText) *admin.DefaultMailText { - return &admin.DefaultMailText{ - MailTextType: text.MailTextType, - Language: text.Language, - Title: text.Title, - PreHeader: text.PreHeader, - Subject: text.Subject, - Greeting: text.Greeting, - Text: text.Text, - ButtonText: text.ButtonText, - CreationDate: timestamppb.New(text.CreationDate), - ChangeDate: timestamppb.New(text.ChangeDate), - } -} - -func textsViewFromModel(textsin *iam_model.MailTextsView) *admin.DefaultMailTextsView { - return &admin.DefaultMailTextsView{ - Texts: textsViewToModel(textsin.Texts), - } -} - -func textsViewToModel(queries []*iam_model.MailTextView) []*admin.DefaultMailTextView { - modelQueries := make([]*admin.DefaultMailTextView, len(queries)) - for i, query := range queries { - modelQueries[i] = textViewFromModel(query) - } - - return modelQueries -} - -func textViewFromModel(text *iam_model.MailTextView) *admin.DefaultMailTextView { - return &admin.DefaultMailTextView{ - MailTextType: text.MailTextType, - Language: text.Language, - Title: text.Title, - PreHeader: text.PreHeader, - Subject: text.Subject, - Greeting: text.Greeting, - Text: text.Text, - ButtonText: text.ButtonText, - CreationDate: timestamppb.New(text.CreationDate), - ChangeDate: timestamppb.New(text.ChangeDate), - } -} 
diff --git a/internal/api/grpc/admin/user_converter.go b/internal/api/grpc/admin/user_converter.go
index adc2f7ec3d..0cd0a6f5e7 100644
--- a/internal/api/grpc/admin/user_converter.go
+++ b/internal/api/grpc/admin/user_converter.go
@@ -2,92 +2,46 @@ package admin import ( "github.com/caos/logging" + user_grpc "github.com/caos/zitadel/internal/api/grpc/user" "github.com/caos/zitadel/internal/domain" - "github.com/caos/zitadel/internal/eventstore/v1/models" - usr_model "github.com/caos/zitadel/internal/user/model" - "github.com/caos/zitadel/pkg/grpc/admin" + admin_grpc "github.com/caos/zitadel/pkg/grpc/admin" "golang.org/x/text/language" ) -func userCreateRequestToDomain(user *admin.CreateUserRequest) (*domain.Human, *domain.Machine) { - if h := user.GetHuman(); h != nil { - human := humanCreateToDomain(h) - human.Username = user.UserName - return human, nil - } - if m := user.GetMachine(); m != nil { - machine := machineCreateToDomain(m) - machine.Username = user.UserName - return nil, machine - } - return nil, nil -} - -func humanCreateToDomain(u *admin.CreateHumanRequest) *domain.Human { - preferredLanguage, err := language.Parse(u.PreferredLanguage) - logging.Log("GRPC-1ouQc").OnError(err).Debug("language malformed") - - human := &domain.Human{ - Profile: &domain.Profile{ - FirstName: u.FirstName, - LastName: u.LastName, - NickName: u.NickName, - PreferredLanguage: preferredLanguage, - Gender: genderToDomain(u.Gender), - }, - Email: &domain.Email{ - EmailAddress: u.Email, - IsEmailVerified: u.IsEmailVerified, - }, - Address: &domain.Address{ - Country: u.Country, - Locality: u.Locality, - PostalCode: u.PostalCode, - Region: u.Region, - StreetAddress: u.StreetAddress, - }, - } - if u.Password != "" { - human.Password = &domain.Password{SecretString: u.Password} - } - if u.Phone != "" { - human.Phone = &domain.Phone{PhoneNumber: u.Phone, IsPhoneVerified: u.IsPhoneVerified} - } - return human -} - -func genderToDomain(gender admin.Gender) domain.Gender { - switch gender { - case admin.Gender_GENDER_FEMALE: - return domain.GenderFemale - case admin.Gender_GENDER_MALE: - return domain.GenderMale - case admin.Gender_GENDER_DIVERSE: - return domain.GenderDiverse - default: - return 
domain.GenderUnspecified +func setUpOrgHumanToDomain(human *admin_grpc.SetUpOrgRequest_Human) *domain.Human { + return &domain.Human{ + Username: human.UserName, + Profile: setUpOrgHumanProfileToDomain(human.Profile), + Email: setUpOrgHumanEmailToDomain(human.Email), + Phone: setUpOrgHumanPhoneToDomain(human.Phone), } } -func machineCreateToDomain(machine *admin.CreateMachineRequest) *domain.Machine { - return &domain.Machine{ - Name: machine.Name, - Description: machine.Description, +func setUpOrgHumanProfileToDomain(profile *admin_grpc.SetUpOrgRequest_Human_Profile) *domain.Profile { + var lang language.Tag + lang, err := language.Parse(profile.PreferredLanguage) + logging.Log("ADMIN-tiMWs").OnError(err).Debug("unable to parse language") + + return &domain.Profile{ + FirstName: profile.FirstName, + LastName: profile.LastName, + NickName: profile.NickName, + DisplayName: profile.DisplayName, + PreferredLanguage: lang, + Gender: user_grpc.GenderToDomain(profile.Gender), } } -func externalIDPViewsToDomain(idps []*usr_model.ExternalIDPView) []*domain.ExternalIDP { - externalIDPs := make([]*domain.ExternalIDP, len(idps)) - for i, idp := range idps { - externalIDPs[i] = &domain.ExternalIDP{ - ObjectRoot: models.ObjectRoot{ - AggregateID: idp.UserID, - ResourceOwner: idp.ResourceOwner, - }, - IDPConfigID: idp.IDPConfigID, - ExternalUserID: idp.ExternalUserID, - DisplayName: idp.UserDisplayName, - } +func setUpOrgHumanEmailToDomain(email *admin_grpc.SetUpOrgRequest_Human_Email) *domain.Email { + return &domain.Email{ + EmailAddress: email.Email, + IsEmailVerified: email.IsEmailVerified, + } +} + +func setUpOrgHumanPhoneToDomain(phone *admin_grpc.SetUpOrgRequest_Human_Phone) *domain.Phone { + return &domain.Phone{ + PhoneNumber: phone.Phone, + IsPhoneVerified: phone.IsPhoneVerified, } - return externalIDPs } diff --git a/internal/api/grpc/admin/view.go b/internal/api/grpc/admin/view.go new file mode 100644 index 0000000000..70bd1f9e72 --- /dev/null 
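Review bot: `setUpOrgHumanToDomain` passes `human.Profile`, `human.Email` and `human.Phone` straight to helpers that read fields off them (`profile.PreferredLanguage`, `email.Email`, `phone.Phone`). A request that omits one of these sub-messages would dereference a nil pointer inside the handler, unless request validation guarantees they are set (not visible here). The removed `humanCreateToDomain` only built a `domain.Phone` when a number was supplied; the new code always returns one, even when it is empty. I would read through the generated getters, which tolerate a nil receiver, and restore the guard: `if phone.GetPhone() == "" { return nil }` at the top of `setUpOrgHumanPhoneToDomain`, and `language.Parse(profile.GetPreferredLanguage())` in the profile helper. The `var lang language.Tag` declaration before `lang, err :=` is redundant.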
+++ b/internal/api/grpc/admin/view.go
@@ -0,0 +1,23 @@
+package admin
+
+import (
+ "context"
+
+ admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+func (s *Server) ListViews(context.Context, *admin_pb.ListViewsRequest) (*admin_pb.ListViewsResponse, error) {
+ views, err := s.administrator.GetViews()
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.ListViewsResponse{Result: ViewsToPb(views)}, nil
+}
+
+func (s *Server) ClearView(ctx context.Context, req *admin_pb.ClearViewRequest) (*admin_pb.ClearViewResponse, error) {
+ err := s.administrator.ClearView(ctx, req.Database, req.ViewName)
+ if err != nil {
+ return nil, err
+ }
+ return &admin_pb.ClearViewResponse{}, nil
+}
diff --git a/internal/api/grpc/admin/view_converter.go b/internal/api/grpc/admin/view_converter.go
new file mode 100644
index 0000000000..eca7fb9aa8
--- /dev/null
+++ b/internal/api/grpc/admin/view_converter.go
@@ -0,0 +1,32 @@
+package admin
+
+import (
+ "github.com/caos/logging"
+ "github.com/caos/zitadel/internal/view/model"
+ admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
+ "github.com/golang/protobuf/ptypes"
+)
+
+func ViewsToPb(views []*model.View) []*admin_pb.View {
+ v := make([]*admin_pb.View, len(views))
+ for i, view := range views {
+ v[i] = ViewToPb(view)
+ }
+ return v
+}
+
+func ViewToPb(view *model.View) *admin_pb.View {
+ lastSuccessfulSpoolerRun, err := ptypes.TimestampProto(view.LastSuccessfulSpoolerRun)
+ logging.Log("ADMIN-4zs01").OnError(err).Debug("unable to parse last successful spooler run")
+
+ eventTs, err := ptypes.TimestampProto(view.EventTimestamp)
+ logging.Log("ADMIN-q2Wzj").OnError(err).Debug("unable to parse event timestamp")
+
+ return &admin_pb.View{
+ Database: view.Database,
+ ViewName: view.ViewName,
+ LastSuccessfulSpoolerRun: lastSuccessfulSpoolerRun,
+ ProcessedSequence: view.CurrentSequence,
+ EventTimestamp: eventTs,
+ }
+}
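Review bot: `ClearView` in view.go forwards `req.Database` and `req.ViewName` from the request to `s.administrator.ClearView` without checking them against the views the server actually manages. The implementation of `ClearView` is not part of this diff; if it builds a statement from those two strings, they should be restricted to known values at this boundary. I would look the pair up in the result of `s.administrator.GetViews()` and reject anything that does not match, as sketched below. If the project has its own error helper, use it in place of `status.Error`.

```go
func (s *Server) ClearView(ctx context.Context, req *admin_pb.ClearViewRequest) (*admin_pb.ClearViewResponse, error) {
	views, err := s.administrator.GetViews()
	if err != nil {
		return nil, err
	}
	known := false
	for _, v := range views {
		if v.Database == req.Database && v.ViewName == req.ViewName {
			known = true
			break
		}
	}
	if !known {
		return nil, status.Error(codes.InvalidArgument, "unknown view")
	}
	// … unchanged: s.administrator.ClearView call and response …
```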
diff --git a/internal/api/grpc/auth/email.go b/internal/api/grpc/auth/email.go
new file mode 100644
index 0000000000..1db1c0dc41
--- /dev/null
+++ b/internal/api/grpc/auth/email.go
@@ -0,0 +1,61 @@
+package auth
+
+import (
+ "context"
+
+ "github.com/caos/zitadel/internal/api/authz"
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/api/grpc/user"
+ auth_pb "github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func (s *Server) GetMyEmail(ctx context.Context, _ *auth_pb.GetMyEmailRequest) (*auth_pb.GetMyEmailResponse, error) {
+ email, err := s.repo.MyEmail(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.GetMyEmailResponse{
+ Email: user.ModelEmailToPb(email),
+ Details: object.ToDetailsPb(
+ email.Sequence,
+ email.ChangeDate,
+ email.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) SetMyEmail(ctx context.Context, req *auth_pb.SetMyEmailRequest) (*auth_pb.SetMyEmailResponse, error) {
+ email, err := s.command.ChangeHumanEmail(ctx, UpdateMyEmailToDomain(ctx, req))
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.SetMyEmailResponse{
+ Details: object.ToDetailsPb(
+ email.Sequence,
+ email.ChangeDate,
+ email.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) VerifyMyEmail(ctx context.Context, req *auth_pb.VerifyMyEmailRequest) (*auth_pb.VerifyMyEmailResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ objectDetails, err := s.command.VerifyHumanEmail(ctx, ctxData.UserID, req.Code, ctxData.OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.VerifyMyEmailResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
+
+func (s *Server) ResendMyEmailVerification(ctx context.Context, _ *auth_pb.ResendMyEmailVerificationRequest) (*auth_pb.ResendMyEmailVerificationResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ objectDetails, err := s.command.CreateHumanEmailVerificationCode(ctx, ctxData.UserID, ctxData.ResourceOwner)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.ResendMyEmailVerificationResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
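Review bot: VerifyMyEmail passes `ctxData.OrgID` as the last argument of `s.command.VerifyHumanEmail`, while ResendMyEmailVerification in the same hunk passes `ctxData.ResourceOwner` for the same user. If the two values can differ (their definitions are outside this diff), a self-service call would be evaluated against an organisation other than the one that owns the user, so I would use one of them consistently, e.g. `s.command.VerifyHumanEmail(ctx, ctxData.UserID, req.Code, ctxData.ResourceOwner)`. The same mix appears in multi_factor.go (AddMyAuthFactorOTP, RemoveMyAuthFactorOTP, VerifyMyAuthFactorU2F), password.go (UpdateMyPassword), passwordless.go (VerifyMyPasswordless) and phone.go (VerifyMyPhone). For VerifyMyPhone the removed line in user.go passed `ctxData.ResourceOwner`, so that call changes behaviour in this commit.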
diff --git a/internal/api/grpc/auth/email_converter.go b/internal/api/grpc/auth/email_converter.go
new file mode 100644
index 0000000000..760bb8a78e
--- /dev/null
+++ b/internal/api/grpc/auth/email_converter.go
@@ -0,0 +1,15 @@
+package auth
+
+import (
+ "context"
+
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func UpdateMyEmailToDomain(ctx context.Context, email *auth.SetMyEmailRequest) *domain.Email {
+ return &domain.Email{
+ ObjectRoot: ctxToObjectRoot(ctx),
+ EmailAddress: email.Email,
+ }
+}
diff --git a/internal/api/grpc/auth/gateway.go b/internal/api/grpc/auth/gateway.go
deleted file mode 100644
index 00681580cb..0000000000
--- a/internal/api/grpc/auth/gateway.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package auth
-
-import (
- "strings"
-
- "github.com/grpc-ecosystem/grpc-gateway/runtime"
-
- grpc_util "github.com/caos/zitadel/internal/api/grpc"
- "github.com/caos/zitadel/internal/api/grpc/server"
- "github.com/caos/zitadel/pkg/grpc/auth"
-)
-
-type Gateway struct {
- grpcEndpoint string
- port string
- cutomHeaders []string
-}
-
-func StartGateway(conf grpc_util.GatewayConfig) *Gateway {
- return &Gateway{
- grpcEndpoint: conf.GRPCEndpoint,
- port: conf.Port,
- cutomHeaders: conf.CustomHeaders,
- }
-}
-
-func (gw *Gateway) Gateway() server.GatewayFunc {
- return auth.RegisterAuthServiceHandlerFromEndpoint
-}
-
-func (gw *Gateway) GRPCEndpoint() string {
- return ":" + gw.grpcEndpoint
-}
-
-func (gw *Gateway) GatewayPort() string {
- return gw.port
-}
-
-func (gw *Gateway) GatewayServeMuxOptions() []runtime.ServeMuxOption {
- return []runtime.ServeMuxOption{
- runtime.WithIncomingHeaderMatcher(func(header string) (string, bool) {
- for _, customHeader := range gw.cutomHeaders {
- if strings.HasPrefix(strings.ToLower(header), customHeader) {
- return header, true
- }
- }
- return runtime.DefaultHeaderMatcher(header)
- }),
- }
-}
diff --git a/internal/api/grpc/auth/idp.go b/internal/api/grpc/auth/idp.go
new file mode 100644
index 0000000000..6d816df86a
--- /dev/null
+++ b/internal/api/grpc/auth/idp.go
@@ -0,0 +1,34 @@
+package auth
+
+import (
+ "context"
+
+ idp_grpc "github.com/caos/zitadel/internal/api/grpc/idp"
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ auth_pb "github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func (s *Server) ListMyLinkedIDPs(ctx context.Context, req *auth_pb.ListMyLinkedIDPsRequest) (*auth_pb.ListMyLinkedIDPsResponse, error) {
+ idps, err := s.repo.SearchMyExternalIDPs(ctx, ListMyLinkedIDPsRequestToModel(req))
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.ListMyLinkedIDPsResponse{
+ Result: idp_grpc.IDPsToUserLinkPb(idps.Result),
+ Details: object.ToListDetails(
+ idps.TotalResult,
+ idps.Sequence,
+ idps.Timestamp,
+ ),
+ }, nil
+}
+
+func (s *Server) RemoveMyLinkedIDP(ctx context.Context, req *auth_pb.RemoveMyLinkedIDPRequest) (*auth_pb.RemoveMyLinkedIDPResponse, error) {
+ objectDetails, err := s.command.RemoveHumanExternalIDP(ctx, RemoveMyLinkedIDPRequestToDomain(ctx, req))
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.RemoveMyLinkedIDPResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
diff --git a/internal/api/grpc/auth/idp_converter.go b/internal/api/grpc/auth/idp_converter.go
new file mode 100644
index 0000000000..b8c03a36eb
--- /dev/null
+++ b/internal/api/grpc/auth/idp_converter.go
@@ -0,0 +1,24 @@
+package auth
+
+import (
+ "context"
+
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/internal/user/model"
+ auth_pb "github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func ListMyLinkedIDPsRequestToModel(req *auth_pb.ListMyLinkedIDPsRequest) *model.ExternalIDPSearchRequest {
+ return &model.ExternalIDPSearchRequest{
+ Offset: req.Query.Offset,
+ Limit: uint64(req.Query.Limit),
+ }
+}
+
+func RemoveMyLinkedIDPRequestToDomain(ctx context.Context, req *auth_pb.RemoveMyLinkedIDPRequest) *domain.ExternalIDP {
+ return &domain.ExternalIDP{
+ ObjectRoot: ctxToObjectRoot(ctx),
+ IDPConfigID: req.IdpId,
+ ExternalUserID: req.LinkedUserId,
+ }
+}
diff --git a/internal/api/grpc/auth/information.go b/internal/api/grpc/auth/information.go
new file mode 100644
index 0000000000..f1fb7c8dbe
--- /dev/null
+++ b/internal/api/grpc/auth/information.go
@@ -0,0 +1,11 @@
+package auth
+
+import (
+ "context"
+
+ "github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func (s *Server) Healthz(context.Context, *auth.HealthzRequest) (*auth.HealthzResponse, error) {
+ return &auth.HealthzResponse{}, nil
+}
diff --git a/internal/api/grpc/auth/multi_factor.go b/internal/api/grpc/auth/multi_factor.go
new file mode 100644
index 0000000000..53d5f2eed3
--- /dev/null
+++ b/internal/api/grpc/auth/multi_factor.go
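Review bot: ListMyLinkedIDPsRequestToModel in idp_converter.go reads `req.Query.Offset` and `req.Query.Limit` through the field, which, assuming `Query` is a message pointer, panics with a nil dereference when a client omits it, unless a validator not visible in this diff guarantees it is set. The generated getters are nil-safe, so `Offset: req.GetQuery().GetOffset(),` and `Limit: uint64(req.GetQuery().GetLimit()),` avoid the panic. The same direct access is in user.go (ListMyUserChanges, ListMyProjectOrgsRequestToModel) and, for `req.Verification`, in multi_factor.go (VerifyMyAuthFactorU2F) and passwordless.go (VerifyMyPasswordless). No upper bound is applied to `Limit` here either; if the repository does not cap it, the cap belongs in this converter.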
@@ -0,0 +1,101 @@
+package auth
+
+import (
+ "context"
+
+ "github.com/caos/zitadel/internal/api/authz"
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ user_grpc "github.com/caos/zitadel/internal/api/grpc/user"
+ auth_pb "github.com/caos/zitadel/pkg/grpc/auth"
+ user_pb "github.com/caos/zitadel/pkg/grpc/user"
+)
+
+func (s *Server) ListMyAuthFactors(ctx context.Context, _ *auth_pb.ListMyAuthFactorsRequest) (*auth_pb.ListMyAuthFactorsResponse, error) {
+ mfas, err := s.repo.MyUserMFAs(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.ListMyAuthFactorsResponse{
+ Result: user_grpc.AuthFactorsToPb(mfas),
+ }, nil
+}
+
+func (s *Server) AddMyAuthFactorOTP(ctx context.Context, _ *auth_pb.AddMyAuthFactorOTPRequest) (*auth_pb.AddMyAuthFactorOTPResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ otp, err := s.command.AddHumanOTP(ctx, ctxData.UserID, ctxData.OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.AddMyAuthFactorOTPResponse{
+ Url: otp.Url,
+ Secret: otp.SecretString,
+ Details: object.ToDetailsPb(
+ otp.Sequence,
+ otp.ChangeDate,
+ otp.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) VerifyMyAuthFactorOTP(ctx context.Context, req *auth_pb.VerifyMyAuthFactorOTPRequest) (*auth_pb.VerifyMyAuthFactorOTPResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ objectDetails, err := s.command.HumanCheckMFAOTPSetup(ctx, ctxData.UserID, req.Code, "", ctxData.ResourceOwner)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.VerifyMyAuthFactorOTPResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
+
+func (s *Server) RemoveMyAuthFactorOTP(ctx context.Context, _ *auth_pb.RemoveMyAuthFactorOTPRequest) (*auth_pb.RemoveMyAuthFactorOTPResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ objectDetails, err := s.command.HumanRemoveOTP(ctx, ctxData.UserID, ctxData.OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.RemoveMyAuthFactorOTPResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
+
+func (s *Server) AddMyAuthFactorU2F(ctx context.Context, _ *auth_pb.AddMyAuthFactorU2FRequest) (*auth_pb.AddMyAuthFactorU2FResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ u2f, err := s.command.HumanAddU2FSetup(ctx, ctxData.UserID, ctxData.ResourceOwner, false)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.AddMyAuthFactorU2FResponse{
+ Key: &user_pb.WebAuthNKey{
+ Id: u2f.WebAuthNTokenID,
+ PublicKey: u2f.CredentialCreationData,
+ },
+ Details: object.ToDetailsPb(
+ u2f.Sequence,
+ u2f.ChangeDate,
+ u2f.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) VerifyMyAuthFactorU2F(ctx context.Context, req *auth_pb.VerifyMyAuthFactorU2FRequest) (*auth_pb.VerifyMyAuthFactorU2FResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ objectDetails, err := s.command.HumanVerifyU2FSetup(ctx, ctxData.UserID, ctxData.OrgID, req.Verification.TokenName, "", req.Verification.PublicKeyCredential)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.VerifyMyAuthFactorU2FResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
+
+func (s *Server) RemoveMyAuthFactorU2F(ctx context.Context, req *auth_pb.RemoveMyAuthFactorU2FRequest) (*auth_pb.RemoveMyAuthFactorU2FResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ objectDetails, err := s.command.HumanRemovePasswordless(ctx, ctxData.UserID, req.TokenId, ctxData.ResourceOwner)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.RemoveMyAuthFactorU2FResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
diff --git a/internal/api/grpc/auth/password.go b/internal/api/grpc/auth/password.go
new file mode 100644
index 0000000000..71aeaf34de
--- /dev/null
+++ b/internal/api/grpc/auth/password.go
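Review bot: RemoveMyAuthFactorU2F in multi_factor.go calls `s.command.HumanRemovePasswordless`, the same command RemoveMyPasswordless uses in passwordless.go, whereas the removed RemoveMyMfaU2F in user.go called `s.command.HumanRemoveU2F`. As written, a request to remove a U2F second factor goes through the passwordless removal path, so the U2F token presumably stays registered, or a passwordless token with that id is removed instead. Assuming HumanRemoveU2F now also returns object details like the other commands in this diff, the call should read `objectDetails, err := s.command.HumanRemoveU2F(ctx, ctxData.UserID, req.TokenId, ctxData.ResourceOwner)`.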
@@ -0,0 +1,20 @@
+package auth
+
+import (
+ "context"
+ "github.com/caos/zitadel/internal/api/grpc/object"
+
+ "github.com/caos/zitadel/internal/api/authz"
+ auth_pb "github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func (s *Server) UpdateMyPassword(ctx context.Context, req *auth_pb.UpdateMyPasswordRequest) (*auth_pb.UpdateMyPasswordResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ objectDetails, err := s.command.ChangePassword(ctx, ctxData.OrgID, ctxData.UserID, req.OldPassword, req.NewPassword, "")
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.UpdateMyPasswordResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
diff --git a/internal/api/grpc/auth/password_complexity.go b/internal/api/grpc/auth/password_complexity.go
new file mode 100644
index 0000000000..152774a581
--- /dev/null
+++ b/internal/api/grpc/auth/password_complexity.go
@@ -0,0 +1,16 @@
+package auth
+
+import (
+ "context"
+
+ policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
+ auth_pb "github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func (s *Server) GetMyPasswordComplexityPolicy(ctx context.Context, _ *auth_pb.GetMyPasswordComplexityPolicyRequest) (*auth_pb.GetMyPasswordComplexityPolicyResponse, error) {
+ policy, err := s.repo.GetMyPasswordComplexityPolicy(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.GetMyPasswordComplexityPolicyResponse{Policy: policy_grpc.ModelPasswordComplexityPolicyToPb(policy)}, nil
+}
diff --git a/internal/api/grpc/auth/passwordless.go b/internal/api/grpc/auth/passwordless.go
new file mode 100644
index 0000000000..cfe1845235
--- /dev/null
+++ b/internal/api/grpc/auth/passwordless.go
@@ -0,0 +1,58 @@
+package auth
+
+import (
+ "context"
+
+ "github.com/caos/zitadel/internal/api/authz"
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ user_grpc "github.com/caos/zitadel/internal/api/grpc/user"
+ auth_pb "github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func (s *Server) ListMyPasswordless(ctx context.Context, _ *auth_pb.ListMyPasswordlessRequest) (*auth_pb.ListMyPasswordlessResponse, error) {
+ tokens, err := s.repo.GetMyPasswordless(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.ListMyPasswordlessResponse{
+ Result: user_grpc.WebAuthNTokensViewToPb(tokens),
+ }, nil
+}
+
+func (s *Server) AddMyPasswordless(ctx context.Context, _ *auth_pb.AddMyPasswordlessRequest) (*auth_pb.AddMyPasswordlessResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ u2f, err := s.command.HumanAddPasswordlessSetup(ctx, ctxData.UserID, ctxData.ResourceOwner, false)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.AddMyPasswordlessResponse{
+ Key: user_grpc.WebAuthNTokenToWebAuthNKeyPb(u2f),
+ Details: object.ToDetailsPb(
+ u2f.Sequence,
+ u2f.ChangeDate,
+ u2f.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) VerifyMyPasswordless(ctx context.Context, req *auth_pb.VerifyMyPasswordlessRequest) (*auth_pb.VerifyMyPasswordlessResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ objectDetails, err := s.command.HumanHumanPasswordlessSetup(ctx, ctxData.UserID, ctxData.OrgID, req.Verification.TokenName, "", req.Verification.PublicKeyCredential)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.VerifyMyPasswordlessResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
+
+func (s *Server) RemoveMyPasswordless(ctx context.Context, req *auth_pb.RemoveMyPasswordlessRequest) (*auth_pb.RemoveMyPasswordlessResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ objectDetails, err := s.command.HumanRemovePasswordless(ctx, ctxData.UserID, req.TokenId, ctxData.ResourceOwner)
+ if err != nil {
+ return nil, err
+ }
+ return
&auth_pb.RemoveMyPasswordlessResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
diff --git a/internal/api/grpc/auth/permission.go b/internal/api/grpc/auth/permission.go
new file mode 100644
index 0000000000..541e4e6ba1
--- /dev/null
+++ b/internal/api/grpc/auth/permission.go
@@ -0,0 +1,27 @@
+package auth
+
+import (
+ "context"
+
+ auth_pb "github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func (s *Server) ListMyZitadelPermissions(ctx context.Context, _ *auth_pb.ListMyZitadelPermissionsRequest) (*auth_pb.ListMyZitadelPermissionsResponse, error) {
+ perms, err := s.repo.SearchMyZitadelPermissions(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.ListMyZitadelPermissionsResponse{
+ Result: perms,
+ }, nil
+}
+
+func (s *Server) ListMyProjectPermissions(ctx context.Context, _ *auth_pb.ListMyProjectPermissionsRequest) (*auth_pb.ListMyProjectPermissionsResponse, error) {
+ perms, err := s.repo.SearchMyProjectPermissions(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.ListMyProjectPermissionsResponse{
+ Result: perms,
+ }, nil
+}
diff --git a/internal/api/grpc/auth/phone.go b/internal/api/grpc/auth/phone.go
new file mode 100644
index 0000000000..9dc631710f
--- /dev/null
+++ b/internal/api/grpc/auth/phone.go
@@ -0,0 +1,74 @@
+package auth
+
+import (
+ "context"
+
+ "github.com/caos/zitadel/internal/api/authz"
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/api/grpc/user"
+ auth_pb "github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func (s *Server) GetMyPhone(ctx context.Context, _ *auth_pb.GetMyPhoneRequest) (*auth_pb.GetMyPhoneResponse, error) {
+ phone, err := s.repo.MyPhone(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.GetMyPhoneResponse{
+ Phone: user.ModelPhoneToPb(phone),
+ Details: object.ToDetailsPb(
+ phone.Sequence,
+ phone.ChangeDate,
+ phone.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) SetMyPhone(ctx context.Context, req *auth_pb.SetMyPhoneRequest) (*auth_pb.SetMyPhoneResponse, error) {
+ phone, err := s.command.ChangeHumanPhone(ctx, UpdateMyPhoneToDomain(ctx, req))
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.SetMyPhoneResponse{
+ Details: object.ToDetailsPb(
+ phone.Sequence,
+ phone.ChangeDate,
+ phone.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) VerifyMyPhone(ctx context.Context, req *auth_pb.VerifyMyPhoneRequest) (*auth_pb.VerifyMyPhoneResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ _, err := s.command.VerifyHumanPhone(ctx, ctxData.UserID, req.Code, ctxData.OrgID)
+ if err != nil {
+ return nil, err
+ }
+
+ //TODO: response from business
+ return &auth_pb.VerifyMyPhoneResponse{
+ //Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
+
+func (s *Server) ResendMyPhoneVerification(ctx context.Context, _ *auth_pb.ResendMyPhoneVerificationRequest) (*auth_pb.ResendMyPhoneVerificationResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ objectDetails, err := s.command.CreateHumanPhoneVerificationCode(ctx, ctxData.UserID, ctxData.ResourceOwner)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.ResendMyPhoneVerificationResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
+
+func (s *Server) RemoveMyPhone(ctx context.Context, _
*auth_pb.RemoveMyPhoneRequest) (*auth_pb.RemoveMyPhoneResponse, error) {
+ ctxData := authz.GetCtxData(ctx)
+ objectDetails, err := s.command.RemoveHumanPhone(ctx, ctxData.UserID, ctxData.ResourceOwner)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.RemoveMyPhoneResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
diff --git a/internal/api/grpc/auth/phone_converter.go b/internal/api/grpc/auth/phone_converter.go
new file mode 100644
index 0000000000..9660af0f8b
--- /dev/null
+++ b/internal/api/grpc/auth/phone_converter.go
@@ -0,0 +1,15 @@
+package auth
+
+import (
+ "context"
+
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func UpdateMyPhoneToDomain(ctx context.Context, phone *auth.SetMyPhoneRequest) *domain.Phone {
+ return &domain.Phone{
+ ObjectRoot: ctxToObjectRoot(ctx),
+ PhoneNumber: phone.Phone,
+ }
+}
diff --git a/internal/api/grpc/auth/policy_complexity_converter.go b/internal/api/grpc/auth/policy_complexity_converter.go
deleted file mode 100644
index 875f506872..0000000000
--- a/internal/api/grpc/auth/policy_complexity_converter.go
+++ /dev/null
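Review bot: VerifyMyPhone in phone.go discards the first result of `s.command.VerifyHumanPhone` and returns a `VerifyMyPhoneResponse` without `Details`, unlike VerifyMyEmail and the other verify handlers in this diff; only `//TODO: response from business` marks the gap. Either return the details once the command provides them (the line `Details: object.DomainToDetailsPb(objectDetails),` is already there, commented out) or extend the TODO to say what is missing and where it is tracked, so that clients are not left guessing why this one response is empty.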
@@ -1,30 +0,0 @@
-package auth
-
-import (
- "github.com/caos/logging"
- iam_model "github.com/caos/zitadel/internal/iam/model"
- "github.com/golang/protobuf/ptypes"
-
- "github.com/caos/zitadel/pkg/grpc/auth"
-)
-
-func passwordComplexityPolicyFromModel(policy *iam_model.PasswordComplexityPolicyView) *auth.PasswordComplexityPolicy {
- creationDate, err := ptypes.TimestampProto(policy.CreationDate)
- logging.Log("GRPC-Lsi3d").OnError(err).Debug("unable to parse timestamp")
-
- changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
- logging.Log("GRPC-P0wr4").OnError(err).Debug("unable to parse timestamp")
-
- return &auth.PasswordComplexityPolicy{
- Id: policy.AggregateID,
- CreationDate: creationDate,
- ChangeDate: changeDate,
- Sequence: policy.Sequence,
- MinLength: policy.MinLength,
- HasLowercase: policy.HasLowercase,
- HasUppercase: policy.HasUppercase,
- HasNumber: policy.HasNumber,
- HasSymbol: policy.HasSymbol,
- IsDefault: policy.AggregateID == "",
- }
-}
diff --git a/internal/api/grpc/auth/probes.go b/internal/api/grpc/auth/probes.go
deleted file mode 100644
index dff417eb02..0000000000
--- a/internal/api/grpc/auth/probes.go
+++ /dev/null
@@ -1,11 +0,0 @@
-package auth
-
-import (
- "context"
-
- "github.com/golang/protobuf/ptypes/empty"
-)
-
-func (s *Server) Healthz(_ context.Context, e *empty.Empty) (*empty.Empty, error) {
- return &empty.Empty{}, nil
-}
diff --git a/internal/api/grpc/auth/profile.go b/internal/api/grpc/auth/profile.go
new file mode 100644
index 0000000000..1825e72065
--- /dev/null
+++ b/internal/api/grpc/auth/profile.go
@@ -0,0 +1,38 @@
+package auth
+
+import (
+ "context"
+
+ object_grpc "github.com/caos/zitadel/internal/api/grpc/object"
+ user_grpc "github.com/caos/zitadel/internal/api/grpc/user"
+ auth_pb "github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func (s *Server) GetMyProfile(ctx context.Context, req *auth_pb.GetMyProfileRequest) (*auth_pb.GetMyProfileResponse, error) {
+ profile, err := s.repo.MyProfile(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.GetMyProfileResponse{
+ Profile: user_grpc.ProfileToPb(profile),
+ Details: object_grpc.ToDetailsPb(
+ profile.Sequence,
+ profile.ChangeDate,
+ profile.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) UpdateMyProfile(ctx context.Context, req *auth_pb.UpdateMyProfileRequest) (*auth_pb.UpdateMyProfileResponse, error) {
+ profile, err := s.command.ChangeHumanProfile(ctx, UpdateProfileToDomain(ctx, req))
+ if err != nil {
+ return nil, err
+ }
+ return &auth_pb.UpdateMyProfileResponse{
+ Details: object_grpc.ToDetailsPb(
+ profile.Sequence,
+ profile.ChangeDate,
+ profile.ResourceOwner,
+ ),
+ }, nil
+}
diff --git a/internal/api/grpc/auth/profile_converter.go b/internal/api/grpc/auth/profile_converter.go
new file mode 100644
index 0000000000..380f5ca6f9
--- /dev/null
+++ b/internal/api/grpc/auth/profile_converter.go
@@ -0,0 +1,25 @@
+package auth
+
+import (
+ "context"
+
+ "github.com/caos/logging"
+ "github.com/caos/zitadel/internal/api/grpc/user"
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/pkg/grpc/auth"
+ "golang.org/x/text/language"
+)
+
+func UpdateProfileToDomain(ctx context.Context, profile *auth.UpdateMyProfileRequest) *domain.Profile {
+ lang, err := language.Parse(profile.PreferredLanguage)
+ logging.Log("AUTH-x19v6").OnError(err).Debug("unable to parse preferred language")
+
+ return &domain.Profile{
+ ObjectRoot: ctxToObjectRoot(ctx),
+ FirstName: profile.FirstName,
+ LastName: profile.LastName,
+ NickName: profile.NickName,
+ PreferredLanguage: lang,
+ Gender: user.GenderToDomain(profile.Gender),
+ }
+}
diff --git a/internal/api/grpc/auth/search_converter.go b/internal/api/grpc/auth/search_converter.go
deleted file mode 100644
index 44b7f01c93..0000000000
--- a/internal/api/grpc/auth/search_converter.go
+++ /dev/null
@@ -1,25 +0,0 @@
-package auth
-
-import (
- "github.com/caos/zitadel/internal/domain"
- "github.com/caos/zitadel/pkg/grpc/auth"
-)
-
-func searchMethodToModel(method auth.SearchMethod) domain.SearchMethod {
- switch method {
- case auth.SearchMethod_SEARCHMETHOD_EQUALS:
- return domain.SearchMethodEquals
- case auth.SearchMethod_SEARCHMETHOD_CONTAINS:
- return domain.SearchMethodContains
- case auth.SearchMethod_SEARCHMETHOD_STARTS_WITH:
- return domain.SearchMethodStartsWith
- case auth.SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE:
- return domain.SearchMethodEqualsIgnoreCase
- case auth.SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE:
- return domain.SearchMethodContainsIgnoreCase
- case auth.SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE:
- return domain.SearchMethodStartsWithIgnoreCase
- default:
- return domain.SearchMethodEquals
- }
-}
diff --git a/internal/api/grpc/auth/server.go b/internal/api/grpc/auth/server.go
index 5b15a3435a..50c0b3b8d3 100644
--- a/internal/api/grpc/auth/server.go
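Review bot: UpdateProfileToDomain in profile_converter.go logs a failed `language.Parse` only at debug level and still writes the resulting `lang` into the `domain.Profile`, so an invalid `PreferredLanguage` sent by the client is accepted silently. Whether the command rejects an undefined language tag is not visible in this diff; if it does not, the stored preference is overwritten with an undefined value. I would surface the error to the caller, for example by changing the converter to return `(*domain.Profile, error)` and having UpdateMyProfile in profile.go return it as an invalid-argument error before calling the command.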
+++ b/internal/api/grpc/auth/server.go @@ -1,15 +1,14 @@ package auth import ( - "github.com/caos/zitadel/internal/command" - "github.com/caos/zitadel/internal/query" - "google.golang.org/grpc" - "github.com/caos/zitadel/internal/api/authz" "github.com/caos/zitadel/internal/api/grpc/server" "github.com/caos/zitadel/internal/auth/repository" "github.com/caos/zitadel/internal/auth/repository/eventsourcing" + "github.com/caos/zitadel/internal/command" + "github.com/caos/zitadel/internal/query" "github.com/caos/zitadel/pkg/grpc/auth" + "google.golang.org/grpc" ) var _ auth.AuthServiceServer = (*Server)(nil) @@ -19,6 +18,7 @@ const ( ) type Server struct { + auth.UnimplementedAuthServiceServer command *command.Commands query *query.Queries repo repository.Repository diff --git a/internal/api/grpc/auth/user.go b/internal/api/grpc/auth/user.go index 7aee2371cb..6156dc5365 100644 --- a/internal/api/grpc/auth/user.go +++ b/internal/api/grpc/auth/user.go 
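Review bot: Embedding `auth.UnimplementedAuthServiceServer` in `Server` (second hunk of server.go) makes the `var _ auth.AuthServiceServer = (*Server)(nil)` assertion pass even when a method is missing, so an RPC that lost its handler in this refactoring still compiles and answers Unimplemented at runtime. Several handlers are removed from user.go in this commit, and part of that file lies outside the visible diff, so it is worth confirming that each RPC still declared by the service has a method on `Server`. I would also document the embed, e.g. `// UnimplementedAuthServiceServer supplies default handlers; RPCs without a method on Server return Unimplemented.`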
@@ -2,240 +2,97 @@ package auth import ( "context" - - "github.com/golang/protobuf/ptypes/empty" + "time" "github.com/caos/zitadel/internal/api/authz" - "github.com/caos/zitadel/pkg/grpc/auth" + "github.com/caos/zitadel/internal/api/grpc/change" + "github.com/caos/zitadel/internal/api/grpc/object" + "github.com/caos/zitadel/internal/api/grpc/org" + user_grpc "github.com/caos/zitadel/internal/api/grpc/user" + "github.com/caos/zitadel/internal/eventstore/v1/models" + grant_model "github.com/caos/zitadel/internal/usergrant/model" + auth_pb "github.com/caos/zitadel/pkg/grpc/auth" ) -func (s *Server) GetMyUser(ctx context.Context, _ *empty.Empty) (*auth.UserView, error) { +func (s *Server) GetMyUser(ctx context.Context, _ *auth_pb.GetMyUserRequest) (*auth_pb.GetMyUserResponse, error) { user, err := s.repo.MyUser(ctx) if err != nil { return nil, err } - return userViewFromModel(user), nil + return &auth_pb.GetMyUserResponse{User: user_grpc.UserToPb(user)}, nil } -func (s *Server) GetMyUserProfile(ctx context.Context, _ *empty.Empty) (*auth.UserProfileView, error) { - profile, err := s.repo.MyProfile(ctx) +func (s *Server) ListMyUserChanges(ctx context.Context, req *auth_pb.ListMyUserChangesRequest) (*auth_pb.ListMyUserChangesResponse, error) { + changes, err := s.repo.MyUserChanges(ctx, req.Query.Offset, uint64(req.Query.Limit), req.Query.Asc) if err != nil { return nil, err } - return profileViewFromModel(profile), nil + return &auth_pb.ListMyUserChangesResponse{ + Result: change.UserChangesToPb(changes.Changes), + }, nil } -func (s *Server) GetMyUserEmail(ctx context.Context, _ *empty.Empty) (*auth.UserEmailView, error) { - email, err := s.repo.MyEmail(ctx) +func (s *Server) ListMyUserSessions(ctx context.Context, req *auth_pb.ListMyUserSessionsRequest) (*auth_pb.ListMyUserSessionsResponse, error) { + userSessions, err := s.repo.GetMyUserSessions(ctx) if err != nil { return nil, err } - return emailViewFromModel(email), nil + return &auth_pb.ListMyUserSessionsResponse{ 
+ Result: user_grpc.UserSessionsToPb(userSessions), + }, nil } -func (s *Server) GetMyUserPhone(ctx context.Context, _ *empty.Empty) (*auth.UserPhoneView, error) { - phone, err := s.repo.MyPhone(ctx) - if err != nil { - return nil, err - } - return phoneViewFromModel(phone), nil -} - -func (s *Server) RemoveMyUserPhone(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) { +func (s *Server) UpdateMyUserName(ctx context.Context, req *auth_pb.UpdateMyUserNameRequest) (*auth_pb.UpdateMyUserNameResponse, error) { ctxData := authz.GetCtxData(ctx) - err := s.command.RemoveHumanPhone(ctx, ctxData.UserID, ctxData.ResourceOwner) - return &empty.Empty{}, err -} - -func (s *Server) GetMyUserAddress(ctx context.Context, _ *empty.Empty) (*auth.UserAddressView, error) { - address, err := s.repo.MyAddress(ctx) + objectDetails, err := s.command.ChangeUsername(ctx, ctxData.ResourceOwner, ctxData.UserID, req.UserName) if err != nil { return nil, err } - return addressViewFromModel(address), nil + return &auth_pb.UpdateMyUserNameResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil } -func (s *Server) GetMyMfas(ctx context.Context, _ *empty.Empty) (*auth.MultiFactors, error) { - mfas, err := s.repo.MyUserMFAs(ctx) +func ctxToObjectRoot(ctx context.Context) models.ObjectRoot { + ctxData := authz.GetCtxData(ctx) + return models.ObjectRoot{ + AggregateID: ctxData.UserID, + ResourceOwner: ctxData.ResourceOwner, + } +} + +func (s *Server) ListMyUserGrants(ctx context.Context, req *auth_pb.ListMyUserGrantsRequest) (*auth_pb.ListMyUserGrantsResponse, error) { + res, err := s.repo.SearchMyUserGrants(ctx, ListMyUserGrantsRequestToModel(req)) if err != nil { return nil, err } - return &auth.MultiFactors{Mfas: mfasFromModel(mfas)}, nil + return &auth_pb.ListMyUserGrantsResponse{ + Result: UserGrantsToPb(res.Result), + Details: object.ToListDetails( + res.TotalResult, + res.Sequence, + res.Timestamp, + ), + }, nil } -func (s *Server) UpdateMyUserProfile(ctx 
context.Context, request *auth.UpdateUserProfileRequest) (*auth.UserProfile, error) { - profile, err := s.command.ChangeHumanProfile(ctx, updateProfileToDomain(ctx, request)) +func (s *Server) ListMyProjectOrgs(ctx context.Context, req *auth_pb.ListMyProjectOrgsRequest) (*auth_pb.ListMyProjectOrgsResponse, error) { + res, err := s.repo.SearchMyProjectOrgs(ctx, ListMyProjectOrgsRequestToModel(req)) if err != nil { return nil, err } - return profileFromDomain(profile), nil + return &auth_pb.ListMyProjectOrgsResponse{ + //TODO: not all details + Details: object.ToListDetails(res.TotalResult, 0, time.Time{}), + Result: org.OrgsToPb(res.Result), + }, nil } -func (s *Server) ChangeMyUserName(ctx context.Context, request *auth.ChangeUserNameRequest) (*empty.Empty, error) { - ctxData := authz.GetCtxData(ctx) - return &empty.Empty{}, s.command.ChangeUsername(ctx, ctxData.ResourceOwner, ctxData.UserID, request.UserName) -} - -func (s *Server) ChangeMyUserEmail(ctx context.Context, request *auth.UpdateUserEmailRequest) (*auth.UserEmail, error) { - email, err := s.command.ChangeHumanEmail(ctx, updateEmailToDomain(ctx, request)) - if err != nil { - return nil, err +func ListMyProjectOrgsRequestToModel(req *auth_pb.ListMyProjectOrgsRequest) *grant_model.UserGrantSearchRequest { + return &grant_model.UserGrantSearchRequest{ + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + // Queries: queries,//TODO:user grant queries missing in proto } - return emailFromDomain(email), nil -} - -func (s *Server) VerifyMyUserEmail(ctx context.Context, request *auth.VerifyMyUserEmailRequest) (*empty.Empty, error) { - ctxData := authz.GetCtxData(ctx) - err := s.command.VerifyHumanEmail(ctx, ctxData.UserID, request.Code, ctxData.OrgID) - return &empty.Empty{}, err -} - -func (s *Server) ResendMyEmailVerificationMail(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) { - ctxData := authz.GetCtxData(ctx) - err := 
s.command.CreateHumanEmailVerificationCode(ctx, ctxData.UserID, ctxData.ResourceOwner) - return &empty.Empty{}, err -} - -func (s *Server) ChangeMyUserPhone(ctx context.Context, request *auth.UpdateUserPhoneRequest) (*auth.UserPhone, error) { - phone, err := s.command.ChangeHumanPhone(ctx, updatePhoneToDomain(ctx, request)) - if err != nil { - return nil, err - } - return phoneFromDomain(phone), nil -} - -func (s *Server) VerifyMyUserPhone(ctx context.Context, request *auth.VerifyUserPhoneRequest) (*empty.Empty, error) { - ctxData := authz.GetCtxData(ctx) - err := s.command.VerifyHumanPhone(ctx, ctxData.UserID, request.Code, ctxData.ResourceOwner) - return &empty.Empty{}, err -} - -func (s *Server) ResendMyPhoneVerificationCode(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) { - ctxData := authz.GetCtxData(ctx) - err := s.command.CreateHumanPhoneVerificationCode(ctx, ctxData.UserID, ctxData.ResourceOwner) - return &empty.Empty{}, err -} - -func (s *Server) UpdateMyUserAddress(ctx context.Context, request *auth.UpdateUserAddressRequest) (*auth.UserAddress, error) { - address, err := s.command.ChangeHumanAddress(ctx, updateAddressToDomain(ctx, request)) - if err != nil { - return nil, err - } - return addressFromDomain(address), nil -} - -func (s *Server) ChangeMyPassword(ctx context.Context, request *auth.PasswordChange) (*empty.Empty, error) { - ctxData := authz.GetCtxData(ctx) - err := s.command.ChangePassword(ctx, ctxData.OrgID, ctxData.UserID, request.OldPassword, request.NewPassword, "") - return &empty.Empty{}, err -} - -func (s *Server) SearchMyExternalIDPs(ctx context.Context, request *auth.ExternalIDPSearchRequest) (*auth.ExternalIDPSearchResponse, error) { - externalIDP, err := s.repo.SearchMyExternalIDPs(ctx, externalIDPSearchRequestToModel(request)) - if err != nil { - return nil, err - } - return externalIDPSearchResponseFromModel(externalIDP), nil -} - -func (s *Server) RemoveMyExternalIDP(ctx context.Context, request 
*auth.ExternalIDPRemoveRequest) (*empty.Empty, error) { - err := s.command.RemoveHumanExternalIDP(ctx, externalIDPRemoveToDomain(ctx, request)) - return &empty.Empty{}, err -} - -func (s *Server) GetMyPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*auth.PasswordComplexityPolicy, error) { - policy, err := s.repo.GetMyPasswordComplexityPolicy(ctx) - if err != nil { - return nil, err - } - return passwordComplexityPolicyFromModel(policy), nil -} - -func (s *Server) AddMfaOTP(ctx context.Context, _ *empty.Empty) (_ *auth.MfaOtpResponse, err error) { - ctxData := authz.GetCtxData(ctx) - otp, err := s.command.AddHumanOTP(ctx, ctxData.UserID, ctxData.OrgID) - if err != nil { - return nil, err - } - return otpFromDomain(otp), nil -} - -func (s *Server) VerifyMfaOTP(ctx context.Context, request *auth.VerifyMfaOtp) (*empty.Empty, error) { - ctxData := authz.GetCtxData(ctx) - err := s.command.HumanCheckMFAOTPSetup(ctx, ctxData.UserID, request.Code, "", ctxData.ResourceOwner) - return &empty.Empty{}, err -} - -func (s *Server) RemoveMfaOTP(ctx context.Context, _ *empty.Empty) (_ *empty.Empty, err error) { - ctxData := authz.GetCtxData(ctx) - err = s.command.HumanRemoveOTP(ctx, ctxData.UserID, ctxData.OrgID) - return &empty.Empty{}, err -} - -func (s *Server) AddMyMfaU2F(ctx context.Context, _ *empty.Empty) (_ *auth.WebAuthNResponse, err error) { - ctxData := authz.GetCtxData(ctx) - u2f, err := s.command.HumanAddU2FSetup(ctx, ctxData.UserID, ctxData.ResourceOwner, false) - if err != nil { - return nil, err - } - return verifyWebAuthNFromDomain(u2f), err -} - -func (s *Server) VerifyMyMfaU2F(ctx context.Context, request *auth.VerifyWebAuthN) (*empty.Empty, error) { - ctxData := authz.GetCtxData(ctx) - err := s.command.HumanVerifyU2FSetup(ctx, ctxData.UserID, ctxData.OrgID, request.TokenName, "", request.PublicKeyCredential) - return &empty.Empty{}, err -} - -func (s *Server) RemoveMyMfaU2F(ctx context.Context, id *auth.WebAuthNTokenID) (*empty.Empty, error) { - 
ctxData := authz.GetCtxData(ctx) - err := s.command.HumanRemoveU2F(ctx, ctxData.UserID, id.Id, ctxData.OrgID) - return &empty.Empty{}, err -} - -func (s *Server) GetMyPasswordless(ctx context.Context, _ *empty.Empty) (_ *auth.WebAuthNTokens, err error) { - tokens, err := s.repo.GetMyPasswordless(ctx) - if err != nil { - return nil, err - } - return webAuthNTokensFromModel(tokens), err -} - -func (s *Server) AddMyPasswordless(ctx context.Context, _ *empty.Empty) (_ *auth.WebAuthNResponse, err error) { - ctxData := authz.GetCtxData(ctx) - u2f, err := s.command.HumanAddPasswordlessSetup(ctx, ctxData.UserID, ctxData.ResourceOwner, false) - if err != nil { - return nil, err - } - return verifyWebAuthNFromDomain(u2f), err -} - -func (s *Server) VerifyMyPasswordless(ctx context.Context, request *auth.VerifyWebAuthN) (*empty.Empty, error) { - ctxData := authz.GetCtxData(ctx) - err := s.command.HumanHumanPasswordlessSetup(ctx, ctxData.UserID, ctxData.OrgID, request.TokenName, "", request.PublicKeyCredential) - return &empty.Empty{}, err -} - -func (s *Server) RemoveMyPasswordless(ctx context.Context, id *auth.WebAuthNTokenID) (*empty.Empty, error) { - ctxData := authz.GetCtxData(ctx) - err := s.command.HumanRemovePasswordless(ctx, ctxData.UserID, id.Id, ctxData.ResourceOwner) - return &empty.Empty{}, err -} - -func (s *Server) GetMyUserChanges(ctx context.Context, request *auth.ChangesRequest) (*auth.Changes, error) { - changes, err := s.repo.MyUserChanges(ctx, request.SequenceOffset, request.Limit, request.Asc) - if err != nil { - return nil, err - } - return userChangesToResponse(changes, request.GetSequenceOffset(), request.GetLimit()), nil -} - -func (s *Server) SearchMyUserMemberships(ctx context.Context, in *auth.UserMembershipSearchRequest) (*auth.UserMembershipSearchResponse, error) { - request := userMembershipSearchRequestsToModel(in) - request.AppendUserIDQuery(authz.GetCtxData(ctx).UserID) - response, err := s.repo.SearchMyUserMemberships(ctx, request) - if err 
!= nil { - return nil, err - } - return userMembershipSearchResponseFromModel(response), nil } diff --git a/internal/api/grpc/auth/user_converter.go b/internal/api/grpc/auth/user_converter.go deleted file mode 100644 index 85b803db20..0000000000 --- a/internal/api/grpc/auth/user_converter.go +++ /dev/null 
@@ -1,565 +0,0 @@ -package auth - -import ( - "context" - "encoding/json" - "github.com/caos/logging" - "github.com/golang/protobuf/ptypes" - "golang.org/x/text/language" - "google.golang.org/protobuf/encoding/protojson" - "google.golang.org/protobuf/types/known/structpb" - - "github.com/caos/zitadel/internal/api/authz" - "github.com/caos/zitadel/internal/domain" - "github.com/caos/zitadel/internal/eventstore/v1/models" - "github.com/caos/zitadel/internal/telemetry/tracing" - usr_model "github.com/caos/zitadel/internal/user/model" - "github.com/caos/zitadel/pkg/grpc/auth" - "github.com/caos/zitadel/pkg/grpc/message" -) - -func userViewFromModel(user *usr_model.UserView) *auth.UserView { - creationDate, err := ptypes.TimestampProto(user.CreationDate) - logging.Log("GRPC-sd32g").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(user.ChangeDate) - logging.Log("GRPC-FJKq1").OnError(err).Debug("unable to parse timestamp") - - lastLogin, err := ptypes.TimestampProto(user.LastLogin) - logging.Log("GRPC-Gteh2").OnError(err).Debug("unable to parse timestamp") - - userView := &auth.UserView{ - Id: user.ID, - State: userStateFromModel(user.State), - CreationDate: creationDate, - ChangeDate: changeDate, - LastLogin: lastLogin, - UserName: user.UserName, - Sequence: user.Sequence, - ResourceOwner: user.ResourceOwner, - LoginNames: user.LoginNames, - PreferredLoginName: user.PreferredLoginName, - } - - if user.HumanView != nil { - userView.User = &auth.UserView_Human{Human: humanViewFromModel(user.HumanView)} - } - if user.MachineView != nil { - userView.User = &auth.UserView_Machine{Machine: machineViewFromModel(user.MachineView)} - - } - - return userView -} - -func profileFromDomain(profile *domain.Profile) *auth.UserProfile { - creationDate, err := ptypes.TimestampProto(profile.CreationDate) - logging.Log("GRPC-56t5s").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(profile.ChangeDate) - 
logging.Log("GRPC-K58ds").OnError(err).Debug("unable to parse timestamp") - - return &auth.UserProfile{ - Id: profile.AggregateID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: profile.Sequence, - FirstName: profile.FirstName, - LastName: profile.LastName, - DisplayName: profile.DisplayName, - NickName: profile.NickName, - PreferredLanguage: profile.PreferredLanguage.String(), - Gender: genderFromDomain(profile.Gender), - } -} - -func profileViewFromModel(profile *usr_model.Profile) *auth.UserProfileView { - creationDate, err := ptypes.TimestampProto(profile.CreationDate) - logging.Log("GRPC-s9iKs").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(profile.ChangeDate) - logging.Log("GRPC-9sujE").OnError(err).Debug("unable to parse timestamp") - - return &auth.UserProfileView{ - Id: profile.AggregateID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: profile.Sequence, - FirstName: profile.FirstName, - LastName: profile.LastName, - DisplayName: profile.DisplayName, - NickName: profile.NickName, - PreferredLanguage: profile.PreferredLanguage.String(), - Gender: genderFromModel(profile.Gender), - LoginNames: profile.LoginNames, - PreferredLoginName: profile.PreferredLoginName, - } -} - -func updateProfileToDomain(ctx context.Context, u *auth.UpdateUserProfileRequest) *domain.Profile { - preferredLanguage, err := language.Parse(u.PreferredLanguage) - logging.Log("GRPC-lk73L").OnError(err).WithField("traceID", tracing.TraceIDFromCtx(ctx)).Debug("language malformed") - - return &domain.Profile{ - ObjectRoot: ctxToObjectRoot(ctx), - FirstName: u.FirstName, - LastName: u.LastName, - NickName: u.NickName, - PreferredLanguage: preferredLanguage, - Gender: genderToDomain(u.Gender), - } -} - -func emailFromDomain(email *domain.Email) *auth.UserEmail { - creationDate, err := ptypes.TimestampProto(email.CreationDate) - logging.Log("GRPC-sdoi3").OnError(err).Debug("unable to parse timestamp") - - 
changeDate, err := ptypes.TimestampProto(email.ChangeDate) - logging.Log("GRPC-klJK3").OnError(err).Debug("unable to parse timestamp") - - return &auth.UserEmail{ - Id: email.AggregateID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: email.Sequence, - Email: email.EmailAddress, - IsEmailVerified: email.IsEmailVerified, - } -} - -func emailViewFromModel(email *usr_model.Email) *auth.UserEmailView { - creationDate, err := ptypes.TimestampProto(email.CreationDate) - logging.Log("GRPC-LSp8s").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(email.ChangeDate) - logging.Log("GRPC-6szJe").OnError(err).Debug("unable to parse timestamp") - - return &auth.UserEmailView{ - Id: email.AggregateID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: email.Sequence, - Email: email.EmailAddress, - IsEmailVerified: email.IsEmailVerified, - } -} - -func updateEmailToDomain(ctx context.Context, e *auth.UpdateUserEmailRequest) *domain.Email { - return &domain.Email{ - ObjectRoot: ctxToObjectRoot(ctx), - EmailAddress: e.Email, - } -} - -func phoneFromDomain(phone *domain.Phone) *auth.UserPhone { - creationDate, err := ptypes.TimestampProto(phone.CreationDate) - logging.Log("GRPC-kjn5J").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(phone.ChangeDate) - logging.Log("GRPC-LKA9S").OnError(err).Debug("unable to parse timestamp") - - return &auth.UserPhone{ - Id: phone.AggregateID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: phone.Sequence, - Phone: phone.PhoneNumber, - IsPhoneVerified: phone.IsPhoneVerified, - } -} - -func phoneViewFromModel(phone *usr_model.Phone) *auth.UserPhoneView { - creationDate, err := ptypes.TimestampProto(phone.CreationDate) - logging.Log("GRPC-s5zJS").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(phone.ChangeDate) - logging.Log("GRPC-s9kLe").OnError(err).Debug("unable 
to parse timestamp") - - return &auth.UserPhoneView{ - Id: phone.AggregateID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: phone.Sequence, - Phone: phone.PhoneNumber, - IsPhoneVerified: phone.IsPhoneVerified, - } -} - -func updatePhoneToDomain(ctx context.Context, e *auth.UpdateUserPhoneRequest) *domain.Phone { - return &domain.Phone{ - ObjectRoot: ctxToObjectRoot(ctx), - PhoneNumber: e.Phone, - } -} - -func addressFromDomain(address *domain.Address) *auth.UserAddress { - creationDate, err := ptypes.TimestampProto(address.CreationDate) - logging.Log("GRPC-65FRs").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(address.ChangeDate) - logging.Log("GRPC-aslk4").OnError(err).Debug("unable to parse timestamp") - - return &auth.UserAddress{ - Id: address.AggregateID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: address.Sequence, - Country: address.Country, - StreetAddress: address.StreetAddress, - Region: address.Region, - PostalCode: address.PostalCode, - Locality: address.Locality, - } -} - -func addressViewFromModel(address *usr_model.Address) *auth.UserAddressView { - creationDate, err := ptypes.TimestampProto(address.CreationDate) - logging.Log("GRPC-sk4fS").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(address.ChangeDate) - logging.Log("GRPC-9siEs").OnError(err).Debug("unable to parse timestamp") - - return &auth.UserAddressView{ - Id: address.AggregateID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: address.Sequence, - Country: address.Country, - StreetAddress: address.StreetAddress, - Region: address.Region, - PostalCode: address.PostalCode, - Locality: address.Locality, - } -} - -func updateAddressToDomain(ctx context.Context, address *auth.UpdateUserAddressRequest) *domain.Address { - return &domain.Address{ - ObjectRoot: ctxToObjectRoot(ctx), - Country: address.Country, - StreetAddress: 
address.StreetAddress, - Region: address.Region, - PostalCode: address.PostalCode, - Locality: address.Locality, - } -} - -func externalIDPSearchRequestToModel(request *auth.ExternalIDPSearchRequest) *usr_model.ExternalIDPSearchRequest { - return &usr_model.ExternalIDPSearchRequest{ - Limit: request.Limit, - Offset: request.Offset, - } -} - -func externalIDPRemoveToDomain(ctx context.Context, idp *auth.ExternalIDPRemoveRequest) *domain.ExternalIDP { - return &domain.ExternalIDP{ - ObjectRoot: ctxToObjectRoot(ctx), - IDPConfigID: idp.IdpConfigId, - ExternalUserID: idp.ExternalUserId, - } -} - -func externalIDPResponseFromModel(idp *usr_model.ExternalIDP) *auth.ExternalIDPResponse { - return &auth.ExternalIDPResponse{ - IdpConfigId: idp.IDPConfigID, - UserId: idp.UserID, - DisplayName: idp.DisplayName, - } -} - -func externalIDPSearchResponseFromModel(response *usr_model.ExternalIDPSearchResponse) *auth.ExternalIDPSearchResponse { - viewTimestamp, err := ptypes.TimestampProto(response.Timestamp) - logging.Log("GRPC-3h8is").OnError(err).Debug("unable to parse timestamp") - - return &auth.ExternalIDPSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - ProcessedSequence: response.Sequence, - ViewTimestamp: viewTimestamp, - Result: externalIDPViewsFromModel(response.Result), - } -} - -func externalIDPViewsFromModel(externalIDPs []*usr_model.ExternalIDPView) []*auth.ExternalIDPView { - converted := make([]*auth.ExternalIDPView, len(externalIDPs)) - for i, externalIDP := range externalIDPs { - converted[i] = externalIDPViewFromModel(externalIDP) - } - return converted -} - -func externalIDPViewFromModel(externalIDP *usr_model.ExternalIDPView) *auth.ExternalIDPView { - creationDate, err := ptypes.TimestampProto(externalIDP.CreationDate) - logging.Log("GRPC-Sj8dw").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(externalIDP.ChangeDate) - 
logging.Log("GRPC-Nf8ue").OnError(err).Debug("unable to parse timestamp") - - return &auth.ExternalIDPView{ - UserId: externalIDP.UserID, - IdpConfigId: externalIDP.IDPConfigID, - ExternalUserId: externalIDP.ExternalUserID, - ExternalUserDisplayName: externalIDP.UserDisplayName, - IdpName: externalIDP.IDPName, - CreationDate: creationDate, - ChangeDate: changeDate, - } -} - -func otpFromDomain(otp *domain.OTP) *auth.MfaOtpResponse { - return &auth.MfaOtpResponse{ - UserId: otp.AggregateID, - Url: otp.Url, - Secret: otp.SecretString, - State: mfaStateFromDomain(otp.State), - } -} - -func userStateFromModel(state usr_model.UserState) auth.UserState { - switch state { - case usr_model.UserStateActive: - return auth.UserState_USERSTATE_ACTIVE - case usr_model.UserStateInactive: - return auth.UserState_USERSTATE_INACTIVE - case usr_model.UserStateLocked: - return auth.UserState_USERSTATE_LOCKED - case usr_model.UserStateInitial: - return auth.UserState_USERSTATE_INITIAL - case usr_model.UserStateSuspend: - return auth.UserState_USERSTATE_SUSPEND - default: - return auth.UserState_USERSTATE_UNSPECIFIED - } -} - -func genderFromDomain(gender domain.Gender) auth.Gender { - switch gender { - case domain.GenderFemale: - return auth.Gender_GENDER_FEMALE - case domain.GenderMale: - return auth.Gender_GENDER_MALE - case domain.GenderDiverse: - return auth.Gender_GENDER_DIVERSE - default: - return auth.Gender_GENDER_UNSPECIFIED - } -} - -func genderFromModel(gender usr_model.Gender) auth.Gender { - switch gender { - case usr_model.GenderFemale: - return auth.Gender_GENDER_FEMALE - case usr_model.GenderMale: - return auth.Gender_GENDER_MALE - case usr_model.GenderDiverse: - return auth.Gender_GENDER_DIVERSE - default: - return auth.Gender_GENDER_UNSPECIFIED - } -} - -func genderToDomain(gender auth.Gender) domain.Gender { - switch gender { - case auth.Gender_GENDER_FEMALE: - return domain.GenderFemale - case auth.Gender_GENDER_MALE: - return domain.GenderMale - case 
auth.Gender_GENDER_DIVERSE: - return domain.GenderDiverse - default: - return domain.GenderUnspecified - } -} - -func mfaStateFromDomain(state domain.MFAState) auth.MFAState { - switch state { - case domain.MFAStateReady: - return auth.MFAState_MFASTATE_READY - case domain.MFAStateNotReady: - return auth.MFAState_MFASTATE_NOT_READY - default: - return auth.MFAState_MFASTATE_UNSPECIFIED - } -} - -func mfasFromModel(mfas []*usr_model.MultiFactor) []*auth.MultiFactor { - converted := make([]*auth.MultiFactor, len(mfas)) - for i, mfa := range mfas { - converted[i] = mfaFromModel(mfa) - } - return converted -} - -func mfaFromModel(mfa *usr_model.MultiFactor) *auth.MultiFactor { - return &auth.MultiFactor{ - State: auth.MFAState(mfa.State), - Type: mfaTypeFromModel(mfa.Type), - Attribute: mfa.Attribute, - Id: mfa.ID, - } -} - -func mfaTypeFromModel(mfaType usr_model.MFAType) auth.MfaType { - switch mfaType { - case usr_model.MFATypeOTP: - return auth.MfaType_MFATYPE_OTP - case usr_model.MFATypeU2F: - return auth.MfaType_MFATYPE_U2F - default: - return auth.MfaType_MFATYPE_UNSPECIFIED - } -} - -func userChangesToResponse(response *usr_model.UserChanges, offset uint64, limit uint64) (_ *auth.Changes) { - return &auth.Changes{ - Limit: limit, - Offset: offset, - Changes: userChangesToAPI(response), - } -} - -func userChangesToAPI(changes *usr_model.UserChanges) (_ []*auth.Change) { - result := make([]*auth.Change, len(changes.Changes)) - - for i, change := range changes.Changes { - var data *structpb.Struct - changedData, err := json.Marshal(change.Data) - if err == nil { - data = new(structpb.Struct) - err = protojson.Unmarshal(changedData, data) - logging.Log("GRPC-0kRsY").OnError(err).Debug("unable to marshal changed data to struct") - } - result[i] = &auth.Change{ - ChangeDate: change.ChangeDate, - EventType: message.NewLocalizedEventType(change.EventType), - Sequence: change.Sequence, - Data: data, - EditorId: change.ModifierID, - Editor: change.ModifierName, - } - } - 
- return result -} - -func verifyWebAuthNFromDomain(u2f *domain.WebAuthNToken) *auth.WebAuthNResponse { - return &auth.WebAuthNResponse{ - Id: u2f.WebAuthNTokenID, - PublicKey: u2f.CredentialCreationData, - State: mfaStateFromDomain(u2f.State), - } -} - -func webAuthNTokensFromModel(tokens []*usr_model.WebAuthNView) *auth.WebAuthNTokens { - result := make([]*auth.WebAuthNToken, len(tokens)) - for i, token := range tokens { - result[i] = webAuthNTokenFromModel(token) - } - return &auth.WebAuthNTokens{Tokens: result} -} - -func webAuthNTokenFromModel(token *usr_model.WebAuthNView) *auth.WebAuthNToken { - return &auth.WebAuthNToken{ - Id: token.TokenID, - Name: token.Name, - State: auth.MFAState(token.State), - } -} - -func ctxToObjectRoot(ctx context.Context) models.ObjectRoot { - ctxData := authz.GetCtxData(ctx) - return models.ObjectRoot{ - AggregateID: ctxData.UserID, - ResourceOwner: ctxData.ResourceOwner, - } -} - -func userMembershipSearchResponseFromModel(response *usr_model.UserMembershipSearchResponse) *auth.UserMembershipSearchResponse { - timestamp, err := ptypes.TimestampProto(response.Timestamp) - logging.Log("GRPC-Hs8jd").OnError(err).Debug("unable to parse timestamp") - return &auth.UserMembershipSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - Result: userMembershipViewsFromModel(response.Result), - ProcessedSequence: response.Sequence, - ViewTimestamp: timestamp, - } -} - -func userMembershipViewsFromModel(memberships []*usr_model.UserMembershipView) []*auth.UserMembershipView { - converted := make([]*auth.UserMembershipView, len(memberships)) - for i, membership := range memberships { - converted[i] = userMembershipViewFromModel(membership) - } - return converted -} - -func userMembershipViewFromModel(membership *usr_model.UserMembershipView) *auth.UserMembershipView { - creationDate, err := ptypes.TimestampProto(membership.CreationDate) - logging.Log("GRPC-Msnu8").OnError(err).Debug("unable 
to parse timestamp") - - changeDate, err := ptypes.TimestampProto(membership.ChangeDate) - logging.Log("GRPC-Slco9").OnError(err).Debug("unable to parse timestamp") - - return &auth.UserMembershipView{ - UserId: membership.UserID, - AggregateId: membership.AggregateID, - ObjectId: membership.ObjectID, - MemberType: memberTypeFromModel(membership.MemberType), - DisplayName: membership.DisplayName, - Roles: membership.Roles, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: membership.Sequence, - ResourceOwner: membership.ResourceOwner, - } -} - -func userMembershipSearchRequestsToModel(request *auth.UserMembershipSearchRequest) *usr_model.UserMembershipSearchRequest { - return &usr_model.UserMembershipSearchRequest{ - Offset: request.Offset, - Limit: request.Limit, - Queries: userMembershipSearchQueriesToModel(request.Queries), - } -} - -func userMembershipSearchQueriesToModel(queries []*auth.UserMembershipSearchQuery) []*usr_model.UserMembershipSearchQuery { - converted := make([]*usr_model.UserMembershipSearchQuery, len(queries)) - for i, q := range queries { - converted[i] = userMembershipSearchQueryToModel(q) - } - return converted -} - -func userMembershipSearchQueryToModel(query *auth.UserMembershipSearchQuery) *usr_model.UserMembershipSearchQuery { - return &usr_model.UserMembershipSearchQuery{ - Key: userMembershipSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func userMembershipSearchKeyToModel(key auth.UserMembershipSearchKey) usr_model.UserMembershipSearchKey { - switch key { - case auth.UserMembershipSearchKey_USERMEMBERSHIPSEARCHKEY_TYPE: - return usr_model.UserMembershipSearchKeyMemberType - case auth.UserMembershipSearchKey_USERMEMBERSHIPSEARCHKEY_OBJECT_ID: - return usr_model.UserMembershipSearchKeyObjectID - default: - return usr_model.UserMembershipSearchKeyUnspecified - } -} - -func memberTypeFromModel(memberType usr_model.MemberType) auth.MemberType { - switch memberType 
{ - case usr_model.MemberTypeOrganisation: - return auth.MemberType_MEMBERTYPE_ORGANISATION - case usr_model.MemberTypeProject: - return auth.MemberType_MEMBERTYPE_PROJECT - case usr_model.MemberTypeProjectGrant: - return auth.MemberType_MEMBERTYPE_PROJECT_GRANT - default: - return auth.MemberType_MEMBERTYPE_UNSPECIFIED - } -} diff --git a/internal/api/grpc/auth/user_grant.go b/internal/api/grpc/auth/user_grant.go index 5d8a8faf4e..6dd6410ce7 100644 --- a/internal/api/grpc/auth/user_grant.go +++ b/internal/api/grpc/auth/user_grant.go 
@@ -1,41 +1,33 @@ package auth import ( - "context" - - "github.com/golang/protobuf/ptypes/empty" - - "github.com/caos/zitadel/pkg/grpc/auth" + "github.com/caos/zitadel/internal/usergrant/model" + auth_pb "github.com/caos/zitadel/pkg/grpc/auth" ) -func (s *Server) SearchMyUserGrant(ctx context.Context, in *auth.UserGrantSearchRequest) (*auth.UserGrantSearchResponse, error) { - response, err := s.repo.SearchMyUserGrants(ctx, userGrantSearchRequestsToModel(in)) - if err != nil { - return nil, err +func ListMyUserGrantsRequestToModel(req *auth_pb.ListMyUserGrantsRequest) *model.UserGrantSearchRequest { + return &model.UserGrantSearchRequest{ + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, } - return userGrantSearchResponseFromModel(response), nil } -func (s *Server) SearchMyProjectOrgs(ctx context.Context, in *auth.MyProjectOrgSearchRequest) (*auth.MyProjectOrgSearchResponse, error) { - response, err := s.repo.SearchMyProjectOrgs(ctx, myProjectOrgSearchRequestRequestsToModel(in)) - if err != nil { - return nil, err +func UserGrantsToPb(grants []*model.UserGrantView) []*auth_pb.UserGrant { + userGrants := make([]*auth_pb.UserGrant, len(grants)) + for i, grant := range grants { + userGrants[i] = UserGrantToPb(grant) } - return projectOrgSearchResponseFromModel(response), nil + return userGrants } -func (s *Server) GetMyZitadelPermissions(ctx context.Context, _ *empty.Empty) (*auth.MyPermissions, error) { - perms, err := s.repo.SearchMyZitadelPermissions(ctx) - if err != nil { - return nil, err +func UserGrantToPb(grant *model.UserGrantView) *auth_pb.UserGrant { + return &auth_pb.UserGrant{ + GrantId: grant.ID, + OrgId: grant.ResourceOwner, + OrgName: grant.OrgName, + ProjectId: grant.ProjectID, + UserId: grant.UserID, + Roles: grant.RoleKeys, } - return &auth.MyPermissions{Permissions: perms}, nil -} - -func (s *Server) GetMyProjectPermissions(ctx context.Context, _ *empty.Empty) (*auth.MyPermissions, error) { - perms, err := 
s.repo.SearchMyProjectPermissions(ctx) - if err != nil { - return nil, err - } - return &auth.MyPermissions{Permissions: perms}, nil } diff --git a/internal/api/grpc/auth/user_grant_converter.go b/internal/api/grpc/auth/user_grant_converter.go deleted file mode 100644 index 324b7bebaf..0000000000 --- a/internal/api/grpc/auth/user_grant_converter.go +++ /dev/null 
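Review bot: `ListMyUserGrantsRequestToModel` reads `req.Query.Offset`, `req.Query.Limit` and `req.Query.Asc` directly, so if `Query` is a message-typed field (a pointer in generated Go; its type is not visible in this hunk), a request that omits it makes the handler panic instead of returning an error. The generated getters are nil-safe, e.g. `Offset: req.GetQuery().GetOffset(),`, and likewise for `Limit` and `Asc`. `ListMyProjectOrgsRequestToModel`, added earlier in this diff, has the same pattern. Separately, `uint64(req.Query.Limit)` forwards the client-supplied limit with no upper bound visible here, so it is worth confirming that the repository layer caps the page size.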
@@ -1,135 +0,0 @@ -package auth - -import ( - "github.com/caos/logging" - grant_model "github.com/caos/zitadel/internal/usergrant/model" - "github.com/caos/zitadel/pkg/grpc/auth" - "github.com/golang/protobuf/ptypes" -) - -func userGrantSearchRequestsToModel(request *auth.UserGrantSearchRequest) *grant_model.UserGrantSearchRequest { - return &grant_model.UserGrantSearchRequest{ - Offset: request.Offset, - Limit: request.Limit, - Queries: userGrantSearchQueriesToModel(request.Queries), - } -} - -func userGrantSearchQueriesToModel(queries []*auth.UserGrantSearchQuery) []*grant_model.UserGrantSearchQuery { - converted := make([]*grant_model.UserGrantSearchQuery, len(queries)) - for i, q := range queries { - converted[i] = userGrantSearchQueryToModel(q) - } - return converted -} - -func userGrantSearchQueryToModel(query *auth.UserGrantSearchQuery) *grant_model.UserGrantSearchQuery { - return &grant_model.UserGrantSearchQuery{ - Key: userGrantSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func userGrantSearchKeyToModel(key auth.UserGrantSearchKey) grant_model.UserGrantSearchKey { - switch key { - case auth.UserGrantSearchKey_UserGrantSearchKey_ORG_ID: - return grant_model.UserGrantSearchKeyResourceOwner - case auth.UserGrantSearchKey_UserGrantSearchKey_PROJECT_ID: - return grant_model.UserGrantSearchKeyProjectID - default: - return grant_model.UserGrantSearchKeyUnspecified - } -} - -func myProjectOrgSearchRequestRequestsToModel(request *auth.MyProjectOrgSearchRequest) *grant_model.UserGrantSearchRequest { - return &grant_model.UserGrantSearchRequest{ - Offset: request.Offset, - Limit: request.Limit, - Asc: request.Asc, - SortingColumn: grant_model.UserGrantSearchKeyResourceOwner, - Queries: myProjectOrgSearchQueriesToModel(request.Queries), - } -} - -func myProjectOrgSearchQueriesToModel(queries []*auth.MyProjectOrgSearchQuery) []*grant_model.UserGrantSearchQuery { - converted := 
make([]*grant_model.UserGrantSearchQuery, len(queries)) - for i, q := range queries { - converted[i] = myProjectOrgSearchQueryToModel(q) - } - return converted -} - -func myProjectOrgSearchQueryToModel(query *auth.MyProjectOrgSearchQuery) *grant_model.UserGrantSearchQuery { - return &grant_model.UserGrantSearchQuery{ - Key: myProjectOrgSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func myProjectOrgSearchKeyToModel(key auth.MyProjectOrgSearchKey) grant_model.UserGrantSearchKey { - switch key { - case auth.MyProjectOrgSearchKey_MYPROJECTORGSEARCHKEY_ORG_NAME: - return grant_model.UserGrantSearchKeyOrgName - default: - return grant_model.UserGrantSearchKeyUnspecified - } -} - -func userGrantSearchResponseFromModel(response *grant_model.UserGrantSearchResponse) *auth.UserGrantSearchResponse { - timestamp, err := ptypes.TimestampProto(response.Timestamp) - logging.Log("GRPC-Lsp0d").OnError(err).Debug("unable to parse timestamp") - - return &auth.UserGrantSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - Result: userGrantViewsFromModel(response.Result), - ProcessedSequence: response.Sequence, - ViewTimestamp: timestamp, - } -} - -func userGrantViewsFromModel(users []*grant_model.UserGrantView) []*auth.UserGrantView { - converted := make([]*auth.UserGrantView, len(users)) - for i, user := range users { - converted[i] = userGrantViewFromModel(user) - } - return converted -} - -func userGrantViewFromModel(grant *grant_model.UserGrantView) *auth.UserGrantView { - return &auth.UserGrantView{ - UserId: grant.UserID, - OrgId: grant.ResourceOwner, - OrgName: grant.OrgName, - ProjectId: grant.ProjectID, - Roles: grant.RoleKeys, - GrantId: grant.GrantID, - } -} - -func projectOrgSearchResponseFromModel(response *grant_model.ProjectOrgSearchResponse) *auth.MyProjectOrgSearchResponse { - return &auth.MyProjectOrgSearchResponse{ - Offset: response.Offset, - Limit: 
response.Limit, - TotalResult: response.TotalResult, - Result: projectOrgsFromModel(response.Result), - } -} - -func projectOrgsFromModel(projectOrgs []*grant_model.Org) []*auth.Org { - converted := make([]*auth.Org, len(projectOrgs)) - for i, org := range projectOrgs { - converted[i] = projectOrgFromModel(org) - } - return converted -} - -func projectOrgFromModel(org *grant_model.Org) *auth.Org { - return &auth.Org{ - Id: org.OrgID, - Name: org.OrgName, - } -} diff --git a/internal/api/grpc/auth/user_human_converter.go b/internal/api/grpc/auth/user_human_converter.go deleted file mode 100644 index 1b2a7bd72d..0000000000 --- a/internal/api/grpc/auth/user_human_converter.go +++ /dev/null @@ -1,32 +0,0 @@ -package auth - -import ( - "github.com/caos/logging" - usr_model "github.com/caos/zitadel/internal/user/model" - "github.com/caos/zitadel/pkg/grpc/auth" - "github.com/golang/protobuf/ptypes" -) - -func humanViewFromModel(user *usr_model.HumanView) *auth.HumanView { - passwordChanged, err := ptypes.TimestampProto(user.PasswordChanged) - logging.Log("MANAG-h4ByY").OnError(err).Debug("unable to parse date") - - return &auth.HumanView{ - FirstName: user.FirstName, - LastName: user.LastName, - DisplayName: user.DisplayName, - NickName: user.NickName, - PreferredLanguage: user.PreferredLanguage, - Gender: genderFromModel(user.Gender), - Email: user.Email, - IsEmailVerified: user.IsEmailVerified, - Phone: user.Phone, - IsPhoneVerified: user.IsPhoneVerified, - Country: user.Country, - Locality: user.Locality, - PostalCode: user.PostalCode, - Region: user.Region, - StreetAddress: user.StreetAddress, - PasswordChanged: passwordChanged, - } -} diff --git a/internal/api/grpc/auth/user_machine_converter.go b/internal/api/grpc/auth/user_machine_converter.go deleted file mode 100644 index 003c0eee11..0000000000 --- a/internal/api/grpc/auth/user_machine_converter.go +++ /dev/null 
@@ -1,19 +0,0 @@ -package auth - -import ( - "github.com/caos/logging" - "github.com/golang/protobuf/ptypes" - - usr_model "github.com/caos/zitadel/internal/user/model" - "github.com/caos/zitadel/pkg/grpc/auth" -) - -func machineViewFromModel(machine *usr_model.MachineView) *auth.MachineView { - lastKeyAdded, err := ptypes.TimestampProto(machine.LastKeyAdded) - logging.Log("MANAG-wGcAQ").OnError(err).Debug("unable to parse date") - return &auth.MachineView{ - Description: machine.Description, - Name: machine.Name, - LastKeyAdded: lastKeyAdded, - } -} diff --git a/internal/api/grpc/auth/user_session.go b/internal/api/grpc/auth/user_session.go deleted file mode 100644 index 9ad998a823..0000000000 --- a/internal/api/grpc/auth/user_session.go +++ /dev/null @@ -1,17 +0,0 @@ -package auth - -import ( - "context" - - "github.com/golang/protobuf/ptypes/empty" - - "github.com/caos/zitadel/pkg/grpc/auth" -) - -func (s *Server) GetMyUserSessions(ctx context.Context, _ *empty.Empty) (_ *auth.UserSessionViews, err error) { - userSessions, err := s.repo.GetMyUserSessions(ctx) - if err != nil { - return nil, err - } - return &auth.UserSessionViews{UserSessions: userSessionViewsFromModel(userSessions)}, nil -} diff --git a/internal/api/grpc/auth/user_session_converter.go b/internal/api/grpc/auth/user_session_converter.go deleted file mode 100644 index 9ebc7e4499..0000000000 --- a/internal/api/grpc/auth/user_session_converter.go +++ /dev/null 
@@ -1,38 +0,0 @@
-package auth
-
-import (
- auth_req_model "github.com/caos/zitadel/internal/auth_request/model"
- usr_model "github.com/caos/zitadel/internal/user/model"
- "github.com/caos/zitadel/pkg/grpc/auth"
-)
-
-func userSessionViewsFromModel(userSessions []*usr_model.UserSessionView) []*auth.UserSessionView {
- converted := make([]*auth.UserSessionView, len(userSessions))
- for i, s := range userSessions {
- converted[i] = userSessionViewFromModel(s)
- }
- return converted
-}
-
-func userSessionViewFromModel(userSession *usr_model.UserSessionView) *auth.UserSessionView {
- return &auth.UserSessionView{
- Sequence: userSession.Sequence,
- AgentId: userSession.UserAgentID,
- UserId: userSession.UserID,
- UserName: userSession.UserName,
- LoginName: userSession.LoginName,
- DisplayName: userSession.DisplayName,
- AuthState: userSessionStateFromModel(userSession.State),
- }
-}
-
-func userSessionStateFromModel(state auth_req_model.UserSessionState) auth.UserSessionState {
- switch state {
- case auth_req_model.UserSessionStateActive:
- return auth.UserSessionState_USERSESSIONSTATE_ACTIVE
- case auth_req_model.UserSessionStateTerminated:
- return auth.UserSessionState_USERSESSIONSTATE_TERMINATED
- default:
- return auth.UserSessionState_USERSESSIONSTATE_UNSPECIFIED
- }
-}
diff --git a/internal/api/grpc/authn/converter.go b/internal/api/grpc/authn/converter.go
new file mode 100644
index 0000000000..591c2f5582
--- /dev/null
+++ b/internal/api/grpc/authn/converter.go
@@ -0,0 +1,69 @@
+package authn
+
+import (
+ "github.com/caos/logging"
+ "github.com/golang/protobuf/ptypes"
+
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ key_model "github.com/caos/zitadel/internal/key/model"
+ "github.com/caos/zitadel/pkg/grpc/authn"
+)
+
+func KeyViewsToPb(keys []*key_model.AuthNKeyView) []*authn.Key {
+ k := make([]*authn.Key, len(keys))
+ for i, key := range keys {
+ k[i] = KeyViewToPb(key)
+ }
+ return k
+}
+
+func KeyViewToPb(key *key_model.AuthNKeyView) *authn.Key {
+ expDate, err := ptypes.TimestampProto(key.ExpirationDate)
+ logging.Log("AUTHN-uhYmM").OnError(err).Debug("unable to parse expiry")
+
+ return &authn.Key{
+ Id: key.ID,
+ Type: authn.KeyType_KEY_TYPE_JSON,
+ ExpirationDate: expDate,
+ Details: object.ToDetailsPb(
+ key.Sequence,
+ key.CreationDate, //TODO: details
+ "key.ResourceOwner", //TODO: details
+ ),
+ }
+}
+
+func KeyToPb(key *key_model.AuthNKeyView) *authn.Key {
+ expDate, err := ptypes.TimestampProto(key.ExpirationDate)
+ logging.Log("AUTHN-4n12g").OnError(err).Debug("unable to parse expiration date")
+
+ return &authn.Key{
+ Id: key.ID,
+ Type: KeyTypeToPb(key.Type),
+ ExpirationDate: expDate,
+ Details: object.ToDetailsPb(
+ key.Sequence,
+ key.CreationDate, //TODO: not very pretty
+ "key.ResourceOwner", //TODO: details
+ ),
+ }
+}
+
+func KeyTypeToPb(typ key_model.AuthNKeyType) authn.KeyType {
+ switch typ {
+ case key_model.AuthNKeyTypeJSON:
+ return authn.KeyType_KEY_TYPE_JSON
+ default:
+ return authn.KeyType_KEY_TYPE_UNSPECIFIED
+ }
+}
+
+func KeyTypeToDomain(typ authn.KeyType) domain.AuthNKeyType {
+ switch typ {
+ case authn.KeyType_KEY_TYPE_JSON:
+ return domain.AuthNKeyTypeJSON
+ default:
+ return domain.AuthNKeyTypeNONE
+ }
+}
diff --git a/internal/api/grpc/change/user_changes.go b/internal/api/grpc/change/user_changes.go
new file mode 100644
index 0000000000..7982f1feec
--- /dev/null
+++ b/internal/api/grpc/change/user_changes.go
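Review bot: `KeyViewToPb` and `KeyToPb` pass the string literal `"key.ResourceOwner"` as the last argument of `object.ToDetailsPb`, so every key served through these converters would report that literal text as its resource owner rather than the owning organisation (assuming the argument is the owner id, as the TODO suggests). A client that uses the details to attribute a key to a tenant gets a value that looks populated but is meaningless; until the view carries the owner, an empty value is the safer placeholder: `"", //TODO: set the resource owner once the view exposes it`. The same pattern appears in `ModelIDPViewToPb` and `IDPViewToPb` in internal/api/grpc/idp/converter.go with `"idp.ResourceOwner"`. `KeyViewToPb` also hard-codes `authn.KeyType_KEY_TYPE_JSON` where `KeyToPb` calls `KeyTypeToPb(key.Type)`, and the two functions otherwise duplicate each other.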
@@ -0,0 +1,85 @@
+package change
+
+import (
+ org_model "github.com/caos/zitadel/internal/org/model"
+ proj_model "github.com/caos/zitadel/internal/project/model"
+ user_model "github.com/caos/zitadel/internal/user/model"
+ change_pb "github.com/caos/zitadel/pkg/grpc/change"
+ "github.com/caos/zitadel/pkg/grpc/message"
+)
+
+func UserChangesToPb(changes []*user_model.UserChange) []*change_pb.Change {
+ c := make([]*change_pb.Change, len(changes))
+ for i, change := range changes {
+ c[i] = UserChangeToPb(change)
+ }
+ return c
+}
+
+func UserChangeToPb(change *user_model.UserChange) *change_pb.Change {
+ return &change_pb.Change{
+ ChangeDate: change.ChangeDate,
+ EventType: message.NewLocalizedEventType(change.EventType),
+ Sequence: change.Sequence,
+ EditorId: change.ModifierID,
+ EditorDisplayName: change.ModifierName,
+ // ResourceOwnerId: change.,TODO: resource owner not returned
+ }
+}
+
+func OrgChangesToPb(changes []*org_model.OrgChange) []*change_pb.Change {
+ c := make([]*change_pb.Change, len(changes))
+ for i, change := range changes {
+ c[i] = OrgChangeToPb(change)
+ }
+ return c
+}
+
+func OrgChangeToPb(change *org_model.OrgChange) *change_pb.Change {
+ return &change_pb.Change{
+ ChangeDate: change.ChangeDate,
+ EventType: message.NewLocalizedEventType(change.EventType),
+ Sequence: change.Sequence,
+ EditorId: change.ModifierId,
+ EditorDisplayName: change.ModifierName,
+ // ResourceOwnerId: change.,TODO: resource owner not returned
+ }
+}
+
+func ProjectChangesToPb(changes []*proj_model.ProjectChange) []*change_pb.Change {
+ c := make([]*change_pb.Change, len(changes))
+ for i, change := range changes {
+ c[i] = ProjectChangeToPb(change)
+ }
+ return c
+}
+
+func ProjectChangeToPb(change *proj_model.ProjectChange) *change_pb.Change {
+ return &change_pb.Change{
+ ChangeDate: change.ChangeDate,
+ EventType: message.NewLocalizedEventType(change.EventType),
+ Sequence: change.Sequence,
+ EditorId: change.ModifierId,
+ EditorDisplayName: change.ModifierName,
+ // ResourceOwnerId: change.,TODO: resource owner not returned
+ }
+}
+
+func AppChangesToPb(changes []*proj_model.ApplicationChange) []*change_pb.Change {
+ c := make([]*change_pb.Change, len(changes))
+ for i, change := range changes {
+ c[i] = AppChangeToPb(change)
+ }
+ return c
+}
+
+func AppChangeToPb(change *proj_model.ApplicationChange) *change_pb.Change {
+ return &change_pb.Change{
+ ChangeDate: change.ChangeDate,
+ EventType: message.NewLocalizedEventType(change.EventType),
+ Sequence: change.Sequence,
+ EditorId: change.ModifierId,
+ EditorDisplayName: change.ModifierName,
+ // ResourceOwnerId: change.,TODO: resource owner not returned
+ }
+}
diff --git a/internal/api/grpc/idp/converter.go b/internal/api/grpc/idp/converter.go
new file mode 100644
index 0000000000..9456bfa481
--- /dev/null
+++ b/internal/api/grpc/idp/converter.go
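Review bot: All four `*ChangeToPb` converters leave `ResourceOwnerId` unset, and the only trace of that is a commented-out field with a garbled TODO (`// ResourceOwnerId: change.,TODO: resource owner not returned`). These entries presumably serve as the change history an operator reads, so a consumer should learn from the function's documentation that the owner is missing rather than discover an empty field; a doc comment on each exported converter would cover it, e.g. `// UserChangeToPb converts a user change for the API; ResourceOwnerId is not populated yet.` The slice variants also dereference every element without a nil check, which holds only if the repository never returns nil entries, and the same comment is a good place to state that expectation.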
@@ -0,0 +1,237 @@
+package idp
+
+import (
+ obj_grpc "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ iam_model "github.com/caos/zitadel/internal/iam/model"
+ user_model "github.com/caos/zitadel/internal/user/model"
+ idp_pb "github.com/caos/zitadel/pkg/grpc/idp"
+)
+
+func IDPViewsToPb(idps []*iam_model.IDPConfigView) []*idp_pb.IDP {
+ resp := make([]*idp_pb.IDP, len(idps))
+ for i, idp := range idps {
+ resp[i] = ModelIDPViewToPb(idp)
+ }
+ return resp
+}
+
+func ModelIDPViewToPb(idp *iam_model.IDPConfigView) *idp_pb.IDP {
+ return &idp_pb.IDP{
+ Id: idp.IDPConfigID,
+ State: ModelIDPStateToPb(idp.State),
+ Name: idp.Name,
+ StylingType: ModelIDPStylingTypeToPb(idp.StylingType),
+ Owner: ModelIDPProviderTypeToPb(idp.IDPProviderType),
+ Config: ModelIDPViewToConfigPb(idp),
+ Details: obj_grpc.ToDetailsPb(
+ idp.Sequence,
+ idp.ChangeDate,
+ "idp.ResourceOwner", //TODO: backend
+ ),
+ }
+}
+
+func IDPViewToPb(idp *domain.IDPConfigView) *idp_pb.IDP {
+ mapped := &idp_pb.IDP{
+ Id: idp.AggregateID,
+ State: IDPStateToPb(idp.State),
+ Name: idp.Name,
+ StylingType: IDPStylingTypeToPb(idp.StylingType),
+ Config: IDPViewToConfigPb(idp),
+ Details: obj_grpc.ToDetailsPb(idp.Sequence, idp.ChangeDate, "idp.ResourceOwner"), //TODO: resource owner in view
+ }
+ return mapped
+}
+
+func ExternalIDPViewsToLoginPolicyLinkPb(links []*iam_model.IDPProviderView) []*idp_pb.IDPLoginPolicyLink {
+ l := make([]*idp_pb.IDPLoginPolicyLink, len(links))
+ for i, link := range links {
+ l[i] = ExternalIDPViewToLoginPolicyLinkPb(link)
+ }
+ return l
+}
+
+func ExternalIDPViewToLoginPolicyLinkPb(link *iam_model.IDPProviderView) *idp_pb.IDPLoginPolicyLink {
+ return &idp_pb.IDPLoginPolicyLink{
+ IdpId: link.IDPConfigID,
+ IdpName: link.Name,
+ IdpType: idp_pb.IDPType_IDP_TYPE_OIDC,
+ }
+}
+
+func IDPsToUserLinkPb(res []*user_model.ExternalIDPView) []*idp_pb.IDPUserLink {
+ links := make([]*idp_pb.IDPUserLink, len(res))
+ for i, link := range res {
+ links[i] = ExternalIDPViewToUserLinkPb(link)
+ }
+ return links
+}
+
+func ExternalIDPViewToUserLinkPb(link *user_model.ExternalIDPView) *idp_pb.IDPUserLink {
+ return &idp_pb.IDPUserLink{
+ UserId: link.UserID,
+ IdpId: link.IDPConfigID,
+ IdpName: link.IDPName,
+ ProvidedUserId: link.ExternalUserID,
+ ProvidedUserName: link.UserDisplayName,
+ //TODO: as soon as saml is implemented we need to switch here
+ IdpType: idp_pb.IDPType_IDP_TYPE_OIDC,
+ }
+}
+
+func IDPStateToPb(state domain.IDPConfigState) idp_pb.IDPState {
+ switch state {
+ case domain.IDPConfigStateActive:
+ return idp_pb.IDPState_IDP_STATE_ACTIVE
+ case domain.IDPConfigStateInactive:
+ return idp_pb.IDPState_IDP_STATE_INACTIVE
+ default:
+ return idp_pb.IDPState_IDP_STATE_UNSPECIFIED
+ }
+}
+
+func ModelIDPStateToPb(state iam_model.IDPConfigState) idp_pb.IDPState {
+ switch state {
+ case iam_model.IDPConfigStateActive:
+ return idp_pb.IDPState_IDP_STATE_ACTIVE
+ case iam_model.IDPConfigStateInactive:
+ return idp_pb.IDPState_IDP_STATE_INACTIVE
+ default:
+ return idp_pb.IDPState_IDP_STATE_UNSPECIFIED
+ }
+}
+
+func IDPStylingTypeToDomain(stylingType idp_pb.IDPStylingType) domain.IDPConfigStylingType {
+ switch stylingType {
+ case idp_pb.IDPStylingType_STYLING_TYPE_GOOGLE:
+ return domain.IDPConfigStylingTypeGoogle
+ default:
+ return domain.IDPConfigStylingTypeUnspecified
+ }
+}
+
+func ModelIDPStylingTypeToPb(stylingType iam_model.IDPStylingType) idp_pb.IDPStylingType {
+ switch stylingType {
+ case iam_model.IDPStylingTypeGoogle:
+ return idp_pb.IDPStylingType_STYLING_TYPE_GOOGLE
+ default:
+ return idp_pb.IDPStylingType_STYLING_TYPE_UNSPECIFIED
+ }
+}
+
+func IDPStylingTypeToPb(stylingType domain.IDPConfigStylingType) idp_pb.IDPStylingType {
+ switch stylingType {
+ case domain.IDPConfigStylingTypeGoogle:
+ return idp_pb.IDPStylingType_STYLING_TYPE_GOOGLE
+ default:
+ return idp_pb.IDPStylingType_STYLING_TYPE_UNSPECIFIED
+ }
+}
+
+func ModelIDPViewToConfigPb(config *iam_model.IDPConfigView) *idp_pb.IDP_OidcConfig {
+ return &idp_pb.IDP_OidcConfig{
+ OidcConfig: &idp_pb.OIDCConfig{
+ ClientId: config.OIDCClientID,
+ Issuer: config.OIDCIssuer,
+ Scopes: config.OIDCScopes,
+ DisplayNameMapping: ModelMappingFieldToPb(config.OIDCIDPDisplayNameMapping),
+ UsernameMapping: ModelMappingFieldToPb(config.OIDCUsernameMapping),
+ },
+ }
+}
+
+func IDPViewToConfigPb(config *domain.IDPConfigView) *idp_pb.IDP_OidcConfig {
+ return &idp_pb.IDP_OidcConfig{
+ OidcConfig: &idp_pb.OIDCConfig{
+ ClientId: config.OIDCClientID,
+ Issuer: config.OIDCIssuer,
+ Scopes: config.OIDCScopes,
+ DisplayNameMapping: MappingFieldToPb(config.OIDCIDPDisplayNameMapping),
+ UsernameMapping: MappingFieldToPb(config.OIDCUsernameMapping),
+ },
+ }
+}
+
+func OIDCConfigToPb(config *domain.OIDCIDPConfig) *idp_pb.IDP_OidcConfig {
+ return &idp_pb.IDP_OidcConfig{
+ OidcConfig: &idp_pb.OIDCConfig{
+ ClientId: config.ClientID,
+ Issuer: config.Issuer,
+ Scopes: config.Scopes,
+ DisplayNameMapping: MappingFieldToPb(config.IDPDisplayNameMapping),
+ UsernameMapping: MappingFieldToPb(config.UsernameMapping),
+ },
+ }
+}
+
+func FieldNameToModel(fieldName idp_pb.IDPFieldName) iam_model.IDPConfigSearchKey {
+ switch fieldName {
+ // case admin.IdpSearchKey_IDPSEARCHKEY_IDP_CONFIG_ID: //TODO: not implemented in proto
+ // return iam_model.IDPConfigSearchKeyIdpConfigID
+ case idp_pb.IDPFieldName_IDP_FIELD_NAME_NAME:
+ return iam_model.IDPConfigSearchKeyName
+ default:
+ return iam_model.IDPConfigSearchKeyUnspecified
+ }
+}
+
+func ModelMappingFieldToPb(mappingField iam_model.OIDCMappingField) idp_pb.OIDCMappingField {
+ switch mappingField {
+ case iam_model.OIDCMappingFieldEmail:
+ return idp_pb.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL
+ case iam_model.OIDCMappingFieldPreferredLoginName:
+ return idp_pb.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME
+ default:
+ return idp_pb.OIDCMappingField_OIDC_MAPPING_FIELD_UNSPECIFIED
+ }
+}
+
+func MappingFieldToPb(mappingField domain.OIDCMappingField) idp_pb.OIDCMappingField {
+ switch mappingField {
+ case domain.OIDCMappingFieldEmail:
+ return idp_pb.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL
+ case domain.OIDCMappingFieldPreferredLoginName:
+ return idp_pb.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME
+ default:
+ return idp_pb.OIDCMappingField_OIDC_MAPPING_FIELD_UNSPECIFIED
+ }
+}
+
+func MappingFieldToDomain(mappingField idp_pb.OIDCMappingField) domain.OIDCMappingField {
+ switch mappingField {
+ case idp_pb.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL:
+ return domain.OIDCMappingFieldEmail
+ case idp_pb.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME:
+ return domain.OIDCMappingFieldPreferredLoginName
+ default:
+ return domain.OIDCMappingFieldUnspecified
+ }
+}
+
+func ModelIDPProviderTypeToPb(typ iam_model.IDPProviderType) idp_pb.IDPOwnerType {
+ switch typ {
+ case iam_model.IDPProviderTypeOrg:
+ return idp_pb.IDPOwnerType_IDP_OWNER_TYPE_ORG
+ case iam_model.IDPProviderTypeSystem:
+ return idp_pb.IDPOwnerType_IDP_OWNER_TYPE_SYSTEM
+ default:
+ return idp_pb.IDPOwnerType_IDP_OWNER_TYPE_UNSPECIFIED
+ }
+}
+
+func IDPIDQueryToModel(query *idp_pb.IDPIDQuery) *iam_model.IDPConfigSearchQuery {
+ return &iam_model.IDPConfigSearchQuery{
+ Key: iam_model.IDPConfigSearchKeyIdpConfigID, //TODO: whats the difference between idpconfigid and aggregateid search key?
+ Method: domain.SearchMethodEquals,
+ Value: query.Id,
+ }
+}
+
+func IDPNameQueryToModel(query *idp_pb.IDPNameQuery) *iam_model.IDPConfigSearchQuery {
+ return &iam_model.IDPConfigSearchQuery{
+ Key: iam_model.IDPConfigSearchKeyName,
+ Method: obj_grpc.TextMethodToModel(query.Method),
+ Value: query.Name,
+ }
+}
diff --git a/internal/api/grpc/management/application.go b/internal/api/grpc/management/application.go
deleted file mode 100644
index 29250b7377..0000000000
--- a/internal/api/grpc/management/application.go
+++ /dev/null
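Review bot: `IDPViewToPb` never sets `Owner`, while `ModelIDPViewToPb` fills it from `ModelIDPProviderTypeToPb(idp.IDPProviderType)`, so the same identity provider would come back with an unspecified owner type depending on which converter served the call (assuming the proto zero value is the UNSPECIFIED member). Whether an IDP is system-owned or org-owned is something a client may rely on when deciding who is allowed to change it, so the two paths should agree. If `domain.IDPConfigView` has no provider type to map yet, say so next to the struct literal: `// Owner is left unset here; TODO: map it once the view carries the provider type`. `ExternalIDPViewToLoginPolicyLinkPb` also hard-codes `idp_pb.IDPType_IDP_TYPE_OIDC` without the TODO that `ExternalIDPViewToUserLinkPb` carries for the same constant.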
@@ -1,135 +0,0 @@
-package management
-
-import (
- "context"
-
- "github.com/caos/zitadel/internal/api/authz"
-
- "github.com/golang/protobuf/ptypes/empty"
-
- "github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func (s *Server) SearchApplications(ctx context.Context, in *management.ApplicationSearchRequest) (*management.ApplicationSearchResponse, error) {
- response, err := s.project.SearchApplications(ctx, applicationSearchRequestsToModel(in))
- if err != nil {
- return nil, err
- }
- return applicationSearchResponseFromModel(response), nil
-}
-
-func (s *Server) ApplicationByID(ctx context.Context, in *management.ApplicationID) (*management.ApplicationView, error) {
- app, err := s.project.ApplicationByID(ctx, in.ProjectId, in.Id)
- if err != nil {
- return nil, err
- }
- return applicationViewFromModel(app), nil
-}
-
-func (s *Server) CreateOIDCApplication(ctx context.Context, in *management.OIDCApplicationCreate) (*management.Application, error) {
- app, err := s.command.AddOIDCApplication(ctx, oidcAppCreateToDomain(in), authz.GetCtxData(ctx).OrgID)
- if err != nil {
- return nil, err
- }
- return oidcAppFromDomain(app), nil
-}
-
-func (s *Server) CreateAPIApplication(ctx context.Context, in *management.APIApplicationCreate) (*management.Application, error) {
- app, err := s.command.AddAPIApplication(ctx, apiAppCreateToModel(in), authz.GetCtxData(ctx).OrgID)
- if err != nil {
- return nil, err
- }
- return apiAppFromDomain(app), nil
-}
-
-func (s *Server) UpdateApplication(ctx context.Context, in *management.ApplicationUpdate) (*management.Application, error) {
- app, err := s.command.ChangeApplication(ctx, in.ProjectId, appUpdateToDomain(in), authz.GetCtxData(ctx).OrgID)
- if err != nil {
- return nil, err
- }
- return appFromDomain(app), nil
-}
-
-func (s *Server) DeactivateApplication(ctx context.Context, in *management.ApplicationID) (*empty.Empty, error) {
- err := s.command.DeactivateApplication(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).OrgID)
- return &empty.Empty{}, err
-}
-
-func (s *Server) ReactivateApplication(ctx context.Context, in *management.ApplicationID) (*empty.Empty, error) {
- err := s.command.ReactivateApplication(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).OrgID)
- return &empty.Empty{}, err
-}
-
-func (s *Server) RemoveApplication(ctx context.Context, in *management.ApplicationID) (*empty.Empty, error) {
- err := s.command.RemoveApplication(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).OrgID)
- return &empty.Empty{}, err
-}
-
-func (s *Server) UpdateApplicationOIDCConfig(ctx context.Context, in *management.OIDCConfigUpdate) (*management.OIDCConfig, error) {
- config, err := s.command.ChangeOIDCApplication(ctx, oidcConfigUpdateToDomain(in), authz.GetCtxData(ctx).OrgID)
- if err != nil {
- return nil, err
- }
- return oidcConfigFromDomain(config), nil
-}
-
-func (s *Server) UpdateApplicationAPIConfig(ctx context.Context, in *management.APIConfigUpdate) (*management.APIConfig, error) {
- config, err := s.command.ChangeAPIApplication(ctx, apiConfigUpdateToDomain(in), authz.GetCtxData(ctx).OrgID)
- if err != nil {
- return nil, err
- }
- return apiConfigFromDomain(config), nil
-}
-
-func (s *Server) RegenerateOIDCClientSecret(ctx context.Context, in *management.ApplicationID) (*management.ClientSecret, error) {
- config, err := s.command.ChangeOIDCApplicationSecret(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).OrgID)
- if err != nil {
- return nil, err
- }
- return &management.ClientSecret{ClientSecret: config.ClientSecretString}, nil
-}
-
-func (s *Server) RegenerateAPIClientSecret(ctx context.Context, in *management.ApplicationID) (*management.ClientSecret, error) {
- config, err := s.command.ChangeAPIApplicationSecret(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).OrgID)
- if err != nil {
- return nil, err
- }
- return &management.ClientSecret{ClientSecret: config.ClientSecretString}, nil
-}
-
-func (s *Server) ApplicationChanges(ctx context.Context, changesRequest *management.ChangeRequest) (*management.Changes, error) {
- response, err := s.project.ApplicationChanges(ctx, changesRequest.Id, changesRequest.SecId, changesRequest.SequenceOffset, changesRequest.Limit, changesRequest.Asc)
- if err != nil {
- return nil, err
- }
- return appChangesToResponse(response, changesRequest.GetSequenceOffset(), changesRequest.GetLimit()), nil
-}
-
-func (s *Server) SearchClientKeys(ctx context.Context, req *management.ClientKeySearchRequest) (*management.ClientKeySearchResponse, error) {
- result, err := s.project.SearchClientKeys(ctx, clientKeySearchRequestToModel(req))
- if err != nil {
- return nil, err
- }
- return clientKeySearchResponseFromModel(result), nil
-}
-
-func (s *Server) GetClientKey(ctx context.Context, req *management.ClientKeyIDRequest) (*management.ClientKeyView, error) {
- key, err := s.project.GetClientKey(ctx, req.ProjectId, req.ApplicationId, req.KeyId)
- if err != nil {
- return nil, err
- }
- return clientKeyViewFromModel(key), nil
-}
-
-func (s *Server) AddClientKey(ctx context.Context, req *management.AddClientKeyRequest) (*management.AddClientKeyResponse, error) {
- key, err := s.command.AddApplicationKey(ctx, addClientKeyToDomain(req), authz.GetCtxData(ctx).OrgID)
- if err != nil {
- return nil, err
- }
- return addClientKeyFromDomain(key), nil
-}
-
-func (s *Server) DeleteClientKey(ctx context.Context, req *management.ClientKeyIDRequest) (*empty.Empty, error) {
- err := s.command.RemoveApplicationKey(ctx, req.ProjectId, req.ApplicationId, req.KeyId, authz.GetCtxData(ctx).OrgID)
- return &empty.Empty{}, err
-}
diff --git a/internal/api/grpc/management/application_converter.go b/internal/api/grpc/management/application_converter.go
deleted file mode 100644
index 4627cb1a44..0000000000
--- a/internal/api/grpc/management/application_converter.go
+++ /dev/null
@@ -1,736 +0,0 @@ -package management - -import ( - "encoding/json" - "time" - - "github.com/caos/logging" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/encoding/protojson" - "google.golang.org/protobuf/types/known/durationpb" - "google.golang.org/protobuf/types/known/structpb" - "google.golang.org/protobuf/types/known/timestamppb" - - "github.com/caos/zitadel/internal/domain" - "github.com/caos/zitadel/internal/eventstore/v1/models" - key_model "github.com/caos/zitadel/internal/key/model" - proj_model "github.com/caos/zitadel/internal/project/model" - "github.com/caos/zitadel/pkg/grpc/management" - "github.com/caos/zitadel/pkg/grpc/message" -) - -func appFromDomain(app domain.Application) *management.Application { - return &management.Application{ - Id: app.GetAppID(), - State: appStateFromDomain(app.GetState()), - Name: app.GetApplicationName(), - } -} -func appFromModel(app *proj_model.Application) *management.Application { - changeDate, err := ptypes.TimestampProto(app.ChangeDate) - logging.Log("GRPC-di7rw").OnError(err).Debug("unable to parse timestamp") - - return &management.Application{ - Id: app.AppID, - State: appStateFromModel(app.State), - ChangeDate: changeDate, - Name: app.Name, - Sequence: app.Sequence, - AppConfig: appConfigFromModel(app), - } -} - -func appConfigFromModel(app *proj_model.Application) management.AppConfig { - if app.Type == proj_model.AppTypeAPI { - return &management.Application_ApiConfig{ - ApiConfig: apiConfigFromModel(app.APIConfig), - } - } - return nil -} - -func oidcAppFromDomain(app *domain.OIDCApp) *management.Application { - return &management.Application{ - Id: app.AppID, - State: appStateFromDomain(app.State), - ChangeDate: timestamppb.New(app.ChangeDate), - Name: app.AppName, - Sequence: app.Sequence, - AppConfig: oidcAppConfigFromDomain(app), - } -} - -func apiAppFromDomain(app *domain.APIApp) *management.Application { - return &management.Application{ - Id: app.AppID, - State: 
appStateFromDomain(app.State), - ChangeDate: timestamppb.New(app.ChangeDate), - Name: app.AppName, - Sequence: app.Sequence, - AppConfig: apiAppConfigFromDomain(app), - } -} - -func oidcAppConfigFromDomain(app *domain.OIDCApp) management.AppConfig { - return &management.Application_OidcConfig{ - OidcConfig: oidcConfigFromDomain(app), - } -} -func apiAppConfigFromDomain(app *domain.APIApp) management.AppConfig { - return &management.Application_ApiConfig{ - ApiConfig: apiConfigFromDomain(app), - } -} - -func oidcConfigFromDomain(config *domain.OIDCApp) *management.OIDCConfig { - return &management.OIDCConfig{ - RedirectUris: config.RedirectUris, - ResponseTypes: oidcResponseTypesFromDomain(config.ResponseTypes), - GrantTypes: oidcGrantTypesFromDomain(config.GrantTypes), - ApplicationType: oidcApplicationTypeFromDomain(config.ApplicationType), - ClientId: config.ClientID, - ClientSecret: config.ClientSecretString, - AuthMethodType: oidcAuthMethodTypeFromDomain(config.AuthMethodType), - PostLogoutRedirectUris: config.PostLogoutRedirectUris, - Version: oidcVersionFromDomain(config.OIDCVersion), - NoneCompliant: config.Compliance.NoneCompliant, - ComplianceProblems: complianceProblemsToLocalizedMessages(config.Compliance.Problems), - DevMode: config.DevMode, - AccessTokenType: oidcTokenTypeFromDomain(config.AccessTokenType), - AccessTokenRoleAssertion: config.AccessTokenRoleAssertion, - IdTokenRoleAssertion: config.IDTokenRoleAssertion, - IdTokenUserinfoAssertion: config.IDTokenUserinfoAssertion, - ClockSkew: durationpb.New(config.ClockSkew), - } -} - -func apiConfigFromDomain(config *domain.APIApp) *management.APIConfig { - return &management.APIConfig{ - ClientId: config.ClientID, - ClientSecret: config.ClientSecretString, - AuthMethodType: apiAuthMethodTypeFromDomain(config.AuthMethodType), - } -} - -func apiConfigFromModel(config *proj_model.APIConfig) *management.APIConfig { - return &management.APIConfig{ - ClientId: config.ClientID, - ClientSecret: 
config.ClientSecretString, - AuthMethodType: apiAuthMethodTypeFromModel(config.AuthMethodType), - } -} - -func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *management.OIDCConfig { - return &management.OIDCConfig{ - RedirectUris: app.OIDCRedirectUris, - ResponseTypes: oidcResponseTypesFromModel(app.OIDCResponseTypes), - GrantTypes: oidcGrantTypesFromModel(app.OIDCGrantTypes), - ApplicationType: oidcApplicationTypeFromModel(app.OIDCApplicationType), - ClientId: app.OIDCClientID, - AuthMethodType: oidcAuthMethodTypeFromModel(app.OIDCAuthMethodType), - PostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris, - Version: oidcVersionFromDomain(domain.OIDCVersion(app.OIDCVersion)), - NoneCompliant: app.NoneCompliant, - ComplianceProblems: complianceProblemsToLocalizedMessages(app.ComplianceProblems), - DevMode: app.DevMode, - AccessTokenType: oidcTokenTypeFromDomain(domain.OIDCTokenType(app.AccessTokenType)), - AccessTokenRoleAssertion: app.AccessTokenRoleAssertion, - IdTokenRoleAssertion: app.IDTokenRoleAssertion, - IdTokenUserinfoAssertion: app.IDTokenUserinfoAssertion, - ClockSkew: durationpb.New(app.ClockSkew), - } -} - -func apiConfigFromApplicationViewModel(app *proj_model.ApplicationView) *management.APIConfig { - return &management.APIConfig{ - ClientId: app.OIDCClientID, - AuthMethodType: apiAuthMethodTypeFromModel(proj_model.APIAuthMethodType(app.OIDCAuthMethodType)), - } -} - -func complianceProblemsToLocalizedMessages(problems []string) []*message.LocalizedMessage { - converted := make([]*message.LocalizedMessage, len(problems)) - for i, p := range problems { - converted[i] = message.NewLocalizedMessage(p) - } - return converted - -} - -func oidcAppCreateToDomain(app *management.OIDCApplicationCreate) *domain.OIDCApp { - return &domain.OIDCApp{ - ObjectRoot: models.ObjectRoot{ - AggregateID: app.ProjectId, - }, - AppName: app.Name, - OIDCVersion: oidcVersionToDomain(app.Version), - RedirectUris: app.RedirectUris, - ResponseTypes: 
oidcResponseTypesToDomain(app.ResponseTypes), - GrantTypes: oidcGrantTypesToDomain(app.GrantTypes), - ApplicationType: oidcApplicationTypeToDomain(app.ApplicationType), - AuthMethodType: oidcAuthMethodTypeToDomain(app.AuthMethodType), - PostLogoutRedirectUris: app.PostLogoutRedirectUris, - DevMode: app.DevMode, - AccessTokenType: oidcTokenTypeToDomain(app.AccessTokenType), - AccessTokenRoleAssertion: app.AccessTokenRoleAssertion, - IDTokenRoleAssertion: app.IdTokenRoleAssertion, - IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion, - ClockSkew: app.ClockSkew.AsDuration(), - } -} - -func apiAppCreateToModel(app *management.APIApplicationCreate) *domain.APIApp { - return &domain.APIApp{ - ObjectRoot: models.ObjectRoot{ - AggregateID: app.ProjectId, - }, - AppName: app.Name, - AuthMethodType: apiAuthMethodTypeToDomain(app.AuthMethodType), - } -} - -func appUpdateToDomain(app *management.ApplicationUpdate) domain.Application { - return &domain.ChangeApp{ - AppID: app.Id, - AppName: app.Name, - } -} - -func oidcConfigUpdateToDomain(app *management.OIDCConfigUpdate) *domain.OIDCApp { - return &domain.OIDCApp{ - ObjectRoot: models.ObjectRoot{ - AggregateID: app.ProjectId, - }, - AppID: app.ApplicationId, - RedirectUris: app.RedirectUris, - ResponseTypes: oidcResponseTypesToDomain(app.ResponseTypes), - GrantTypes: oidcGrantTypesToDomain(app.GrantTypes), - ApplicationType: oidcApplicationTypeToDomain(app.ApplicationType), - AuthMethodType: oidcAuthMethodTypeToDomain(app.AuthMethodType), - PostLogoutRedirectUris: app.PostLogoutRedirectUris, - DevMode: app.DevMode, - AccessTokenType: oidcTokenTypeToDomain(app.AccessTokenType), - AccessTokenRoleAssertion: app.AccessTokenRoleAssertion, - IDTokenRoleAssertion: app.IdTokenRoleAssertion, - IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion, - ClockSkew: app.ClockSkew.AsDuration(), - } -} - -func apiConfigUpdateToDomain(app *management.APIConfigUpdate) *domain.APIApp { - return &domain.APIApp{ - ObjectRoot: 
models.ObjectRoot{ - AggregateID: app.ProjectId, - }, - AppID: app.ApplicationId, - AuthMethodType: apiAuthMethodTypeToDomain(app.AuthMethodType), - } -} - -func addClientKeyToDomain(key *management.AddClientKeyRequest) *domain.ApplicationKey { - expirationDate := time.Time{} - if key.ExpirationDate != nil { - expirationDate = key.ExpirationDate.AsTime() - } - - return &domain.ApplicationKey{ - ObjectRoot: models.ObjectRoot{ - AggregateID: key.ProjectId, - }, - ExpirationDate: expirationDate, - Type: authNKeyTypeToDomain(key.Type), - ApplicationID: key.ApplicationId, - } -} - -func addClientKeyFromDomain(key *domain.ApplicationKey) *management.AddClientKeyResponse { - detail, err := key.Detail() - logging.Log("MANAG-adt42").OnError(err).Warn("unable to marshal key") - - return &management.AddClientKeyResponse{ - Id: key.KeyID, - CreationDate: timestamppb.New(key.CreationDate), - ExpirationDate: timestamppb.New(key.ExpirationDate), - Sequence: key.Sequence, - KeyDetails: detail, - Type: authNKeyTypeFromDomain(key.Type), - } -} - -func applicationSearchRequestsToModel(request *management.ApplicationSearchRequest) *proj_model.ApplicationSearchRequest { - return &proj_model.ApplicationSearchRequest{ - Offset: request.Offset, - Limit: request.Limit, - Queries: applicationSearchQueriesToModel(request.ProjectId, request.Queries), - } -} - -func applicationSearchQueriesToModel(projectID string, queries []*management.ApplicationSearchQuery) []*proj_model.ApplicationSearchQuery { - converted := make([]*proj_model.ApplicationSearchQuery, len(queries)+1) - for i, q := range queries { - converted[i] = applicationSearchQueryToModel(q) - } - converted[len(queries)] = &proj_model.ApplicationSearchQuery{Key: proj_model.AppSearchKeyProjectID, Method: domain.SearchMethodEquals, Value: projectID} - - return converted -} - -func applicationSearchQueryToModel(query *management.ApplicationSearchQuery) *proj_model.ApplicationSearchQuery { - return &proj_model.ApplicationSearchQuery{ - 
Key: applicationSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func applicationSearchKeyToModel(key management.ApplicationSearchKey) proj_model.AppSearchKey { - switch key { - case management.ApplicationSearchKey_APPLICATIONSEARCHKEY_APP_NAME: - return proj_model.AppSearchKeyName - default: - return proj_model.AppSearchKeyUnspecified - } -} - -func applicationSearchResponseFromModel(response *proj_model.ApplicationSearchResponse) *management.ApplicationSearchResponse { - timestamp, err := ptypes.TimestampProto(response.Timestamp) - logging.Log("GRPC-Lp06f").OnError(err).Debug("unable to parse timestamp") - return &management.ApplicationSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - Result: applicationViewsFromModel(response.Result), - ProcessedSequence: response.Sequence, - ViewTimestamp: timestamp, - } -} - -func applicationViewsFromModel(apps []*proj_model.ApplicationView) []*management.ApplicationView { - converted := make([]*management.ApplicationView, len(apps)) - for i, app := range apps { - converted[i] = applicationViewFromModel(app) - } - return converted -} - -func applicationViewFromModel(application *proj_model.ApplicationView) *management.ApplicationView { - creationDate, err := ptypes.TimestampProto(application.CreationDate) - logging.Log("GRPC-lo9sw").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(application.ChangeDate) - logging.Log("GRPC-8uwsd").OnError(err).Debug("unable to parse timestamp") - - converted := &management.ApplicationView{ - Id: application.ID, - State: appStateFromModel(application.State), - CreationDate: creationDate, - ChangeDate: changeDate, - Name: application.Name, - Sequence: application.Sequence, - } - if application.IsOIDC { - converted.AppConfig = &management.ApplicationView_OidcConfig{ - OidcConfig: oidcConfigFromApplicationViewModel(application), - } - } else 
{ - converted.AppConfig = &management.ApplicationView_ApiConfig{ - ApiConfig: apiConfigFromApplicationViewModel(application), - } - } - return converted -} - -func appStateFromDomain(state domain.AppState) management.AppState { - switch state { - case domain.AppStateActive: - return management.AppState_APPSTATE_ACTIVE - case domain.AppStateInactive: - return management.AppState_APPSTATE_INACTIVE - default: - return management.AppState_APPSTATE_UNSPECIFIED - } -} - -func appStateFromModel(state proj_model.AppState) management.AppState { - switch state { - case proj_model.AppStateActive: - return management.AppState_APPSTATE_ACTIVE - case proj_model.AppStateInactive: - return management.AppState_APPSTATE_INACTIVE - default: - return management.AppState_APPSTATE_UNSPECIFIED - } -} - -func oidcResponseTypesToDomain(responseTypes []management.OIDCResponseType) []domain.OIDCResponseType { - if responseTypes == nil || len(responseTypes) == 0 { - return []domain.OIDCResponseType{domain.OIDCResponseTypeCode} - } - oidcResponseTypes := make([]domain.OIDCResponseType, len(responseTypes)) - - for i, responseType := range responseTypes { - switch responseType { - case management.OIDCResponseType_OIDCRESPONSETYPE_CODE: - oidcResponseTypes[i] = domain.OIDCResponseTypeCode - case management.OIDCResponseType_OIDCRESPONSETYPE_ID_TOKEN: - oidcResponseTypes[i] = domain.OIDCResponseTypeIDToken - case management.OIDCResponseType_OIDCRESPONSETYPE_ID_TOKEN_TOKEN: - oidcResponseTypes[i] = domain.OIDCResponseTypeIDTokenToken - } - } - - return oidcResponseTypes -} - -func oidcResponseTypesFromDomain(responseTypes []domain.OIDCResponseType) []management.OIDCResponseType { - oidcResponseTypes := make([]management.OIDCResponseType, len(responseTypes)) - - for i, responseType := range responseTypes { - switch responseType { - case domain.OIDCResponseTypeCode: - oidcResponseTypes[i] = management.OIDCResponseType_OIDCRESPONSETYPE_CODE - case domain.OIDCResponseTypeIDToken: - oidcResponseTypes[i] 
= management.OIDCResponseType_OIDCRESPONSETYPE_ID_TOKEN - case domain.OIDCResponseTypeIDTokenToken: - oidcResponseTypes[i] = management.OIDCResponseType_OIDCRESPONSETYPE_ID_TOKEN_TOKEN - } - } - - return oidcResponseTypes -} -func oidcResponseTypesFromModel(responseTypes []proj_model.OIDCResponseType) []management.OIDCResponseType { - oidcResponseTypes := make([]management.OIDCResponseType, len(responseTypes)) - - for i, responseType := range responseTypes { - switch responseType { - case proj_model.OIDCResponseTypeCode: - oidcResponseTypes[i] = management.OIDCResponseType_OIDCRESPONSETYPE_CODE - case proj_model.OIDCResponseTypeIDToken: - oidcResponseTypes[i] = management.OIDCResponseType_OIDCRESPONSETYPE_ID_TOKEN - case proj_model.OIDCResponseTypeIDTokenToken: - oidcResponseTypes[i] = management.OIDCResponseType_OIDCRESPONSETYPE_ID_TOKEN_TOKEN - } - } - - return oidcResponseTypes -} - -func oidcGrantTypesToDomain(grantTypes []management.OIDCGrantType) []domain.OIDCGrantType { - if grantTypes == nil || len(grantTypes) == 0 { - return []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode} - } - oidcGrantTypes := make([]domain.OIDCGrantType, len(grantTypes)) - - for i, grantType := range grantTypes { - switch grantType { - case management.OIDCGrantType_OIDCGRANTTYPE_AUTHORIZATION_CODE: - oidcGrantTypes[i] = domain.OIDCGrantTypeAuthorizationCode - case management.OIDCGrantType_OIDCGRANTTYPE_IMPLICIT: - oidcGrantTypes[i] = domain.OIDCGrantTypeImplicit - case management.OIDCGrantType_OIDCGRANTTYPE_REFRESH_TOKEN: - oidcGrantTypes[i] = domain.OIDCGrantTypeRefreshToken - } - } - return oidcGrantTypes -} - -func oidcGrantTypesFromDomain(grantTypes []domain.OIDCGrantType) []management.OIDCGrantType { - oidcGrantTypes := make([]management.OIDCGrantType, len(grantTypes)) - - for i, grantType := range grantTypes { - switch grantType { - case domain.OIDCGrantTypeAuthorizationCode: - oidcGrantTypes[i] = management.OIDCGrantType_OIDCGRANTTYPE_AUTHORIZATION_CODE - case 
domain.OIDCGrantTypeImplicit: - oidcGrantTypes[i] = management.OIDCGrantType_OIDCGRANTTYPE_IMPLICIT - case domain.OIDCGrantTypeRefreshToken: - oidcGrantTypes[i] = management.OIDCGrantType_OIDCGRANTTYPE_REFRESH_TOKEN - } - } - return oidcGrantTypes -} - -func oidcGrantTypesFromModel(grantTypes []proj_model.OIDCGrantType) []management.OIDCGrantType { - oidcGrantTypes := make([]management.OIDCGrantType, len(grantTypes)) - - for i, grantType := range grantTypes { - switch grantType { - case proj_model.OIDCGrantTypeAuthorizationCode: - oidcGrantTypes[i] = management.OIDCGrantType_OIDCGRANTTYPE_AUTHORIZATION_CODE - case proj_model.OIDCGrantTypeImplicit: - oidcGrantTypes[i] = management.OIDCGrantType_OIDCGRANTTYPE_IMPLICIT - case proj_model.OIDCGrantTypeRefreshToken: - oidcGrantTypes[i] = management.OIDCGrantType_OIDCGRANTTYPE_REFRESH_TOKEN - } - } - return oidcGrantTypes -} - -func oidcApplicationTypeToDomain(appType management.OIDCApplicationType) domain.OIDCApplicationType { - switch appType { - case management.OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB: - return domain.OIDCApplicationTypeWeb - case management.OIDCApplicationType_OIDCAPPLICATIONTYPE_USER_AGENT: - return domain.OIDCApplicationTypeUserAgent - case management.OIDCApplicationType_OIDCAPPLICATIONTYPE_NATIVE: - return domain.OIDCApplicationTypeNative - } - return domain.OIDCApplicationTypeWeb -} - -func oidcVersionToDomain(version management.OIDCVersion) domain.OIDCVersion { - switch version { - case management.OIDCVersion_OIDCV1_0: - return domain.OIDCVersionV1 - } - return domain.OIDCVersionV1 -} - -func oidcApplicationTypeFromDomain(appType domain.OIDCApplicationType) management.OIDCApplicationType { - switch appType { - case domain.OIDCApplicationTypeWeb: - return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB - case domain.OIDCApplicationTypeUserAgent: - return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_USER_AGENT - case domain.OIDCApplicationTypeNative: - return 
management.OIDCApplicationType_OIDCAPPLICATIONTYPE_NATIVE - default: - return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB - } -} - -func oidcApplicationTypeFromModel(appType proj_model.OIDCApplicationType) management.OIDCApplicationType { - switch appType { - case proj_model.OIDCApplicationTypeWeb: - return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB - case proj_model.OIDCApplicationTypeUserAgent: - return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_USER_AGENT - case proj_model.OIDCApplicationTypeNative: - return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_NATIVE - default: - return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB - } -} - -func oidcAuthMethodTypeToDomain(authType management.OIDCAuthMethodType) domain.OIDCAuthMethodType { - switch authType { - case management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC: - return domain.OIDCAuthMethodTypeBasic - case management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_POST: - return domain.OIDCAuthMethodTypePost - case management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_NONE: - return domain.OIDCAuthMethodTypeNone - case management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_PRIVATE_KEY_JWT: - return domain.OIDCAuthMethodTypePrivateKeyJWT - default: - return domain.OIDCAuthMethodTypeBasic - } -} - -func oidcAuthMethodTypeFromDomain(authType domain.OIDCAuthMethodType) management.OIDCAuthMethodType { - switch authType { - case domain.OIDCAuthMethodTypeBasic: - return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC - case domain.OIDCAuthMethodTypePost: - return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_POST - case domain.OIDCAuthMethodTypeNone: - return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_NONE - case domain.OIDCAuthMethodTypePrivateKeyJWT: - return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_PRIVATE_KEY_JWT - default: - return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC - } -} - -func apiAuthMethodTypeToDomain(authType 
management.APIAuthMethodType) domain.APIAuthMethodType { - switch authType { - case management.APIAuthMethodType_APIAUTHMETHODTYPE_BASIC: - return domain.APIAuthMethodTypeBasic - case management.APIAuthMethodType_APIAUTHMETHODTYPE_PRIVATE_KEY_JWT: - return domain.APIAuthMethodTypePrivateKeyJWT - default: - return domain.APIAuthMethodTypeBasic - } -} - -func apiAuthMethodTypeFromDomain(authType domain.APIAuthMethodType) management.APIAuthMethodType { - switch authType { - case domain.APIAuthMethodTypeBasic: - return management.APIAuthMethodType_APIAUTHMETHODTYPE_BASIC - case domain.APIAuthMethodTypePrivateKeyJWT: - return management.APIAuthMethodType_APIAUTHMETHODTYPE_PRIVATE_KEY_JWT - default: - return management.APIAuthMethodType_APIAUTHMETHODTYPE_BASIC - } -} - -func oidcAuthMethodTypeFromModel(authType proj_model.OIDCAuthMethodType) management.OIDCAuthMethodType { - switch authType { - case proj_model.OIDCAuthMethodTypeBasic: - return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC - case proj_model.OIDCAuthMethodTypePost: - return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_POST - case proj_model.OIDCAuthMethodTypeNone: - return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_NONE - case proj_model.OIDCAuthMethodTypePrivateKeyJWT: - return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_PRIVATE_KEY_JWT - default: - return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC - } -} - -func oidcTokenTypeToDomain(tokenType management.OIDCTokenType) domain.OIDCTokenType { - switch tokenType { - case management.OIDCTokenType_OIDCTokenType_Bearer: - return domain.OIDCTokenTypeBearer - case management.OIDCTokenType_OIDCTokenType_JWT: - return domain.OIDCTokenTypeJWT - default: - return domain.OIDCTokenTypeBearer - } -} - -func oidcTokenTypeFromDomain(tokenType domain.OIDCTokenType) management.OIDCTokenType { - switch tokenType { - case domain.OIDCTokenTypeBearer: - return management.OIDCTokenType_OIDCTokenType_Bearer - case domain.OIDCTokenTypeJWT: - 
return management.OIDCTokenType_OIDCTokenType_JWT - default: - return management.OIDCTokenType_OIDCTokenType_Bearer - } -} - -func apiAuthMethodTypeFromModel(authType proj_model.APIAuthMethodType) management.APIAuthMethodType { - switch authType { - case proj_model.APIAuthMethodTypeBasic: - return management.APIAuthMethodType_APIAUTHMETHODTYPE_BASIC - case proj_model.APIAuthMethodTypePrivateKeyJWT: - return management.APIAuthMethodType_APIAUTHMETHODTYPE_PRIVATE_KEY_JWT - default: - return management.APIAuthMethodType_APIAUTHMETHODTYPE_BASIC - } -} - -func oidcVersionFromDomain(version domain.OIDCVersion) management.OIDCVersion { - switch version { - case domain.OIDCVersionV1: - return management.OIDCVersion_OIDCV1_0 - default: - return management.OIDCVersion_OIDCV1_0 - } -} - -func authNKeyTypeToDomain(keyType management.AuthNKeyType) domain.AuthNKeyType { - switch keyType { - case management.AuthNKeyType_AUTHNKEY_JSON: - return domain.AuthNKeyTypeJSON - default: - return domain.AuthNKeyTypeNONE - } -} - -func authNKeyTypeFromDomain(typ domain.AuthNKeyType) management.AuthNKeyType { - switch typ { - case domain.AuthNKeyTypeJSON: - return management.AuthNKeyType_AUTHNKEY_JSON - default: - return management.AuthNKeyType_AUTHNKEY_UNSPECIFIED - } -} - -func appChangesToResponse(response *proj_model.ApplicationChanges, offset uint64, limit uint64) (_ *management.Changes) { - return &management.Changes{ - Limit: limit, - Offset: offset, - Changes: appChangesToMgtAPI(response), - } -} - -func appChangesToMgtAPI(changes *proj_model.ApplicationChanges) (_ []*management.Change) { - result := make([]*management.Change, len(changes.Changes)) - - for i, change := range changes.Changes { - b, err := json.Marshal(change.Data) - data := &structpb.Struct{} - err = protojson.Unmarshal(b, data) - if err != nil { - } - result[i] = &management.Change{ - ChangeDate: change.ChangeDate, - EventType: message.NewLocalizedEventType(change.EventType), - Sequence: change.Sequence, - Editor: 
change.ModifierName, - EditorId: change.ModifierId, - Data: data, - } - } - - return result -} - -func clientKeyViewsFromModel(keys ...*key_model.AuthNKeyView) []*management.ClientKeyView { - keyViews := make([]*management.ClientKeyView, len(keys)) - for i, key := range keys { - keyViews[i] = clientKeyViewFromModel(key) - } - return keyViews -} - -func clientKeyViewFromModel(key *key_model.AuthNKeyView) *management.ClientKeyView { - creationDate, err := ptypes.TimestampProto(key.CreationDate) - logging.Log("MANAG-DAs2t").OnError(err).Debug("unable to parse timestamp") - - expirationDate, err := ptypes.TimestampProto(key.ExpirationDate) - logging.Log("MANAG-BDgh4").OnError(err).Debug("unable to parse timestamp") - - return &management.ClientKeyView{ - Id: key.ID, - CreationDate: creationDate, - ExpirationDate: expirationDate, - Sequence: key.Sequence, - Type: authNKeyTypeFromModel(key.Type), - } -} - -func authNKeyTypeFromModel(typ key_model.AuthNKeyType) management.AuthNKeyType { - switch typ { - case key_model.AuthNKeyTypeJSON: - return management.AuthNKeyType_AUTHNKEY_JSON - default: - return management.AuthNKeyType_AUTHNKEY_UNSPECIFIED - } -} - -func clientKeySearchRequestToModel(req *management.ClientKeySearchRequest) *key_model.AuthNKeySearchRequest { - return &key_model.AuthNKeySearchRequest{ - Offset: req.Offset, - Limit: req.Limit, - Asc: req.Asc, - Queries: []*key_model.AuthNKeySearchQuery{ - { - Key: key_model.AuthNKeyObjectType, - Method: domain.SearchMethodEquals, - Value: key_model.AuthNKeyObjectTypeApplication, - }, { - Key: key_model.AuthNKeyObjectID, - Method: domain.SearchMethodEquals, - Value: req.ApplicationId, - }, - }, - } -} - -func clientKeySearchResponseFromModel(req *key_model.AuthNKeySearchResponse) *management.ClientKeySearchResponse { - viewTimestamp, err := ptypes.TimestampProto(req.Timestamp) - logging.Log("MANAG-Sk9ds").OnError(err).Debug("unable to parse cretaion date") - - return &management.ClientKeySearchResponse{ - Offset: 
req.Offset, - Limit: req.Limit, - TotalResult: req.TotalResult, - ProcessedSequence: req.Sequence, - ViewTimestamp: viewTimestamp, - Result: clientKeyViewsFromModel(req.Result...), - } -} diff --git a/internal/api/grpc/management/gateway.go b/internal/api/grpc/management/gateway.go deleted file mode 100644 index d80dd3d827..0000000000 --- a/internal/api/grpc/management/gateway.go +++ /dev/null @@ -1,50 +0,0 @@ -package management - -import ( - "strings" - - "github.com/grpc-ecosystem/grpc-gateway/runtime" - - grpc_util "github.com/caos/zitadel/internal/api/grpc" - "github.com/caos/zitadel/internal/api/grpc/server" - "github.com/caos/zitadel/pkg/grpc/management" -) - -type Gateway struct { - grpcEndpoint string - port string - cutomHeaders []string -} - -func StartGateway(conf grpc_util.GatewayConfig) *Gateway { - return &Gateway{ - grpcEndpoint: conf.GRPCEndpoint, - port: conf.Port, - cutomHeaders: conf.CustomHeaders, - } -} - -func (gw *Gateway) Gateway() server.GatewayFunc { - return management.RegisterManagementServiceHandlerFromEndpoint -} - -func (gw *Gateway) GRPCEndpoint() string { - return ":" + gw.grpcEndpoint -} - -func (gw *Gateway) GatewayPort() string { - return gw.port -} - -func (gw *Gateway) GatewayServeMuxOptions() []runtime.ServeMuxOption { - return []runtime.ServeMuxOption{ - runtime.WithIncomingHeaderMatcher(func(header string) (string, bool) { - for _, customHeader := range gw.cutomHeaders { - if strings.HasPrefix(strings.ToLower(header), customHeader) { - return header, true - } - } - return runtime.DefaultHeaderMatcher(header) - }), - } -} diff --git a/internal/api/grpc/management/iam.go b/internal/api/grpc/management/iam.go index f8a2a14eb7..2d4e001f4c 100644 --- a/internal/api/grpc/management/iam.go +++ b/internal/api/grpc/management/iam.go 
@@ -3,15 +3,16 @@ package management import ( "context" - "github.com/golang/protobuf/ptypes/empty" - - "github.com/caos/zitadel/pkg/grpc/management" + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" ) -func (s *Server) GetIam(ctx context.Context, _ *empty.Empty) (*management.Iam, error) { +func (s *Server) GetIAM(ctx context.Context, req *mgmt_pb.GetIAMRequest) (*mgmt_pb.GetIAMResponse, error) { iam, err := s.project.GetIAMByID(ctx) if err != nil { return nil, err } - return iamFromModel(iam), nil + return &mgmt_pb.GetIAMResponse{ + GlobalOrgId: iam.GlobalOrgID, + IamProjectId: iam.IAMProjectID, + }, nil } diff --git a/internal/api/grpc/management/iam_converter.go b/internal/api/grpc/management/iam_converter.go deleted file mode 100644 index 0daa146aef..0000000000 --- a/internal/api/grpc/management/iam_converter.go +++ /dev/null @@ -1,36 +0,0 @@ -package management - -import ( - "github.com/caos/zitadel/internal/domain" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/management" -) - -func iamFromModel(iam *iam_model.IAM) *management.Iam { - return &management.Iam{ - IamProjectId: iam.IAMProjectID, - GlobalOrgId: iam.GlobalOrgID, - SetUpDone: iamSetupStepFromModel(iam.SetUpDone), - SetUpStarted: iamSetupStepFromModel(iam.SetUpStarted), - } -} - -func iamSetupStepFromModel(step domain.Step) management.IamSetupStep { - switch step { - case domain.Step1: - return management.IamSetupStep_iam_setup_step_1 - case domain.Step2: - return management.IamSetupStep_iam_setup_step_2 - // case iam_model.Step3: - // return management.IamSetupStep_iam_setup_step_3 - // case iam_model.Step4: - // return management.IamSetupStep_iam_setup_step_4 - // case iam_model.Step5: - // return management.IamSetupStep_iam_setup_step_5 - // case iam_model.Step6: - // return management.IamSetupStep_iam_setup_step_6 - - default: - return management.IamSetupStep_iam_setup_step_UNDEFINED - } -} 
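Review bot: `GetIAM` is an exported RPC handler with no doc comment, and nothing in the hunk shows which permission guards it, although the response returns instance-wide identifiers (`GlobalOrgId`, `IamProjectId`). Authorization is presumably enforced outside the handler, for example by an interceptor driven by the proto auth option, but that is not visible here and should be stated. I would add `// GetIAM returns the global org ID and the IAM project ID; access control is expected to come from the auth option on the RPC, not from this handler.` above the method. The `req` parameter is never read, so it can be named `_` as the removed `GetIam` did with its empty request.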
diff --git a/internal/api/grpc/management/idp.go b/internal/api/grpc/management/idp.go
new file mode 100644
index 0000000000..08e742f2c3
--- /dev/null
+++ b/internal/api/grpc/management/idp.go
@@ -0,0 +1,35 @@
+package management
+
+import (
+ "context"
+
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
+
+ mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetOrgIDPByID(ctx context.Context, req *mgmt_pb.GetOrgIDPByIDRequest) (*mgmt_pb.GetOrgIDPByIDResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method GetOrgIDPByID not implemented")
+}
+func (s *Server) ListOrgIDPs(ctx context.Context, req *mgmt_pb.ListOrgIDPsRequest) (*mgmt_pb.ListOrgIDPsResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method ListOrgIDPs not implemented")
+}
+func (s *Server) AddOrgOIDCIDP(ctx context.Context, req *mgmt_pb.AddOrgOIDCIDPRequest) (*mgmt_pb.AddOrgOIDCIDPResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method AddOrgOIDCIDP not implemented")
+}
+func (s *Server) DeactivateOrgIDP(ctx context.Context, req *mgmt_pb.DeactivateOrgIDPRequest) (*mgmt_pb.DeactivateOrgIDPResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method DeactivateOrgIDP not implemented")
+}
+func (s *Server) ReactivateOrgIDP(ctx context.Context, req *mgmt_pb.ReactivateOrgIDPRequest) (*mgmt_pb.ReactivateOrgIDPResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method ReactivateOrgIDP not implemented")
+}
+func (s *Server) RemoveOrgIDP(ctx context.Context, req *mgmt_pb.RemoveOrgIDPRequest) (*mgmt_pb.RemoveOrgIDPResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method RemoveOrgIDP not implemented")
+}
+func (s *Server) UpdateOrgIDP(ctx context.Context, req *mgmt_pb.UpdateOrgIDPRequest) (*mgmt_pb.UpdateOrgIDPResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method UpdateOrgIDP not implemented")
+}
+func (s *Server) UpdateOrgIDPOIDCConfig(ctx context.Context, req *mgmt_pb.UpdateOrgIDPOIDCConfigRequest) (*mgmt_pb.UpdateOrgIDPOIDCConfigResponse, error) {
+ return nil, status.Errorf(codes.Unimplemented, "method UpdateOrgIDPOIDCConfig not implemented")
+}
diff --git a/internal/api/grpc/management/idp_config.go b/internal/api/grpc/management/idp_config.go
deleted file mode 100644
index bba451f8ac..0000000000
--- a/internal/api/grpc/management/idp_config.go
+++ /dev/null
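Review bot: All eight org IDP handlers in this new file return `codes.Unimplemented`, while the eight handlers deleted with idp_config.go in the same commit appear to be their working predecessors. Until these are filled in, an org administrator cannot deactivate or remove an identity provider through the management API, which matters operationally when a provider is misconfigured or compromised. I would mark the stubs as temporary, e.g. `// TODO(<tracking-issue>): port from the removed idp_config.go handlers` above `GetOrgIDPByID`, and call the gap out in the commit description. The exported methods also carry no doc comments, and a blank line between the functions would match the rest of the package.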
@@ -1,77 +0,0 @@ -package management - -import ( - "context" - - "github.com/golang/protobuf/ptypes/empty" - - "github.com/caos/zitadel/internal/api/authz" - "github.com/caos/zitadel/pkg/grpc/management" -) - -func (s *Server) IdpByID(ctx context.Context, id *management.IdpID) (*management.IdpView, error) { - config, err := s.org.IDPConfigByID(ctx, id.Id) - if err != nil { - return nil, err - } - return idpViewFromModel(config), nil -} - -func (s *Server) CreateOidcIdp(ctx context.Context, oidcIdpConfig *management.OidcIdpConfigCreate) (*management.Idp, error) { - config, err := s.command.AddIDPConfig(ctx, createOidcIdpToDomain(oidcIdpConfig)) - if err != nil { - return nil, err - } - return idpFromDomain(config), nil -} - -func (s *Server) UpdateIdpConfig(ctx context.Context, idpConfig *management.IdpUpdate) (*management.Idp, error) { - config, err := s.command.ChangeIDPConfig(ctx, updateIdpToDomain(ctx, idpConfig)) - if err != nil { - return nil, err - } - return idpFromDomain(config), nil -} - -func (s *Server) DeactivateIdpConfig(ctx context.Context, id *management.IdpID) (*empty.Empty, error) { - err := s.command.DeactivateIDPConfig(ctx, id.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) ReactivateIdpConfig(ctx context.Context, id *management.IdpID) (*empty.Empty, error) { - err := s.command.ReactivateIDPConfig(ctx, id.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) RemoveIdpConfig(ctx context.Context, id *management.IdpID) (*empty.Empty, error) { - externalIdps, err := s.user.ExternalIDPsByIDPConfigIDAndResourceOwner(ctx, id.Id, authz.GetCtxData(ctx).OrgID) - if err != nil { - return &empty.Empty{}, err - } - providers, err := s.org.GetIDPProvidersByIDPConfigID(ctx, authz.GetCtxData(ctx).OrgID, id.Id) - if err != nil { - return &empty.Empty{}, err - } - err = s.command.RemoveIDPConfig(ctx, id.Id, authz.GetCtxData(ctx).OrgID, len(providers) > 0, externalIDPViewsToDomain(externalIdps)...) 
- return &empty.Empty{}, err -} - -func (s *Server) UpdateOidcIdpConfig(ctx context.Context, request *management.OidcIdpConfigUpdate) (*management.OidcIdpConfig, error) { - config, err := s.command.ChangeIDPOIDCConfig(ctx, updateOidcIdpToDomain(ctx, request)) - if err != nil { - return nil, err - } - return oidcIdpConfigFromDomain(config), nil -} - -func (s *Server) SearchIdps(ctx context.Context, request *management.IdpSearchRequest) (*management.IdpSearchResponse, error) { - searchRequest, err := idpConfigSearchRequestToModel(request) - if err != nil { - return nil, err - } - response, err := s.org.SearchIDPConfigs(ctx, searchRequest) - if err != nil { - return nil, err - } - return idpConfigSearchResponseFromModel(response), nil -} diff --git a/internal/api/grpc/management/idp_config_converter.go b/internal/api/grpc/management/idp_config_converter.go deleted file mode 100644 index ceff826107..0000000000 --- a/internal/api/grpc/management/idp_config_converter.go +++ /dev/null 
@@ -1,347 +0,0 @@ -package management - -import ( - "context" - "github.com/caos/zitadel/internal/user/model" - - "github.com/caos/logging" - "github.com/caos/zitadel/internal/api/authz" - "github.com/caos/zitadel/internal/domain" - caos_errors "github.com/caos/zitadel/internal/errors" - "github.com/caos/zitadel/internal/eventstore/v1/models" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/management" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" - - "strconv" -) - -func createOidcIdpToDomain(idp *management.OidcIdpConfigCreate) *domain.IDPConfig { - return &domain.IDPConfig{ - Name: idp.Name, - StylingType: idpConfigStylingTypeToDomain(idp.StylingType), - Type: domain.IDPConfigTypeOIDC, - OIDCConfig: &domain.OIDCIDPConfig{ - ClientID: idp.ClientId, - ClientSecretString: idp.ClientSecret, - Issuer: idp.Issuer, - Scopes: idp.Scopes, - IDPDisplayNameMapping: oidcMappingFieldToDomain(idp.IdpDisplayNameMapping), - UsernameMapping: oidcMappingFieldToDomain(idp.UsernameMapping), - }, - } -} - -func updateIdpToDomain(ctx context.Context, idp *management.IdpUpdate) *domain.IDPConfig { - return &domain.IDPConfig{ - ObjectRoot: models.ObjectRoot{ - AggregateID: authz.GetCtxData(ctx).OrgID, - }, - IDPConfigID: idp.Id, - Name: idp.Name, - StylingType: idpConfigStylingTypeToDomain(idp.StylingType), - } -} - -func updateOidcIdpToDomain(ctx context.Context, idp *management.OidcIdpConfigUpdate) *domain.OIDCIDPConfig { - return &domain.OIDCIDPConfig{ - ObjectRoot: models.ObjectRoot{ - AggregateID: authz.GetCtxData(ctx).OrgID, - }, - IDPConfigID: idp.IdpId, - ClientID: idp.ClientId, - ClientSecretString: idp.ClientSecret, - Issuer: idp.Issuer, - Scopes: idp.Scopes, - IDPDisplayNameMapping: oidcMappingFieldToDomain(idp.IdpDisplayNameMapping), - UsernameMapping: oidcMappingFieldToDomain(idp.UsernameMapping), - } -} - -func idpFromDomain(idp *domain.IDPConfig) *management.Idp { - return 
&management.Idp{ - Id: idp.IDPConfigID, - ChangeDate: timestamppb.New(idp.ChangeDate), - Sequence: idp.Sequence, - Name: idp.Name, - StylingType: idpConfigStylingTypeFromDomain(idp.StylingType), - State: idpConfigStateFromDomain(idp.State), - IdpConfig: idpConfigFromDomain(idp), - } -} - -func idpViewFromModel(idp *iam_model.IDPConfigView) *management.IdpView { - creationDate, err := ptypes.TimestampProto(idp.CreationDate) - logging.Log("GRPC-8dju8").OnError(err).Debug("date parse failed") - - changeDate, err := ptypes.TimestampProto(idp.ChangeDate) - logging.Log("GRPC-Dsj8i").OnError(err).Debug("date parse failed") - - return &management.IdpView{ - Id: idp.IDPConfigID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: idp.Sequence, - ProviderType: idpProviderTypeFromModel(idp.IDPProviderType), - Name: idp.Name, - StylingType: idpConfigStylingTypeFromModel(idp.StylingType), - State: idpConfigStateFromModel(idp.State), - IdpConfigView: idpConfigViewFromModel(idp), - } -} - -func idpConfigFromDomain(idp *domain.IDPConfig) *management.Idp_OidcConfig { - if idp.Type == domain.IDPConfigTypeOIDC { - return &management.Idp_OidcConfig{ - OidcConfig: oidcIdpConfigFromDomain(idp.OIDCConfig), - } - } - return nil -} - -func idpConfigFromModel(idp *iam_model.IDPConfig) *management.Idp_OidcConfig { - if idp.Type == iam_model.IDPConfigTypeOIDC { - return &management.Idp_OidcConfig{ - OidcConfig: oidcIdpConfigFromModel(idp.OIDCConfig), - } - } - return nil -} - -func oidcIdpConfigFromDomain(idp *domain.OIDCIDPConfig) *management.OidcIdpConfig { - return &management.OidcIdpConfig{ - ClientId: idp.ClientID, - Issuer: idp.Issuer, - Scopes: idp.Scopes, - IdpDisplayNameMapping: oidcMappingFieldFromDomain(idp.IDPDisplayNameMapping), - UsernameMapping: oidcMappingFieldFromDomain(idp.UsernameMapping), - } -} - -func oidcIdpConfigFromModel(idp *iam_model.OIDCIDPConfig) *management.OidcIdpConfig { - return &management.OidcIdpConfig{ - ClientId: idp.ClientID, - Issuer: 
idp.Issuer, - Scopes: idp.Scopes, - IdpDisplayNameMapping: oidcMappingFieldFromModel(idp.IDPDisplayNameMapping), - UsernameMapping: oidcMappingFieldFromModel(idp.UsernameMapping), - } -} - -func idpConfigViewFromModel(idp *iam_model.IDPConfigView) *management.IdpView_OidcConfig { - if idp.IsOIDC { - return &management.IdpView_OidcConfig{ - OidcConfig: oidcIdpConfigViewFromModel(idp), - } - } - return nil -} - -func oidcIdpConfigViewFromModel(idp *iam_model.IDPConfigView) *management.OidcIdpConfigView { - return &management.OidcIdpConfigView{ - ClientId: idp.OIDCClientID, - Issuer: idp.OIDCIssuer, - Scopes: idp.OIDCScopes, - IdpDisplayNameMapping: oidcMappingFieldFromModel(idp.OIDCIDPDisplayNameMapping), - UsernameMapping: oidcMappingFieldFromModel(idp.OIDCUsernameMapping), - } -} - -func idpConfigStateFromDomain(state domain.IDPConfigState) management.IdpState { - switch state { - case domain.IDPConfigStateActive: - return management.IdpState_IDPCONFIGSTATE_ACTIVE - case domain.IDPConfigStateInactive: - return management.IdpState_IDPCONFIGSTATE_INACTIVE - default: - return management.IdpState_IDPCONFIGSTATE_UNSPECIFIED - } -} - -func idpConfigStateFromModel(state iam_model.IDPConfigState) management.IdpState { - switch state { - case iam_model.IDPConfigStateActive: - return management.IdpState_IDPCONFIGSTATE_ACTIVE - case iam_model.IDPConfigStateInactive: - return management.IdpState_IDPCONFIGSTATE_INACTIVE - default: - return management.IdpState_IDPCONFIGSTATE_UNSPECIFIED - } -} - -func idpConfigSearchRequestToModel(request *management.IdpSearchRequest) (*iam_model.IDPConfigSearchRequest, error) { - convertedSearchRequest := &iam_model.IDPConfigSearchRequest{ - Limit: request.Limit, - Offset: request.Offset, - } - convertedQueries, err := idpConfigSearchQueriesToModel(request.Queries) - if err != nil { - return nil, err - } - convertedSearchRequest.Queries = convertedQueries - return convertedSearchRequest, nil -} - -func idpConfigSearchQueriesToModel(queries 
[]*management.IdpSearchQuery) ([]*iam_model.IDPConfigSearchQuery, error) { - modelQueries := make([]*iam_model.IDPConfigSearchQuery, len(queries)) - for i, query := range queries { - converted, err := idpConfigSearchQueryToModel(query) - if err != nil { - return nil, err - } - modelQueries[i] = converted - } - - return modelQueries, nil -} - -func idpConfigSearchQueryToModel(query *management.IdpSearchQuery) (*iam_model.IDPConfigSearchQuery, error) { - converted := &iam_model.IDPConfigSearchQuery{ - Key: idpConfigSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } - if query.Key != management.IdpSearchKey_IDPSEARCHKEY_PROVIDER_TYPE { - return converted, nil - } - value, err := idpProviderTypeStringToModel(query.Value) - if err != nil { - return nil, err - } - converted.Value = value - return converted, nil -} - -func idpConfigSearchKeyToModel(key management.IdpSearchKey) iam_model.IDPConfigSearchKey { - switch key { - case management.IdpSearchKey_IDPSEARCHKEY_IDP_CONFIG_ID: - return iam_model.IDPConfigSearchKeyIdpConfigID - case management.IdpSearchKey_IDPSEARCHKEY_NAME: - return iam_model.IDPConfigSearchKeyName - case management.IdpSearchKey_IDPSEARCHKEY_PROVIDER_TYPE: - return iam_model.IDPConfigSearchKeyIdpProviderType - default: - return iam_model.IDPConfigSearchKeyUnspecified - } -} - -func idpConfigSearchResponseFromModel(resp *iam_model.IDPConfigSearchResponse) *management.IdpSearchResponse { - timestamp, err := ptypes.TimestampProto(resp.Timestamp) - logging.Log("GRPC-KSi8c").OnError(err).Debug("date parse failed") - return &management.IdpSearchResponse{ - Limit: resp.Limit, - Offset: resp.Offset, - TotalResult: resp.TotalResult, - Result: idpConfigsFromView(resp.Result), - ProcessedSequence: resp.Sequence, - ViewTimestamp: timestamp, - } -} - -func idpConfigsFromView(viewIdps []*iam_model.IDPConfigView) []*management.IdpView { - idps := make([]*management.IdpView, len(viewIdps)) - for i, idp := range viewIdps 
{ - idps[i] = idpViewFromModel(idp) - } - return idps -} - -func oidcMappingFieldFromDomain(field domain.OIDCMappingField) management.OIDCMappingField { - switch field { - case domain.OIDCMappingFieldPreferredLoginName: - return management.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME - case domain.OIDCMappingFieldEmail: - return management.OIDCMappingField_OIDCMAPPINGFIELD_EMAIL - default: - return management.OIDCMappingField_OIDCMAPPINGFIELD_UNSPECIFIED - } -} - -func oidcMappingFieldFromModel(field iam_model.OIDCMappingField) management.OIDCMappingField { - switch field { - case iam_model.OIDCMappingFieldPreferredLoginName: - return management.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME - case iam_model.OIDCMappingFieldEmail: - return management.OIDCMappingField_OIDCMAPPINGFIELD_EMAIL - default: - return management.OIDCMappingField_OIDCMAPPINGFIELD_UNSPECIFIED - } -} - -func oidcMappingFieldToDomain(field management.OIDCMappingField) domain.OIDCMappingField { - switch field { - case management.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME: - return domain.OIDCMappingFieldPreferredLoginName - case management.OIDCMappingField_OIDCMAPPINGFIELD_EMAIL: - return domain.OIDCMappingFieldEmail - default: - return domain.OIDCMappingFieldUnspecified - } -} - -func oidcMappingFieldToModel(field management.OIDCMappingField) iam_model.OIDCMappingField { - switch field { - case management.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME: - return iam_model.OIDCMappingFieldPreferredLoginName - case management.OIDCMappingField_OIDCMAPPINGFIELD_EMAIL: - return iam_model.OIDCMappingFieldEmail - default: - return iam_model.OIDCMappingFieldUnspecified - } -} - -func idpConfigStylingTypeFromDomain(stylingType domain.IDPConfigStylingType) management.IdpStylingType { - switch stylingType { - case domain.IDPConfigStylingTypeGoogle: - return management.IdpStylingType_IDPSTYLINGTYPE_GOOGLE - default: - return management.IdpStylingType_IDPSTYLINGTYPE_UNSPECIFIED 
- } -} - -func idpConfigStylingTypeFromModel(stylingType iam_model.IDPStylingType) management.IdpStylingType { - switch stylingType { - case iam_model.IDPStylingTypeGoogle: - return management.IdpStylingType_IDPSTYLINGTYPE_GOOGLE - default: - return management.IdpStylingType_IDPSTYLINGTYPE_UNSPECIFIED - } -} - -func idpConfigStylingTypeToDomain(stylingType management.IdpStylingType) domain.IDPConfigStylingType { - switch stylingType { - case management.IdpStylingType_IDPSTYLINGTYPE_GOOGLE: - return domain.IDPConfigStylingTypeGoogle - default: - return domain.IDPConfigStylingTypeUnspecified - } -} - -func idpProviderTypeStringToModel(providerType string) (iam_model.IDPProviderType, error) { - i, _ := strconv.ParseInt(providerType, 10, 32) - switch management.IdpProviderType(i) { - case management.IdpProviderType_IDPPROVIDERTYPE_SYSTEM: - return iam_model.IDPProviderTypeSystem, nil - case management.IdpProviderType_IDPPROVIDERTYPE_ORG: - return iam_model.IDPProviderTypeOrg, nil - default: - return 0, caos_errors.ThrowPreconditionFailed(nil, "MGMT-6is9f", "Errors.Org.IDP.InvalidSearchQuery") - } -} - -func externalIDPViewsToDomain(idps []*model.ExternalIDPView) []*domain.ExternalIDP { - externalIDPs := make([]*domain.ExternalIDP, len(idps)) - for i, idp := range idps { - externalIDPs[i] = &domain.ExternalIDP{ - ObjectRoot: models.ObjectRoot{ - AggregateID: idp.UserID, - ResourceOwner: idp.ResourceOwner, - }, - IDPConfigID: idp.IDPConfigID, - ExternalUserID: idp.ExternalUserID, - DisplayName: idp.UserDisplayName, - } - } - return externalIDPs -} diff --git a/internal/api/grpc/management/information.go b/internal/api/grpc/management/information.go new file mode 100644 index 0000000000..4d8d1895fd --- /dev/null +++ b/internal/api/grpc/management/information.go 
@@ -0,0 +1,18 @@
+package management
+
+import (
+ "context"
+
+ mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) Healthz(context.Context, *mgmt_pb.HealthzRequest) (*mgmt_pb.HealthzResponse, error) {
+ return &mgmt_pb.HealthzResponse{}, nil
+}
+
+func (s *Server) GetOIDCInformation(ctx context.Context, req *mgmt_pb.GetOIDCInformationRequest) (*mgmt_pb.GetOIDCInformationResponse, error) {
+ return &mgmt_pb.GetOIDCInformationResponse{
+ Issuer: s.systemDefaults.ZitadelDocs.Issuer,
+ DiscoveryEndpoint: s.systemDefaults.ZitadelDocs.DiscoveryEndpoint,
+ }, nil
+}
diff --git a/internal/api/grpc/management/login_policy.go b/internal/api/grpc/management/login_policy.go
deleted file mode 100644
index 716b736f45..0000000000
--- a/internal/api/grpc/management/login_policy.go
+++ /dev/null
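Review bot: `GetOIDCInformation` in information.go names `ctx` and `req` but reads neither; the response is built only from `s.systemDefaults.ZitadelDocs`, so the parameters could be left unnamed as `Healthz` already does. Both exported handlers also lack doc comments. I would add `// Healthz always returns an empty HealthzResponse and a nil error.` and `// GetOIDCInformation returns the issuer and discovery endpoint configured in the system defaults; it does not read the request.` Whether either method is meant to be callable without authentication is decided outside this hunk and is worth stating in the same comments.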
@@ -1,114 +0,0 @@ -package management - -import ( - "context" - - "github.com/golang/protobuf/ptypes/empty" - - "github.com/caos/zitadel/internal/api/authz" - "github.com/caos/zitadel/pkg/grpc/management" -) - -func (s *Server) GetLoginPolicy(ctx context.Context, _ *empty.Empty) (*management.LoginPolicyView, error) { - result, err := s.org.GetLoginPolicy(ctx) - if err != nil { - return nil, err - } - return loginPolicyViewFromModel(result), nil -} - -func (s *Server) GetDefaultLoginPolicy(ctx context.Context, _ *empty.Empty) (*management.LoginPolicyView, error) { - result, err := s.org.GetDefaultLoginPolicy(ctx) - if err != nil { - return nil, err - } - return loginPolicyViewFromModel(result), nil -} - -func (s *Server) CreateLoginPolicy(ctx context.Context, policy *management.LoginPolicyRequest) (*management.LoginPolicy, error) { - result, err := s.command.AddLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, loginPolicyRequestToDomain(ctx, policy)) - if err != nil { - return nil, err - } - return loginPolicyFromDomain(result), nil -} - -func (s *Server) UpdateLoginPolicy(ctx context.Context, policy *management.LoginPolicyRequest) (*management.LoginPolicy, error) { - result, err := s.command.ChangeLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, loginPolicyRequestToDomain(ctx, policy)) - if err != nil { - return nil, err - } - return loginPolicyFromDomain(result), nil -} - -func (s *Server) RemoveLoginPolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) { - err := s.command.RemoveLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) GetLoginPolicyIdpProviders(ctx context.Context, request *management.IdpProviderSearchRequest) (*management.IdpProviderSearchResponse, error) { - result, err := s.org.SearchIDPProviders(ctx, idpProviderSearchRequestToModel(request)) - if err != nil { - return nil, err - } - return idpProviderSearchResponseFromModel(result), nil -} - -func (s *Server) AddIdpProviderToLoginPolicy(ctx 
context.Context, provider *management.IdpProviderAdd) (*management.IdpProvider, error) { - result, err := s.command.AddIDPProviderToLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, idpProviderAddToDomain(ctx, provider)) - if err != nil { - return nil, err - } - return idpProviderFromDomain(result), nil -} - -func (s *Server) RemoveIdpProviderFromLoginPolicy(ctx context.Context, provider *management.IdpProviderID) (*empty.Empty, error) { - externalIDPs, err := s.user.ExternalIDPsByIDPConfigIDAndResourceOwner(ctx, provider.IdpConfigId, authz.GetCtxData(ctx).OrgID) - if err != nil { - return &empty.Empty{}, err - } - err = s.command.RemoveIDPProviderFromLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, idpProviderIDToDomain(ctx, provider), externalIDPViewsToDomain(externalIDPs)...) - return &empty.Empty{}, err -} - -func (s *Server) GetLoginPolicySecondFactors(ctx context.Context, _ *empty.Empty) (*management.SecondFactorsResult, error) { - result, err := s.org.SearchSecondFactors(ctx) - if err != nil { - return nil, err - } - return secondFactorResultFromModel(result), nil -} - -func (s *Server) AddSecondFactorToLoginPolicy(ctx context.Context, mfa *management.SecondFactor) (*management.SecondFactor, error) { - result, err := s.command.AddSecondFactorToLoginPolicy(ctx, secondFactorTypeToDomain(mfa), authz.GetCtxData(ctx).OrgID) - if err != nil { - return nil, err - } - return secondFactorFromDomain(result), nil -} - -func (s *Server) RemoveSecondFactorFromLoginPolicy(ctx context.Context, mfa *management.SecondFactor) (*empty.Empty, error) { - err := s.command.RemoveSecondFactorFromLoginPolicy(ctx, secondFactorTypeToDomain(mfa), authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) GetLoginPolicyMultiFactors(ctx context.Context, _ *empty.Empty) (*management.MultiFactorsResult, error) { - result, err := s.org.SearchMultiFactors(ctx) - if err != nil { - return nil, err - } - return multiFactorResultFromModel(result), nil -} - -func (s *Server) 
AddMultiFactorToLoginPolicy(ctx context.Context, mfa *management.MultiFactor) (*management.MultiFactor, error) { - result, err := s.command.AddMultiFactorToLoginPolicy(ctx, multiFactorTypeToDomain(mfa), authz.GetCtxData(ctx).OrgID) - if err != nil { - return nil, err - } - return multiFactorFromDomain(result), nil -} - -func (s *Server) RemoveMultiFactorFromLoginPolicy(ctx context.Context, mfa *management.MultiFactor) (*empty.Empty, error) { - err := s.command.RemoveMultiFactorFromLoginPolicy(ctx, multiFactorTypeToDomain(mfa), authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} diff --git a/internal/api/grpc/management/login_policy_converter.go b/internal/api/grpc/management/login_policy_converter.go deleted file mode 100644 index ea77e8de8b..0000000000 --- a/internal/api/grpc/management/login_policy_converter.go +++ /dev/null 
@@ -1,292 +0,0 @@ -package management - -import ( - "context" - - "github.com/caos/logging" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" - - "github.com/caos/zitadel/internal/api/authz" - "github.com/caos/zitadel/internal/domain" - "github.com/caos/zitadel/internal/eventstore/v1/models" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/management" -) - -func loginPolicyRequestToDomain(ctx context.Context, policy *management.LoginPolicyRequest) *domain.LoginPolicy { - return &domain.LoginPolicy{ - ObjectRoot: models.ObjectRoot{ - AggregateID: authz.GetCtxData(ctx).OrgID, - }, - AllowUsernamePassword: policy.AllowUsernamePassword, - AllowExternalIDP: policy.AllowExternalIdp, - AllowRegister: policy.AllowRegister, - ForceMFA: policy.ForceMfa, - PasswordlessType: passwordlessTypeToDomain(policy.PasswordlessType), - } -} - -func loginPolicyFromDomain(policy *domain.LoginPolicy) *management.LoginPolicy { - return &management.LoginPolicy{ - AllowUsernamePassword: policy.AllowUsernamePassword, - AllowExternalIdp: policy.AllowExternalIDP, - AllowRegister: policy.AllowRegister, - ChangeDate: timestamppb.New(policy.ChangeDate), - ForceMfa: policy.ForceMFA, - PasswordlessType: passwordlessTypeFromDomain(policy.PasswordlessType), - } -} - -func loginPolicyViewFromModel(policy *iam_model.LoginPolicyView) *management.LoginPolicyView { - creationDate, err := ptypes.TimestampProto(policy.CreationDate) - logging.Log("GRPC-5Tsm8").OnError(err).Debug("date parse failed") - - changeDate, err := ptypes.TimestampProto(policy.ChangeDate) - logging.Log("GRPC-8dJgs").OnError(err).Debug("date parse failed") - - return &management.LoginPolicyView{ - Default: policy.Default, - AllowUsernamePassword: policy.AllowUsernamePassword, - AllowExternalIdp: policy.AllowExternalIDP, - AllowRegister: policy.AllowRegister, - CreationDate: creationDate, - ChangeDate: changeDate, - ForceMfa: policy.ForceMFA, - 
PasswordlessType: passwordlessTypeFromModel(policy.PasswordlessType), - } -} - -func idpProviderSearchRequestToModel(request *management.IdpProviderSearchRequest) *iam_model.IDPProviderSearchRequest { - return &iam_model.IDPProviderSearchRequest{ - Limit: request.Limit, - Offset: request.Offset, - } -} - -func idpProviderSearchResponseFromModel(response *iam_model.IDPProviderSearchResponse) *management.IdpProviderSearchResponse { - return &management.IdpProviderSearchResponse{ - Limit: response.Limit, - Offset: response.Offset, - TotalResult: response.TotalResult, - Result: idpProviderViewsFromModel(response.Result), - } -} - -func idpProviderIDToDomain(ctx context.Context, provider *management.IdpProviderID) *domain.IDPProvider { - return &domain.IDPProvider{ - ObjectRoot: models.ObjectRoot{ - AggregateID: authz.GetCtxData(ctx).OrgID, - }, - IDPConfigID: provider.IdpConfigId, - } -} - -func idpProviderAddToDomain(ctx context.Context, provider *management.IdpProviderAdd) *domain.IDPProvider { - return &domain.IDPProvider{ - ObjectRoot: models.ObjectRoot{ - AggregateID: authz.GetCtxData(ctx).OrgID, - }, - IDPConfigID: provider.IdpConfigId, - Type: idpProviderTypeToDomain(provider.IdpProviderType), - } -} - -func idpProviderIDFromModel(provider *iam_model.IDPProvider) *management.IdpProviderID { - return &management.IdpProviderID{ - IdpConfigId: provider.IDPConfigID, - } -} - -func idpProviderFromDomain(provider *domain.IDPProvider) *management.IdpProvider { - return &management.IdpProvider{ - IdpConfigId: provider.IDPConfigID, - IdpProvider_Type: idpProviderTypeFromDomain(provider.Type), - } -} - -func idpProviderViewsFromModel(providers []*iam_model.IDPProviderView) []*management.IdpProviderView { - converted := make([]*management.IdpProviderView, len(providers)) - for i, provider := range providers { - converted[i] = idpProviderViewFromModel(provider) - } - - return converted -} - -func idpProviderViewFromModel(provider *iam_model.IDPProviderView) 
*management.IdpProviderView { - return &management.IdpProviderView{ - IdpConfigId: provider.IDPConfigID, - Name: provider.Name, - Type: idpProviderTypeFromModel(provider.IDPProviderType), - } -} - -func idpConfigTypeToModel(providerType iam_model.IdpConfigType) management.IdpType { - switch providerType { - case iam_model.IDPConfigTypeOIDC: - return management.IdpType_IDPTYPE_OIDC - case iam_model.IDPConfigTypeSAML: - return management.IdpType_IDPTYPE_SAML - default: - return management.IdpType_IDPTYPE_UNSPECIFIED - } -} - -func idpProviderTypeToDomain(providerType management.IdpProviderType) domain.IdentityProviderType { - switch providerType { - case management.IdpProviderType_IDPPROVIDERTYPE_SYSTEM: - return domain.IdentityProviderTypeSystem - case management.IdpProviderType_IDPPROVIDERTYPE_ORG: - return domain.IdentityProviderTypeOrg - default: - return domain.IdentityProviderTypeSystem - } -} - -func idpProviderTypeFromDomain(providerType domain.IdentityProviderType) management.IdpProviderType { - switch providerType { - case domain.IdentityProviderTypeSystem: - return management.IdpProviderType_IDPPROVIDERTYPE_SYSTEM - case domain.IdentityProviderTypeOrg: - return management.IdpProviderType_IDPPROVIDERTYPE_ORG - default: - return management.IdpProviderType_IDPPROVIDERTYPE_UNSPECIFIED - } -} - -func idpProviderTypeFromModel(providerType iam_model.IDPProviderType) management.IdpProviderType { - switch providerType { - case iam_model.IDPProviderTypeSystem: - return management.IdpProviderType_IDPPROVIDERTYPE_SYSTEM - case iam_model.IDPProviderTypeOrg: - return management.IdpProviderType_IDPPROVIDERTYPE_ORG - default: - return management.IdpProviderType_IDPPROVIDERTYPE_UNSPECIFIED - } -} - -func secondFactorResultFromModel(result *iam_model.SecondFactorsSearchResponse) *management.SecondFactorsResult { - converted := make([]management.SecondFactorType, len(result.Result)) - for i, mfaType := range result.Result { - converted[i] = secondFactorTypeFromModel(mfaType) 
- } - return &management.SecondFactorsResult{ - SecondFactors: converted, - } -} - -func secondFactorFromDomain(mfaType domain.SecondFactorType) *management.SecondFactor { - return &management.SecondFactor{ - SecondFactor: secondFactorTypeFromDomain(mfaType), - } -} - -func secondFactorFromModel(mfaType iam_model.SecondFactorType) *management.SecondFactor { - return &management.SecondFactor{ - SecondFactor: secondFactorTypeFromModel(mfaType), - } -} - -func secondFactorTypeFromDomain(mfaType domain.SecondFactorType) management.SecondFactorType { - switch mfaType { - case domain.SecondFactorTypeOTP: - return management.SecondFactorType_SECONDFACTORTYPE_OTP - case domain.SecondFactorTypeU2F: - return management.SecondFactorType_SECONDFACTORTYPE_U2F - default: - return management.SecondFactorType_SECONDFACTORTYPE_UNSPECIFIED - } -} - -func secondFactorTypeFromModel(mfaType iam_model.SecondFactorType) management.SecondFactorType { - switch mfaType { - case iam_model.SecondFactorTypeOTP: - return management.SecondFactorType_SECONDFACTORTYPE_OTP - case iam_model.SecondFactorTypeU2F: - return management.SecondFactorType_SECONDFACTORTYPE_U2F - default: - return management.SecondFactorType_SECONDFACTORTYPE_UNSPECIFIED - } -} - -func secondFactorTypeToDomain(mfaType *management.SecondFactor) domain.SecondFactorType { - switch mfaType.SecondFactor { - case management.SecondFactorType_SECONDFACTORTYPE_OTP: - return domain.SecondFactorTypeOTP - case management.SecondFactorType_SECONDFACTORTYPE_U2F: - return domain.SecondFactorTypeU2F - default: - return domain.SecondFactorTypeUnspecified - } -} - -func multiFactorResultFromModel(result *iam_model.MultiFactorsSearchResponse) *management.MultiFactorsResult { - converted := make([]management.MultiFactorType, len(result.Result)) - for i, mfaType := range result.Result { - converted[i] = multiFactorTypeFromModel(mfaType) - } - return &management.MultiFactorsResult{ - MultiFactors: converted, - } -} - -func 
multiFactorFromDomain(mfaType domain.MultiFactorType) *management.MultiFactor { - return &management.MultiFactor{ - MultiFactor: multiFactorTypeFromDomain(mfaType), - } -} - -func multiFactorTypeFromDomain(mfaType domain.MultiFactorType) management.MultiFactorType { - switch mfaType { - case domain.MultiFactorTypeU2FWithPIN: - return management.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN - default: - return management.MultiFactorType_MULTIFACTORTYPE_UNSPECIFIED - } -} - -func multiFactorTypeFromModel(mfaType iam_model.MultiFactorType) management.MultiFactorType { - switch mfaType { - case iam_model.MultiFactorTypeU2FWithPIN: - return management.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN - default: - return management.MultiFactorType_MULTIFACTORTYPE_UNSPECIFIED - } -} - -func multiFactorTypeToDomain(mfaType *management.MultiFactor) domain.MultiFactorType { - switch mfaType.MultiFactor { - case management.MultiFactorType_MULTIFACTORTYPE_U2F_WITH_PIN: - return domain.MultiFactorTypeU2FWithPIN - default: - return domain.MultiFactorTypeUnspecified - } -} - -func passwordlessTypeFromModel(passwordlessType iam_model.PasswordlessType) management.PasswordlessType { - switch passwordlessType { - case iam_model.PasswordlessTypeAllowed: - return management.PasswordlessType_PASSWORDLESSTYPE_ALLOWED - default: - return management.PasswordlessType_PASSWORDLESSTYPE_NOT_ALLOWED - } -} - -func passwordlessTypeFromDomain(passwordlessType domain.PasswordlessType) management.PasswordlessType { - switch passwordlessType { - case domain.PasswordlessTypeAllowed: - return management.PasswordlessType_PASSWORDLESSTYPE_ALLOWED - default: - return management.PasswordlessType_PASSWORDLESSTYPE_NOT_ALLOWED - } -} - -func passwordlessTypeToDomain(passwordlessType management.PasswordlessType) domain.PasswordlessType { - switch passwordlessType { - case management.PasswordlessType_PASSWORDLESSTYPE_ALLOWED: - return domain.PasswordlessTypeAllowed - default: - return 
domain.PasswordlessTypeNotAllowed - } -} diff --git a/internal/api/grpc/management/mail_template.go b/internal/api/grpc/management/mail_template.go deleted file mode 100644 index 6bed0bbfc4..0000000000 --- a/internal/api/grpc/management/mail_template.go +++ /dev/null @@ -1,46 +0,0 @@ -package management - -import ( - "context" - "github.com/caos/zitadel/internal/api/authz" - - "github.com/caos/zitadel/pkg/grpc/management" - "github.com/golang/protobuf/ptypes/empty" -) - -func (s *Server) GetMailTemplate(ctx context.Context, _ *empty.Empty) (*management.MailTemplateView, error) { - result, err := s.org.GetMailTemplate(ctx) - if err != nil { - return nil, err - } - return mailTemplateViewFromModel(result), nil -} - -func (s *Server) GetDefaultMailTemplate(ctx context.Context, _ *empty.Empty) (*management.MailTemplateView, error) { - result, err := s.org.GetDefaultMailTemplate(ctx) - if err != nil { - return nil, err - } - return mailTemplateViewFromModel(result), nil -} - -func (s *Server) CreateMailTemplate(ctx context.Context, template *management.MailTemplateUpdate) (*management.MailTemplate, error) { - result, err := s.command.AddMailTemplate(ctx, authz.GetCtxData(ctx).OrgID, mailTemplateRequestToDomain(template)) - if err != nil { - return nil, err - } - return mailTemplateFromDomain(result), nil -} - -func (s *Server) UpdateMailTemplate(ctx context.Context, template *management.MailTemplateUpdate) (*management.MailTemplate, error) { - result, err := s.command.ChangeMailTemplate(ctx, authz.GetCtxData(ctx).OrgID, mailTemplateRequestToDomain(template)) - if err != nil { - return nil, err - } - return mailTemplateFromDomain(result), nil -} - -func (s *Server) RemoveMailTemplate(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) { - err := s.command.RemoveMailTemplate(ctx, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} 
diff --git a/internal/api/grpc/management/mail_template_converter.go b/internal/api/grpc/management/mail_template_converter.go deleted file mode 100644 index 7784decebb..0000000000 --- a/internal/api/grpc/management/mail_template_converter.go +++ /dev/null @@ -1,31 +0,0 @@ -package management - -import ( - "github.com/caos/zitadel/internal/domain" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/management" - "google.golang.org/protobuf/types/known/timestamppb" -) - -func mailTemplateRequestToDomain(mailTemplate *management.MailTemplateUpdate) *domain.MailTemplate { - return &domain.MailTemplate{ - Template: mailTemplate.Template, - } -} - -func mailTemplateFromDomain(mailTemplate *domain.MailTemplate) *management.MailTemplate { - return &management.MailTemplate{ - Template: mailTemplate.Template, - CreationDate: timestamppb.New(mailTemplate.CreationDate), - ChangeDate: timestamppb.New(mailTemplate.ChangeDate), - } -} - -func mailTemplateViewFromModel(mailTemplate *iam_model.MailTemplateView) *management.MailTemplateView { - return &management.MailTemplateView{ - Default: mailTemplate.Default, - Template: mailTemplate.Template, - CreationDate: timestamppb.New(mailTemplate.CreationDate), - ChangeDate: timestamppb.New(mailTemplate.ChangeDate), - } -} diff --git a/internal/api/grpc/management/mail_text.go b/internal/api/grpc/management/mail_text.go deleted file mode 100644 index 81d0dba49a..0000000000 --- a/internal/api/grpc/management/mail_text.go +++ /dev/null 
@@ -1,46 +0,0 @@ -package management - -import ( - "context" - "github.com/caos/zitadel/internal/api/authz" - - "github.com/caos/zitadel/pkg/grpc/management" - "github.com/golang/protobuf/ptypes/empty" -) - -func (s *Server) GetMailTexts(ctx context.Context, _ *empty.Empty) (*management.MailTextsView, error) { - result, err := s.org.GetMailTexts(ctx) - if err != nil { - return nil, err - } - return mailTextsViewFromModel(result.Texts), nil -} - -func (s *Server) GetDefaultMailTexts(ctx context.Context, _ *empty.Empty) (*management.MailTextsView, error) { - result, err := s.org.GetDefaultMailTexts(ctx) - if err != nil { - return nil, err - } - return mailTextsViewFromModel(result.Texts), nil -} - -func (s *Server) CreateMailText(ctx context.Context, mailText *management.MailTextUpdate) (*management.MailText, error) { - result, err := s.command.AddMailText(ctx, authz.GetCtxData(ctx).OrgID, mailTextRequestToDomain(mailText)) - if err != nil { - return nil, err - } - return mailTextFromDoamin(result), nil -} - -func (s *Server) UpdateMailText(ctx context.Context, mailText *management.MailTextUpdate) (*management.MailText, error) { - result, err := s.command.ChangeMailText(ctx, authz.GetCtxData(ctx).OrgID, mailTextRequestToDomain(mailText)) - if err != nil { - return nil, err - } - return mailTextFromDoamin(result), nil -} - -func (s *Server) RemoveMailText(ctx context.Context, mailText *management.MailTextRemove) (*empty.Empty, error) { - err := s.command.RemoveMailText(ctx, authz.GetCtxData(ctx).OrgID, mailText.MailTextType, mailText.Language) - return &empty.Empty{}, err -} diff --git a/internal/api/grpc/management/mail_text_converter.go b/internal/api/grpc/management/mail_text_converter.go deleted file mode 100644 index 9ba8a36f44..0000000000 --- a/internal/api/grpc/management/mail_text_converter.go +++ /dev/null 
@@ -1,71 +0,0 @@ -package management - -import ( - "github.com/caos/logging" - "github.com/caos/zitadel/internal/domain" - iam_model "github.com/caos/zitadel/internal/iam/model" - "github.com/caos/zitadel/pkg/grpc/management" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" -) - -func mailTextRequestToDomain(mailText *management.MailTextUpdate) *domain.MailText { - return &domain.MailText{ - MailTextType: mailText.MailTextType, - Language: mailText.Language, - Title: mailText.Title, - PreHeader: mailText.PreHeader, - Subject: mailText.Subject, - Greeting: mailText.Greeting, - Text: mailText.Text, - ButtonText: mailText.ButtonText, - } -} - -func mailTextFromDoamin(mailText *domain.MailText) *management.MailText { - return &management.MailText{ - MailTextType: mailText.MailTextType, - Language: mailText.Language, - Title: mailText.Title, - PreHeader: mailText.PreHeader, - Subject: mailText.Subject, - Greeting: mailText.Greeting, - Text: mailText.Text, - ButtonText: mailText.ButtonText, - CreationDate: timestamppb.New(mailText.CreationDate), - ChangeDate: timestamppb.New(mailText.ChangeDate), - } -} - -func mailTextsViewFromModel(queries []*iam_model.MailTextView) *management.MailTextsView { - modelQueries := make([]*management.MailTextView, len(queries)) - for i, query := range queries { - modelQueries[i] = mailTextViewFromModel(query) - } - - return &management.MailTextsView{ - Texts: modelQueries, - } -} - -func mailTextViewFromModel(mailText *iam_model.MailTextView) *management.MailTextView { - creationDate, err := ptypes.TimestampProto(mailText.CreationDate) - logging.Log("MANAG-koQnB").OnError(err).Debug("date parse failed") - - changeDate, err := ptypes.TimestampProto(mailText.ChangeDate) - logging.Log("MANAG-ToDhD").OnError(err).Debug("date parse failed") - - return &management.MailTextView{ - Default: mailText.Default, - MailTextType: mailText.MailTextType, - Language: mailText.Language, - Title: mailText.Title, - 
PreHeader: mailText.PreHeader, - Subject: mailText.Subject, - Greeting: mailText.Greeting, - Text: mailText.Text, - ButtonText: mailText.ButtonText, - CreationDate: creationDate, - ChangeDate: changeDate, - } -} diff --git a/internal/api/grpc/management/oneof.go b/internal/api/grpc/management/oneof.go new file mode 100644 index 0000000000..3d6a65f0d2 --- /dev/null +++ b/internal/api/grpc/management/oneof.go @@ -0,0 +1,5 @@ +package management + +//AppConfig is a type alias of the generated isApplication_AppConfig config +//to make it public +// type AppConfig = isApplication_AppConfig diff --git a/internal/api/grpc/management/org.go b/internal/api/grpc/management/org.go index 9a38673522..c0d0a7465c 100644 --- a/internal/api/grpc/management/org.go +++ b/internal/api/grpc/management/org.go 
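Review bot: The doc comment in the new oneof.go describes an exported `AppConfig` type alias, but the alias line itself is commented out (`// type AppConfig = isApplication_AppConfig`), so the file declares nothing beyond the package clause. A reader of the comment will look for a type that does not exist. Either drop the file until the alias is needed, or replace the comment with something like `// TODO: export isApplication_AppConfig as AppConfig once <blocking reason>` so that the intent is explicit.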
@@ -3,100 +3,246 @@ package management import ( "context" - "github.com/golang/protobuf/ptypes/empty" - "github.com/caos/zitadel/internal/api/authz" - "github.com/caos/zitadel/pkg/grpc/management" + change_grpc "github.com/caos/zitadel/internal/api/grpc/change" + member_grpc "github.com/caos/zitadel/internal/api/grpc/member" + "github.com/caos/zitadel/internal/api/grpc/object" + org_grpc "github.com/caos/zitadel/internal/api/grpc/org" + policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy" + "github.com/caos/zitadel/internal/domain" + "github.com/caos/zitadel/internal/eventstore/v1/models" + org_model "github.com/caos/zitadel/internal/org/model" + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" ) -func (s *Server) CreateOrg(ctx context.Context, request *management.OrgCreateRequest) (_ *management.Org, err error) { - ctxData := authz.GetCtxData(ctx) - org, err := s.command.AddOrg(ctx, request.Name, ctxData.UserID, ctxData.ResourceOwner) - if err != nil { - return nil, err - } - return orgFromDomain(org), err -} - -func (s *Server) GetMyOrg(ctx context.Context, _ *empty.Empty) (*management.OrgView, error) { +func (s *Server) GetMyOrg(ctx context.Context, req *mgmt_pb.GetMyOrgRequest) (*mgmt_pb.GetMyOrgResponse, error) { org, err := s.org.OrgByID(ctx, authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } - return orgViewFromModel(org), nil + return &mgmt_pb.GetMyOrgResponse{Org: org_grpc.OrgViewToPb(org)}, nil } -func (s *Server) GetOrgByDomainGlobal(ctx context.Context, in *management.Domain) (*management.OrgView, error) { - org, err := s.org.OrgByDomainGlobal(ctx, in.Domain) +func (s *Server) GetOrgByDomainGlobal(ctx context.Context, req *mgmt_pb.GetOrgByDomainGlobalRequest) (*mgmt_pb.GetOrgByDomainGlobalResponse, error) { + org, err := s.org.OrgByDomainGlobal(ctx, req.Domain) if err != nil { return nil, err } - return orgViewFromModel(org), nil + return &mgmt_pb.GetOrgByDomainGlobalResponse{Org: org_grpc.OrgViewToPb(org)}, nil } -func (s 
*Server) DeactivateMyOrg(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) { - err := s.command.DeactivateOrg(ctx, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) ReactivateMyOrg(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) { - err := s.command.ReactivateOrg(ctx, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) SearchMyOrgDomains(ctx context.Context, in *management.OrgDomainSearchRequest) (*management.OrgDomainSearchResponse, error) { - domains, err := s.org.SearchMyOrgDomains(ctx, orgDomainSearchRequestToModel(in)) +func (s *Server) ListOrgChanges(ctx context.Context, req *mgmt_pb.ListOrgChangesRequest) (*mgmt_pb.ListOrgChangesResponse, error) { + response, err := s.org.OrgChanges(ctx, authz.GetCtxData(ctx).OrgID, req.Query.Offset, uint64(req.Query.Limit), req.Query.Asc) if err != nil { return nil, err } - return orgDomainSearchResponseFromModel(domains), nil -} - -func (s *Server) AddMyOrgDomain(ctx context.Context, in *management.AddOrgDomainRequest) (*management.OrgDomain, error) { - domain, err := s.command.AddOrgDomain(ctx, addOrgDomainToDomain(ctx, in)) - if err != nil { - return nil, err - } - return orgDomainFromDomain(domain), nil -} - -func (s *Server) GenerateMyOrgDomainValidation(ctx context.Context, in *management.OrgDomainValidationRequest) (*management.OrgDomainValidationResponse, error) { - token, url, err := s.command.GenerateOrgDomainValidation(ctx, orgDomainValidationToDomain(ctx, in)) - if err != nil { - return nil, err - } - return &management.OrgDomainValidationResponse{ - Token: token, - Url: url, + return &mgmt_pb.ListOrgChangesResponse{ + Result: change_grpc.OrgChangesToPb(response.Changes), }, nil } -func (s *Server) ValidateMyOrgDomain(ctx context.Context, in *management.ValidateOrgDomainRequest) (*empty.Empty, error) { - err := s.command.ValidateOrgDomain(ctx, validateOrgDomainToDomain(ctx, in)) - return &empty.Empty{}, err -} -func (s *Server) 
SetMyPrimaryOrgDomain(ctx context.Context, in *management.PrimaryOrgDomainRequest) (*empty.Empty, error) { - err := s.command.SetPrimaryOrgDomain(ctx, primaryOrgDomainToDomain(ctx, in)) - return &empty.Empty{}, err -} - -func (s *Server) RemoveMyOrgDomain(ctx context.Context, in *management.RemoveOrgDomainRequest) (*empty.Empty, error) { - err := s.command.RemoveOrgDomain(ctx, removeOrgDomainToDomain(ctx, in)) - return &empty.Empty{}, err -} - -func (s *Server) OrgChanges(ctx context.Context, changesRequest *management.ChangeRequest) (*management.Changes, error) { - response, err := s.org.OrgChanges(ctx, changesRequest.Id, changesRequest.SequenceOffset, changesRequest.Limit, changesRequest.Asc) +func (s *Server) AddOrg(ctx context.Context, req *mgmt_pb.AddOrgRequest) (*mgmt_pb.AddOrgResponse, error) { + ctxData := authz.GetCtxData(ctx) + org, err := s.command.AddOrg(ctx, req.Name, ctxData.UserID, ctxData.ResourceOwner) if err != nil { return nil, err } - return orgChangesToResponse(response, changesRequest.GetSequenceOffset(), changesRequest.GetLimit()), nil + return &mgmt_pb.AddOrgResponse{ + Id: org.AggregateID, + Details: object.ToDetailsPb( + org.Sequence, + org.ChangeDate, + org.ResourceOwner, + ), + }, err } -func (s *Server) GetMyOrgIamPolicy(ctx context.Context, _ *empty.Empty) (_ *management.OrgIamPolicyView, err error) { +func (s *Server) DeactivateOrg(ctx context.Context, req *mgmt_pb.DeactivateOrgRequest) (*mgmt_pb.DeactivateOrgResponse, error) { + objectDetails, err := s.command.DeactivateOrg(ctx, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.DeactivateOrgResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) ReactivateOrg(ctx context.Context, req *mgmt_pb.ReactivateOrgRequest) (*mgmt_pb.ReactivateOrgResponse, error) { + objectDetails, err := s.command.ReactivateOrg(ctx, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return 
&mgmt_pb.ReactivateOrgResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, err +} + +func (s *Server) GetOrgIAMPolicy(ctx context.Context, req *mgmt_pb.GetOrgIAMPolicyRequest) (*mgmt_pb.GetOrgIAMPolicyResponse, error) { policy, err := s.org.GetMyOrgIamPolicy(ctx) if err != nil { return nil, err } - return orgIamPolicyViewFromModel(policy), err + return &mgmt_pb.GetOrgIAMPolicyResponse{ + Policy: policy_grpc.OrgIAMPolicyToPb(policy), + }, nil +} + +func (s *Server) ListOrgDomains(ctx context.Context, req *mgmt_pb.ListOrgDomainsRequest) (*mgmt_pb.ListOrgDomainsResponse, error) { + queries, err := ListOrgDomainsRequestToModel(req) + if err != nil { + return nil, err + } + domains, err := s.org.SearchMyOrgDomains(ctx, queries) + if err != nil { + return nil, err + } + return &mgmt_pb.ListOrgDomainsResponse{ + Result: org_grpc.DomainsToPb(domains.Result), + Details: object.ToListDetails( + domains.TotalResult, + domains.Sequence, + domains.Timestamp, + ), + }, nil +} + +func (s *Server) AddOrgDomain(ctx context.Context, req *mgmt_pb.AddOrgDomainRequest) (*mgmt_pb.AddOrgDomainResponse, error) { + domain, err := s.command.AddOrgDomain(ctx, AddOrgDomainRequestToDomain(ctx, req)) + if err != nil { + return nil, err + } + return &mgmt_pb.AddOrgDomainResponse{ + Details: object.ToDetailsPb( + domain.Sequence, + domain.ChangeDate, + domain.ResourceOwner, + ), + }, nil +} + +func (s *Server) RemoveOrgDomain(ctx context.Context, req *mgmt_pb.RemoveOrgDomainRequest) (*mgmt_pb.RemoveOrgDomainResponse, error) { + details, err := s.command.RemoveOrgDomain(ctx, RemoveOrgDomainRequestToDomain(ctx, req)) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveOrgDomainResponse{ + Details: object.DomainToDetailsPb(details), + }, err +} + +func (s *Server) GenerateOrgDomainValidation(ctx context.Context, req *mgmt_pb.GenerateOrgDomainValidationRequest) (*mgmt_pb.GenerateOrgDomainValidationResponse, error) { + token, url, err := 
s.command.GenerateOrgDomainValidation(ctx, GenerateOrgDomainValidationRequestToDomain(ctx, req)) + if err != nil { + return nil, err + } + return &mgmt_pb.GenerateOrgDomainValidationResponse{ + Token: token, + Url: url, + //TODO: remove details from proto + }, nil +} + +func GenerateOrgDomainValidationRequestToDomain(ctx context.Context, req *mgmt_pb.GenerateOrgDomainValidationRequest) *domain.OrgDomain { + return &domain.OrgDomain{ + ObjectRoot: models.ObjectRoot{ + AggregateID: authz.GetCtxData(ctx).OrgID, + }, + Domain: req.Domain, + ValidationType: org_grpc.DomainValidationTypeToDomain(req.Type), + } +} + +func (s *Server) ValidateOrgDomain(ctx context.Context, req *mgmt_pb.ValidateOrgDomainRequest) (*mgmt_pb.ValidateOrgDomainResponse, error) { + details, err := s.command.ValidateOrgDomain(ctx, ValidateOrgDomainRequestToDomain(ctx, req)) + if err != nil { + return nil, err + } + return &mgmt_pb.ValidateOrgDomainResponse{ + Details: object.DomainToDetailsPb(details), + }, nil +} + +func (s *Server) SetPrimaryOrgDomain(ctx context.Context, req *mgmt_pb.SetPrimaryOrgDomainRequest) (*mgmt_pb.SetPrimaryOrgDomainResponse, error) { + details, err := s.command.SetPrimaryOrgDomain(ctx, SetPrimaryOrgDomainRequestToDomain(ctx, req)) + if err != nil { + return nil, err + } + return &mgmt_pb.SetPrimaryOrgDomainResponse{ + Details: object.DomainToDetailsPb(details), + }, nil +} + +func (s *Server) ListOrgMemberRoles(ctx context.Context, req *mgmt_pb.ListOrgMemberRolesRequest) (*mgmt_pb.ListOrgMemberRolesResponse, error) { + roles := s.org.GetOrgMemberRoles() + return &mgmt_pb.ListOrgMemberRolesResponse{ + Result: roles, + }, nil +} + +func (s *Server) ListOrgMembers(ctx context.Context, req *mgmt_pb.ListOrgMembersRequest) (*mgmt_pb.ListOrgMembersResponse, error) { + queries, err := ListOrgMembersRequestToModel(req) + if err != nil { + return nil, err + } + members, err := s.org.SearchMyOrgMembers(ctx, queries) + if err != nil { + return nil, err + } + return 
&mgmt_pb.ListOrgMembersResponse{ + Result: member_grpc.OrgMembersToPb(members.Result), + Details: object.ToListDetails( + members.TotalResult, + members.Sequence, + members.Timestamp, + ), + }, nil +} + +func ListOrgMembersRequestToModel(req *mgmt_pb.ListOrgMembersRequest) (*org_model.OrgMemberSearchRequest, error) { + queries := member_grpc.MemberQueriesToOrgMember(req.Queries) + return &org_model.OrgMemberSearchRequest{ + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + //SortingColumn: //TODO: sorting + Queries: queries, + }, nil +} + +func (s *Server) AddOrgMember(ctx context.Context, req *mgmt_pb.AddOrgMemberRequest) (*mgmt_pb.AddOrgMemberResponse, error) { + addedMember, err := s.command.AddOrgMember(ctx, AddOrgMemberRequestToDomain(ctx, req)) + if err != nil { + return nil, err + } + return &mgmt_pb.AddOrgMemberResponse{ + Details: object.ToDetailsPb( + addedMember.Sequence, + addedMember.ChangeDate, + addedMember.ResourceOwner, + ), + }, nil +} + +func (s *Server) UpdateOrgMember(ctx context.Context, req *mgmt_pb.UpdateOrgMemberRequest) (*mgmt_pb.UpdateOrgMemberResponse, error) { + changedMember, err := s.command.ChangeOrgMember(ctx, UpdateOrgMemberRequestToDomain(ctx, req)) + if err != nil { + return nil, err + } + return &mgmt_pb.UpdateOrgMemberResponse{ + Details: object.ToDetailsPb( + changedMember.Sequence, + changedMember.ChangeDate, + changedMember.ResourceOwner, + ), + }, nil +} + +func (s *Server) RemoveOrgMember(ctx context.Context, req *mgmt_pb.RemoveOrgMemberRequest) (*mgmt_pb.RemoveOrgMemberResponse, error) { + details, err := s.command.RemoveOrgMember(ctx, authz.GetCtxData(ctx).OrgID, req.UserId) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveOrgMemberResponse{ + Details: object.DomainToDetailsPb(details), + }, nil } diff --git a/internal/api/grpc/management/org_converter.go b/internal/api/grpc/management/org_converter.go index 29c698117b..b51b3a5f23 100644 
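Review bot: `ListOrgChanges` and `ListOrgMembersRequestToModel` in org.go read `req.Query.Offset`, `req.Query.Limit` and `req.Query.Asc` by direct field access. If `Query` is a nested message pointer, as generated Go protobuf code normally makes it, a request that omits it dereferences nil and panics in the handler, unless validation elsewhere guarantees the field is set. The generated getters are nil-safe, so I would write `req.GetQuery().GetOffset()`, `uint64(req.GetQuery().GetLimit())` and `req.GetQuery().GetAsc()` in both places. Neither call site caps `Limit` in the visible code, so it is worth confirming that an upper bound is enforced further down. Separately, `AddOrg`, `ReactivateOrg` and `RemoveOrgDomain` return `err` on the success path after the nil check where their siblings return `nil`; returning `nil` there keeps the handlers consistent.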
--- a/internal/api/grpc/management/org_converter.go +++ b/internal/api/grpc/management/org_converter.go 
@@ -2,258 +2,69 @@ package management import ( "context" - "encoding/json" - - "google.golang.org/protobuf/types/known/timestamppb" "github.com/caos/zitadel/internal/api/authz" + org_grpc "github.com/caos/zitadel/internal/api/grpc/org" "github.com/caos/zitadel/internal/domain" "github.com/caos/zitadel/internal/eventstore/v1/models" - iam_model "github.com/caos/zitadel/internal/iam/model" - - "github.com/caos/logging" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/encoding/protojson" - "google.golang.org/protobuf/types/known/structpb" - org_model "github.com/caos/zitadel/internal/org/model" - "github.com/caos/zitadel/pkg/grpc/management" - "github.com/caos/zitadel/pkg/grpc/message" + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" ) -func orgFromDomain(org *domain.Org) *management.Org { - return &management.Org{ - ChangeDate: timestamppb.New(org.ChangeDate), - Id: org.AggregateID, - Name: org.Name, - State: orgStateFromDomain(org.State), +func ListOrgDomainsRequestToModel(req *mgmt_pb.ListOrgDomainsRequest) (*org_model.OrgDomainSearchRequest, error) { + queries, err := org_grpc.DomainQueriesToModel(req.Queries) + if err != nil { + return nil, err } -} - -func orgViewFromModel(org *org_model.OrgView) *management.OrgView { - creationDate, err := ptypes.TimestampProto(org.CreationDate) - logging.Log("GRPC-GTHsZ").OnError(err).Debug("unable to get timestamp from time") - - changeDate, err := ptypes.TimestampProto(org.ChangeDate) - logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time") - - return &management.OrgView{ - ChangeDate: changeDate, - CreationDate: creationDate, - Id: org.ID, - Name: org.Name, - State: orgStateFromModel(org.State), - } -} - -func orgStateFromDomain(state domain.OrgState) management.OrgState { - switch state { - case domain.OrgStateActive: - return management.OrgState_ORGSTATE_ACTIVE - case domain.OrgStateInactive: - return management.OrgState_ORGSTATE_INACTIVE - default: - return 
management.OrgState_ORGSTATE_UNSPECIFIED - } -} - -func orgStateFromModel(state org_model.OrgState) management.OrgState { - switch state { - case org_model.OrgStateActive: - return management.OrgState_ORGSTATE_ACTIVE - case org_model.OrgStateInactive: - return management.OrgState_ORGSTATE_INACTIVE - default: - return management.OrgState_ORGSTATE_UNSPECIFIED - } -} - -func addOrgDomainToDomain(ctx context.Context, orgDomain *management.AddOrgDomainRequest) *domain.OrgDomain { - return &domain.OrgDomain{ - ObjectRoot: models.ObjectRoot{ - AggregateID: authz.GetCtxData(ctx).OrgID, - }, - Domain: orgDomain.Domain, - } -} - -func orgDomainValidationToDomain(ctx context.Context, orgDomain *management.OrgDomainValidationRequest) *domain.OrgDomain { - return &domain.OrgDomain{ - ObjectRoot: models.ObjectRoot{ - AggregateID: authz.GetCtxData(ctx).OrgID, - }, - Domain: orgDomain.Domain, - ValidationType: orgDomainValidationTypeToDomain(orgDomain.Type), - } -} - -func validateOrgDomainToDomain(ctx context.Context, orgDomain *management.ValidateOrgDomainRequest) *domain.OrgDomain { - return &domain.OrgDomain{ - ObjectRoot: models.ObjectRoot{ - AggregateID: authz.GetCtxData(ctx).OrgID, - }, - Domain: orgDomain.Domain, - } -} - -func orgDomainValidationTypeToDomain(validationType management.OrgDomainValidationType) domain.OrgDomainValidationType { - switch validationType { - case management.OrgDomainValidationType_ORGDOMAINVALIDATIONTYPE_HTTP: - return domain.OrgDomainValidationTypeHTTP - case management.OrgDomainValidationType_ORGDOMAINVALIDATIONTYPE_DNS: - return domain.OrgDomainValidationTypeDNS - default: - return domain.OrgDomainValidationTypeUnspecified - } -} - -func orgDomainValidationTypeFromModel(key org_model.OrgDomainValidationType) management.OrgDomainValidationType { - switch key { - case org_model.OrgDomainValidationTypeHTTP: - return management.OrgDomainValidationType_ORGDOMAINVALIDATIONTYPE_HTTP - case org_model.OrgDomainValidationTypeDNS: - return 
management.OrgDomainValidationType_ORGDOMAINVALIDATIONTYPE_DNS - default: - return management.OrgDomainValidationType_ORGDOMAINVALIDATIONTYPE_UNSPECIFIED - } -} - -func primaryOrgDomainToDomain(ctx context.Context, ordDomain *management.PrimaryOrgDomainRequest) *domain.OrgDomain { - return &domain.OrgDomain{ - ObjectRoot: models.ObjectRoot{ - AggregateID: authz.GetCtxData(ctx).OrgID, - }, - Domain: ordDomain.Domain, - } -} - -func removeOrgDomainToDomain(ctx context.Context, ordDomain *management.RemoveOrgDomainRequest) *domain.OrgDomain { - return &domain.OrgDomain{ - ObjectRoot: models.ObjectRoot{ - AggregateID: authz.GetCtxData(ctx).OrgID, - }, - Domain: ordDomain.Domain, - } -} - -func orgDomainFromDomain(orgDomain *domain.OrgDomain) *management.OrgDomain { - return &management.OrgDomain{ - ChangeDate: timestamppb.New(orgDomain.ChangeDate), - OrgId: orgDomain.AggregateID, - Domain: orgDomain.Domain, - Verified: orgDomain.Verified, - Primary: orgDomain.Primary, - } -} - -func orgDomainViewFromModel(domain *org_model.OrgDomainView) *management.OrgDomainView { - creationDate, err := ptypes.TimestampProto(domain.CreationDate) - logging.Log("GRPC-7sjDs").OnError(err).Debug("unable to get timestamp from time") - - changeDate, err := ptypes.TimestampProto(domain.ChangeDate) - logging.Log("GRPC-8iSji").OnError(err).Debug("unable to get timestamp from time") - - return &management.OrgDomainView{ - ChangeDate: changeDate, - CreationDate: creationDate, - OrgId: domain.OrgID, - Domain: domain.Domain, - Verified: domain.Verified, - Primary: domain.Primary, - ValidationType: orgDomainValidationTypeFromModel(domain.ValidationType), - } -} - -func orgDomainSearchRequestToModel(request *management.OrgDomainSearchRequest) *org_model.OrgDomainSearchRequest { return &org_model.OrgDomainSearchRequest{ - Limit: request.Limit, - Offset: request.Offset, - Queries: orgDomainSearchQueriesToModel(request.Queries), + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: 
req.Query.Asc, + //SortingColumn: //TODO: sorting + Queries: queries, + }, nil +} + +func AddOrgDomainRequestToDomain(ctx context.Context, req *mgmt_pb.AddOrgDomainRequest) *domain.OrgDomain { + return &domain.OrgDomain{ + ObjectRoot: models.ObjectRoot{ + AggregateID: authz.GetCtxData(ctx).OrgID, + }, + Domain: req.Domain, } } -func orgDomainSearchQueriesToModel(queries []*management.OrgDomainSearchQuery) []*org_model.OrgDomainSearchQuery { - modelQueries := make([]*org_model.OrgDomainSearchQuery, len(queries)) - - for i, query := range queries { - modelQueries[i] = orgDomainSearchQueryToModel(query) - } - - return modelQueries -} - -func orgDomainSearchQueryToModel(query *management.OrgDomainSearchQuery) *org_model.OrgDomainSearchQuery { - return &org_model.OrgDomainSearchQuery{ - Key: orgDomainSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, +func RemoveOrgDomainRequestToDomain(ctx context.Context, req *mgmt_pb.RemoveOrgDomainRequest) *domain.OrgDomain { + return &domain.OrgDomain{ + ObjectRoot: models.ObjectRoot{ + AggregateID: authz.GetCtxData(ctx).OrgID, + }, + Domain: req.Domain, } } -func orgDomainSearchKeyToModel(key management.OrgDomainSearchKey) org_model.OrgDomainSearchKey { - switch key { - case management.OrgDomainSearchKey_ORGDOMAINSEARCHKEY_DOMAIN: - return org_model.OrgDomainSearchKeyDomain - default: - return org_model.OrgDomainSearchKeyUnspecified +func ValidateOrgDomainRequestToDomain(ctx context.Context, req *mgmt_pb.ValidateOrgDomainRequest) *domain.OrgDomain { + return &domain.OrgDomain{ + ObjectRoot: models.ObjectRoot{ + AggregateID: authz.GetCtxData(ctx).OrgID, + }, + Domain: req.Domain, } } -func orgDomainSearchResponseFromModel(resp *org_model.OrgDomainSearchResponse) *management.OrgDomainSearchResponse { - timestamp, err := ptypes.TimestampProto(resp.Timestamp) - logging.Log("GRPC-Mxi9w").OnError(err).Debug("unable to get timestamp from time") - return &management.OrgDomainSearchResponse{ - 
Limit: resp.Limit, - Offset: resp.Offset, - TotalResult: resp.TotalResult, - Result: orgDomainsFromModel(resp.Result), - ProcessedSequence: resp.Sequence, - ViewTimestamp: timestamp, - } -} -func orgDomainsFromModel(viewDomains []*org_model.OrgDomainView) []*management.OrgDomainView { - domains := make([]*management.OrgDomainView, len(viewDomains)) - - for i, domain := range viewDomains { - domains[i] = orgDomainViewFromModel(domain) - } - - return domains -} - -func orgChangesToResponse(response *org_model.OrgChanges, offset uint64, limit uint64) (_ *management.Changes) { - return &management.Changes{ - Limit: limit, - Offset: offset, - Changes: orgChangesToMgtAPI(response), +func SetPrimaryOrgDomainRequestToDomain(ctx context.Context, req *mgmt_pb.SetPrimaryOrgDomainRequest) *domain.OrgDomain { + return &domain.OrgDomain{ + ObjectRoot: models.ObjectRoot{ + AggregateID: authz.GetCtxData(ctx).OrgID, + }, + Domain: req.Domain, } } -func orgChangesToMgtAPI(changes *org_model.OrgChanges) (_ []*management.Change) { - result := make([]*management.Change, len(changes.Changes)) - - for i, change := range changes.Changes { - b, err := json.Marshal(change.Data) - data := &structpb.Struct{} - err = protojson.Unmarshal(b, data) - if err != nil { - } - result[i] = &management.Change{ - ChangeDate: change.ChangeDate, - EventType: message.NewLocalizedEventType(change.EventType), - Sequence: change.Sequence, - Data: data, - Editor: change.ModifierName, - EditorId: change.ModifierId, - } - } - - return result +func AddOrgMemberRequestToDomain(ctx context.Context, req *mgmt_pb.AddOrgMemberRequest) *domain.Member { + return domain.NewMember(authz.GetCtxData(ctx).OrgID, req.UserId, req.Roles...) 
} -func orgIamPolicyViewFromModel(policy *iam_model.OrgIAMPolicyView) *management.OrgIamPolicyView { - return &management.OrgIamPolicyView{ - UserLoginMustBeDomain: policy.UserLoginMustBeDomain, - Default: policy.Default, - } +func UpdateOrgMemberRequestToDomain(ctx context.Context, req *mgmt_pb.UpdateOrgMemberRequest) *domain.Member { + return domain.NewMember(authz.GetCtxData(ctx).OrgID, req.UserId, req.Roles...) } diff --git a/internal/api/grpc/management/org_member.go b/internal/api/grpc/management/org_member.go deleted file mode 100644 index c4eaef9eba..0000000000 --- a/internal/api/grpc/management/org_member.go +++ /dev/null 
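Review bot: `req.Query` is dereferenced without a nil check in `ListOrgDomainsRequestToModel` (`req.Query.Offset`, `req.Query.Limit`, `req.Query.Asc`). If it is a protobuf message pointer, as the field access suggests, a request that omits the query would panic the handler with a nil dereference, so a client could crash the call by leaving the field out. The generated getters are nil-safe, so `Offset: req.GetQuery().GetOffset(),`, `Limit: uint64(req.GetQuery().GetLimit()),` and `Asc: req.GetQuery().GetAsc(),` avoid this. `ListOrgMembersRequestToModel` in org.go reads `req.Query` the same way. `Limit` is also forwarded with no upper bound visible in this hunk, so it is worth confirming that a cap is applied further down.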
@@ -1,44 +0,0 @@
-package management
-
-import (
- "context"
-
- "github.com/golang/protobuf/ptypes/empty"
-
- "github.com/caos/zitadel/internal/api/authz"
- "github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func (s *Server) GetOrgMemberRoles(ctx context.Context, _ *empty.Empty) (*management.OrgMemberRoles, error) {
- return &management.OrgMemberRoles{Roles: s.org.GetOrgMemberRoles()}, nil
-}
-
-func (s *Server) SearchMyOrgMembers(ctx context.Context, in *management.OrgMemberSearchRequest) (*management.OrgMemberSearchResponse, error) {
- members, err := s.org.SearchMyOrgMembers(ctx, orgMemberSearchRequestToModel(in))
- if err != nil {
- return nil, err
- }
- return orgMemberSearchResponseFromModel(members), nil
-}
-
-func (s *Server) AddMyOrgMember(ctx context.Context, member *management.AddOrgMemberRequest) (*management.OrgMember, error) {
- addedMember, err := s.command.AddOrgMember(ctx, addOrgMemberToDomain(ctx, member))
- if err != nil {
- return nil, err
- }
-
- return orgMemberFromDomain(addedMember), nil
-}
-
-func (s *Server) ChangeMyOrgMember(ctx context.Context, member *management.ChangeOrgMemberRequest) (*management.OrgMember, error) {
- changedMember, err := s.command.ChangeOrgMember(ctx, changeOrgMemberToModel(ctx, member))
- if err != nil {
- return nil, err
- }
- return orgMemberFromDomain(changedMember), nil
-}
-
-func (s *Server) RemoveMyOrgMember(ctx context.Context, member *management.RemoveOrgMemberRequest) (*empty.Empty, error) {
- err := s.command.RemoveOrgMember(ctx, authz.GetCtxData(ctx).OrgID, member.UserId)
- return &empty.Empty{}, err
-}
diff --git a/internal/api/grpc/management/org_member_converter.go b/internal/api/grpc/management/org_member_converter.go
deleted file mode 100644
index 0d85f1ea91..0000000000
--- a/internal/api/grpc/management/org_member_converter.go
+++ /dev/null
@@ -1,133 +0,0 @@
-package management
-
-import (
- "context"
-
- "github.com/caos/logging"
- "github.com/golang/protobuf/ptypes"
- "google.golang.org/protobuf/types/known/timestamppb"
-
- "github.com/caos/zitadel/internal/api/authz"
- "github.com/caos/zitadel/internal/domain"
- org_model "github.com/caos/zitadel/internal/org/model"
- "github.com/caos/zitadel/pkg/grpc/management"
-)
-
-func addOrgMemberToDomain(ctx context.Context, member *management.AddOrgMemberRequest) *domain.Member {
- return domain.NewMember(authz.GetCtxData(ctx).OrgID, member.UserId, member.Roles...)
-}
-
-func changeOrgMemberToModel(ctx context.Context, member *management.ChangeOrgMemberRequest) *domain.Member {
- return domain.NewMember(authz.GetCtxData(ctx).OrgID, member.UserId, member.Roles...)
-}
-
-func orgMemberFromDomain(member *domain.Member) *management.OrgMember {
- return &management.OrgMember{
- UserId: member.UserID,
- ChangeDate: timestamppb.New(member.ChangeDate),
- Roles: member.Roles,
- Sequence: member.Sequence,
- }
-}
-
-func orgMemberSearchRequestToModel(request *management.OrgMemberSearchRequest) *org_model.OrgMemberSearchRequest {
- return &org_model.OrgMemberSearchRequest{
- Limit: request.Limit,
- Offset: request.Offset,
- Queries: orgMemberSearchQueriesToModel(request.Queries),
- }
-}
-
-func orgMemberSearchQueriesToModel(queries []*management.OrgMemberSearchQuery) []*org_model.OrgMemberSearchQuery {
- modelQueries := make([]*org_model.OrgMemberSearchQuery, len(queries)+1)
-
- for i, query := range queries {
- modelQueries[i] = orgMemberSearchQueryToModel(query)
- }
-
- return modelQueries
-}
-
-func orgMemberSearchQueryToModel(query *management.OrgMemberSearchQuery) *org_model.OrgMemberSearchQuery {
- return &org_model.OrgMemberSearchQuery{
- Key: orgMemberSearchKeyToModel(query.Key),
- Method: orgMemberSearchMethodToModel(query.Method),
- Value: query.Value,
- }
-}
-
-func orgMemberSearchKeyToModel(key management.OrgMemberSearchKey) org_model.OrgMemberSearchKey {
- switch key {
- case management.OrgMemberSearchKey_ORGMEMBERSEARCHKEY_EMAIL:
- return org_model.OrgMemberSearchKeyEmail
- case management.OrgMemberSearchKey_ORGMEMBERSEARCHKEY_FIRST_NAME:
- return org_model.OrgMemberSearchKeyFirstName
- case management.OrgMemberSearchKey_ORGMEMBERSEARCHKEY_LAST_NAME:
- return org_model.OrgMemberSearchKeyLastName
- case management.OrgMemberSearchKey_ORGMEMBERSEARCHKEY_USER_ID:
- return org_model.OrgMemberSearchKeyUserID
- default:
- return org_model.OrgMemberSearchKeyUnspecified
- }
-}
-
-func orgMemberSearchMethodToModel(key management.SearchMethod) domain.SearchMethod {
- switch key {
- case management.SearchMethod_SEARCHMETHOD_CONTAINS:
- return domain.SearchMethodContains
- case management.SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE:
- return domain.SearchMethodContainsIgnoreCase
- case management.SearchMethod_SEARCHMETHOD_EQUALS:
- return domain.SearchMethodEquals
- case management.SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE:
- return domain.SearchMethodEqualsIgnoreCase
- case management.SearchMethod_SEARCHMETHOD_STARTS_WITH:
- return domain.SearchMethodStartsWith
- case management.SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE:
- return domain.SearchMethodStartsWithIgnoreCase
- default:
- return -1
- }
-}
-
-func orgMemberSearchResponseFromModel(resp *org_model.OrgMemberSearchResponse) *management.OrgMemberSearchResponse {
- timestamp, err := ptypes.TimestampProto(resp.Timestamp)
- logging.Log("GRPC-Swmr6").OnError(err).Debug("date parse failed")
- return &management.OrgMemberSearchResponse{
- Limit: resp.Limit,
- Offset: resp.Offset,
- TotalResult: resp.TotalResult,
- Result: orgMembersFromView(resp.Result),
- ProcessedSequence: resp.Sequence,
- ViewTimestamp: timestamp,
- }
-}
-func orgMembersFromView(viewMembers []*org_model.OrgMemberView) []*management.OrgMemberView {
- members := make([]*management.OrgMemberView, len(viewMembers))
-
- for i, member := range viewMembers {
- members[i] = orgMemberFromView(member)
- }
-
- return members
-}
-
-func orgMemberFromView(member *org_model.OrgMemberView) *management.OrgMemberView {
- changeDate, err := ptypes.TimestampProto(member.ChangeDate)
- logging.Log("GRPC-S9LAZ").OnError(err).Debug("unable to parse changedate")
- creationDate, err := ptypes.TimestampProto(member.CreationDate)
- logging.Log("GRPC-oJN56").OnError(err).Debug("unable to parse creation date")
-
- return &management.OrgMemberView{
- ChangeDate: changeDate,
- CreationDate: creationDate,
- Roles: member.Roles,
- Sequence: member.Sequence,
- UserId: member.UserID,
- UserName: member.UserName,
- Email: member.Email,
- FirstName: member.FirstName,
- LastName: member.LastName,
- DisplayName: member.DisplayName,
- }
-}
diff --git a/internal/api/grpc/management/password_age_policy.go b/internal/api/grpc/management/password_age_policy.go
deleted file mode 100644
index 1248123237..0000000000
--- a/internal/api/grpc/management/password_age_policy.go
+++ /dev/null
@@ -1,45 +0,0 @@
-package management
-
-import (
- "context"
- "github.com/caos/zitadel/internal/api/authz"
- "github.com/caos/zitadel/pkg/grpc/management"
- "github.com/golang/protobuf/ptypes/empty"
-)
-
-func (s *Server) GetPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordAgePolicyView, error) {
- result, err := s.org.GetPasswordAgePolicy(ctx)
- if err != nil {
- return nil, err
- }
- return passwordAgePolicyViewFromModel(result), nil
-}
-
-func (s *Server) GetDefaultPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordAgePolicyView, error) {
- result, err := s.org.GetDefaultPasswordAgePolicy(ctx)
- if err != nil {
- return nil, err
- }
- return passwordAgePolicyViewFromModel(result), nil
-}
-
-func (s *Server) CreatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyRequest) (*management.PasswordAgePolicy, error) {
- result, err := s.command.AddPasswordAgePolicy(ctx, authz.GetCtxData(ctx).OrgID, passwordAgePolicyRequestToDomain(ctx, policy))
- if err != nil {
- return nil, err
- }
- return passwordAgePolicyFromDomain(result), nil
-}
-
-func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyRequest) (*management.PasswordAgePolicy, error) {
- result, err := s.command.ChangePasswordAgePolicy(ctx, authz.GetCtxData(ctx).OrgID, passwordAgePolicyRequestToDomain(ctx, policy))
- if err != nil {
- return nil, err
- }
- return passwordAgePolicyFromDomain(result), nil
-}
-
-func (s *Server) RemovePasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
- err := s.command.RemovePasswordAgePolicy(ctx, authz.GetCtxData(ctx).OrgID)
- return &empty.Empty{}, err
-}
diff --git a/internal/api/grpc/management/password_age_policy_converter.go b/internal/api/grpc/management/password_age_policy_converter.go
deleted file mode 100644
index 1656a81aa1..0000000000
--- a/internal/api/grpc/management/password_age_policy_converter.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package management
-
-import (
- "context"
-
- "github.com/caos/logging"
- "github.com/caos/zitadel/internal/api/authz"
- "github.com/caos/zitadel/internal/domain"
- "github.com/caos/zitadel/internal/eventstore/v1/models"
- iam_model "github.com/caos/zitadel/internal/iam/model"
- "github.com/caos/zitadel/pkg/grpc/management"
- "github.com/golang/protobuf/ptypes"
- "google.golang.org/protobuf/types/known/timestamppb"
-)
-
-func passwordAgePolicyRequestToDomain(ctx context.Context, policy *management.PasswordAgePolicyRequest) *domain.PasswordAgePolicy {
- return &domain.PasswordAgePolicy{
- ObjectRoot: models.ObjectRoot{
- AggregateID: authz.GetCtxData(ctx).OrgID,
- },
- MaxAgeDays: policy.MaxAgeDays,
- ExpireWarnDays: policy.ExpireWarnDays,
- }
-}
-
-func passwordAgePolicyFromDomain(policy *domain.PasswordAgePolicy) *management.PasswordAgePolicy {
- return &management.PasswordAgePolicy{
- MaxAgeDays: policy.MaxAgeDays,
- ExpireWarnDays: policy.ExpireWarnDays,
- ChangeDate: timestamppb.New(policy.ChangeDate),
- }
-}
-
-func passwordAgePolicyViewFromModel(policy *iam_model.PasswordAgePolicyView) *management.PasswordAgePolicyView {
- creationDate, err := ptypes.TimestampProto(policy.CreationDate)
- logging.Log("GRPC-4Bms9").OnError(err).Debug("date parse failed")
-
- changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
- logging.Log("GRPC-6Hmlo").OnError(err).Debug("date parse failed")
-
- return &management.PasswordAgePolicyView{
- Default: policy.Default,
- MaxAgeDays: policy.MaxAgeDays,
- ExpireWarnDays: policy.ExpireWarnDays,
- ChangeDate: changeDate,
- CreationDate: creationDate,
- }
-}
diff --git a/internal/api/grpc/management/password_complexity_policy.go b/internal/api/grpc/management/password_complexity_policy.go
deleted file mode 100644
index b8888fc779..0000000000
--- a/internal/api/grpc/management/password_complexity_policy.go
+++ /dev/null
@@ -1,45 +0,0 @@
-package management
-
-import (
- "context"
- "github.com/caos/zitadel/internal/api/authz"
- "github.com/caos/zitadel/pkg/grpc/management"
- "github.com/golang/protobuf/ptypes/empty"
-)
-
-func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordComplexityPolicyView, error) {
- result, err := s.org.GetPasswordComplexityPolicy(ctx)
- if err != nil {
- return nil, err
- }
- return passwordComplexityPolicyViewFromModel(result), nil
-}
-
-func (s *Server) GetDefaultPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordComplexityPolicyView, error) {
- result, err := s.org.GetDefaultPasswordComplexityPolicy(ctx)
- if err != nil {
- return nil, err
- }
- return passwordComplexityPolicyViewFromModel(result), nil
-}
-
-func (s *Server) CreatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyRequest) (*management.PasswordComplexityPolicy, error) {
- result, err := s.command.AddPasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID, passwordComplexityPolicyRequestToDomain(ctx, policy))
- if err != nil {
- return nil, err
- }
- return passwordComplexityPolicyFromDomain(result), nil
-}
-
-func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyRequest) (*management.PasswordComplexityPolicy, error) {
- result, err := s.command.ChangePasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID, passwordComplexityPolicyRequestToDomain(ctx, policy))
- if err != nil {
- return nil, err
- }
- return passwordComplexityPolicyFromDomain(result), nil
-}
-
-func (s *Server) RemovePasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
- err := s.command.RemovePasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
- return &empty.Empty{}, err
-}
diff --git a/internal/api/grpc/management/password_complexity_policy_converter.go b/internal/api/grpc/management/password_complexity_policy_converter.go
deleted file mode 100644
index a745d1e386..0000000000
--- a/internal/api/grpc/management/password_complexity_policy_converter.go
+++ /dev/null
@@ -1,57 +0,0 @@
-package management
-
-import (
- "context"
-
- "github.com/caos/logging"
- "github.com/caos/zitadel/internal/api/authz"
- "github.com/caos/zitadel/internal/domain"
- "github.com/caos/zitadel/internal/eventstore/v1/models"
- iam_model "github.com/caos/zitadel/internal/iam/model"
- "github.com/caos/zitadel/pkg/grpc/management"
- "github.com/golang/protobuf/ptypes"
- "google.golang.org/protobuf/types/known/timestamppb"
-)
-
-func passwordComplexityPolicyRequestToDomain(ctx context.Context, policy *management.PasswordComplexityPolicyRequest) *domain.PasswordComplexityPolicy {
- return &domain.PasswordComplexityPolicy{
- ObjectRoot: models.ObjectRoot{
- AggregateID: authz.GetCtxData(ctx).OrgID,
- },
- MinLength: policy.MinLength,
- HasLowercase: policy.HasLowercase,
- HasUppercase: policy.HasUppercase,
- HasSymbol: policy.HasSymbol,
- HasNumber: policy.HasNumber,
- }
-}
-
-func passwordComplexityPolicyFromDomain(policy *domain.PasswordComplexityPolicy) *management.PasswordComplexityPolicy {
- return &management.PasswordComplexityPolicy{
- MinLength: policy.MinLength,
- HasLowercase: policy.HasLowercase,
- HasUppercase: policy.HasUppercase,
- HasSymbol: policy.HasSymbol,
- HasNumber: policy.HasNumber,
- ChangeDate: timestamppb.New(policy.ChangeDate),
- }
-}
-
-func passwordComplexityPolicyViewFromModel(policy *iam_model.PasswordComplexityPolicyView) *management.PasswordComplexityPolicyView {
- creationDate, err := ptypes.TimestampProto(policy.CreationDate)
- logging.Log("GRPC-wmi8f").OnError(err).Debug("date parse failed")
-
- changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
- logging.Log("GRPC-dmOp0").OnError(err).Debug("date parse failed")
-
- return &management.PasswordComplexityPolicyView{
- Default: policy.Default,
- MinLength: policy.MinLength,
- HasLowercase: policy.HasLowercase,
- HasUppercase: policy.HasUppercase,
- HasSymbol: policy.HasSymbol,
- HasNumber: policy.HasNumber,
- CreationDate: changeDate,
- ChangeDate: creationDate,
- }
-}
diff --git a/internal/api/grpc/management/password_lockout_policy.go b/internal/api/grpc/management/password_lockout_policy.go
deleted file mode 100644
index 0e4bb428a0..0000000000
--- a/internal/api/grpc/management/password_lockout_policy.go
+++ /dev/null
@@ -1,45 +0,0 @@
-package management
-
-import (
- "context"
- "github.com/caos/zitadel/internal/api/authz"
- "github.com/caos/zitadel/pkg/grpc/management"
- "github.com/golang/protobuf/ptypes/empty"
-)
-
-func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordLockoutPolicyView, error) {
- result, err := s.org.GetPasswordLockoutPolicy(ctx)
- if err != nil {
- return nil, err
- }
- return passwordLockoutPolicyViewFromModel(result), nil
-}
-
-func (s *Server) GetDefaultPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordLockoutPolicyView, error) {
- result, err := s.org.GetDefaultPasswordLockoutPolicy(ctx)
- if err != nil {
- return nil, err
- }
- return passwordLockoutPolicyViewFromModel(result), nil
-}
-
-func (s *Server) CreatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyRequest) (*management.PasswordLockoutPolicy, error) {
- result, err := s.command.AddPasswordLockoutPolicy(ctx, authz.GetCtxData(ctx).OrgID, passwordLockoutPolicyRequestToDomain(ctx, policy))
- if err != nil {
- return nil, err
- }
- return passwordLockoutPolicyFromDomain(result), nil
-}
-
-func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyRequest) (*management.PasswordLockoutPolicy, error) {
- result, err := s.command.ChangePasswordLockoutPolicy(ctx, authz.GetCtxData(ctx).OrgID, passwordLockoutPolicyRequestToDomain(ctx, policy))
- if err != nil {
- return nil, err
- }
- return passwordLockoutPolicyFromDomain(result), nil
-}
-
-func (s *Server) RemovePasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*empty.Empty, error) {
- err := s.command.RemovePasswordLockoutPolicy(ctx, authz.GetCtxData(ctx).OrgID)
- return &empty.Empty{}, err
-}
diff --git a/internal/api/grpc/management/password_lockout_policy_converter.go b/internal/api/grpc/management/password_lockout_policy_converter.go
deleted file mode 100644
index 2c9c59cf3f..0000000000
--- a/internal/api/grpc/management/password_lockout_policy_converter.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package management
-
-import (
- "context"
-
- "github.com/caos/logging"
- "github.com/caos/zitadel/internal/api/authz"
- "github.com/caos/zitadel/internal/domain"
- "github.com/caos/zitadel/internal/eventstore/v1/models"
- iam_model "github.com/caos/zitadel/internal/iam/model"
- "github.com/caos/zitadel/pkg/grpc/management"
- "github.com/golang/protobuf/ptypes"
- "google.golang.org/protobuf/types/known/timestamppb"
-)
-
-func passwordLockoutPolicyRequestToDomain(ctx context.Context, policy *management.PasswordLockoutPolicyRequest) *domain.PasswordLockoutPolicy {
- return &domain.PasswordLockoutPolicy{
- ObjectRoot: models.ObjectRoot{
- AggregateID: authz.GetCtxData(ctx).OrgID,
- },
- MaxAttempts: policy.MaxAttempts,
- ShowLockOutFailures: policy.ShowLockoutFailure,
- }
-}
-
-func passwordLockoutPolicyFromDomain(policy *domain.PasswordLockoutPolicy) *management.PasswordLockoutPolicy {
- return &management.PasswordLockoutPolicy{
- MaxAttempts: policy.MaxAttempts,
- ShowLockoutFailure: policy.ShowLockOutFailures,
- ChangeDate: timestamppb.New(policy.ChangeDate),
- }
-}
-
-func passwordLockoutPolicyViewFromModel(policy *iam_model.PasswordLockoutPolicyView) *management.PasswordLockoutPolicyView {
- creationDate, err := ptypes.TimestampProto(policy.CreationDate)
- logging.Log("GRPC-4Bms9").OnError(err).Debug("date parse failed")
-
- changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
- logging.Log("GRPC-6Hmlo").OnError(err).Debug("date parse failed")
-
- return &management.PasswordLockoutPolicyView{
- Default: policy.Default,
- MaxAttempts: policy.MaxAttempts,
- ShowLockoutFailure: policy.ShowLockOutFailures,
- ChangeDate: changeDate,
- CreationDate: creationDate,
- }
-}
diff --git a/internal/api/grpc/management/policy_login.go b/internal/api/grpc/management/policy_login.go
new file mode 100644
index 0000000000..908583ce06
--- /dev/null
+++ b/internal/api/grpc/management/policy_login.go
@@ -0,0 +1,171 @@ +package management + +import ( + "context" + "github.com/caos/zitadel/internal/api/authz" + "github.com/caos/zitadel/internal/api/grpc/idp" + "github.com/caos/zitadel/internal/api/grpc/object" + policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy" + "github.com/caos/zitadel/internal/api/grpc/user" + "github.com/caos/zitadel/internal/domain" + "time" + + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" +) + +func (s *Server) GetLoginPolicy(ctx context.Context, req *mgmt_pb.GetLoginPolicyRequest) (*mgmt_pb.GetLoginPolicyResponse, error) { + policy, err := s.org.GetLoginPolicy(ctx) + if err != nil { + return nil, err + } + return &mgmt_pb.GetLoginPolicyResponse{Policy: policy_grpc.ModelLoginPolicyToPb(policy)}, nil +} + +func (s *Server) GetDefaultLoginPolicy(ctx context.Context, req *mgmt_pb.GetDefaultLoginPolicyRequest) (*mgmt_pb.GetDefaultLoginPolicyResponse, error) { + policy, err := s.org.GetDefaultLoginPolicy(ctx) + if err != nil { + return nil, err + } + return &mgmt_pb.GetDefaultLoginPolicyResponse{Policy: policy_grpc.ModelLoginPolicyToPb(policy)}, nil +} + +func (s *Server) AddCustomLoginPolicy(ctx context.Context, req *mgmt_pb.AddCustomLoginPolicyRequest) (*mgmt_pb.AddCustomLoginPolicyResponse, error) { + policy, err := s.command.AddLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, addLoginPolicyToDomain(req)) + if err != nil { + return nil, err + } + return &mgmt_pb.AddCustomLoginPolicyResponse{ + Details: object.ToDetailsPb( + policy.Sequence, + policy.ChangeDate, + policy.ResourceOwner, + ), + }, nil +} + +func (s *Server) UpdateCustomLoginPolicy(ctx context.Context, req *mgmt_pb.UpdateCustomLoginPolicyRequest) (*mgmt_pb.UpdateCustomLoginPolicyResponse, error) { + policy, err := s.command.ChangeLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, updateLoginPolicyToDomain(req)) + if err != nil { + return nil, err + } + return &mgmt_pb.UpdateCustomLoginPolicyResponse{ + Details: object.ToDetailsPb( + policy.Sequence, + 
policy.ChangeDate, + policy.ResourceOwner, + ), + }, nil +} + +func (s *Server) ResetLoginPolicyToDefault(ctx context.Context, req *mgmt_pb.ResetLoginPolicyToDefaultRequest) (*mgmt_pb.ResetLoginPolicyToDefaultResponse, error) { + objectDetails, err := s.command.RemoveLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.ResetLoginPolicyToDefaultResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) ListLoginPolicyIDPs(ctx context.Context, req *mgmt_pb.ListLoginPolicyIDPsRequest) (*mgmt_pb.ListLoginPolicyIDPsResponse, error) { + res, err := s.org.SearchIDPProviders(ctx, ListLoginPolicyIDPsRequestToModel(req)) + if err != nil { + return nil, err + } + return &mgmt_pb.ListLoginPolicyIDPsResponse{ + Result: idp.ExternalIDPViewsToLoginPolicyLinkPb(res.Result), + Details: object.ToListDetails(res.TotalResult, res.Sequence, res.Timestamp), + }, nil +} + +func (s *Server) AddIDPToLoginPolicy(ctx context.Context, req *mgmt_pb.AddIDPToLoginPolicyRequest) (*mgmt_pb.AddIDPToLoginPolicyResponse, error) { + idp, err := s.command.AddIDPProviderToLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, &domain.IDPProvider{IDPConfigID: req.IdpId}) //TODO: old way was to also add type but this doesnt make sense in my point of view + if err != nil { + return nil, err + } + return &mgmt_pb.AddIDPToLoginPolicyResponse{ + Details: object.ToDetailsPb( + idp.Sequence, + idp.ChangeDate, + idp.ResourceOwner, + ), + }, nil +} + +func (s *Server) RemoveIDPFromLoginPolicy(ctx context.Context, req *mgmt_pb.RemoveIDPFromLoginPolicyRequest) (*mgmt_pb.RemoveIDPFromLoginPolicyResponse, error) { + externalIDPs, err := s.user.ExternalIDPsByIDPConfigID(ctx, req.IdpId) + if err != nil { + return nil, err + } + objectDetails, err := s.command.RemoveIDPProviderFromLoginPolicy(ctx, authz.GetCtxData(ctx).OrgID, &domain.IDPProvider{IDPConfigID: req.IdpId}, user.ExternalIDPViewsToExternalIDPs(externalIDPs)...) 
+ if err != nil { + return nil, err + } + return &mgmt_pb.RemoveIDPFromLoginPolicyResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) ListLoginPolicySecondFactors(ctx context.Context, req *mgmt_pb.ListLoginPolicySecondFactorsRequest) (*mgmt_pb.ListLoginPolicySecondFactorsResponse, error) { + result, err := s.org.SearchSecondFactors(ctx) + if err != nil { + return nil, err + } + return &mgmt_pb.ListLoginPolicySecondFactorsResponse{ + //TODO: missing values from res + Details: object.ToListDetails(result.TotalResult, 0, time.Time{}), + Result: policy_grpc.ModelSecondFactorTypesToPb(result.Result), + }, nil +} + +func (s *Server) AddSecondFactorToLoginPolicy(ctx context.Context, req *mgmt_pb.AddSecondFactorToLoginPolicyRequest) (*mgmt_pb.AddSecondFactorToLoginPolicyResponse, error) { + _, objectDetails, err := s.command.AddSecondFactorToDefaultLoginPolicy(ctx, policy_grpc.SecondFactorTypeToDomain(req.Type)) + if err != nil { + return nil, err + } + return &mgmt_pb.AddSecondFactorToLoginPolicyResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) RemoveSecondFactorFromLoginPolicy(ctx context.Context, req *mgmt_pb.RemoveSecondFactorFromLoginPolicyRequest) (*mgmt_pb.RemoveSecondFactorFromLoginPolicyResponse, error) { + objectDetails, err := s.command.RemoveSecondFactorFromDefaultLoginPolicy(ctx, policy_grpc.SecondFactorTypeToDomain(req.Type)) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveSecondFactorFromLoginPolicyResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) ListLoginPolicyMultiFactors(ctx context.Context, req *mgmt_pb.ListLoginPolicyMultiFactorsRequest) (*mgmt_pb.ListLoginPolicyMultiFactorsResponse, error) { + res, err := s.org.SearchMultiFactors(ctx) + if err != nil { + return nil, err + } + return &mgmt_pb.ListLoginPolicyMultiFactorsResponse{ + //TODO: additional values + Details: object.ToListDetails(res.TotalResult, 0, 
time.Time{}), + Result: policy_grpc.ModelMultiFactorTypesToPb(res.Result), + }, nil +} + +func (s *Server) AddMultiFactorToLoginPolicy(ctx context.Context, req *mgmt_pb.AddMultiFactorToLoginPolicyRequest) (*mgmt_pb.AddMultiFactorToLoginPolicyResponse, error) { + _, objectDetails, err := s.command.AddMultiFactorToDefaultLoginPolicy(ctx, policy_grpc.MultiFactorTypeToDomain(req.Type)) + if err != nil { + return nil, err + } + return &mgmt_pb.AddMultiFactorToLoginPolicyResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) RemoveMultiFactorFromLoginPolicy(ctx context.Context, req *mgmt_pb.RemoveMultiFactorFromLoginPolicyRequest) (*mgmt_pb.RemoveMultiFactorFromLoginPolicyResponse, error) { + objectDetails, err := s.command.RemoveMultiFactorFromDefaultLoginPolicy(ctx, policy_grpc.MultiFactorTypeToDomain(req.Type)) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveMultiFactorFromLoginPolicyResponse{ + Details: object.DomainToDetailsPb(objectDetails), + }, nil +} diff --git a/internal/api/grpc/management/policy_login_converter.go b/internal/api/grpc/management/policy_login_converter.go new file mode 100644 index 0000000000..e0386d9af4 --- /dev/null +++ b/internal/api/grpc/management/policy_login_converter.go 
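Review bot: `AddSecondFactorToLoginPolicy`, `RemoveSecondFactorFromLoginPolicy`, `AddMultiFactorToLoginPolicy` and `RemoveMultiFactorFromLoginPolicy` call the `...DefaultLoginPolicy` commands and never pass `authz.GetCtxData(ctx).OrgID`, unlike every other write handler in this file. As written, a caller of the org-level management API appears to change the factor set of the instance-wide default policy rather than its own org's policy, which crosses the tenant boundary; the command signatures are outside this diff, so confirm. Each handler should call an org-scoped command with the org id, for example `s.command.AddSecondFactorToLoginPolicy(ctx, policy_grpc.SecondFactorTypeToDomain(req.Type), authz.GetCtxData(ctx).OrgID)`; the name and parameter order there are assumed and need checking against the command package. The two list handlers also return `0` and `time.Time{}` in `Details`, which the existing TODOs already mark.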
@@ -0,0 +1,38 @@
+package management
+
+import (
+ policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/internal/iam/model"
+ mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func addLoginPolicyToDomain(p *mgmt_pb.AddCustomLoginPolicyRequest) *domain.LoginPolicy {
+ return &domain.LoginPolicy{
+ AllowUsernamePassword: p.AllowUsernamePassword,
+ AllowRegister: p.AllowRegister,
+ AllowExternalIDP: p.AllowExternalIdp,
+ ForceMFA: p.ForceMfa,
+ PasswordlessType: policy_grpc.PasswordlessTypeToDomain(p.PasswordlessType),
+ }
+}
+
+func updateLoginPolicyToDomain(p *mgmt_pb.UpdateCustomLoginPolicyRequest) *domain.LoginPolicy {
+ return &domain.LoginPolicy{
+ AllowUsernamePassword: p.AllowUsernamePassword,
+ AllowRegister: p.AllowRegister,
+ AllowExternalIDP: p.AllowExternalIdp,
+ ForceMFA: p.ForceMfa,
+ PasswordlessType: policy_grpc.PasswordlessTypeToDomain(p.PasswordlessType),
+ }
+}
+
+func ListLoginPolicyIDPsRequestToModel(req *mgmt_pb.ListLoginPolicyIDPsRequest) *model.IDPProviderSearchRequest {
+ return &model.IDPProviderSearchRequest{
+ Offset: req.Query.Offset,
+ Limit: uint64(req.Query.Limit),
+ Asc: req.Query.Asc,
+ // SortingColumn: model.IDPProviderSearchKey, //TODO: not in proto
+ // Queries: []*model.IDPProviderSearchQuery, //TODO: not in proto
+ }
+}
diff --git a/internal/api/grpc/management/policy_password_age.go b/internal/api/grpc/management/policy_password_age.go
new file mode 100644
index 0000000000..2dec9e5c9c
--- /dev/null
+++ b/internal/api/grpc/management/policy_password_age.go
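Review bot: `ListLoginPolicyIDPsRequestToModel` reads `req.Query.Offset`, `req.Query.Limit` and `req.Query.Asc` directly, so a request that omits the query message would dereference nil if `Query` is a pointer field, as generated protobuf message fields normally are. A client-triggered panic in a handler is an availability problem unless a recovery interceptor is installed, which this diff does not show. The generated getters are nil-safe: `Offset: req.GetQuery().GetOffset()`, `Limit: uint64(req.GetQuery().GetLimit())`, `Asc: req.GetQuery().GetAsc()`. `ListProjectChanges` in project.go and `ListAppChanges` in project_application.go read `req.Query` the same way, and none of the three puts an upper bound on `Limit`.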
@@ -0,0 +1,67 @@
+package management
+
+import (
+ "context"
+ "github.com/caos/zitadel/internal/api/authz"
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
+ mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetPasswordAgePolicy(ctx context.Context, req *mgmt_pb.GetPasswordAgePolicyRequest) (*mgmt_pb.GetPasswordAgePolicyResponse, error) {
+ policy, err := s.org.GetPasswordAgePolicy(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.GetPasswordAgePolicyResponse{
+ Policy: policy_grpc.ModelPasswordAgePolicyToPb(policy),
+ }, nil
+}
+
+func (s *Server) GetDefaultPasswordAgePolicy(ctx context.Context, req *mgmt_pb.GetDefaultPasswordAgePolicyRequest) (*mgmt_pb.GetDefaultPasswordAgePolicyResponse, error) {
+ policy, err := s.org.GetDefaultPasswordAgePolicy(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.GetDefaultPasswordAgePolicyResponse{
+ Policy: policy_grpc.ModelPasswordAgePolicyToPb(policy),
+ }, nil
+}
+
+func (s *Server) AddCustomPasswordAgePolicy(ctx context.Context, req *mgmt_pb.AddCustomPasswordAgePolicyRequest) (*mgmt_pb.AddCustomPasswordAgePolicyResponse, error) {
+ result, err := s.command.AddPasswordAgePolicy(ctx, authz.GetCtxData(ctx).OrgID, AddPasswordAgePolicyToDomain(req))
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.AddCustomPasswordAgePolicyResponse{
+ Details: object.ToDetailsPb(
+ result.Sequence,
+ result.ChangeDate,
+ result.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) UpdateCustomPasswordAgePolicy(ctx context.Context, req *mgmt_pb.UpdateCustomPasswordAgePolicyRequest) (*mgmt_pb.UpdateCustomPasswordAgePolicyResponse, error) {
+ result, err := s.command.ChangePasswordAgePolicy(ctx, authz.GetCtxData(ctx).OrgID, UpdatePasswordAgePolicyToDomain(req))
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.UpdateCustomPasswordAgePolicyResponse{
+ Details: object.ToDetailsPb(
+ result.Sequence,
+ result.ChangeDate,
+ result.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) ResetPasswordAgePolicyToDefault(ctx context.Context, req *mgmt_pb.ResetPasswordAgePolicyToDefaultRequest) (*mgmt_pb.ResetPasswordAgePolicyToDefaultResponse, error) {
+ objectDetails, err := s.command.RemovePasswordAgePolicy(ctx, authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.ResetPasswordAgePolicyToDefaultResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
diff --git a/internal/api/grpc/management/policy_password_age_converter.go b/internal/api/grpc/management/policy_password_age_converter.go
new file mode 100644
index 0000000000..83aba7e832
--- /dev/null
+++ b/internal/api/grpc/management/policy_password_age_converter.go
@@ -0,0 +1,20 @@
+package management
+
+import (
+ "github.com/caos/zitadel/internal/domain"
+ mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func AddPasswordAgePolicyToDomain(policy *mgmt_pb.AddCustomPasswordAgePolicyRequest) *domain.PasswordAgePolicy {
+ return &domain.PasswordAgePolicy{
+ MaxAgeDays: uint64(policy.MaxAgeDays),
+ ExpireWarnDays: uint64(policy.ExpireWarnDays),
+ }
+}
+
+func UpdatePasswordAgePolicyToDomain(policy *mgmt_pb.UpdateCustomPasswordAgePolicyRequest) *domain.PasswordAgePolicy {
+ return &domain.PasswordAgePolicy{
+ MaxAgeDays: uint64(policy.MaxAgeDays),
+ ExpireWarnDays: uint64(policy.ExpireWarnDays),
+ }
+}
diff --git a/internal/api/grpc/management/policy_password_complexity.go b/internal/api/grpc/management/policy_password_complexity.go
new file mode 100644
index 0000000000..7158d8e857
--- /dev/null
+++ b/internal/api/grpc/management/policy_password_complexity.go
@@ -0,0 +1,63 @@
+package management
+
+import (
+ "context"
+ "github.com/caos/zitadel/internal/api/authz"
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
+ mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, req *mgmt_pb.GetPasswordComplexityPolicyRequest) (*mgmt_pb.GetPasswordComplexityPolicyResponse, error) {
+ policy, err := s.org.GetPasswordComplexityPolicy(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.GetPasswordComplexityPolicyResponse{Policy: policy_grpc.ModelPasswordComplexityPolicyToPb(policy)}, nil
+}
+
+func (s *Server) GetDefaultPasswordComplexityPolicy(ctx context.Context, req *mgmt_pb.GetDefaultPasswordComplexityPolicyRequest) (*mgmt_pb.GetDefaultPasswordComplexityPolicyResponse, error) {
+ policy, err := s.org.GetDefaultPasswordComplexityPolicy(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.GetDefaultPasswordComplexityPolicyResponse{Policy: policy_grpc.ModelPasswordComplexityPolicyToPb(policy)}, nil
+}
+
+func (s *Server) AddCustomPasswordComplexityPolicy(ctx context.Context, req *mgmt_pb.AddCustomPasswordComplexityPolicyRequest) (*mgmt_pb.AddCustomPasswordComplexityPolicyResponse, error) {
+ result, err := s.command.AddPasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID, AddPasswordComplexityPolicyToDomain(req))
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.AddCustomPasswordComplexityPolicyResponse{
+ Details: object.ToDetailsPb(
+ result.Sequence,
+ result.ChangeDate,
+ result.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) UpdateCustomPasswordComplexityPolicy(ctx context.Context, req *mgmt_pb.UpdateCustomPasswordComplexityPolicyRequest) (*mgmt_pb.UpdateCustomPasswordComplexityPolicyResponse, error) {
+ result, err := s.command.ChangePasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID, UpdatePasswordComplexityPolicyToDomain(req))
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.UpdateCustomPasswordComplexityPolicyResponse{
+ Details: object.ToDetailsPb(
+ result.Sequence,
+ result.ChangeDate,
+ result.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) ResetPasswordComplexityPolicyToDefault(ctx context.Context, req *mgmt_pb.ResetPasswordComplexityPolicyToDefaultRequest) (*mgmt_pb.ResetPasswordComplexityPolicyToDefaultResponse, error) {
+ objectDetails, err := s.command.RemovePasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.ResetPasswordComplexityPolicyToDefaultResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
diff --git a/internal/api/grpc/management/policy_password_complexity_converter.go b/internal/api/grpc/management/policy_password_complexity_converter.go
new file mode 100644
index 0000000000..de78c1f9a5
--- /dev/null
+++ b/internal/api/grpc/management/policy_password_complexity_converter.go
@@ -0,0 +1,26 @@
+package management
+
+import (
+ "github.com/caos/zitadel/internal/domain"
+ mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func AddPasswordComplexityPolicyToDomain(req *mgmt_pb.AddCustomPasswordComplexityPolicyRequest) *domain.PasswordComplexityPolicy {
+ return &domain.PasswordComplexityPolicy{
+ MinLength: req.MinLength,
+ HasLowercase: req.HasLowercase,
+ HasUppercase: req.HasUppercase,
+ HasNumber: req.HasNumber,
+ HasSymbol: req.HasSymbol,
+ }
+}
+
+func UpdatePasswordComplexityPolicyToDomain(req *mgmt_pb.UpdateCustomPasswordComplexityPolicyRequest) *domain.PasswordComplexityPolicy {
+ return &domain.PasswordComplexityPolicy{
+ MinLength: req.MinLength,
+ HasLowercase: req.HasLowercase,
+ HasUppercase: req.HasUppercase,
+ HasNumber: req.HasNumber,
+ HasSymbol: req.HasSymbol,
+ }
+}
diff --git a/internal/api/grpc/management/policy_password_lockout.go b/internal/api/grpc/management/policy_password_lockout.go
new file mode 100644
index 0000000000..5311a7d23b
--- /dev/null
+++ b/internal/api/grpc/management/policy_password_lockout.go
@@ -0,0 +1,63 @@
+package management
+
+import (
+ "context"
+ "github.com/caos/zitadel/internal/api/authz"
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ policy_grpc "github.com/caos/zitadel/internal/api/grpc/policy"
+ mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, req *mgmt_pb.GetPasswordLockoutPolicyRequest) (*mgmt_pb.GetPasswordLockoutPolicyResponse, error) {
+ policy, err := s.org.GetPasswordLockoutPolicy(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.GetPasswordLockoutPolicyResponse{Policy: policy_grpc.ModelPasswordLockoutPolicyToPb(policy)}, nil
+}
+
+func (s *Server) GetDefaultPasswordLockoutPolicy(ctx context.Context, req *mgmt_pb.GetDefaultPasswordLockoutPolicyRequest) (*mgmt_pb.GetDefaultPasswordLockoutPolicyResponse, error) {
+ policy, err := s.org.GetDefaultPasswordLockoutPolicy(ctx)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.GetDefaultPasswordLockoutPolicyResponse{Policy: policy_grpc.ModelPasswordLockoutPolicyToPb(policy)}, nil
+}
+
+func (s *Server) AddCustomPasswordLockoutPolicy(ctx context.Context, req *mgmt_pb.AddCustomPasswordLockoutPolicyRequest) (*mgmt_pb.AddCustomPasswordLockoutPolicyResponse, error) {
+ policy, err := s.command.AddPasswordLockoutPolicy(ctx, authz.GetCtxData(ctx).OrgID, AddPasswordLockoutPolicyToDomain(req))
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.AddCustomPasswordLockoutPolicyResponse{
+ Details: object.ToDetailsPb(
+ policy.Sequence,
+ policy.ChangeDate,
+ policy.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) UpdateCustomPasswordLockoutPolicy(ctx context.Context, req *mgmt_pb.UpdateCustomPasswordLockoutPolicyRequest) (*mgmt_pb.UpdateCustomPasswordLockoutPolicyResponse, error) {
+ policy, err := s.command.ChangePasswordLockoutPolicy(ctx, authz.GetCtxData(ctx).OrgID, UpdatePasswordLockoutPolicyToDomain(req))
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.UpdateCustomPasswordLockoutPolicyResponse{
+ Details: object.ToDetailsPb(
+ policy.Sequence,
+ policy.ChangeDate,
+ policy.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) ResetPasswordLockoutPolicyToDefault(ctx context.Context, req *mgmt_pb.ResetPasswordLockoutPolicyToDefaultRequest) (*mgmt_pb.ResetPasswordLockoutPolicyToDefaultResponse, error) {
+ objectDetails, err := s.command.RemovePasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.ResetPasswordLockoutPolicyToDefaultResponse{
+ Details: object.DomainToDetailsPb(objectDetails),
+ }, nil
+}
diff --git a/internal/api/grpc/management/policy_password_lockout_converter.go b/internal/api/grpc/management/policy_password_lockout_converter.go
new file mode 100644
index 0000000000..1b9960e7f5
--- /dev/null
+++ b/internal/api/grpc/management/policy_password_lockout_converter.go
@@ -0,0 +1,20 @@
+package management
+
+import (
+ "github.com/caos/zitadel/internal/domain"
+ mgmt "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func AddPasswordLockoutPolicyToDomain(p *mgmt.AddCustomPasswordLockoutPolicyRequest) *domain.PasswordLockoutPolicy {
+ return &domain.PasswordLockoutPolicy{
+ MaxAttempts: uint64(p.MaxAttempts),
+ ShowLockOutFailures: p.ShowLockoutFailure,
+ }
+}
+
+func UpdatePasswordLockoutPolicyToDomain(p *mgmt.UpdateCustomPasswordLockoutPolicyRequest) *domain.PasswordLockoutPolicy {
+ return &domain.PasswordLockoutPolicy{
+ MaxAttempts: uint64(p.MaxAttempts),
+ ShowLockOutFailures: p.ShowLockoutFailure,
+ }
+}
diff --git a/internal/api/grpc/management/probes.go b/internal/api/grpc/management/probes.go
deleted file mode 100644
index f5217f2300..0000000000
--- a/internal/api/grpc/management/probes.go
+++ /dev/null
@@ -1,10 +0,0 @@
-package management
-
-import (
- "context"
- "github.com/golang/protobuf/ptypes/empty"
-)
-
-func (s *Server) Healthz(_ context.Context, e *empty.Empty) (*empty.Empty, error) {
- return &empty.Empty{}, nil
-}
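Review bot: `ResetPasswordLockoutPolicyToDefault` in policy_password_lockout.go calls `s.command.RemovePasswordComplexityPolicy`, which looks like a copy-paste from policy_password_complexity.go. Resetting the lockout policy would then remove the org's custom password complexity policy and leave the custom lockout policy in place, while the response still reports success. The call should target the lockout command, presumably `objectDetails, err := s.command.RemovePasswordLockoutPolicy(ctx, authz.GetCtxData(ctx).OrgID)`; the command package is outside this diff, so confirm the name. A handler test that asserts which command each Reset endpoint invokes would catch this class of mistake.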
diff --git a/internal/api/grpc/management/project.go b/internal/api/grpc/management/project.go index 9287beb484..f17a60d552 100644 --- a/internal/api/grpc/management/project.go +++ b/internal/api/grpc/management/project.go 
@@ -2,131 +2,283 @@ package management import ( "context" - "github.com/golang/protobuf/ptypes/empty" "github.com/caos/zitadel/internal/api/authz" - grpc_util "github.com/caos/zitadel/internal/api/grpc" - "github.com/caos/zitadel/internal/api/http" - "github.com/caos/zitadel/pkg/grpc/management" + change_grpc "github.com/caos/zitadel/internal/api/grpc/change" + member_grpc "github.com/caos/zitadel/internal/api/grpc/member" + object_grpc "github.com/caos/zitadel/internal/api/grpc/object" + project_grpc "github.com/caos/zitadel/internal/api/grpc/project" + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" ) -func (s *Server) CreateProject(ctx context.Context, in *management.ProjectCreateRequest) (*management.Project, error) { +func (s *Server) GetProjectByID(ctx context.Context, req *mgmt_pb.GetProjectByIDRequest) (*mgmt_pb.GetProjectByIDResponse, error) { + project, err := s.project.ProjectByID(ctx, req.Id) + if err != nil { + return nil, err + } + return &mgmt_pb.GetProjectByIDResponse{ + Project: project_grpc.ProjectToPb(project), + }, nil +} + +func (s *Server) GetGrantedProjectByID(ctx context.Context, req *mgmt_pb.GetGrantedProjectByIDRequest) (*mgmt_pb.GetGrantedProjectByIDResponse, error) { + project, err := s.project.ProjectGrantViewByID(ctx, req.GrantId) + if err != nil { + return nil, err + } + return &mgmt_pb.GetGrantedProjectByIDResponse{ + GrantedProject: project_grpc.GrantedProjectToPb(project), + }, nil +} + +func (s *Server) ListProjects(ctx context.Context, req *mgmt_pb.ListProjectsRequest) (*mgmt_pb.ListProjectsResponse, error) { + queries, err := ListProjectsRequestToModel(req) + if err != nil { + return nil, err + } + domains, err := s.project.SearchProjects(ctx, queries) + if err != nil { + return nil, err + } + return &mgmt_pb.ListProjectsResponse{ + Result: project_grpc.ProjectsToPb(domains.Result), + Details: object_grpc.ToListDetails( + domains.TotalResult, + domains.Sequence, + domains.Timestamp, + ), + }, nil +} + +func (s *Server) 
ListGrantedProjects(ctx context.Context, req *mgmt_pb.ListGrantedProjectsRequest) (*mgmt_pb.ListGrantedProjectsResponse, error) { + queries, err := ListGrantedProjectsRequestToModel(req) + if err != nil { + return nil, err + } + domains, err := s.project.SearchGrantedProjects(ctx, queries) + if err != nil { + return nil, err + } + return &mgmt_pb.ListGrantedProjectsResponse{ + Result: project_grpc.GrantedProjectsToPb(domains.Result), + Details: object_grpc.ToListDetails( + domains.TotalResult, + domains.Sequence, + domains.Timestamp, + ), + }, nil +} + +func (s *Server) ListProjectChanges(ctx context.Context, req *mgmt_pb.ListProjectChangesRequest) (*mgmt_pb.ListProjectChangesResponse, error) { + res, err := s.project.ProjectChanges(ctx, req.ProjectId, req.Query.Offset, uint64(req.Query.Limit), req.Query.Asc) + if err != nil { + return nil, err + } + return &mgmt_pb.ListProjectChangesResponse{ + Result: change_grpc.ProjectChangesToPb(res.Changes), + }, nil +} + +func (s *Server) AddProject(ctx context.Context, req *mgmt_pb.AddProjectRequest) (*mgmt_pb.AddProjectResponse, error) { ctxData := authz.GetCtxData(ctx) - project, err := s.command.AddProject(ctx, projectCreateToDomain(in), ctxData.ResourceOwner, ctxData.UserID) + project, err := s.command.AddProject(ctx, ProjectCreateToDomain(req), ctxData.ResourceOwner, ctxData.UserID) if err != nil { return nil, err } - return projectFromDomain(project), nil + return &mgmt_pb.AddProjectResponse{ + Id: project.AggregateID, + Details: object_grpc.ToDetailsPb( + project.Sequence, + project.ChangeDate, + project.ResourceOwner, + ), + }, nil } -func (s *Server) UpdateProject(ctx context.Context, in *management.ProjectUpdateRequest) (*management.Project, error) { - project, err := s.command.ChangeProject(ctx, projectUpdateToDomain(in), authz.GetCtxData(ctx).ResourceOwner) + +func (s *Server) UpdateProject(ctx context.Context, req *mgmt_pb.UpdateProjectRequest) (*mgmt_pb.UpdateProjectResponse, error) { + project, err := 
s.command.ChangeProject(ctx, ProjectUpdateToDomain(req), authz.GetCtxData(ctx).ResourceOwner) if err != nil { return nil, err } - return projectFromDomain(project), nil -} -func (s *Server) DeactivateProject(ctx context.Context, in *management.ProjectID) (*empty.Empty, error) { - err := s.command.DeactivateProject(ctx, in.Id, authz.GetCtxData(ctx).ResourceOwner) - return &empty.Empty{}, err -} -func (s *Server) ReactivateProject(ctx context.Context, in *management.ProjectID) (*empty.Empty, error) { - err := s.command.ReactivateProject(ctx, in.Id, authz.GetCtxData(ctx).ResourceOwner) - return &empty.Empty{}, err + return &mgmt_pb.UpdateProjectResponse{ + Details: object_grpc.ToDetailsPb( + project.Sequence, + project.ChangeDate, + project.ResourceOwner, + ), + }, nil } -func (s *Server) RemoveProject(ctx context.Context, in *management.ProjectID) (*empty.Empty, error) { - grants, err := s.usergrant.UserGrantsByProjectID(ctx, in.Id) - if err != nil { - return &empty.Empty{}, err - } - err = s.command.RemoveProject(ctx, in.Id, authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants)...) 
- return &empty.Empty{}, err -} - -func (s *Server) SearchProjects(ctx context.Context, in *management.ProjectSearchRequest) (*management.ProjectSearchResponse, error) { - request := projectSearchRequestsToModel(in) - request.AppendMyResourceOwnerQuery(grpc_util.GetHeader(ctx, http.ZitadelOrgID)) - response, err := s.project.SearchProjects(ctx, request) +func (s *Server) DeactivateProject(ctx context.Context, req *mgmt_pb.DeactivateProjectRequest) (*mgmt_pb.DeactivateProjectResponse, error) { + details, err := s.command.DeactivateProject(ctx, req.Id, authz.GetCtxData(ctx).ResourceOwner) if err != nil { return nil, err } - return projectSearchResponseFromModel(response), nil + return &mgmt_pb.DeactivateProjectResponse{ + Details: object_grpc.DomainToDetailsPb(details), + }, nil } -func (s *Server) ProjectByID(ctx context.Context, id *management.ProjectID) (*management.ProjectView, error) { - project, err := s.project.ProjectByID(ctx, id.Id) +func (s *Server) ReactivateProject(ctx context.Context, req *mgmt_pb.ReactivateProjectRequest) (*mgmt_pb.ReactivateProjectResponse, error) { + details, err := s.command.ReactivateProject(ctx, req.Id, authz.GetCtxData(ctx).ResourceOwner) if err != nil { return nil, err } - return projectViewFromModel(project), nil + return &mgmt_pb.ReactivateProjectResponse{ + Details: object_grpc.DomainToDetailsPb(details), + }, nil } -func (s *Server) SearchGrantedProjects(ctx context.Context, in *management.GrantedProjectSearchRequest) (*management.ProjectGrantSearchResponse, error) { - request := grantedProjectSearchRequestsToModel(in) - request.AppendMyOrgQuery(grpc_util.GetHeader(ctx, http.ZitadelOrgID)) - response, err := s.project.SearchGrantedProjects(ctx, request) +func (s *Server) RemoveProject(ctx context.Context, req *mgmt_pb.RemoveProjectRequest) (*mgmt_pb.RemoveProjectResponse, error) { + grants, err := s.usergrant.UserGrantsByProjectID(ctx, req.Id) if err != nil { return nil, err } - return 
projectGrantSearchResponseFromModel(response), nil -} - -func (s *Server) GetGrantedProjectByID(ctx context.Context, in *management.ProjectGrantID) (*management.ProjectGrantView, error) { - project, err := s.project.ProjectGrantViewByID(ctx, in.Id) + details, err := s.command.RemoveProject(ctx, req.Id, authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants)...) if err != nil { return nil, err } - return projectGrantFromGrantedProjectModel(project), nil + return &mgmt_pb.RemoveProjectResponse{ + Details: object_grpc.DomainToDetailsPb(details), + }, nil } -func (s *Server) AddProjectRole(ctx context.Context, in *management.ProjectRoleAdd) (*management.ProjectRole, error) { - role, err := s.command.AddProjectRole(ctx, projectRoleAddToDomain(in), authz.GetCtxData(ctx).OrgID) +func (s *Server) ListProjectRoles(ctx context.Context, req *mgmt_pb.ListProjectRolesRequest) (*mgmt_pb.ListProjectRolesResponse, error) { + queries, err := ListProjectRolesRequestToModel(req) if err != nil { return nil, err } - return projectRoleFromDomain(role), nil -} - -func (s *Server) BulkAddProjectRole(ctx context.Context, in *management.ProjectRoleAddBulk) (*empty.Empty, error) { - err := s.command.BulkAddProjectRole(ctx, in.Id, authz.GetCtxData(ctx).OrgID, projectRoleAddBulkToDomain(in)) - return &empty.Empty{}, err -} - -func (s *Server) ChangeProjectRole(ctx context.Context, in *management.ProjectRoleChange) (*management.ProjectRole, error) { - role, err := s.command.ChangeProjectRole(ctx, projectRoleChangeToDomain(in), authz.GetCtxData(ctx).OrgID) + roles, err := s.project.SearchProjectRoles(ctx, req.ProjectId, queries) if err != nil { return nil, err } - return projectRoleFromDomain(role), nil + return &mgmt_pb.ListProjectRolesResponse{ + Result: project_grpc.RolesToPb(roles.Result), + Details: object_grpc.ToListDetails( + roles.TotalResult, + roles.Sequence, + roles.Timestamp, + ), + }, nil } -func (s *Server) RemoveProjectRole(ctx context.Context, in *management.ProjectRoleRemove) 
(*empty.Empty, error) { - userGrants, err := s.usergrant.UserGrantsByProjectIDAndRoleKey(ctx, in.Id, in.Key) - if err != nil { - return &empty.Empty{}, err - } - projectGrants, err := s.project.ProjectGrantsByProjectIDAndRoleKey(ctx, in.Id, in.Key) - if err != nil { - return &empty.Empty{}, err - } - err = s.command.RemoveProjectRole(ctx, in.Id, in.Key, authz.GetCtxData(ctx).OrgID, projectGrantsToIDs(projectGrants), userGrantsToIDs(userGrants)...) - return &empty.Empty{}, err -} - -func (s *Server) SearchProjectRoles(ctx context.Context, in *management.ProjectRoleSearchRequest) (*management.ProjectRoleSearchResponse, error) { - request := projectRoleSearchRequestsToModel(in) - request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID) - response, err := s.project.SearchProjectRoles(ctx, in.ProjectId, request) +func (s *Server) AddProjectRole(ctx context.Context, req *mgmt_pb.AddProjectRoleRequest) (*mgmt_pb.AddProjectRoleResponse, error) { + role, err := s.command.AddProjectRole(ctx, AddProjectRoleRequestToDomain(req), authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } - return projectRoleSearchResponseFromModel(response), nil + return &mgmt_pb.AddProjectRoleResponse{ + Details: object_grpc.ToDetailsPb( + role.Sequence, + role.ChangeDate, + role.ResourceOwner, + ), + }, nil } -func (s *Server) ProjectChanges(ctx context.Context, changesRequest *management.ChangeRequest) (*management.Changes, error) { - response, err := s.project.ProjectChanges(ctx, changesRequest.Id, changesRequest.SequenceOffset, changesRequest.Limit, changesRequest.Asc) +func (s *Server) BulkAddProjectRoles(ctx context.Context, req *mgmt_pb.BulkAddProjectRolesRequest) (*mgmt_pb.BulkAddProjectRolesResponse, error) { + details, err := s.command.BulkAddProjectRole(ctx, req.ProjectId, authz.GetCtxData(ctx).OrgID, BulkAddProjectRolesRequestToDomain(req)) if err != nil { return nil, err } - return projectChangesToResponse(response, changesRequest.GetSequenceOffset(), changesRequest.GetLimit()), 
nil + return &mgmt_pb.BulkAddProjectRolesResponse{ + Details: object_grpc.DomainToDetailsPb(details), + }, nil +} + +func (s *Server) UpdateProjectRole(ctx context.Context, req *mgmt_pb.UpdateProjectRoleRequest) (*mgmt_pb.UpdateProjectRoleResponse, error) { + role, err := s.command.ChangeProjectRole(ctx, UpdateProjectRoleRequestToDomain(req), authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.UpdateProjectRoleResponse{ + Details: object_grpc.ToDetailsPb( + role.Sequence, + role.ChangeDate, + role.ResourceOwner, + ), + }, nil +} + +func (s *Server) RemoveProjectRole(ctx context.Context, req *mgmt_pb.RemoveProjectRoleRequest) (*mgmt_pb.RemoveProjectRoleResponse, error) { + userGrants, err := s.usergrant.UserGrantsByProjectIDAndRoleKey(ctx, req.ProjectId, req.RoleKey) + if err != nil { + return nil, err + } + projectGrants, err := s.project.ProjectGrantsByProjectIDAndRoleKey(ctx, req.ProjectId, req.RoleKey) + if err != nil { + return nil, err + } + details, err := s.command.RemoveProjectRole(ctx, req.ProjectId, req.RoleKey, authz.GetCtxData(ctx).OrgID, ProjectGrantsToIDs(projectGrants), userGrantsToIDs(userGrants)...) 
+ if err != nil { + return nil, err + } + return &mgmt_pb.RemoveProjectRoleResponse{ + Details: object_grpc.DomainToDetailsPb(details), + }, nil +} + +func (s *Server) ListProjectMemberRoles(ctx context.Context, req *mgmt_pb.ListProjectMemberRolesRequest) (*mgmt_pb.ListProjectMemberRolesResponse, error) { + roles, err := s.project.GetProjectMemberRoles(ctx) + if err != nil { + return nil, err + } + return &mgmt_pb.ListProjectMemberRolesResponse{Result: roles}, nil //TODO: details +} + +func (s *Server) ListProjectMembers(ctx context.Context, req *mgmt_pb.ListProjectMembersRequest) (*mgmt_pb.ListProjectMembersResponse, error) { + queries, err := ListProjectMembersRequestToModel(req) + if err != nil { + return nil, err + } + domains, err := s.project.SearchProjectMembers(ctx, queries) + if err != nil { + return nil, err + } + return &mgmt_pb.ListProjectMembersResponse{ + Result: member_grpc.ProjectMembersToPb(domains.Result), + Details: object_grpc.ToListDetails( + domains.TotalResult, + domains.Sequence, + domains.Timestamp, + ), + }, nil +} + +func (s *Server) AddProjectMember(ctx context.Context, req *mgmt_pb.AddProjectMemberRequest) (*mgmt_pb.AddProjectMemberResponse, error) { + member, err := s.command.AddProjectMember(ctx, AddProjectMemberRequestToDomain(req), authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.AddProjectMemberResponse{ + Details: object_grpc.ToDetailsPb( + member.Sequence, + member.ChangeDate, + member.ResourceOwner, + ), + }, nil +} + +func (s *Server) UpdateProjectMember(ctx context.Context, req *mgmt_pb.UpdateProjectMemberRequest) (*mgmt_pb.UpdateProjectMemberResponse, error) { + member, err := s.command.ChangeProjectMember(ctx, UpdateProjectMemberRequestToDomain(req), authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.UpdateProjectMemberResponse{ + Details: object_grpc.ToDetailsPb( + member.Sequence, + member.ChangeDate, + member.ResourceOwner, + ), + }, nil +} + +func 
(s *Server) RemoveProjectMember(ctx context.Context, req *mgmt_pb.RemoveProjectMemberRequest) (*mgmt_pb.RemoveProjectMemberResponse, error) { + details, err := s.command.RemoveProjectMember(ctx, req.ProjectId, req.UserId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveProjectMemberResponse{ + Details: object_grpc.DomainToDetailsPb(details), + }, nil } diff --git a/internal/api/grpc/management/project_application.go b/internal/api/grpc/management/project_application.go new file mode 100644 index 0000000000..c952ba4bce --- /dev/null +++ b/internal/api/grpc/management/project_application.go 
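Review bot: The list handlers in project.go no longer add the caller's organisation to the search. The removed `SearchProjects`, `SearchGrantedProjects` and `SearchProjectRoles` called `request.AppendMyResourceOwnerQuery(...)` or `request.AppendMyOrgQuery(...)`, while `ListProjects`, `ListGrantedProjects` and `ListProjectRoles` pass the converter result straight to `s.project`. The `List...RequestToModel` converters take only `req`, so they cannot add the org id from `ctx`; unless the repository layer now applies it, which this hunk does not show, results may include other organisations' data. Restore the filter after conversion, e.g. `queries.AppendMyResourceOwnerQuery(authz.GetCtxData(ctx).OrgID)` in `ListProjects` and `queries.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)` in `ListGrantedProjects` and `ListProjectRoles`. `ListProjectMembers` and the by-id getters deserve the same check.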
@@ -0,0 +1,232 @@
+package management
+
+import (
+ "context"
+
+ "github.com/caos/zitadel/internal/api/authz"
+ authn_grpc "github.com/caos/zitadel/internal/api/grpc/authn"
+ change_grpc "github.com/caos/zitadel/internal/api/grpc/change"
+ object_grpc "github.com/caos/zitadel/internal/api/grpc/object"
+ project_grpc "github.com/caos/zitadel/internal/api/grpc/project"
+ mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func (s *Server) GetAppByID(ctx context.Context, req *mgmt_pb.GetAppByIDRequest) (*mgmt_pb.GetAppByIDResponse, error) {
+ app, err := s.project.ApplicationByID(ctx, req.ProjectId, req.AppId)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.GetAppByIDResponse{
+ App: project_grpc.AppToPb(app),
+ }, nil
+}
+
+func (s *Server) ListApps(ctx context.Context, req *mgmt_pb.ListAppsRequest) (*mgmt_pb.ListAppsResponse, error) {
+ queries, err := ListAppsRequestToModel(req)
+ if err != nil {
+ return nil, err
+ }
+ domains, err := s.project.SearchApplications(ctx, queries)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.ListAppsResponse{
+ Result: project_grpc.AppsToPb(domains.Result),
+ Details: object_grpc.ToListDetails(
+ domains.TotalResult,
+ domains.Sequence,
+ domains.Timestamp,
+ ),
+ }, nil
+}
+
+func (s *Server) ListAppChanges(ctx context.Context, req *mgmt_pb.ListAppChangesRequest) (*mgmt_pb.ListAppChangesResponse, error) {
+ res, err := s.project.ApplicationChanges(ctx, req.ProjectId, req.AppId, req.Query.Offset, uint64(req.Query.Limit), req.Query.Asc)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.ListAppChangesResponse{
+ Result: change_grpc.AppChangesToPb(res.Changes),
+ }, nil
+}
+
+func (s *Server) AddOIDCApp(ctx context.Context, req *mgmt_pb.AddOIDCAppRequest) (*mgmt_pb.AddOIDCAppResponse, error) {
+ app, err := s.command.AddOIDCApplication(ctx, AddOIDCAppRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.AddOIDCAppResponse{
+ AppId: app.AppID,
+ Details: object_grpc.ToDetailsPb(app.Sequence, app.ChangeDate, app.ResourceOwner),
+ ClientId: app.ClientID,
+ ClientSecret: app.ClientSecretString,
+ NoneCompliant: app.Compliance.NoneCompliant,
+ ComplianceProblems: project_grpc.ComplianceProblemsToLocalizedMessages(app.Compliance.Problems),
+ }, nil
+}
+
+func (s *Server) AddAPIApp(ctx context.Context, req *mgmt_pb.AddAPIAppRequest) (*mgmt_pb.AddAPIAppResponse, error) {
+ app, err := s.command.AddAPIApplication(ctx, AddAPIAppRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.AddAPIAppResponse{
+ AppId: app.AppID,
+ Details: object_grpc.ToDetailsPb(app.Sequence, app.ChangeDate, app.ResourceOwner),
+ ClientId: app.ClientID,
+ ClientSecret: app.ClientSecretString,
+ }, nil
+}
+
+func (s *Server) UpdateApp(ctx context.Context, req *mgmt_pb.UpdateAppRequest) (*mgmt_pb.UpdateAppResponse, error) {
+ details, err := s.command.ChangeApplication(ctx, req.ProjectId, UpdateAppRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.UpdateAppResponse{
+ Details: object_grpc.DomainToDetailsPb(details),
+ }, nil
+}
+
+func (s *Server) UpdateOIDCAppConfig(ctx context.Context, req *mgmt_pb.UpdateOIDCAppConfigRequest) (*mgmt_pb.UpdateOIDCAppConfigResponse, error) {
+ config, err := s.command.ChangeOIDCApplication(ctx, UpdateOIDCAppConfigRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.UpdateOIDCAppConfigResponse{
+ Details: object_grpc.ToDetailsPb(
+ config.Sequence,
+ config.ChangeDate,
+ config.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) UpdateAPIAppConfig(ctx context.Context, req *mgmt_pb.UpdateAPIAppConfigRequest) (*mgmt_pb.UpdateAPIAppConfigResponse, error) {
+ config, err := s.command.ChangeAPIApplication(ctx, UpdateAPIAppConfigRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.UpdateAPIAppConfigResponse{
+ Details: object_grpc.ToDetailsPb(
+ config.Sequence,
+ config.ChangeDate,
+ config.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) DeactivateApp(ctx context.Context, req *mgmt_pb.DeactivateAppRequest) (*mgmt_pb.DeactivateAppResponse, error) {
+ details, err := s.command.DeactivateApplication(ctx, req.ProjectId, req.AppId, authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.DeactivateAppResponse{
+ Details: object_grpc.DomainToDetailsPb(details),
+ }, nil
+}
+
+func (s *Server) ReactivateApp(ctx context.Context, req *mgmt_pb.ReactivateAppRequest) (*mgmt_pb.ReactivateAppResponse, error) {
+ details, err := s.command.ReactivateApplication(ctx, req.ProjectId, req.AppId, authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.ReactivateAppResponse{
+ Details: object_grpc.DomainToDetailsPb(details),
+ }, nil
+}
+
+func (s *Server) RemoveApp(ctx context.Context, req *mgmt_pb.RemoveAppRequest) (*mgmt_pb.RemoveAppResponse, error) {
+ details, err := s.command.RemoveApplication(ctx, req.ProjectId, req.AppId, authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.RemoveAppResponse{
+ Details: object_grpc.DomainToDetailsPb(details),
+ }, nil
+}
+
+func (s *Server) RegenerateOIDCClientSecret(ctx context.Context, req *mgmt_pb.RegenerateOIDCClientSecretRequest) (*mgmt_pb.RegenerateOIDCClientSecretResponse, error) {
+ config, err := s.command.ChangeOIDCApplicationSecret(ctx, req.ProjectId, req.AppId, authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.RegenerateOIDCClientSecretResponse{
+ ClientSecret: config.ClientSecretString,
+ Details: object_grpc.ToDetailsPb(
+ config.Sequence,
+ config.ChangeDate,
+ config.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) RegenerateAPIClientSecret(ctx context.Context, req *mgmt_pb.RegenerateAPIClientSecretRequest) (*mgmt_pb.RegenerateAPIClientSecretResponse, error) {
+ config, err := s.command.ChangeAPIApplicationSecret(ctx, req.ProjectId, req.AppId, authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.RegenerateAPIClientSecretResponse{
+ ClientSecret: config.ClientSecretString,
+ Details: object_grpc.ToDetailsPb(
+ config.Sequence,
+ config.ChangeDate,
+ config.ResourceOwner,
+ ),
+ }, nil
+}
+
+func (s *Server) GetAppKey(ctx context.Context, req *mgmt_pb.GetAppKeyRequest) (*mgmt_pb.GetAppKeyResponse, error) {
+ key, err := s.project.GetClientKey(ctx, req.ProjectId, req.AppId, req.KeyId)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.GetAppKeyResponse{
+ Key: authn_grpc.KeyToPb(key),
+ }, nil
+}
+
+func (s *Server) ListAppKeys(ctx context.Context, req *mgmt_pb.ListAppKeysRequest) (*mgmt_pb.ListAppKeysResponse, error) {
+ queries, err := ListAPIClientKeysRequestToModel(req)
+ if err != nil {
+ return nil, err
+ }
+ domains, err := s.project.SearchClientKeys(ctx, queries)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.ListAppKeysResponse{
+ Result: authn_grpc.KeyViewsToPb(domains.Result),
+ Details: object_grpc.ToListDetails(
+ domains.TotalResult,
+ domains.Sequence,
+ domains.Timestamp,
+ ),
+ }, nil
+}
+
+func (s *Server) AddAppKey(ctx context.Context, req *mgmt_pb.AddAppKeyRequest) (*mgmt_pb.AddAppKeyResponse, error) {
+ key, err := s.command.AddApplicationKey(ctx, AddAPIClientKeyRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ keyDetails, err := key.Detail()
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.AddAppKeyResponse{
+ Id: key.KeyID,
+ Details: object_grpc.ToDetailsPb(key.Sequence, key.ChangeDate, key.ResourceOwner),
+ KeyDetails: keyDetails,
+ }, nil
+}
+
+func (s *Server) RemoveAppKey(ctx context.Context, req *mgmt_pb.RemoveAppKeyRequest) (*mgmt_pb.RemoveAppKeyResponse, error) {
+ details, err := s.command.RemoveApplicationKey(ctx, req.ProjectId, req.AppId, req.KeyId, authz.GetCtxData(ctx).OrgID)
+ if err != nil {
+ return nil, err
+ }
+ return &mgmt_pb.RemoveAppKeyResponse{
+ Details: object_grpc.DomainToDetailsPb(details),
+ }, nil
+}
diff --git a/internal/api/grpc/management/project_application_converter.go b/internal/api/grpc/management/project_application_converter.go
new file mode 100644
index 0000000000..0ca7e576fa
--- /dev/null
+++ b/internal/api/grpc/management/project_application_converter.go
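Review bot: `ListAppChanges` reads `req.Query.Offset`, `req.Query.Limit` and `req.Query.Asc` directly, so a request that omits the `query` message dereferences a nil pointer and panics the handler unless request validation (not visible in this hunk) rejects it first. The generated getters are nil-safe, so `req.GetQuery().GetOffset()`, `uint64(req.GetQuery().GetLimit())` and `req.GetQuery().GetAsc()` avoid that; the same direct access appears in the `List*RequestToModel` converters in project_application_converter.go and project_converter.go. Separately, the read handlers (`GetAppByID`, `ListAppChanges`, `GetAppKey`) pass only request-supplied IDs, while every write handler passes `authz.GetCtxData(ctx).OrgID`; it is worth confirming that `s.project` scopes those lookups to the caller's organisation, and a short comment on each read handler saying where that scoping happens would help the next reviewer.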
@@ -0,0 +1,134 @@
+package management
+
+import (
+ "time"
+
+ authn_grpc "github.com/caos/zitadel/internal/api/grpc/authn"
+ app_grpc "github.com/caos/zitadel/internal/api/grpc/project"
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/internal/eventstore/v1/models"
+ key_model "github.com/caos/zitadel/internal/key/model"
+ proj_model "github.com/caos/zitadel/internal/project/model"
+ mgmt_pb "github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func ListAppsRequestToModel(req *mgmt_pb.ListAppsRequest) (*proj_model.ApplicationSearchRequest, error) {
+ queries, err := app_grpc.AppQueriesToModel(req.Queries)
+ if err != nil {
+ return nil, err
+ }
+ queries = append(queries, &proj_model.ApplicationSearchQuery{
+ Key: proj_model.AppSearchKeyProjectID,
+ Method: domain.SearchMethodEquals,
+ Value: req.ProjectId,
+ })
+ return &proj_model.ApplicationSearchRequest{
+ Offset: req.Query.Offset,
+ Limit: uint64(req.Query.Limit),
+ Asc: req.Query.Asc,
+ //SortingColumn: //TODO: sorting
+ Queries: queries,
+ }, nil
+}
+
+func AddOIDCAppRequestToDomain(req *mgmt_pb.AddOIDCAppRequest) *domain.OIDCApp {
+ return &domain.OIDCApp{
+ ObjectRoot: models.ObjectRoot{
+ AggregateID: req.ProjectId,
+ },
+ AppName: req.Name,
+ OIDCVersion: app_grpc.OIDCVersionToDomain(req.Version),
+ RedirectUris: req.RedirectUris,
+ ResponseTypes: app_grpc.OIDCResponseTypesToDomain(req.ResponseTypes),
+ GrantTypes: app_grpc.OIDCGrantTypesToDomain(req.GrantTypes),
+ ApplicationType: app_grpc.OIDCApplicationTypeToDomain(req.AppType),
+ AuthMethodType: app_grpc.OIDCAuthMethodTypeToDomain(req.AuthMethodType),
+ PostLogoutRedirectUris: req.PostLogoutRedirectUris,
+ DevMode: req.DevMode,
+ AccessTokenType: app_grpc.OIDCTokenTypeToDomain(req.AccessTokenType),
+ AccessTokenRoleAssertion: req.AccessTokenRoleAssertion,
+ IDTokenRoleAssertion: req.IdTokenRoleAssertion,
+ IDTokenUserinfoAssertion: req.IdTokenUserinfoAssertion,
+ ClockSkew: req.ClockSkew.AsDuration(),
+ }
+}
+
+func AddAPIAppRequestToDomain(app *mgmt_pb.AddAPIAppRequest) *domain.APIApp {
+ return &domain.APIApp{
+ ObjectRoot: models.ObjectRoot{
+ AggregateID: app.ProjectId,
+ },
+ AppName: app.Name,
+ AuthMethodType: app_grpc.APIAuthMethodTypeToDomain(app.AuthMethodType),
+ }
+}
+
+func UpdateAppRequestToDomain(app *mgmt_pb.UpdateAppRequest) domain.Application {
+ return &domain.ChangeApp{
+ AppID: app.AppId,
+ AppName: app.Name,
+ }
+}
+
+func UpdateOIDCAppConfigRequestToDomain(app *mgmt_pb.UpdateOIDCAppConfigRequest) *domain.OIDCApp {
+ return &domain.OIDCApp{
+ ObjectRoot: models.ObjectRoot{
+ AggregateID: app.ProjectId,
+ },
+ AppID: app.AppId,
+ RedirectUris: app.RedirectUris,
+ ResponseTypes: app_grpc.OIDCResponseTypesToDomain(app.ResponseTypes),
+ GrantTypes: app_grpc.OIDCGrantTypesToDomain(app.GrantTypes),
+ ApplicationType: app_grpc.OIDCApplicationTypeToDomain(app.AppType),
+ AuthMethodType: app_grpc.OIDCAuthMethodTypeToDomain(app.AuthMethodType),
+ PostLogoutRedirectUris: app.PostLogoutRedirectUris,
+ DevMode: app.DevMode,
+ AccessTokenType: app_grpc.OIDCTokenTypeToDomain(app.AccessTokenType),
+ AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
+ IDTokenRoleAssertion: app.IdTokenRoleAssertion,
+ IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,
+ ClockSkew: app.ClockSkew.AsDuration(),
+ }
+}
+
+func UpdateAPIAppConfigRequestToDomain(app *mgmt_pb.UpdateAPIAppConfigRequest) *domain.APIApp {
+ return &domain.APIApp{
+ ObjectRoot: models.ObjectRoot{
+ AggregateID: app.ProjectId,
+ },
+ AppID: app.AppId,
+ AuthMethodType: app_grpc.APIAuthMethodTypeToDomain(app.AuthMethodType),
+ }
+}
+
+func AddAPIClientKeyRequestToDomain(key *mgmt_pb.AddAppKeyRequest) *domain.ApplicationKey {
+ expirationDate := time.Time{}
+ if key.ExpirationDate != nil {
+ expirationDate = key.ExpirationDate.AsTime()
+ }
+
+ return &domain.ApplicationKey{
+ ObjectRoot: models.ObjectRoot{
+ AggregateID: key.ProjectId,
+ },
+ ExpirationDate: expirationDate,
+ Type: authn_grpc.KeyTypeToDomain(key.Type),
+ ApplicationID: key.AppId,
+ }
+}
+
+func ListAPIClientKeysRequestToModel(req *mgmt_pb.ListAppKeysRequest) (*key_model.AuthNKeySearchRequest, error) {
+ queries := make([]*key_model.AuthNKeySearchQuery, 2)
+ queries = append(queries, &key_model.AuthNKeySearchQuery{
+ Key: key_model.AuthNKeyObjectID,
+ Method: domain.SearchMethodEquals,
+ Value: req.AppId,
+ })
+ return &key_model.AuthNKeySearchRequest{
+ Offset: req.Query.Offset,
+ Limit: uint64(req.Query.Limit),
+ Asc: req.Query.Asc,
+ //SortingColumn: //TODO: sorting
+ Queries: queries,
+ }, nil
+}
diff --git a/internal/api/grpc/management/project_converter.go b/internal/api/grpc/management/project_converter.go
index 896d8efee7..890da5b7ce 100644
--- a/internal/api/grpc/management/project_converter.go
+++ b/internal/api/grpc/management/project_converter.go
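Review bot: In `ListAPIClientKeysRequestToModel`, `make([]*key_model.AuthNKeySearchQuery, 2)` creates a slice of length 2, so the following `append` leaves two nil entries ahead of the app-ID filter. Any consumer that ranges over `Queries` and dereferences each element will panic on them; the line should be `queries := make([]*key_model.AuthNKeySearchQuery, 0, 2)`. The capacity of 2 suggests a second filter was intended: as written the search is keyed on `req.AppId` alone, so if the request also carries a project ID (not visible in this hunk) it is never applied and the returned keys are not constrained to that project. A one-line comment stating which filters are mandatory for a key listing would make that intent checkable.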
@@ -1,170 +1,50 @@ package management import ( - "encoding/json" + member_grpc "github.com/caos/zitadel/internal/api/grpc/member" + proj_grpc "github.com/caos/zitadel/internal/api/grpc/project" "github.com/caos/zitadel/internal/domain" - "google.golang.org/protobuf/types/known/timestamppb" - - "github.com/caos/logging" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/encoding/protojson" - "google.golang.org/protobuf/types/known/structpb" - "github.com/caos/zitadel/internal/eventstore/v1/models" proj_model "github.com/caos/zitadel/internal/project/model" - "github.com/caos/zitadel/pkg/grpc/management" - "github.com/caos/zitadel/pkg/grpc/message" + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" ) -func projectFromDomain(project *domain.Project) *management.Project { - return &management.Project{ - Id: project.AggregateID, - State: projectStateFromDomain(project.State), - ChangeDate: timestamppb.New(project.ChangeDate), - Name: project.Name, - Sequence: project.Sequence, - ProjectRoleAssertion: project.ProjectRoleAssertion, - ProjectRoleCheck: project.ProjectRoleCheck, - } -} - -func projectSearchResponseFromModel(response *proj_model.ProjectViewSearchResponse) *management.ProjectSearchResponse { - timestamp, err := ptypes.TimestampProto(response.Timestamp) - logging.Log("GRPC-iejs3").OnError(err).Debug("unable to parse timestamp") - return &management.ProjectSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - Result: projectViewsFromModel(response.Result), - ProcessedSequence: response.Sequence, - ViewTimestamp: timestamp, - } -} - -func projectViewsFromModel(projects []*proj_model.ProjectView) []*management.ProjectView { - converted := make([]*management.ProjectView, len(projects)) - for i, project := range projects { - converted[i] = projectViewFromModel(project) - } - return converted -} - -func projectViewFromModel(project *proj_model.ProjectView) *management.ProjectView { - 
creationDate, err := ptypes.TimestampProto(project.CreationDate) - logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(project.ChangeDate) - logging.Log("GRPC-sope3").OnError(err).Debug("unable to parse timestamp") - - return &management.ProjectView{ - ProjectId: project.ProjectID, - State: projectStateFromModel(project.State), - CreationDate: creationDate, - ChangeDate: changeDate, - Name: project.Name, - Sequence: project.Sequence, - ResourceOwner: project.ResourceOwner, - ProjectRoleAssertion: project.ProjectRoleAssertion, - ProjectRoleCheck: project.ProjectRoleCheck, - } -} - -func projectRoleSearchResponseFromModel(response *proj_model.ProjectRoleSearchResponse) *management.ProjectRoleSearchResponse { - timestamp, err := ptypes.TimestampProto(response.Timestamp) - logging.Log("GRPC-Lps0c").OnError(err).Debug("unable to parse timestamp") - - return &management.ProjectRoleSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - Result: projectRoleViewsFromModel(response.Result), - ProcessedSequence: response.Sequence, - ViewTimestamp: timestamp, - } -} - -func projectRoleViewsFromModel(roles []*proj_model.ProjectRoleView) []*management.ProjectRoleView { - converted := make([]*management.ProjectRoleView, len(roles)) - for i, role := range roles { - converted[i] = projectRoleViewFromModel(role) - } - return converted -} - -func projectRoleViewFromModel(role *proj_model.ProjectRoleView) *management.ProjectRoleView { - creationDate, err := ptypes.TimestampProto(role.CreationDate) - logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp") - changeDate, err := ptypes.TimestampProto(role.ChangeDate) - logging.Log("MANAG-BRr8Y").OnError(err).Debug("unable to parse timestamp") - - return &management.ProjectRoleView{ - ProjectId: role.ProjectID, - CreationDate: creationDate, - ChangeDate: changeDate, - Key: role.Key, - Group: role.Group, - 
DisplayName: role.DisplayName, - Sequence: role.Sequence, - } -} - -func projectStateFromDomain(state domain.ProjectState) management.ProjectState { - switch state { - case domain.ProjectStateActive: - return management.ProjectState_PROJECTSTATE_ACTIVE - case domain.ProjectStateInactive: - return management.ProjectState_PROJECTSTATE_INACTIVE - default: - return management.ProjectState_PROJECTSTATE_UNSPECIFIED - } -} - -func projectStateFromModel(state proj_model.ProjectState) management.ProjectState { - switch state { - case proj_model.ProjectStateActive: - return management.ProjectState_PROJECTSTATE_ACTIVE - case proj_model.ProjectStateInactive: - return management.ProjectState_PROJECTSTATE_INACTIVE - default: - return management.ProjectState_PROJECTSTATE_UNSPECIFIED - } -} - -func projectCreateToDomain(project *management.ProjectCreateRequest) *domain.Project { +func ProjectCreateToDomain(req *mgmt_pb.AddProjectRequest) *domain.Project { return &domain.Project{ - Name: project.Name, - ProjectRoleAssertion: project.ProjectRoleAssertion, - ProjectRoleCheck: project.ProjectRoleCheck, + Name: req.Name, + ProjectRoleAssertion: req.ProjectRoleAssertion, + ProjectRoleCheck: req.ProjectRoleCheck, } } -func projectUpdateToDomain(project *management.ProjectUpdateRequest) *domain.Project { +func ProjectUpdateToDomain(req *mgmt_pb.UpdateProjectRequest) *domain.Project { return &domain.Project{ ObjectRoot: models.ObjectRoot{ - AggregateID: project.Id, + AggregateID: req.Id, }, - Name: project.Name, - ProjectRoleAssertion: project.ProjectRoleAssertion, - ProjectRoleCheck: project.ProjectRoleCheck, + Name: req.Name, + ProjectRoleAssertion: req.ProjectRoleAssertion, + ProjectRoleCheck: req.ProjectRoleCheck, } } -func projectRoleFromDomain(role *domain.ProjectRole) *management.ProjectRole { - return &management.ProjectRole{ - ChangeDate: timestamppb.New(role.ChangeDate), - Sequence: role.Sequence, - Key: role.Key, - DisplayName: role.DisplayName, - Group: role.Group, +func 
AddProjectRoleRequestToDomain(req *mgmt_pb.AddProjectRoleRequest) *domain.ProjectRole { + return &domain.ProjectRole{ + ObjectRoot: models.ObjectRoot{ + AggregateID: req.ProjectId, + }, + Key: req.RoleKey, + DisplayName: req.DisplayName, + Group: req.Group, } } -func projectRoleAddBulkToDomain(bulk *management.ProjectRoleAddBulk) []*domain.ProjectRole { - roles := make([]*domain.ProjectRole, len(bulk.ProjectRoles)) - for i, role := range bulk.ProjectRoles { +func BulkAddProjectRolesRequestToDomain(req *mgmt_pb.BulkAddProjectRolesRequest) []*domain.ProjectRole { + roles := make([]*domain.ProjectRole, len(req.Roles)) + for i, role := range req.Roles { roles[i] = &domain.ProjectRole{ ObjectRoot: models.ObjectRoot{ - AggregateID: bulk.Id, + AggregateID: req.ProjectId, }, Key: role.Key, DisplayName: role.DisplayName, 
@@ -174,154 +54,91 @@ func projectRoleAddBulkToDomain(bulk *management.ProjectRoleAddBulk) []*domain.P return roles } -func projectRoleAddToDomain(role *management.ProjectRoleAdd) *domain.ProjectRole { +func UpdateProjectRoleRequestToDomain(req *mgmt_pb.UpdateProjectRoleRequest) *domain.ProjectRole { return &domain.ProjectRole{ ObjectRoot: models.ObjectRoot{ - AggregateID: role.Id, + AggregateID: req.ProjectId, }, - Key: role.Key, - DisplayName: role.DisplayName, - Group: role.Group, + Key: req.RoleKey, + DisplayName: req.DisplayName, + Group: req.Group, } } -func projectRoleChangeToDomain(role *management.ProjectRoleChange) *domain.ProjectRole { - return &domain.ProjectRole{ - ObjectRoot: models.ObjectRoot{ - AggregateID: role.Id, - }, - Key: role.Key, - DisplayName: role.DisplayName, - Group: role.Group, +func ProjectGrantsToIDs(projectGrants []*proj_model.ProjectGrantView) []string { + converted := make([]string, len(projectGrants)) + for i, grant := range projectGrants { + converted[i] = grant.GrantID } + return converted } -func projectSearchRequestsToModel(project *management.ProjectSearchRequest) *proj_model.ProjectViewSearchRequest { +func AddProjectMemberRequestToDomain(req *mgmt_pb.AddProjectMemberRequest) *domain.Member { + return domain.NewMember(req.ProjectId, req.UserId, req.Roles...) +} + +func UpdateProjectMemberRequestToDomain(req *mgmt_pb.UpdateProjectMemberRequest) *domain.Member { + return domain.NewMember(req.ProjectId, req.UserId, req.Roles...) 
+} + +func ListProjectsRequestToModel(req *mgmt_pb.ListProjectsRequest) (*proj_model.ProjectViewSearchRequest, error) { + queries, err := proj_grpc.ProjectQueriesToModel(req.Queries) + if err != nil { + return nil, err + } return &proj_model.ProjectViewSearchRequest{ - Offset: project.Offset, - Limit: project.Limit, - Queries: projectSearchQueriesToModel(project.Queries), - } + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + //SortingColumn: //TODO: sorting + Queries: queries, + }, nil } -func grantedProjectSearchRequestsToModel(request *management.GrantedProjectSearchRequest) *proj_model.ProjectGrantViewSearchRequest { + +func ListGrantedProjectsRequestToModel(req *mgmt_pb.ListGrantedProjectsRequest) (*proj_model.ProjectGrantViewSearchRequest, error) { + queries, err := proj_grpc.GrantedProjectQueriesToModel(req.Queries) + if err != nil { + return nil, err + } return &proj_model.ProjectGrantViewSearchRequest{ - Offset: request.Offset, - Limit: request.Limit, - Queries: grantedPRojectSearchQueriesToModel(request.Queries), - } + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + //SortingColumn: //TODO: sorting + Queries: queries, + }, nil } - -func projectSearchQueriesToModel(queries []*management.ProjectSearchQuery) []*proj_model.ProjectViewSearchQuery { - converted := make([]*proj_model.ProjectViewSearchQuery, len(queries)) - for i, q := range queries { - converted[i] = projectSearchQueryToModel(q) +func ListProjectRolesRequestToModel(req *mgmt_pb.ListProjectRolesRequest) (*proj_model.ProjectRoleSearchRequest, error) { + queries, err := proj_grpc.RoleQueriesToModel(req.Queries) + if err != nil { + return nil, err } - return converted -} - -func projectSearchQueryToModel(query *management.ProjectSearchQuery) *proj_model.ProjectViewSearchQuery { - return &proj_model.ProjectViewSearchQuery{ - Key: projectSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, 
- } -} - -func projectSearchKeyToModel(key management.ProjectSearchKey) proj_model.ProjectViewSearchKey { - switch key { - case management.ProjectSearchKey_PROJECTSEARCHKEY_PROJECT_NAME: - return proj_model.ProjectViewSearchKeyName - default: - return proj_model.ProjectViewSearchKeyUnspecified - } -} - -func grantedPRojectSearchQueriesToModel(queries []*management.ProjectSearchQuery) []*proj_model.ProjectGrantViewSearchQuery { - converted := make([]*proj_model.ProjectGrantViewSearchQuery, len(queries)) - for i, q := range queries { - converted[i] = grantedProjectSearchQueryToModel(q) - } - return converted -} - -func grantedProjectSearchQueryToModel(query *management.ProjectSearchQuery) *proj_model.ProjectGrantViewSearchQuery { - return &proj_model.ProjectGrantViewSearchQuery{ - Key: projectGrantSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func projectGrantSearchKeyToModel(key management.ProjectSearchKey) proj_model.ProjectGrantViewSearchKey { - switch key { - case management.ProjectSearchKey_PROJECTSEARCHKEY_PROJECT_NAME: - return proj_model.GrantedProjectSearchKeyName - default: - return proj_model.GrantedProjectSearchKeyUnspecified - } -} - -func projectRoleSearchRequestsToModel(role *management.ProjectRoleSearchRequest) *proj_model.ProjectRoleSearchRequest { + queries = append(queries, &proj_model.ProjectRoleSearchQuery{ + Key: proj_model.ProjectRoleSearchKeyProjectID, + Method: domain.SearchMethodEquals, + Value: req.ProjectId, + }) return &proj_model.ProjectRoleSearchRequest{ - Offset: role.Offset, - Limit: role.Limit, - Queries: projectRoleSearchQueriesToModel(role.Queries), - } + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + //SortingColumn: //TODO: sorting + Queries: queries, + }, nil } -func projectRoleSearchQueriesToModel(queries []*management.ProjectRoleSearchQuery) []*proj_model.ProjectRoleSearchQuery { - converted := 
make([]*proj_model.ProjectRoleSearchQuery, len(queries)) - for i, q := range queries { - converted[i] = projectRoleSearchQueryToModel(q) - } - return converted -} - -func projectRoleSearchQueryToModel(query *management.ProjectRoleSearchQuery) *proj_model.ProjectRoleSearchQuery { - return &proj_model.ProjectRoleSearchQuery{ - Key: projectRoleSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func projectRoleSearchKeyToModel(key management.ProjectRoleSearchKey) proj_model.ProjectRoleSearchKey { - switch key { - case management.ProjectRoleSearchKey_PROJECTROLESEARCHKEY_KEY: - return proj_model.ProjectRoleSearchKeyKey - case management.ProjectRoleSearchKey_PROJECTROLESEARCHKEY_DISPLAY_NAME: - return proj_model.ProjectRoleSearchKeyDisplayName - default: - return proj_model.ProjectRoleSearchKeyUnspecified - } -} - -func projectChangesToResponse(response *proj_model.ProjectChanges, offset uint64, limit uint64) (_ *management.Changes) { - return &management.Changes{ - Limit: limit, - Offset: offset, - Changes: projectChangesToMgtAPI(response), - } -} - -func projectChangesToMgtAPI(changes *proj_model.ProjectChanges) (_ []*management.Change) { - result := make([]*management.Change, len(changes.Changes)) - - for i, change := range changes.Changes { - b, err := json.Marshal(change.Data) - data := &structpb.Struct{} - err = protojson.Unmarshal(b, data) - if err != nil { - } - result[i] = &management.Change{ - ChangeDate: change.ChangeDate, - EventType: message.NewLocalizedEventType(change.EventType), - Sequence: change.Sequence, - Editor: change.ModifierName, - EditorId: change.ModifierId, - Data: data, - } - } - - return result +func ListProjectMembersRequestToModel(req *mgmt_pb.ListProjectMembersRequest) (*proj_model.ProjectMemberSearchRequest, error) { + queries := member_grpc.MemberQueriesToProjectMember(req.Queries) + queries = append(queries, &proj_model.ProjectMemberSearchQuery{ + Key: 
proj_model.ProjectMemberSearchKeyProjectID, + Method: domain.SearchMethodEquals, + Value: req.ProjectId, + }) + return &proj_model.ProjectMemberSearchRequest{ + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + //SortingColumn: //TODO: sorting + Queries: queries, + }, nil } diff --git a/internal/api/grpc/management/project_grant.go b/internal/api/grpc/management/project_grant.go index 44fe000035..8b2c4d17e3 100644 --- a/internal/api/grpc/management/project_grant.go +++ b/internal/api/grpc/management/project_grant.go 
@@ -2,61 +2,163 @@ package management import ( "context" + "github.com/caos/zitadel/internal/api/authz" - - "github.com/golang/protobuf/ptypes/empty" - - "github.com/caos/zitadel/pkg/grpc/management" + member_grpc "github.com/caos/zitadel/internal/api/grpc/member" + object_grpc "github.com/caos/zitadel/internal/api/grpc/object" + proj_grpc "github.com/caos/zitadel/internal/api/grpc/project" + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" ) -func (s *Server) SearchProjectGrants(ctx context.Context, in *management.ProjectGrantSearchRequest) (*management.ProjectGrantSearchResponse, error) { - request := projectGrantSearchRequestsToModel(in) - ctxData := authz.GetCtxData(ctx) - request.AppendMyResourceOwnerQuery(ctxData.OrgID) - response, err := s.project.SearchProjectGrants(ctx, request) +func (s *Server) GetProjectGrantByID(ctx context.Context, req *mgmt_pb.GetProjectGrantByIDRequest) (*mgmt_pb.GetProjectGrantByIDResponse, error) { + grant, err := s.project.ProjectGrantByID(ctx, req.GrantId) if err != nil { return nil, err } - return projectGrantSearchResponseFromModel(response), nil + return &mgmt_pb.GetProjectGrantByIDResponse{ + ProjectGrant: proj_grpc.GrantedProjectToPb(grant), + }, nil } -func (s *Server) ProjectGrantByID(ctx context.Context, in *management.ProjectGrantID) (*management.ProjectGrantView, error) { - grant, err := s.project.ProjectGrantByID(ctx, in.Id) +func (s *Server) ListProjectGrants(ctx context.Context, req *mgmt_pb.ListProjectGrantsRequest) (*mgmt_pb.ListProjectGrantsResponse, error) { + queries, err := ListProjectGrantsRequestToModel(req) if err != nil { return nil, err } - return projectGrantFromGrantedProjectModel(grant), nil + domains, err := s.project.SearchProjectGrants(ctx, queries) + if err != nil { + return nil, err + } + return &mgmt_pb.ListProjectGrantsResponse{ + Result: proj_grpc.GrantedProjectsToPb(domains.Result), + Details: object_grpc.ToListDetails( + domains.TotalResult, + domains.Sequence, + domains.Timestamp, + ), 
+ }, nil } -func (s *Server) CreateProjectGrant(ctx context.Context, in *management.ProjectGrantCreate) (*management.ProjectGrant, error) { - grant, err := s.command.AddProjectGrant(ctx, projectGrantCreateToDomain(in), authz.GetCtxData(ctx).OrgID) +func (s *Server) AddProjectGrant(ctx context.Context, req *mgmt_pb.AddProjectGrantRequest) (*mgmt_pb.AddProjectGrantResponse, error) { + grant, err := s.command.AddProjectGrant(ctx, AddProjectGrantRequestToDomain(req), authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } - return projectGrantFromDomain(grant), nil -} -func (s *Server) UpdateProjectGrant(ctx context.Context, in *management.ProjectGrantUpdate) (*management.ProjectGrant, error) { - userGrants, err := s.usergrant.UserGrantsByProjectAndGrantID(ctx, in.ProjectId, in.Id) - if err != nil { - return nil, err - } - grant, err := s.command.ChangeProjectGrant(ctx, projectGrantUpdateToDomain(in), authz.GetCtxData(ctx).OrgID, userGrantsToIDs(userGrants)...) - if err != nil { - return nil, err - } - return projectGrantFromDomain(grant), nil -} -func (s *Server) DeactivateProjectGrant(ctx context.Context, in *management.ProjectGrantID) (*empty.Empty, error) { - err := s.command.DeactivateProjectGrant(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err + return &mgmt_pb.AddProjectGrantResponse{ + GrantId: grant.GrantID, + Details: object_grpc.ToDetailsPb( + grant.Sequence, + grant.ChangeDate, + grant.ResourceOwner, + ), + }, nil } -func (s *Server) ReactivateProjectGrant(ctx context.Context, in *management.ProjectGrantID) (*empty.Empty, error) { - err := s.command.ReactivateProjectGrant(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err +func (s *Server) UpdateProjectGrant(ctx context.Context, req *mgmt_pb.UpdateProjectGrantRequest) (*mgmt_pb.UpdateProjectGrantResponse, error) { + userGrants, err := s.usergrant.UserGrantsByProjectAndGrantID(ctx, req.ProjectId, req.GrantId) + if err != nil { + 
return nil, err + } + grant, err := s.command.ChangeProjectGrant(ctx, UpdateProjectGrantRequestToDomain(req), authz.GetCtxData(ctx).OrgID, userGrantsToIDs(userGrants)...) + if err != nil { + return nil, err + } + return &mgmt_pb.UpdateProjectGrantResponse{ + Details: object_grpc.ToDetailsPb( + grant.Sequence, + grant.ChangeDate, + grant.ResourceOwner, + ), + }, nil } -func (s *Server) RemoveProjectGrant(ctx context.Context, in *management.ProjectGrantID) (*empty.Empty, error) { - err := s.command.RemoveProjectGrant(ctx, in.ProjectId, in.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err +func (s *Server) DeactivateProjectGrant(ctx context.Context, req *mgmt_pb.DeactivateProjectGrantRequest) (*mgmt_pb.DeactivateProjectGrantResponse, error) { + details, err := s.command.DeactivateProjectGrant(ctx, req.ProjectId, req.GrantId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.DeactivateProjectGrantResponse{ + Details: object_grpc.DomainToDetailsPb(details), + }, nil +} + +func (s *Server) ReactivateProjectGrant(ctx context.Context, req *mgmt_pb.ReactivateProjectGrantRequest) (*mgmt_pb.ReactivateProjectGrantResponse, error) { + details, err := s.command.ReactivateProjectGrant(ctx, req.ProjectId, req.GrantId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.ReactivateProjectGrantResponse{ + Details: object_grpc.DomainToDetailsPb(details), + }, nil +} + +func (s *Server) RemoveProjectGrant(ctx context.Context, req *mgmt_pb.RemoveProjectGrantRequest) (*mgmt_pb.RemoveProjectGrantResponse, error) { + details, err := s.command.RemoveProjectGrant(ctx, req.ProjectId, req.GrantId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveProjectGrantResponse{ + Details: object_grpc.DomainToDetailsPb(details), + }, nil +} + +func (s *Server) ListProjectGrantMemberRoles(ctx context.Context, req *mgmt_pb.ListProjectGrantMemberRolesRequest) 
(*mgmt_pb.ListProjectGrantMemberRolesResponse, error) { + roles := s.project.GetProjectGrantMemberRoles() + return &mgmt_pb.ListProjectGrantMemberRolesResponse{ + Result: roles, + //TODO: metadata + }, nil +} + +func (s *Server) ListProjectGrantMembers(ctx context.Context, req *mgmt_pb.ListProjectGrantMembersRequest) (*mgmt_pb.ListProjectGrantMembersResponse, error) { + response, err := s.project.SearchProjectGrantMembers(ctx, ListProjectGrantMembersRequestToModel(req)) + if err != nil { + return nil, err + } + return &mgmt_pb.ListProjectGrantMembersResponse{ + Result: member_grpc.ProjectGrantMembersToPb(response.Result), + Details: object_grpc.ToListDetails( + response.TotalResult, + response.Sequence, + response.Timestamp, + ), + }, nil +} + +func (s *Server) AddProjectGrantMember(ctx context.Context, req *mgmt_pb.AddProjectGrantMemberRequest) (*mgmt_pb.AddProjectGrantMemberResponse, error) { + member, err := s.command.AddProjectGrantMember(ctx, AddProjectGrantMemberRequestToDomain(req), authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.AddProjectGrantMemberResponse{ + Details: object_grpc.ToDetailsPb( + member.Sequence, + member.ChangeDate, + member.ResourceOwner, + ), + }, nil +} + +func (s *Server) UpdateProjectGrantMember(ctx context.Context, req *mgmt_pb.UpdateProjectGrantMemberRequest) (*mgmt_pb.UpdateProjectGrantMemberResponse, error) { + member, err := s.command.ChangeProjectGrantMember(ctx, UpdateProjectGrantMemberRequestToDomain(req), authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.UpdateProjectGrantMemberResponse{ + Details: object_grpc.ToDetailsPb( + member.Sequence, + member.ChangeDate, + member.ResourceOwner, + ), + }, nil +} + +func (s *Server) RemoveProjectGrantMember(ctx context.Context, req *mgmt_pb.RemoveProjectGrantMemberRequest) (*mgmt_pb.RemoveProjectGrantMemberResponse, error) { + details, err := s.command.RemoveProjectGrantMember(ctx, req.ProjectId, req.UserId, 
req.GrantId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveProjectGrantMemberResponse{ + Details: object_grpc.DomainToDetailsPb(details), + }, nil } diff --git a/internal/api/grpc/management/project_grant_converter.go b/internal/api/grpc/management/project_grant_converter.go index 10f0f9db32..d9597ebb89 100644 --- a/internal/api/grpc/management/project_grant_converter.go +++ b/internal/api/grpc/management/project_grant_converter.go 
@@ -1,189 +1,84 @@ package management import ( - "github.com/caos/logging" + member_grpc "github.com/caos/zitadel/internal/api/grpc/member" + proj_grpc "github.com/caos/zitadel/internal/api/grpc/project" "github.com/caos/zitadel/internal/domain" - "google.golang.org/protobuf/types/known/timestamppb" - - "github.com/golang/protobuf/ptypes" - "github.com/caos/zitadel/internal/eventstore/v1/models" proj_model "github.com/caos/zitadel/internal/project/model" - "github.com/caos/zitadel/pkg/grpc/management" + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" ) -func projectGrantFromDomain(grant *domain.ProjectGrant) *management.ProjectGrant { - return &management.ProjectGrant{ - Id: grant.GrantID, - State: projectGrantStateFromDomain(grant.State), - CreationDate: timestamppb.New(grant.CreationDate), - ChangeDate: timestamppb.New(grant.ChangeDate), - GrantedOrgId: grant.GrantedOrgID, - RoleKeys: grant.RoleKeys, - Sequence: grant.Sequence, - ProjectId: grant.AggregateID, - } -} - -func projectGrantFromModel(grant *proj_model.ProjectGrant) *management.ProjectGrant { - creationDate, err := ptypes.TimestampProto(grant.CreationDate) - logging.Log("GRPC-8d73s").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(grant.ChangeDate) - logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp") - - return &management.ProjectGrant{ - Id: grant.GrantID, - State: projectGrantStateFromModel(grant.State), - CreationDate: creationDate, - ChangeDate: changeDate, - GrantedOrgId: grant.GrantedOrgID, - RoleKeys: grant.RoleKeys, - Sequence: grant.Sequence, - ProjectId: grant.AggregateID, - } -} - -func projectGrantCreateToDomain(grant *management.ProjectGrantCreate) *domain.ProjectGrant { - return &domain.ProjectGrant{ - ObjectRoot: models.ObjectRoot{ - AggregateID: grant.ProjectId, - }, - GrantedOrgID: grant.GrantedOrgId, - RoleKeys: grant.RoleKeys, - } -} - -func projectGrantUpdateToDomain(grant *management.ProjectGrantUpdate) 
*domain.ProjectGrant { - return &domain.ProjectGrant{ - ObjectRoot: models.ObjectRoot{ - AggregateID: grant.ProjectId, - }, - GrantID: grant.Id, - RoleKeys: grant.RoleKeys, - } -} - -func projectGrantSearchRequestsToModel(request *management.ProjectGrantSearchRequest) *proj_model.ProjectGrantViewSearchRequest { - return &proj_model.ProjectGrantViewSearchRequest{ - Offset: request.Offset, - Limit: request.Limit, - Queries: projectGrantSearchQueriesToModel(request.ProjectId, request.Queries), - } -} - -func projectGrantSearchQueriesToModel(projectId string, queries []*management.ProjectGrantSearchQuery) []*proj_model.ProjectGrantViewSearchQuery { - converted := make([]*proj_model.ProjectGrantViewSearchQuery, 0) - converted = append(converted, &proj_model.ProjectGrantViewSearchQuery{ +func ListProjectGrantsRequestToModel(req *mgmt_pb.ListProjectGrantsRequest) (*proj_model.ProjectGrantViewSearchRequest, error) { + queries := proj_grpc.ProjectGrantQueriesToModel(req.Queries) + queries = append(queries, &proj_model.ProjectGrantViewSearchQuery{ Key: proj_model.GrantedProjectSearchKeyProjectID, Method: domain.SearchMethodEquals, - Value: projectId, + Value: req.ProjectId, }) - for i, query := range queries { - converted[i] = projectGrantSearchQueryToModel(query) - } - return converted + return &proj_model.ProjectGrantViewSearchRequest{ + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + //SortingColumn: //TODO: sorting + Queries: queries, + }, nil } -func projectGrantSearchQueryToModel(query *management.ProjectGrantSearchQuery) *proj_model.ProjectGrantViewSearchQuery { - return &proj_model.ProjectGrantViewSearchQuery{ - Key: projectGrantViewSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, +func AddProjectGrantRequestToDomain(req *mgmt_pb.AddProjectGrantRequest) *domain.ProjectGrant { + return &domain.ProjectGrant{ + ObjectRoot: models.ObjectRoot{ + AggregateID: req.ProjectId, + }, + 
GrantedOrgID: req.GrantedOrgId, + RoleKeys: req.RoleKeys, } } -func projectGrantViewSearchKeyToModel(key management.ProjectGrantSearchKey) proj_model.ProjectGrantViewSearchKey { - switch key { - case management.ProjectGrantSearchKey_PROJECTGRANTSEARCHKEY_PROJECT_NAME: - return proj_model.GrantedProjectSearchKeyProjectID - case management.ProjectGrantSearchKey_PROJECTGRANTSEARCHKEY_ROLE_KEY: - return proj_model.GrantedProjectSearchKeyRoleKeys - default: - return proj_model.GrantedProjectSearchKeyUnspecified +func UpdateProjectGrantRequestToDomain(req *mgmt_pb.UpdateProjectGrantRequest) *domain.ProjectGrant { + return &domain.ProjectGrant{ + ObjectRoot: models.ObjectRoot{ + AggregateID: req.ProjectId, + }, + GrantID: req.GrantId, + RoleKeys: req.RoleKeys, } } -func projectGrantSearchResponseFromModel(response *proj_model.ProjectGrantViewSearchResponse) *management.ProjectGrantSearchResponse { - timestamp, err := ptypes.TimestampProto(response.Timestamp) - logging.Log("GRPC-MCjs7").OnError(err).Debug("unable to parse timestamp") - return &management.ProjectGrantSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - Result: projectGrantsFromGrantedProjectModel(response.Result), - ViewTimestamp: timestamp, - ProcessedSequence: response.Sequence, +func ListProjectGrantMembersRequestToModel(req *mgmt_pb.ListProjectGrantMembersRequest) *proj_model.ProjectGrantMemberSearchRequest { + queries := member_grpc.MemberQueriesToProjectGrantMember(req.Queries) + queries = append(queries, &proj_model.ProjectGrantMemberSearchQuery{ + Key: proj_model.ProjectGrantMemberSearchKeyProjectID, + Method: domain.SearchMethodEquals, + Value: req.ProjectId, + }) + return &proj_model.ProjectGrantMemberSearchRequest{ + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + //SortingColumn: //TODO: sorting + Queries: queries, } } -func projectGrantsFromGrantedProjectModel(projects []*proj_model.ProjectGrantView) 
[]*management.ProjectGrantView { - converted := make([]*management.ProjectGrantView, len(projects)) - for i, project := range projects { - converted[i] = projectGrantFromGrantedProjectModel(project) - } - return converted -} - -func projectGrantFromGrantedProjectModel(project *proj_model.ProjectGrantView) *management.ProjectGrantView { - creationDate, err := ptypes.TimestampProto(project.CreationDate) - logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(project.ChangeDate) - logging.Log("GRPC-sope3").OnError(err).Debug("unable to parse timestamp") - - return &management.ProjectGrantView{ - ProjectId: project.ProjectID, - State: projectGrantStateFromProjectStateModel(project.State), - CreationDate: creationDate, - ChangeDate: changeDate, - ProjectName: project.Name, - Sequence: project.Sequence, - GrantedOrgId: project.OrgID, - GrantedOrgName: project.OrgName, - Id: project.GrantID, - RoleKeys: project.GrantedRoleKeys, - ResourceOwner: project.ResourceOwner, - ResourceOwnerName: project.ResourceOwnerName, +func AddProjectGrantMemberRequestToDomain(req *mgmt_pb.AddProjectGrantMemberRequest) *domain.ProjectGrantMember { + return &domain.ProjectGrantMember{ + ObjectRoot: models.ObjectRoot{ + AggregateID: req.ProjectId, + }, + GrantID: req.GrantId, + UserID: req.UserId, + Roles: req.Roles, } } -func projectGrantStateFromDomain(state domain.ProjectGrantState) management.ProjectGrantState { - switch state { - case domain.ProjectGrantStateActive: - return management.ProjectGrantState_PROJECTGRANTSTATE_ACTIVE - case domain.ProjectGrantStateInactive: - return management.ProjectGrantState_PROJECTGRANTSTATE_INACTIVE - default: - return management.ProjectGrantState_PROJECTGRANTSTATE_UNSPECIFIED +func UpdateProjectGrantMemberRequestToDomain(req *mgmt_pb.UpdateProjectGrantMemberRequest) *domain.ProjectGrantMember { + return &domain.ProjectGrantMember{ + ObjectRoot: models.ObjectRoot{ + AggregateID: req.ProjectId, 
+ }, + GrantID: req.GrantId, + UserID: req.UserId, + Roles: req.Roles, } } -func projectGrantStateFromModel(state proj_model.ProjectGrantState) management.ProjectGrantState { - switch state { - case proj_model.ProjectGrantStateActive: - return management.ProjectGrantState_PROJECTGRANTSTATE_ACTIVE - case proj_model.ProjectGrantStateInactive: - return management.ProjectGrantState_PROJECTGRANTSTATE_INACTIVE - default: - return management.ProjectGrantState_PROJECTGRANTSTATE_UNSPECIFIED - } -} - -func projectGrantStateFromProjectStateModel(state proj_model.ProjectState) management.ProjectGrantState { - switch state { - case proj_model.ProjectStateActive: - return management.ProjectGrantState_PROJECTGRANTSTATE_ACTIVE - case proj_model.ProjectStateInactive: - return management.ProjectGrantState_PROJECTGRANTSTATE_INACTIVE - default: - return management.ProjectGrantState_PROJECTGRANTSTATE_UNSPECIFIED - } -} - -func projectGrantsToIDs(projectGrants []*proj_model.ProjectGrantView) []string { - converted := make([]string, len(projectGrants)) - for i, grant := range projectGrants { - converted[i] = grant.GrantID - } - return converted -} diff --git a/internal/api/grpc/management/project_grant_member.go b/internal/api/grpc/management/project_grant_member.go deleted file mode 100644 index f676133d6d..0000000000 --- a/internal/api/grpc/management/project_grant_member.go +++ /dev/null 
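Review bot: `ListProjectGrantMembersRequestToModel` appends only the `ProjectGrantMemberSearchKeyProjectID` filter, whereas the removed `projectGrantMemberSearchRequestsToModel` also constrained the search with `ProjectGrantMemberSearchKeyGrantID`. Without that second filter, a member listing for one grant would presumably return the members of every grant on the project, exposing users from other granted organisations to the caller. If `ListProjectGrantMembersRequest` carries a grant id (its definition is not visible here), restore the constraint: `queries = append(queries, &proj_model.ProjectGrantMemberSearchQuery{Key: proj_model.ProjectGrantMemberSearchKeyGrantID, Method: domain.SearchMethodEquals, Value: req.GrantId})`. Both list converters also read `req.Query.Offset`, `.Limit` and `.Asc` directly; if `Query` is a message pointer, a request that omits it would panic in the handler, which the generated nil-safe accessors (`req.GetQuery().GetOffset()`) avoid.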
@@ -1,43 +0,0 @@ -package management - -import ( - "context" - "github.com/caos/zitadel/internal/api/authz" - - "github.com/golang/protobuf/ptypes/empty" - - "github.com/caos/zitadel/pkg/grpc/management" -) - -func (s *Server) GetProjectGrantMemberRoles(ctx context.Context, _ *empty.Empty) (*management.ProjectGrantMemberRoles, error) { - return &management.ProjectGrantMemberRoles{Roles: s.project.GetProjectGrantMemberRoles()}, nil -} - -func (s *Server) SearchProjectGrantMembers(ctx context.Context, in *management.ProjectGrantMemberSearchRequest) (*management.ProjectGrantMemberSearchResponse, error) { - response, err := s.project.SearchProjectGrantMembers(ctx, projectGrantMemberSearchRequestsToModel(in)) - if err != nil { - return nil, err - } - return projectGrantMemberSearchResponseFromModel(response), nil -} - -func (s *Server) AddProjectGrantMember(ctx context.Context, in *management.ProjectGrantMemberAdd) (*management.ProjectGrantMember, error) { - member, err := s.command.AddProjectGrantMember(ctx, projectGrantMemberAddToDomain(in), authz.GetCtxData(ctx).OrgID) - if err != nil { - return nil, err - } - return projectGrantMemberFromDomain(member), nil -} - -func (s *Server) ChangeProjectGrantMember(ctx context.Context, in *management.ProjectGrantMemberChange) (*management.ProjectGrantMember, error) { - member, err := s.command.ChangeProjectGrantMember(ctx, projectGrantMemberChangeToDomain(in), authz.GetCtxData(ctx).OrgID) - if err != nil { - return nil, err - } - return projectGrantMemberFromDomain(member), nil -} - -func (s *Server) RemoveProjectGrantMember(ctx context.Context, in *management.ProjectGrantMemberRemove) (*empty.Empty, error) { - err := s.command.RemoveProjectGrantMember(ctx, in.ProjectId, in.UserId, in.GrantId, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} 
diff --git a/internal/api/grpc/management/project_grant_member_converter.go b/internal/api/grpc/management/project_grant_member_converter.go
deleted file mode 100644
index 99db5ae4ab..0000000000
--- a/internal/api/grpc/management/project_grant_member_converter.go
+++ /dev/null
@@ -1,144 +0,0 @@ -package management - -import ( - "github.com/caos/logging" - "github.com/caos/zitadel/internal/domain" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" - - "github.com/caos/zitadel/internal/eventstore/v1/models" - proj_model "github.com/caos/zitadel/internal/project/model" - "github.com/caos/zitadel/pkg/grpc/management" -) - -func projectGrantMemberFromDomain(member *domain.ProjectGrantMember) *management.ProjectGrantMember { - return &management.ProjectGrantMember{ - CreationDate: timestamppb.New(member.CreationDate), - ChangeDate: timestamppb.New(member.ChangeDate), - Sequence: member.Sequence, - UserId: member.UserID, - Roles: member.Roles, - } -} - -func projectGrantMemberFromModel(member *proj_model.ProjectGrantMember) *management.ProjectGrantMember { - creationDate, err := ptypes.TimestampProto(member.CreationDate) - logging.Log("GRPC-7du3s").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(member.ChangeDate) - logging.Log("GRPC-8duew").OnError(err).Debug("unable to parse timestamp") - - return &management.ProjectGrantMember{ - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: member.Sequence, - UserId: member.UserID, - Roles: member.Roles, - } -} - -func projectGrantMemberAddToDomain(member *management.ProjectGrantMemberAdd) *domain.ProjectGrantMember { - return &domain.ProjectGrantMember{ - ObjectRoot: models.ObjectRoot{ - AggregateID: member.ProjectId, - }, - GrantID: member.GrantId, - UserID: member.UserId, - Roles: member.Roles, - } -} - -func projectGrantMemberChangeToDomain(member *management.ProjectGrantMemberChange) *domain.ProjectGrantMember { - return &domain.ProjectGrantMember{ - ObjectRoot: models.ObjectRoot{ - AggregateID: member.ProjectId, - }, - GrantID: member.GrantId, - UserID: member.UserId, - Roles: member.Roles, - } -} - -func projectGrantMemberSearchRequestsToModel(memberSearch 
*management.ProjectGrantMemberSearchRequest) *proj_model.ProjectGrantMemberSearchRequest { - request := &proj_model.ProjectGrantMemberSearchRequest{ - Offset: memberSearch.Offset, - Limit: memberSearch.Limit, - Queries: projectGrantMemberSearchQueriesToModel(memberSearch.Queries), - } - request.Queries = append(request.Queries, &proj_model.ProjectGrantMemberSearchQuery{Key: proj_model.ProjectGrantMemberSearchKeyProjectID, Method: domain.SearchMethodEquals, Value: memberSearch.ProjectId}) - request.Queries = append(request.Queries, &proj_model.ProjectGrantMemberSearchQuery{Key: proj_model.ProjectGrantMemberSearchKeyGrantID, Method: domain.SearchMethodEquals, Value: memberSearch.GrantId}) - return request -} - -func projectGrantMemberSearchQueriesToModel(queries []*management.ProjectGrantMemberSearchQuery) []*proj_model.ProjectGrantMemberSearchQuery { - converted := make([]*proj_model.ProjectGrantMemberSearchQuery, len(queries)) - for i, q := range queries { - converted[i] = projectGrantMemberSearchQueryToModel(q) - } - return converted -} - -func projectGrantMemberSearchQueryToModel(query *management.ProjectGrantMemberSearchQuery) *proj_model.ProjectGrantMemberSearchQuery { - return &proj_model.ProjectGrantMemberSearchQuery{ - Key: projectGrantMemberSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func projectGrantMemberSearchKeyToModel(key management.ProjectGrantMemberSearchKey) proj_model.ProjectGrantMemberSearchKey { - switch key { - case management.ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_EMAIL: - return proj_model.ProjectGrantMemberSearchKeyEmail - case management.ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_FIRST_NAME: - return proj_model.ProjectGrantMemberSearchKeyFirstName - case management.ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_LAST_NAME: - return proj_model.ProjectGrantMemberSearchKeyLastName - case 
management.ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_USER_NAME: - return proj_model.ProjectGrantMemberSearchKeyUserName - default: - return proj_model.ProjectGrantMemberSearchKeyUnspecified - } -} - -func projectGrantMemberSearchResponseFromModel(response *proj_model.ProjectGrantMemberSearchResponse) *management.ProjectGrantMemberSearchResponse { - timestamp, err := ptypes.TimestampProto(response.Timestamp) - logging.Log("GRPC-MSn6g").OnError(err).Debug("unable to parse timestamp") - return &management.ProjectGrantMemberSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - Result: projectGrantMemberViewsFromModel(response.Result), - ProcessedSequence: response.Sequence, - ViewTimestamp: timestamp, - } -} - -func projectGrantMemberViewsFromModel(roles []*proj_model.ProjectGrantMemberView) []*management.ProjectGrantMemberView { - converted := make([]*management.ProjectGrantMemberView, len(roles)) - for i, role := range roles { - converted[i] = projectGrantMemberViewFromModel(role) - } - return converted -} - -func projectGrantMemberViewFromModel(member *proj_model.ProjectGrantMemberView) *management.ProjectGrantMemberView { - creationDate, err := ptypes.TimestampProto(member.CreationDate) - logging.Log("GRPC-los93").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(member.ChangeDate) - logging.Log("GRPC-ski4e").OnError(err).Debug("unable to parse timestamp") - - return &management.ProjectGrantMemberView{ - UserId: member.UserID, - UserName: member.UserName, - Email: member.Email, - FirstName: member.FirstName, - LastName: member.LastName, - DisplayName: member.DisplayName, - Roles: member.Roles, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: member.Sequence, - } -} diff --git a/internal/api/grpc/management/project_member.go b/internal/api/grpc/management/project_member.go deleted file mode 100644 index c3a83b53b3..0000000000 
--- a/internal/api/grpc/management/project_member.go +++ /dev/null @@ -1,49 +0,0 @@ -package management - -import ( - "context" - "github.com/caos/zitadel/internal/api/authz" - - "github.com/golang/protobuf/ptypes/empty" - - "github.com/caos/zitadel/pkg/grpc/management" -) - -func (s *Server) GetProjectMemberRoles(ctx context.Context, _ *empty.Empty) (*management.ProjectMemberRoles, error) { - roles, err := s.project.GetProjectMemberRoles(ctx) - if err != nil { - return nil, err - } - return &management.ProjectMemberRoles{Roles: roles}, nil -} - -func (s *Server) SearchProjectMembers(ctx context.Context, in *management.ProjectMemberSearchRequest) (*management.ProjectMemberSearchResponse, error) { - request := projectMemberSearchRequestsToModel(in) - request.AppendProjectQuery(in.ProjectId) - response, err := s.project.SearchProjectMembers(ctx, request) - if err != nil { - return nil, err - } - return projectMemberSearchResponseFromModel(response), nil -} - -func (s *Server) AddProjectMember(ctx context.Context, in *management.ProjectMemberAdd) (*management.ProjectMember, error) { - member, err := s.command.AddProjectMember(ctx, projectMemberAddToDomain(in), authz.GetCtxData(ctx).OrgID) - if err != nil { - return nil, err - } - return projectMemberFromDomain(member), nil -} - -func (s *Server) ChangeProjectMember(ctx context.Context, in *management.ProjectMemberChange) (*management.ProjectMember, error) { - member, err := s.command.ChangeProjectMember(ctx, projectMemberChangeToDomain(in), authz.GetCtxData(ctx).OrgID) - if err != nil { - return nil, err - } - return projectMemberFromDomain(member), nil -} - -func (s *Server) RemoveProjectMember(ctx context.Context, in *management.ProjectMemberRemove) (*empty.Empty, error) { - err := s.command.RemoveProjectMember(ctx, in.Id, in.UserId, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} 
diff --git a/internal/api/grpc/management/project_member_converter.go b/internal/api/grpc/management/project_member_converter.go
deleted file mode 100644
index 0b610669a0..0000000000
--- a/internal/api/grpc/management/project_member_converter.go
+++ /dev/null
@@ -1,123 +0,0 @@ -package management - -import ( - "github.com/caos/logging" - "github.com/caos/zitadel/internal/domain" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" - - "github.com/caos/zitadel/internal/eventstore/v1/models" - proj_model "github.com/caos/zitadel/internal/project/model" - "github.com/caos/zitadel/pkg/grpc/management" -) - -func projectMemberFromDomain(member *domain.Member) *management.ProjectMember { - return &management.ProjectMember{ - CreationDate: timestamppb.New(member.CreationDate), - ChangeDate: timestamppb.New(member.ChangeDate), - Sequence: member.Sequence, - UserId: member.UserID, - Roles: member.Roles, - } -} - -func projectMemberAddToDomain(member *management.ProjectMemberAdd) *domain.Member { - return &domain.Member{ - ObjectRoot: models.ObjectRoot{ - AggregateID: member.Id, - }, - UserID: member.UserId, - Roles: member.Roles, - } -} - -func projectMemberChangeToDomain(member *management.ProjectMemberChange) *domain.Member { - return &domain.Member{ - ObjectRoot: models.ObjectRoot{ - AggregateID: member.Id, - }, - UserID: member.UserId, - Roles: member.Roles, - } -} - -func projectMemberSearchRequestsToModel(member *management.ProjectMemberSearchRequest) *proj_model.ProjectMemberSearchRequest { - return &proj_model.ProjectMemberSearchRequest{ - Offset: member.Offset, - Limit: member.Limit, - Queries: projectMemberSearchQueriesToModel(member.Queries), - } -} - -func projectMemberSearchQueriesToModel(queries []*management.ProjectMemberSearchQuery) []*proj_model.ProjectMemberSearchQuery { - converted := make([]*proj_model.ProjectMemberSearchQuery, len(queries)) - for i, q := range queries { - converted[i] = projectMemberSearchQueryToModel(q) - } - return converted -} - -func projectMemberSearchQueryToModel(query *management.ProjectMemberSearchQuery) *proj_model.ProjectMemberSearchQuery { - return &proj_model.ProjectMemberSearchQuery{ - Key: projectMemberSearchKeyToModel(query.Key), - 
Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func projectMemberSearchKeyToModel(key management.ProjectMemberSearchKey) proj_model.ProjectMemberSearchKey { - switch key { - case management.ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_EMAIL: - return proj_model.ProjectMemberSearchKeyEmail - case management.ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_FIRST_NAME: - return proj_model.ProjectMemberSearchKeyFirstName - case management.ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_LAST_NAME: - return proj_model.ProjectMemberSearchKeyLastName - case management.ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_USER_NAME: - return proj_model.ProjectMemberSearchKeyUserName - default: - return proj_model.ProjectMemberSearchKeyUnspecified - } -} - -func projectMemberSearchResponseFromModel(response *proj_model.ProjectMemberSearchResponse) *management.ProjectMemberSearchResponse { - timestamp, err := ptypes.TimestampProto(response.Timestamp) - logging.Log("GRPC-LSo9j").OnError(err).Debug("unable to parse timestamp") - return &management.ProjectMemberSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - Result: projectMemberViewsFromModel(response.Result), - ViewTimestamp: timestamp, - ProcessedSequence: response.Sequence, - } -} - -func projectMemberViewsFromModel(members []*proj_model.ProjectMemberView) []*management.ProjectMemberView { - converted := make([]*management.ProjectMemberView, len(members)) - for i, member := range members { - converted[i] = projectMemberViewFromModel(member) - } - return converted -} - -func projectMemberViewFromModel(member *proj_model.ProjectMemberView) *management.ProjectMemberView { - creationDate, err := ptypes.TimestampProto(member.CreationDate) - logging.Log("GRPC-sl9cs").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(member.ChangeDate) - logging.Log("GRPC-8iw2d").OnError(err).Debug("unable to parse timestamp") - - 
return &management.ProjectMemberView{ - UserId: member.UserID, - UserName: member.UserName, - Email: member.Email, - FirstName: member.FirstName, - LastName: member.LastName, - DisplayName: member.DisplayName, - Roles: member.Roles, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: member.Sequence, - } -} diff --git a/internal/api/grpc/management/replacer.md b/internal/api/grpc/management/replacer.md new file mode 100644 index 0000000000..66c6c19254 --- /dev/null +++ b/internal/api/grpc/management/replacer.md @@ -0,0 +1 @@ +` | sed -e "s/UnimplementedManagementServiceServer/s *Server/" -e "s/(context.Context, \*/(ctx context.Context, req *mgmt_pb./" -e "s/) (\*/) (*mgmt_pb./" -e "s/return .*/ return nil,nil/"` \ No newline at end of file diff --git a/internal/api/grpc/management/search_converter.go b/internal/api/grpc/management/search_converter.go deleted file mode 100644 index 217b1b149f..0000000000 --- a/internal/api/grpc/management/search_converter.go +++ /dev/null 
@@ -1,31 +0,0 @@ -package management - -import ( - "github.com/caos/zitadel/internal/domain" - "github.com/caos/zitadel/pkg/grpc/management" -) - -func searchMethodToModel(method management.SearchMethod) domain.SearchMethod { - switch method { - case management.SearchMethod_SEARCHMETHOD_EQUALS: - return domain.SearchMethodEquals - case management.SearchMethod_SEARCHMETHOD_CONTAINS: - return domain.SearchMethodContains - case management.SearchMethod_SEARCHMETHOD_STARTS_WITH: - return domain.SearchMethodStartsWith - case management.SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE: - return domain.SearchMethodEqualsIgnoreCase - case management.SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE: - return domain.SearchMethodContainsIgnoreCase - case management.SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE: - return domain.SearchMethodStartsWithIgnoreCase - case management.SearchMethod_SEARCHMETHOD_NOT_EQUALS: - return domain.SearchMethodNotEquals - case management.SearchMethod_SEARCHMETHOD_IS_ONE_OF: - return domain.SearchMethodIsOneOf - case management.SearchMethod_SEARCHMETHOD_LIST_CONTAINS: - return domain.SearchMethodListContains - default: - return domain.SearchMethodEquals - } -} diff --git a/internal/api/grpc/management/server.go b/internal/api/grpc/management/server.go index f2001d5bce..c628f12f5d 100644 --- a/internal/api/grpc/management/server.go +++ b/internal/api/grpc/management/server.go 
@@ -1,16 +1,15 @@ package management import ( - "github.com/caos/zitadel/internal/command" - "github.com/caos/zitadel/internal/query" - "google.golang.org/grpc" - "github.com/caos/zitadel/internal/api/authz" "github.com/caos/zitadel/internal/api/grpc/server" + "github.com/caos/zitadel/internal/command" "github.com/caos/zitadel/internal/config/systemdefaults" "github.com/caos/zitadel/internal/management/repository" "github.com/caos/zitadel/internal/management/repository/eventsourcing" + "github.com/caos/zitadel/internal/query" "github.com/caos/zitadel/pkg/grpc/management" + "google.golang.org/grpc" ) const ( @@ -20,6 +19,7 @@ const ( var _ management.ManagementServiceServer = (*Server)(nil) type Server struct { + management.UnimplementedManagementServiceServer command *command.Commands query *query.Queries project repository.ProjectRepository diff --git a/internal/api/grpc/management/user.go b/internal/api/grpc/management/user.go index fc74160e6c..880ee27071 100644 --- a/internal/api/grpc/management/user.go +++ b/internal/api/grpc/management/user.go 
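Review bot: Embedding `management.UnimplementedManagementServiceServer` in `Server` (second hunk) makes the existing `var _ management.ManagementServiceServer = (*Server)(nil)` assertion pass whichever handlers exist. An RPC that this commit renamed but did not port therefore still compiles and is answered by the embedded stub at runtime. This API includes deactivate and remove calls on grants and members, so a silently missing handler is worth catching before release, for example with a test that checks each service method is declared on `*Server` itself. At minimum the field deserves a comment: `// Embedded for forward compatibility; RPCs without an explicit method on Server fall through to the generated stub.` The struct's remaining fields continue outside the hunk.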
@@ -3,249 +3,481 @@ package management import ( "context" - "github.com/golang/protobuf/ptypes/empty" - "github.com/caos/zitadel/internal/api/authz" - "github.com/caos/zitadel/pkg/grpc/management" + "github.com/caos/zitadel/internal/api/grpc/authn" + change_grpc "github.com/caos/zitadel/internal/api/grpc/change" + idp_grpc "github.com/caos/zitadel/internal/api/grpc/idp" + "github.com/caos/zitadel/internal/api/grpc/object" + obj_grpc "github.com/caos/zitadel/internal/api/grpc/object" + "github.com/caos/zitadel/internal/api/grpc/user" + user_grpc "github.com/caos/zitadel/internal/api/grpc/user" + grant_model "github.com/caos/zitadel/internal/usergrant/model" + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" ) -func (s *Server) GetUserByID(ctx context.Context, id *management.UserID) (*management.UserView, error) { - user, err := s.user.UserByID(ctx, id.Id) +func (s *Server) GetUserByID(ctx context.Context, req *mgmt_pb.GetUserByIDRequest) (*mgmt_pb.GetUserByIDResponse, error) { + user, err := s.user.UserByID(ctx, req.Id) if err != nil { return nil, err } - return userViewFromModel(user), nil + return &mgmt_pb.GetUserByIDResponse{ + User: user_grpc.UserToPb(user), + }, nil } -func (s *Server) GetUserByLoginNameGlobal(ctx context.Context, loginName *management.LoginName) (*management.UserView, error) { - user, err := s.user.GetUserByLoginNameGlobal(ctx, loginName.LoginName) +func (s *Server) GetUserByLoginNameGlobal(ctx context.Context, req *mgmt_pb.GetUserByLoginNameGlobalRequest) (*mgmt_pb.GetUserByLoginNameGlobalResponse, error) { + user, err := s.user.GetUserByLoginNameGlobal(ctx, req.LoginName) if err != nil { return nil, err } - return userViewFromModel(user), nil + return &mgmt_pb.GetUserByLoginNameGlobalResponse{ + User: user_grpc.UserToPb(user), + }, nil } -func (s *Server) SearchUsers(ctx context.Context, in *management.UserSearchRequest) (*management.UserSearchResponse, error) { - request := userSearchRequestsToModel(in) - 
request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID) - response, err := s.user.SearchUsers(ctx, request) +func (s *Server) ListUsers(ctx context.Context, req *mgmt_pb.ListUsersRequest) (*mgmt_pb.ListUsersResponse, error) { + r := ListUsersRequestToModel(ctx, req) + res, err := s.user.SearchUsers(ctx, r) if err != nil { return nil, err } - return userSearchResponseFromModel(response), nil + return &mgmt_pb.ListUsersResponse{ + Result: user_grpc.UsersToPb(res.Result), + Details: obj_grpc.ToListDetails( + res.TotalResult, + res.Sequence, + res.Timestamp, + ), + }, nil } -func (s *Server) UserChanges(ctx context.Context, changesRequest *management.ChangeRequest) (*management.Changes, error) { - response, err := s.user.UserChanges(ctx, changesRequest.Id, changesRequest.SequenceOffset, changesRequest.Limit, changesRequest.Asc) +func (s *Server) ListUserChanges(ctx context.Context, req *mgmt_pb.ListUserChangesRequest) (*mgmt_pb.ListUserChangesResponse, error) { + res, err := s.user.UserChanges(ctx, req.UserId, req.Query.Offset, uint64(req.Query.Limit), req.Query.Asc) if err != nil { return nil, err } - return userChangesToResponse(response, changesRequest.GetSequenceOffset(), changesRequest.GetLimit()), nil + return &mgmt_pb.ListUserChangesResponse{ + Result: change_grpc.UserChangesToPb(res.Changes), + }, nil } -func (s *Server) IsUserUnique(ctx context.Context, request *management.UniqueUserRequest) (*management.UniqueUserResponse, error) { - unique, err := s.user.IsUserUnique(ctx, request.UserName, request.Email) +func (s *Server) IsUserUnique(ctx context.Context, req *mgmt_pb.IsUserUniqueRequest) (*mgmt_pb.IsUserUniqueResponse, error) { + unique, err := s.user.IsUserUnique(ctx, req.UserName, req.Email) if err != nil { return nil, err } - return &management.UniqueUserResponse{IsUnique: unique}, nil + return &mgmt_pb.IsUserUniqueResponse{ + IsUnique: unique, + }, nil } -func (s *Server) CreateUser(ctx context.Context, in *management.CreateUserRequest) 
(*management.UserResponse, error) { - human, machine := userCreateToDomain(in) - if human != nil { - h, err := s.command.AddHuman(ctx, authz.GetCtxData(ctx).OrgID, human) - if err != nil { - return nil, err - } - return userHumanFromDomain(h), nil - } - m, err := s.command.AddMachine(ctx, authz.GetCtxData(ctx).OrgID, machine) +func (s *Server) AddHumanUser(ctx context.Context, req *mgmt_pb.AddHumanUserRequest) (*mgmt_pb.AddHumanUserResponse, error) { + human, err := s.command.AddHuman(ctx, authz.GetCtxData(ctx).OrgID, AddHumanUserRequestToDomain(req)) if err != nil { return nil, err } - return userMachineFromDomain(m), nil + return &mgmt_pb.AddHumanUserResponse{ + UserId: human.AggregateID, + Details: obj_grpc.ToDetailsPb( + human.Sequence, + human.ChangeDate, + human.ResourceOwner, + ), + }, nil } -func (s *Server) DeactivateUser(ctx context.Context, in *management.UserID) (*empty.Empty, error) { - err := s.command.DeactivateUser(ctx, in.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) ReactivateUser(ctx context.Context, in *management.UserID) (*empty.Empty, error) { - err := s.command.ReactivateUser(ctx, in.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) LockUser(ctx context.Context, in *management.UserID) (*empty.Empty, error) { - err := s.command.LockUser(ctx, in.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) UnlockUser(ctx context.Context, in *management.UserID) (*empty.Empty, error) { - err := s.command.UnlockUser(ctx, in.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) DeleteUser(ctx context.Context, in *management.UserID) (*empty.Empty, error) { - grants, err := s.usergrant.UserGrantsByUserID(ctx, in.Id) - if err != nil { - return &empty.Empty{}, err - } - err = s.command.RemoveUser(ctx, in.Id, authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants)...) 
- return &empty.Empty{}, err -} - -func (s *Server) UpdateUserMachine(ctx context.Context, in *management.UpdateMachineRequest) (*management.MachineResponse, error) { - machine, err := s.command.ChangeMachine(ctx, updateMachineToDomain(authz.GetCtxData(ctx), in)) +func (s *Server) AddMachineUser(ctx context.Context, req *mgmt_pb.AddMachineUserRequest) (*mgmt_pb.AddMachineUserResponse, error) { + machine, err := s.command.AddMachine(ctx, authz.GetCtxData(ctx).OrgID, AddMachineUserRequestToDomain(req)) if err != nil { return nil, err } - return machineFromDomain(machine), nil + return &mgmt_pb.AddMachineUserResponse{ + UserId: machine.AggregateID, + Details: obj_grpc.ToDetailsPb( + machine.Sequence, + machine.ChangeDate, + machine.ResourceOwner, + ), + }, nil } -func (s *Server) GetUserProfile(ctx context.Context, in *management.UserID) (*management.UserProfileView, error) { - profile, err := s.user.ProfileByID(ctx, in.Id) +func (s *Server) DeactivateUser(ctx context.Context, req *mgmt_pb.DeactivateUserRequest) (*mgmt_pb.DeactivateUserResponse, error) { + objectDetails, err := s.command.DeactivateUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } - return profileViewFromModel(profile), nil + return &mgmt_pb.DeactivateUserResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil } -func (s *Server) ChangeUserUserName(ctx context.Context, request *management.UpdateUserUserNameRequest) (*empty.Empty, error) { - return &empty.Empty{}, s.command.ChangeUsername(ctx, authz.GetCtxData(ctx).OrgID, request.Id, request.UserName) -} - -func (s *Server) UpdateUserProfile(ctx context.Context, request *management.UpdateUserProfileRequest) (*management.UserProfile, error) { - profile, err := s.command.ChangeHumanProfile(ctx, updateProfileToDomain(request)) +func (s *Server) ReactivateUser(ctx context.Context, req *mgmt_pb.ReactivateUserRequest) (*mgmt_pb.ReactivateUserResponse, error) { + objectDetails, err := 
s.command.ReactivateUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } - return profileFromDomain(profile), nil + return &mgmt_pb.ReactivateUserResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil } -func (s *Server) GetUserEmail(ctx context.Context, in *management.UserID) (*management.UserEmailView, error) { - email, err := s.user.EmailByID(ctx, in.Id) +func (s *Server) LockUser(ctx context.Context, req *mgmt_pb.LockUserRequest) (*mgmt_pb.LockUserResponse, error) { + objectDetails, err := s.command.LockUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } - return emailViewFromModel(email), nil + return &mgmt_pb.LockUserResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil } -func (s *Server) ChangeUserEmail(ctx context.Context, request *management.UpdateUserEmailRequest) (*management.UserEmail, error) { - email, err := s.command.ChangeHumanEmail(ctx, updateEmailToDomain(request)) +func (s *Server) UnlockUser(ctx context.Context, req *mgmt_pb.UnlockUserRequest) (*mgmt_pb.UnlockUserResponse, error) { + objectDetails, err := s.command.UnlockUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } - return emailFromDomain(email), nil + return &mgmt_pb.UnlockUserResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil } -func (s *Server) ResendEmailVerificationMail(ctx context.Context, in *management.UserID) (*empty.Empty, error) { - err := s.command.CreateHumanEmailVerificationCode(ctx, in.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) GetUserPhone(ctx context.Context, in *management.UserID) (*management.UserPhoneView, error) { - phone, err := s.user.PhoneByID(ctx, in.Id) +func (s *Server) RemoveUser(ctx context.Context, req *mgmt_pb.RemoveUserRequest) (*mgmt_pb.RemoveUserResponse, error) { + grants, err := s.usergrant.UserGrantsByUserID(ctx, req.Id) if err != nil { return nil, err } - return 
phoneViewFromModel(phone), nil -} - -func (s *Server) ChangeUserPhone(ctx context.Context, request *management.UpdateUserPhoneRequest) (*management.UserPhone, error) { - phone, err := s.command.ChangeHumanPhone(ctx, updatePhoneToDomain(request)) + objectDetails, err := s.command.RemoveUser(ctx, req.Id, authz.GetCtxData(ctx).OrgID, userGrantsToIDs(grants)...) if err != nil { return nil, err } - return phoneFromDomain(phone), nil + return &mgmt_pb.RemoveUserResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil } -func (s *Server) RemoveUserPhone(ctx context.Context, userID *management.UserID) (*empty.Empty, error) { - err := s.command.RemoveHumanPhone(ctx, userID.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err +func userGrantsToIDs(userGrants []*grant_model.UserGrantView) []string { + converted := make([]string, len(userGrants)) + for i, grant := range userGrants { + converted[i] = grant.ID + } + return converted } -func (s *Server) ResendPhoneVerificationCode(ctx context.Context, in *management.UserID) (*empty.Empty, error) { - err := s.command.CreateHumanPhoneVerificationCode(ctx, in.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) GetUserAddress(ctx context.Context, in *management.UserID) (*management.UserAddressView, error) { - address, err := s.user.AddressByID(ctx, in.Id) +func (s *Server) UpdateUserName(ctx context.Context, req *mgmt_pb.UpdateUserNameRequest) (*mgmt_pb.UpdateUserNameResponse, error) { + objectDetails, err := s.command.ChangeUsername(ctx, authz.GetCtxData(ctx).OrgID, req.UserId, req.UserName) if err != nil { return nil, err } - return addressViewFromModel(address), nil + return &mgmt_pb.UpdateUserNameResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil } -func (s *Server) UpdateUserAddress(ctx context.Context, request *management.UpdateUserAddressRequest) (*management.UserAddress, error) { - address, err := s.command.ChangeHumanAddress(ctx, 
updateAddressToDomain(authz.GetCtxData(ctx), request)) +func (s *Server) GetHumanProfile(ctx context.Context, req *mgmt_pb.GetHumanProfileRequest) (*mgmt_pb.GetHumanProfileResponse, error) { + profile, err := s.user.ProfileByID(ctx, req.UserId) if err != nil { return nil, err } - return addressFromDomain(address), nil + return &mgmt_pb.GetHumanProfileResponse{ + Profile: user_grpc.ProfileToPb(profile), + Details: obj_grpc.ToDetailsPb( + profile.Sequence, + profile.ChangeDate, + profile.ResourceOwner, + ), + }, nil } -func (s *Server) SendSetPasswordNotification(ctx context.Context, request *management.SetPasswordNotificationRequest) (*empty.Empty, error) { - err := s.command.RequestSetPassword(ctx, request.Id, authz.GetCtxData(ctx).OrgID, notifyTypeToDomain(request.Type)) - return &empty.Empty{}, err -} - -func (s *Server) SetInitialPassword(ctx context.Context, request *management.PasswordRequest) (*empty.Empty, error) { - return &empty.Empty{}, s.command.SetOneTimePassword(ctx, authz.GetCtxData(ctx).OrgID, request.Id, request.Password) -} - -func (s *Server) ResendInitialMail(ctx context.Context, request *management.InitialMailRequest) (*empty.Empty, error) { - return &empty.Empty{}, s.command.ResendInitialMail(ctx, request.Id, request.Email, authz.GetCtxData(ctx).OrgID) -} - -func (s *Server) SearchUserExternalIDPs(ctx context.Context, request *management.ExternalIDPSearchRequest) (*management.ExternalIDPSearchResponse, error) { - externalIDP, err := s.user.SearchExternalIDPs(ctx, externalIDPSearchRequestToModel(request)) +func (s *Server) UpdateHumanProfile(ctx context.Context, req *mgmt_pb.UpdateHumanProfileRequest) (*mgmt_pb.UpdateHumanProfileResponse, error) { + profile, err := s.command.ChangeHumanProfile(ctx, UpdateHumanProfileRequestToDomain(req)) if err != nil { return nil, err } - return externalIDPSearchResponseFromModel(externalIDP), nil + return &mgmt_pb.UpdateHumanProfileResponse{ + Details: obj_grpc.ToDetailsPb( + profile.Sequence, + 
profile.ChangeDate, + profile.ResourceOwner, + ), + }, nil } -func (s *Server) RemoveExternalIDP(ctx context.Context, request *management.ExternalIDPRemoveRequest) (*empty.Empty, error) { - return &empty.Empty{}, s.command.RemoveHumanExternalIDP(ctx, externalIDPRemoveToDomain(authz.GetCtxData(ctx), request)) -} - -func (s *Server) GetUserMfas(ctx context.Context, userID *management.UserID) (*management.UserMultiFactors, error) { - mfas, err := s.user.UserMFAs(ctx, userID.Id) +func (s *Server) GetHumanEmail(ctx context.Context, req *mgmt_pb.GetHumanEmailRequest) (*mgmt_pb.GetHumanEmailResponse, error) { + email, err := s.user.EmailByID(ctx, req.UserId) if err != nil { return nil, err } - return &management.UserMultiFactors{Mfas: mfasFromModel(mfas)}, nil + return &mgmt_pb.GetHumanEmailResponse{ + Email: user_grpc.EmailToPb(email), + Details: obj_grpc.ToDetailsPb( + email.Sequence, + email.ChangeDate, + email.ResourceOwner, + ), + }, nil } -func (s *Server) RemoveMfaOTP(ctx context.Context, userID *management.UserID) (*empty.Empty, error) { - return &empty.Empty{}, s.command.HumanRemoveOTP(ctx, userID.Id, authz.GetCtxData(ctx).OrgID) -} - -func (s *Server) RemoveMfaU2F(ctx context.Context, webAuthNTokenID *management.WebAuthNTokenID) (*empty.Empty, error) { - return &empty.Empty{}, s.command.HumanRemoveU2F(ctx, webAuthNTokenID.UserId, webAuthNTokenID.Id, authz.GetCtxData(ctx).OrgID) -} - -func (s *Server) GetPasswordless(ctx context.Context, userID *management.UserID) (_ *management.WebAuthNTokens, err error) { - tokens, err := s.user.GetPasswordless(ctx, userID.Id) +func (s *Server) UpdateHumanEmail(ctx context.Context, req *mgmt_pb.UpdateHumanEmailRequest) (*mgmt_pb.UpdateHumanEmailResponse, error) { + email, err := s.command.ChangeHumanEmail(ctx, UpdateHumanEmailRequestToDomain(req)) if err != nil { return nil, err } - return webAuthNTokensFromModel(tokens), err + return &mgmt_pb.UpdateHumanEmailResponse{ + Details: obj_grpc.ToDetailsPb( + email.Sequence, + 
email.ChangeDate, + email.ResourceOwner, + ), + }, nil } -func (s *Server) RemovePasswordless(ctx context.Context, id *management.WebAuthNTokenID) (*empty.Empty, error) { - return &empty.Empty{}, s.command.HumanRemovePasswordless(ctx, id.UserId, id.Id, authz.GetCtxData(ctx).OrgID) +func (s *Server) ResendHumanInitialization(ctx context.Context, req *mgmt_pb.ResendHumanInitializationRequest) (*mgmt_pb.ResendHumanInitializationResponse, error) { + details, err := s.command.ResendInitialMail(ctx, req.UserId, req.Email, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.ResendHumanInitializationResponse{ + Details: obj_grpc.DomainToDetailsPb(details), + }, nil } -func (s *Server) SearchUserMemberships(ctx context.Context, in *management.UserMembershipSearchRequest) (*management.UserMembershipSearchResponse, error) { - request := userMembershipSearchRequestsToModel(in) - request.AppendUserIDQuery(in.UserId) +func (s *Server) ResendHumanEmailVerification(ctx context.Context, req *mgmt_pb.ResendHumanEmailVerificationRequest) (*mgmt_pb.ResendHumanEmailVerificationResponse, error) { + objectDetails, err := s.command.CreateHumanEmailVerificationCode(ctx, req.UserId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.ResendHumanEmailVerificationResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) GetHumanPhone(ctx context.Context, req *mgmt_pb.GetHumanPhoneRequest) (*mgmt_pb.GetHumanPhoneResponse, error) { + phone, err := s.user.PhoneByID(ctx, req.UserId) + if err != nil { + return nil, err + } + return &mgmt_pb.GetHumanPhoneResponse{ + Phone: user_grpc.PhoneToPb(phone), + Details: obj_grpc.ToDetailsPb( + phone.Sequence, + phone.ChangeDate, + phone.ResourceOwner, + ), + }, nil +} + +func (s *Server) UpdateHumanPhone(ctx context.Context, req *mgmt_pb.UpdateHumanPhoneRequest) (*mgmt_pb.UpdateHumanPhoneResponse, error) { + phone, err := 
s.command.ChangeHumanPhone(ctx, UpdateHumanPhoneRequestToDomain(req)) + if err != nil { + return nil, err + } + return &mgmt_pb.UpdateHumanPhoneResponse{ + Details: obj_grpc.ToDetailsPb( + phone.Sequence, + phone.ChangeDate, + phone.ResourceOwner, + ), + }, nil +} + +func (s *Server) RemoveHumanPhone(ctx context.Context, req *mgmt_pb.RemoveHumanPhoneRequest) (*mgmt_pb.RemoveHumanPhoneResponse, error) { + objectDetails, err := s.command.RemoveHumanPhone(ctx, req.UserId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveHumanPhoneResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) ResendHumanPhoneVerification(ctx context.Context, req *mgmt_pb.ResendHumanPhoneVerificationRequest) (*mgmt_pb.ResendHumanPhoneVerificationResponse, error) { + objectDetails, err := s.command.CreateHumanPhoneVerificationCode(ctx, req.UserId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.ResendHumanPhoneVerificationResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) SetHumanInitialPassword(ctx context.Context, req *mgmt_pb.SetHumanInitialPasswordRequest) (*mgmt_pb.SetHumanInitialPasswordResponse, error) { + objectDetails, err := s.command.SetOneTimePassword(ctx, authz.GetCtxData(ctx).OrgID, req.UserId, req.Password) + if err != nil { + return nil, err + } + return &mgmt_pb.SetHumanInitialPasswordResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) SendHumanResetPasswordNotification(ctx context.Context, req *mgmt_pb.SendHumanResetPasswordNotificationRequest) (*mgmt_pb.SendHumanResetPasswordNotificationResponse, error) { + objectDetails, err := s.command.RequestSetPassword(ctx, req.UserId, authz.GetCtxData(ctx).OrgID, notifyTypeToDomain(req.Type)) + if err != nil { + return nil, err + } + return &mgmt_pb.SendHumanResetPasswordNotificationResponse{ + Details: 
obj_grpc.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) ListHumanAuthFactors(ctx context.Context, req *mgmt_pb.ListHumanAuthFactorsRequest) (*mgmt_pb.ListHumanAuthFactorsResponse, error) { + mfas, err := s.user.UserMFAs(ctx, req.UserId) + if err != nil { + return nil, err + } + return &mgmt_pb.ListHumanAuthFactorsResponse{ + Result: user_grpc.AuthFactorsToPb(mfas), + }, nil +} + +func (s *Server) RemoveHumanAuthFactorOTP(ctx context.Context, req *mgmt_pb.RemoveHumanAuthFactorOTPRequest) (*mgmt_pb.RemoveHumanAuthFactorOTPResponse, error) { + objectDetails, err := s.command.HumanRemoveOTP(ctx, req.UserId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveHumanAuthFactorOTPResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) RemoveHumanAuthFactorU2F(ctx context.Context, req *mgmt_pb.RemoveHumanAuthFactorU2FRequest) (*mgmt_pb.RemoveHumanAuthFactorU2FResponse, error) { + objectDetails, err := s.command.HumanRemoveU2F(ctx, req.UserId, req.TokenId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveHumanAuthFactorU2FResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) ListHumanPasswordless(ctx context.Context, req *mgmt_pb.ListHumanPasswordlessRequest) (*mgmt_pb.ListHumanPasswordlessResponse, error) { + tokens, err := s.user.GetPasswordless(ctx, req.UserId) + if err != nil { + return nil, err + } + return &mgmt_pb.ListHumanPasswordlessResponse{ + Result: user.WebAuthNTokensViewToPb(tokens), + }, nil +} + +func (s *Server) RemoveHumanPasswordless(ctx context.Context, req *mgmt_pb.RemoveHumanPasswordlessRequest) (*mgmt_pb.RemoveHumanPasswordlessResponse, error) { + objectDetails, err := s.command.HumanRemovePasswordless(ctx, req.UserId, req.TokenId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveHumanPasswordlessResponse{ + Details: 
obj_grpc.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) UpdateMachine(ctx context.Context, req *mgmt_pb.UpdateMachineRequest) (*mgmt_pb.UpdateMachineResponse, error) { + machine, err := s.command.ChangeMachine(ctx, UpdateMachineRequestToDomain(ctx, req)) + if err != nil { + return nil, err + } + return &mgmt_pb.UpdateMachineResponse{ + Details: obj_grpc.ToDetailsPb( + machine.Sequence, + machine.ChangeDate, + machine.ResourceOwner, + ), + }, nil +} + +func (s *Server) GetMachineKeyByIDs(ctx context.Context, req *mgmt_pb.GetMachineKeyByIDsRequest) (*mgmt_pb.GetMachineKeyByIDsResponse, error) { + key, err := s.user.GetMachineKey(ctx, req.UserId, req.KeyId) + if err != nil { + return nil, err + } + return &mgmt_pb.GetMachineKeyByIDsResponse{ + Key: authn.KeyToPb(key), + }, nil +} + +func (s *Server) ListMachineKeys(ctx context.Context, req *mgmt_pb.ListMachineKeysRequest) (*mgmt_pb.ListMachineKeysResponse, error) { + result, err := s.user.SearchMachineKeys(ctx, ListMachineKeysRequestToModel(req)) + if err != nil { + return nil, err + } + return &mgmt_pb.ListMachineKeysResponse{ + Result: authn.KeyViewsToPb(result.Result), + Details: obj_grpc.ToListDetails( + result.TotalResult, + result.Sequence, + result.Timestamp, + ), + }, nil +} + +func (s *Server) AddMachineKey(ctx context.Context, req *mgmt_pb.AddMachineKeyRequest) (*mgmt_pb.AddMachineKeyResponse, error) { + key, err := s.command.AddUserMachineKey(ctx, AddMachineKeyRequestToDomain(req), authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + keyDetails, err := key.Detail() + if err != nil { + return nil, err + } + return &mgmt_pb.AddMachineKeyResponse{ + KeyId: key.KeyID, + KeyDetails: keyDetails, + Details: object.ToDetailsPb( + key.Sequence, + key.ChangeDate, + key.ResourceOwner, + ), + }, nil +} + +func (s *Server) RemoveMachineKey(ctx context.Context, req *mgmt_pb.RemoveMachineKeyRequest) (*mgmt_pb.RemoveMachineKeyResponse, error) { + objectDetails, err := 
s.command.RemoveUserMachineKey(ctx, req.UserId, req.KeyId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveMachineKeyResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) ListHumanLinkedIDPs(ctx context.Context, req *mgmt_pb.ListHumanLinkedIDPsRequest) (*mgmt_pb.ListHumanLinkedIDPsResponse, error) { + res, err := s.user.SearchExternalIDPs(ctx, ListHumanLinkedIDPsRequestToModel(req)) + if err != nil { + return nil, err + } + return &mgmt_pb.ListHumanLinkedIDPsResponse{ + Result: idp_grpc.IDPsToUserLinkPb(res.Result), + Details: obj_grpc.ToListDetails( + res.TotalResult, + res.Sequence, + res.Timestamp, + ), + }, nil +} +func (s *Server) RemoveHumanLinkedIDP(ctx context.Context, req *mgmt_pb.RemoveHumanLinkedIDPRequest) (*mgmt_pb.RemoveHumanLinkedIDPResponse, error) { + objectDetails, err := s.command.RemoveHumanExternalIDP(ctx, RemoveHumanLinkedIDPRequestToDomain(ctx, req)) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveHumanLinkedIDPResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) ListUserMemberships(ctx context.Context, req *mgmt_pb.ListUserMembershipsRequest) (*mgmt_pb.ListUserMembershipsResponse, error) { + request, err := ListUserMembershipsRequestToModel(req) + if err != nil { + return nil, err + } response, err := s.user.SearchUserMemberships(ctx, request) if err != nil { return nil, err } - return userMembershipSearchResponseFromModel(response), nil + return &mgmt_pb.ListUserMembershipsResponse{ + Result: user_grpc.MembershipsToMembershipsPb(response.Result), + Details: obj_grpc.ToListDetails( + response.TotalResult, + response.Sequence, + response.Timestamp, + ), + }, nil } diff --git a/internal/api/grpc/management/user_converter.go b/internal/api/grpc/management/user_converter.go index bf31585ae1..23f36059f1 100644 --- a/internal/api/grpc/management/user_converter.go 
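Review bot: `ListUserChanges` reads `req.Query.Offset`, `req.Query.Limit` and `req.Query.Asc` directly, so a request that omits the `query` message leaves `req.Query` nil and the handler panics on a nil pointer dereference. Unless request validation or a recovery interceptor outside this hunk already guarantees the field, use the nil-safe generated getters: `res, err := s.user.UserChanges(ctx, req.UserId, req.GetQuery().GetOffset(), uint64(req.GetQuery().GetLimit()), req.GetQuery().GetAsc())`. `ListUsersRequestToModel` in user_converter.go has the same direct access to `req.Query` and should get the same change. Separately, the import block brings in the same package under two names (`object`/`obj_grpc`, `user`/`user_grpc`); keeping one alias each would make the handlers easier to audit.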
+++ b/internal/api/grpc/management/user_converter.go 
@@ -1,653 +1,200 @@ package management import ( - "encoding/json" + "context" + "time" "github.com/caos/logging" "github.com/golang/protobuf/ptypes" "golang.org/x/text/language" - "google.golang.org/protobuf/encoding/protojson" - "google.golang.org/protobuf/types/known/structpb" "github.com/caos/zitadel/internal/api/authz" + "github.com/caos/zitadel/internal/api/grpc/authn" + user_grpc "github.com/caos/zitadel/internal/api/grpc/user" "github.com/caos/zitadel/internal/domain" - "github.com/caos/zitadel/internal/eventstore/v1/models" - usr_model "github.com/caos/zitadel/internal/user/model" - "github.com/caos/zitadel/pkg/grpc/management" - "github.com/caos/zitadel/pkg/grpc/message" + key_model "github.com/caos/zitadel/internal/key/model" + user_model "github.com/caos/zitadel/internal/user/model" + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" + user_pb "github.com/caos/zitadel/pkg/grpc/user" ) -func userMachineFromDomain(machine *domain.Machine) *management.UserResponse { - changeDate, err := ptypes.TimestampProto(machine.ChangeDate) - logging.Log("GRPC-ckoe3d").OnError(err).Debug("unable to parse timestamp") - - userResp := &management.UserResponse{ - Id: machine.AggregateID, - State: userStateFromDomain(machine.GetState()), - ChangeDate: changeDate, - Sequence: machine.Sequence, - UserName: machine.GetUsername(), - } - userResp.User = &management.UserResponse_Machine{Machine: machineFromDomain(machine)} - return userResp -} - -func userHumanFromDomain(human *domain.Human) *management.UserResponse { - changeDate, err := ptypes.TimestampProto(human.ChangeDate) - logging.Log("GRPC-ckoe3d").OnError(err).Debug("unable to parse timestamp") - - userResp := &management.UserResponse{ - Id: human.AggregateID, - State: userStateFromDomain(human.GetState()), - ChangeDate: changeDate, - Sequence: human.Sequence, - UserName: human.GetUsername(), - } - userResp.User = &management.UserResponse_Human{Human: humanFromDomain(human)} - return userResp -} - -func 
userCreateToDomain(user *management.CreateUserRequest) (*domain.Human, *domain.Machine) { - if h := user.GetHuman(); h != nil { - human := humanCreateToDomain(h) - human.Username = user.UserName - return human, nil - } - if m := user.GetMachine(); m != nil { - machine := machineCreateToDomain(m) - machine.Username = user.UserName - return nil, machine - } - return nil, nil -} - -func passwordRequestToModel(r *management.PasswordRequest) *usr_model.Password { - return &usr_model.Password{ - ObjectRoot: models.ObjectRoot{AggregateID: r.Id}, - SecretString: r.Password, - } -} - -func externalIDPSearchRequestToModel(request *management.ExternalIDPSearchRequest) *usr_model.ExternalIDPSearchRequest { - return &usr_model.ExternalIDPSearchRequest{ - Limit: request.Limit, - Offset: request.Offset, - Queries: []*usr_model.ExternalIDPSearchQuery{{Key: usr_model.ExternalIDPSearchKeyUserID, Method: domain.SearchMethodEquals, Value: request.UserId}}, - } -} - -func externalIDPRemoveToDomain(ctxData authz.CtxData, idp *management.ExternalIDPRemoveRequest) *domain.ExternalIDP { - return &domain.ExternalIDP{ - ObjectRoot: models.ObjectRoot{ - AggregateID: idp.UserId, - ResourceOwner: ctxData.ResourceOwner, +func ListUsersRequestToModel(ctx context.Context, req *mgmt_pb.ListUsersRequest) *user_model.UserSearchRequest { + req.Queries = append(req.Queries, &user_pb.SearchQuery{ + Query: &user_pb.SearchQuery_ResourceOwner{ + ResourceOwner: &user_pb.ResourceOwnerQuery{ + OrgID: authz.GetCtxData(ctx).OrgID, + }, }, - IDPConfigID: idp.IdpConfigId, - ExternalUserID: idp.ExternalUserId, + }) + + return &user_model.UserSearchRequest{ + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + Queries: user_grpc.UserQueriesToModel(req.Queries), } } -func externalIDPSearchResponseFromModel(response *usr_model.ExternalIDPSearchResponse) *management.ExternalIDPSearchResponse { - viewTimestamp, err := ptypes.TimestampProto(response.Timestamp) - 
logging.Log("GRPC-3h8is").OnError(err).Debug("unable to parse timestamp") - - return &management.ExternalIDPSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - ProcessedSequence: response.Sequence, - ViewTimestamp: viewTimestamp, - Result: externalIDPViewsFromModel(response.Result), +func AddHumanUserRequestToDomain(req *mgmt_pb.AddHumanUserRequest) *domain.Human { + h := &domain.Human{ + Username: req.UserName, } -} - -func externalIDPViewsFromModel(externalIDPs []*usr_model.ExternalIDPView) []*management.ExternalIDPView { - converted := make([]*management.ExternalIDPView, len(externalIDPs)) - for i, externalIDP := range externalIDPs { - converted[i] = externalIDPViewFromModel(externalIDP) - } - return converted -} - -func externalIDPViewFromModel(externalIDP *usr_model.ExternalIDPView) *management.ExternalIDPView { - creationDate, err := ptypes.TimestampProto(externalIDP.CreationDate) - logging.Log("GRPC-Fdu8s").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(externalIDP.ChangeDate) - logging.Log("GRPC-Was7u").OnError(err).Debug("unable to parse timestamp") - - return &management.ExternalIDPView{ - UserId: externalIDP.UserID, - IdpConfigId: externalIDP.IDPConfigID, - ExternalUserId: externalIDP.ExternalUserID, - ExternalUserDisplayName: externalIDP.UserDisplayName, - IdpName: externalIDP.IDPName, - CreationDate: creationDate, - ChangeDate: changeDate, - } -} - -func userSearchRequestsToModel(project *management.UserSearchRequest) *usr_model.UserSearchRequest { - return &usr_model.UserSearchRequest{ - Offset: project.Offset, - Limit: project.Limit, - Queries: userSearchQueriesToModel(project.Queries), - } -} - -func userSearchQueriesToModel(queries []*management.UserSearchQuery) []*usr_model.UserSearchQuery { - converted := make([]*usr_model.UserSearchQuery, len(queries)) - for i, q := range queries { - converted[i] = userSearchQueryToModel(q) - } - return converted 
-} - -func userSearchQueryToModel(query *management.UserSearchQuery) *usr_model.UserSearchQuery { - return &usr_model.UserSearchQuery{ - Key: userSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func userSearchKeyToModel(key management.UserSearchKey) usr_model.UserSearchKey { - switch key { - case management.UserSearchKey_USERSEARCHKEY_USER_NAME: - return usr_model.UserSearchKeyUserName - case management.UserSearchKey_USERSEARCHKEY_FIRST_NAME: - return usr_model.UserSearchKeyFirstName - case management.UserSearchKey_USERSEARCHKEY_LAST_NAME: - return usr_model.UserSearchKeyLastName - case management.UserSearchKey_USERSEARCHKEY_NICK_NAME: - return usr_model.UserSearchKeyNickName - case management.UserSearchKey_USERSEARCHKEY_DISPLAY_NAME: - return usr_model.UserSearchKeyDisplayName - case management.UserSearchKey_USERSEARCHKEY_EMAIL: - return usr_model.UserSearchKeyEmail - case management.UserSearchKey_USERSEARCHKEY_STATE: - return usr_model.UserSearchKeyState - case management.UserSearchKey_USERSEARCHKEY_TYPE: - return usr_model.UserSearchKeyType - default: - return usr_model.UserSearchKeyUnspecified - } -} - -func userMembershipSearchRequestsToModel(request *management.UserMembershipSearchRequest) *usr_model.UserMembershipSearchRequest { - return &usr_model.UserMembershipSearchRequest{ - Offset: request.Offset, - Limit: request.Limit, - Queries: userMembershipSearchQueriesToModel(request.Queries), - } -} - -func userMembershipSearchQueriesToModel(queries []*management.UserMembershipSearchQuery) []*usr_model.UserMembershipSearchQuery { - converted := make([]*usr_model.UserMembershipSearchQuery, len(queries)) - for i, q := range queries { - converted[i] = userMembershipSearchQueryToModel(q) - } - return converted -} - -func userMembershipSearchQueryToModel(query *management.UserMembershipSearchQuery) *usr_model.UserMembershipSearchQuery { - return &usr_model.UserMembershipSearchQuery{ - Key: 
userMembershipSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func userMembershipSearchKeyToModel(key management.UserMembershipSearchKey) usr_model.UserMembershipSearchKey { - switch key { - case management.UserMembershipSearchKey_USERMEMBERSHIPSEARCHKEY_TYPE: - return usr_model.UserMembershipSearchKeyMemberType - case management.UserMembershipSearchKey_USERMEMBERSHIPSEARCHKEY_OBJECT_ID: - return usr_model.UserMembershipSearchKeyObjectID - default: - return usr_model.UserMembershipSearchKeyUnspecified - } -} - -func profileFromDomain(profile *domain.Profile) *management.UserProfile { - changeDate, err := ptypes.TimestampProto(profile.ChangeDate) - logging.Log("GRPC-ski8d").OnError(err).Debug("unable to parse timestamp") - - return &management.UserProfile{ - Id: profile.AggregateID, - ChangeDate: changeDate, - Sequence: profile.Sequence, - FirstName: profile.FirstName, - LastName: profile.LastName, - DisplayName: profile.DisplayName, - NickName: profile.NickName, - PreferredLanguage: profile.PreferredLanguage.String(), - Gender: management.Gender(profile.Gender), - } -} - -func profileViewFromModel(profile *usr_model.Profile) *management.UserProfileView { - creationDate, err := ptypes.TimestampProto(profile.CreationDate) - logging.Log("GRPC-sk8sk").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(profile.ChangeDate) - logging.Log("GRPC-s30Ks'").OnError(err).Debug("unable to parse timestamp") - - return &management.UserProfileView{ - Id: profile.AggregateID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: profile.Sequence, - FirstName: profile.FirstName, - LastName: profile.LastName, - DisplayName: profile.DisplayName, - NickName: profile.NickName, - PreferredLanguage: profile.PreferredLanguage.String(), - Gender: management.Gender(profile.Gender), - LoginNames: profile.LoginNames, - PreferredLoginName: profile.PreferredLoginName, - } -} - -func 
updateProfileToDomain(u *management.UpdateUserProfileRequest) *domain.Profile { - preferredLanguage, err := language.Parse(u.PreferredLanguage) - logging.Log("GRPC-d8k2s").OnError(err).Debug("language malformed") - - return &domain.Profile{ - ObjectRoot: models.ObjectRoot{AggregateID: u.Id}, - FirstName: u.FirstName, - LastName: u.LastName, - NickName: u.NickName, + preferredLanguage, err := language.Parse(req.Profile.PreferredLanguage) + logging.Log("MANAG-3GUFJ").OnError(err).Debug("language malformed") + h.Profile = &domain.Profile{ + FirstName: req.Profile.FirstName, + LastName: req.Profile.LastName, + NickName: req.Profile.NickName, + DisplayName: req.Profile.DisplayName, PreferredLanguage: preferredLanguage, - Gender: genderToDomain(u.Gender), + Gender: user_grpc.GenderToDomain(req.Profile.Gender), + } + h.Email = &domain.Email{ + EmailAddress: req.Email.Email, + IsEmailVerified: req.Email.IsEmailVerified, + } + if req.Phone != nil { + h.Phone = &domain.Phone{ + PhoneNumber: req.Phone.Phone, + IsPhoneVerified: req.Phone.IsPhoneVerified, + } + } + if req.InitialPassword != "" { + h.Password = &domain.Password{SecretString: req.InitialPassword} + } + + return h +} + +func AddMachineUserRequestToDomain(req *mgmt_pb.AddMachineUserRequest) *domain.Machine { + return &domain.Machine{ + Username: req.UserName, + Name: req.Name, + Description: req.Description, } } -func emailFromDomain(email *domain.Email) *management.UserEmail { - changeDate, err := ptypes.TimestampProto(email.ChangeDate) - logging.Log("GRPC-s0dkw").OnError(err).Debug("unable to parse timestamp") - - return &management.UserEmail{ - Id: email.AggregateID, - ChangeDate: changeDate, - Sequence: email.Sequence, - Email: email.EmailAddress, - IsEmailVerified: email.IsEmailVerified, +func UpdateHumanProfileRequestToDomain(req *mgmt_pb.UpdateHumanProfileRequest) *domain.Profile { + preferredLanguage, err := language.Parse(req.PreferredLanguage) + logging.Log("MANAG-GPcYv").OnError(err).Debug("language 
malformed") + return &domain.Profile{ + ObjectRoot: models.ObjectRoot{AggregateID: req.UserId}, + FirstName: req.FirstName, + LastName: req.LastName, + NickName: req.NickName, + DisplayName: req.DisplayName, + PreferredLanguage: preferredLanguage, + Gender: user_grpc.GenderToDomain(req.Gender), } } -func emailViewFromModel(email *usr_model.Email) *management.UserEmailView { - creationDate, err := ptypes.TimestampProto(email.CreationDate) - logging.Log("GRPC-sKefs").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(email.ChangeDate) - logging.Log("GRPC-0isjD").OnError(err).Debug("unable to parse timestamp") - - return &management.UserEmailView{ - Id: email.AggregateID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: email.Sequence, - Email: email.EmailAddress, - IsEmailVerified: email.IsEmailVerified, - } -} - -func updateEmailToDomain(e *management.UpdateUserEmailRequest) *domain.Email { +func UpdateHumanEmailRequestToDomain(req *mgmt_pb.UpdateHumanEmailRequest) *domain.Email { return &domain.Email{ - ObjectRoot: models.ObjectRoot{AggregateID: e.Id}, - EmailAddress: e.Email, - IsEmailVerified: e.IsEmailVerified, + EmailAddress: req.Email, + IsEmailVerified: req.IsEmailVerified, } } -func phoneFromDomain(phone *domain.Phone) *management.UserPhone { - changeDate, err := ptypes.TimestampProto(phone.ChangeDate) - logging.Log("GRPC-09ewq").OnError(err).Debug("unable to parse timestamp") - - return &management.UserPhone{ - Id: phone.AggregateID, - ChangeDate: changeDate, - Sequence: phone.Sequence, - Phone: phone.PhoneNumber, - IsPhoneVerified: phone.IsPhoneVerified, - } -} - -func phoneViewFromModel(phone *usr_model.Phone) *management.UserPhoneView { - creationDate, err := ptypes.TimestampProto(phone.CreationDate) - logging.Log("GRPC-6gSj").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(phone.ChangeDate) - logging.Log("GRPC-lKs8f").OnError(err).Debug("unable to 
parse timestamp") - - return &management.UserPhoneView{ - Id: phone.AggregateID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: phone.Sequence, - Phone: phone.PhoneNumber, - IsPhoneVerified: phone.IsPhoneVerified, - } -} -func updatePhoneToDomain(e *management.UpdateUserPhoneRequest) *domain.Phone { +func UpdateHumanPhoneRequestToDomain(req *mgmt_pb.UpdateHumanPhoneRequest) *domain.Phone { return &domain.Phone{ - ObjectRoot: models.ObjectRoot{AggregateID: e.Id}, - PhoneNumber: e.Phone, - IsPhoneVerified: e.IsPhoneVerified, + PhoneNumber: req.Phone, + IsPhoneVerified: req.IsPhoneVerified, } } -func addressFromDomain(address *domain.Address) *management.UserAddress { - changeDate, err := ptypes.TimestampProto(address.ChangeDate) - logging.Log("GRPC-si9ws").OnError(err).Debug("unable to parse timestamp") - - return &management.UserAddress{ - Id: address.AggregateID, - ChangeDate: changeDate, - Sequence: address.Sequence, - Country: address.Country, - StreetAddress: address.StreetAddress, - Region: address.Region, - PostalCode: address.PostalCode, - Locality: address.Locality, - } -} - -func addressViewFromModel(address *usr_model.Address) *management.UserAddressView { - creationDate, err := ptypes.TimestampProto(address.CreationDate) - logging.Log("GRPC-67stC").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(address.ChangeDate) - logging.Log("GRPC-0jSfs").OnError(err).Debug("unable to parse timestamp") - - return &management.UserAddressView{ - Id: address.AggregateID, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: address.Sequence, - Country: address.Country, - StreetAddress: address.StreetAddress, - Region: address.Region, - PostalCode: address.PostalCode, - Locality: address.Locality, - } -} - -func updateAddressToDomain(ctxData authz.CtxData, address *management.UpdateUserAddressRequest) *domain.Address { - return &domain.Address{ - ObjectRoot: models.ObjectRoot{ - AggregateID: 
address.Id, - ResourceOwner: ctxData.OrgID, - }, - Country: address.Country, - StreetAddress: address.StreetAddress, - Region: address.Region, - PostalCode: address.PostalCode, - Locality: address.Locality, - } -} - -func userSearchResponseFromModel(response *usr_model.UserSearchResponse) *management.UserSearchResponse { - timestamp, err := ptypes.TimestampProto(response.Timestamp) - logging.Log("GRPC-aBezr").OnError(err).Debug("unable to parse timestamp") - return &management.UserSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - Result: userViewsFromModel(response.Result), - ProcessedSequence: response.Sequence, - ViewTimestamp: timestamp, - } -} - -func userViewsFromModel(users []*usr_model.UserView) []*management.UserView { - converted := make([]*management.UserView, len(users)) - for i, user := range users { - converted[i] = userViewFromModel(user) - } - return converted -} - -func userViewFromModel(user *usr_model.UserView) *management.UserView { - creationDate, err := ptypes.TimestampProto(user.CreationDate) - logging.Log("GRPC-dl9we").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(user.ChangeDate) - logging.Log("GRPC-lpsg5").OnError(err).Debug("unable to parse timestamp") - - lastLogin, err := ptypes.TimestampProto(user.LastLogin) - logging.Log("GRPC-dksi3").OnError(err).Debug("unable to parse timestamp") - - userView := &management.UserView{ - Id: user.ID, - State: management.UserState(user.State), - CreationDate: creationDate, - ChangeDate: changeDate, - LastLogin: lastLogin, - Sequence: user.Sequence, - ResourceOwner: user.ResourceOwner, - LoginNames: user.LoginNames, - PreferredLoginName: user.PreferredLoginName, - UserName: user.UserName, - } - if user.HumanView != nil { - userView.User = &management.UserView_Human{Human: humanViewFromModel(user.HumanView)} - } - if user.MachineView != nil { - userView.User = &management.UserView_Machine{Machine: 
machineViewFromModel(user.MachineView)} - - } - return userView -} - -func userMembershipSearchResponseFromModel(response *usr_model.UserMembershipSearchResponse) *management.UserMembershipSearchResponse { - timestamp, err := ptypes.TimestampProto(response.Timestamp) - logging.Log("GRPC-Hs8jd").OnError(err).Debug("unable to parse timestamp") - return &management.UserMembershipSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - Result: userMembershipViewsFromModel(response.Result), - ProcessedSequence: response.Sequence, - ViewTimestamp: timestamp, - } -} - -func userMembershipViewsFromModel(memberships []*usr_model.UserMembershipView) []*management.UserMembershipView { - converted := make([]*management.UserMembershipView, len(memberships)) - for i, membership := range memberships { - converted[i] = userMembershipViewFromModel(membership) - } - return converted -} - -func userMembershipViewFromModel(membership *usr_model.UserMembershipView) *management.UserMembershipView { - creationDate, err := ptypes.TimestampProto(membership.CreationDate) - logging.Log("GRPC-Msnu8").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(membership.ChangeDate) - logging.Log("GRPC-Slco9").OnError(err).Debug("unable to parse timestamp") - - return &management.UserMembershipView{ - UserId: membership.UserID, - AggregateId: membership.AggregateID, - ObjectId: membership.ObjectID, - MemberType: memberTypeFromModel(membership.MemberType), - DisplayName: membership.DisplayName, - Roles: membership.Roles, - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: membership.Sequence, - ResourceOwner: membership.ResourceOwner, - } -} - -func mfasFromModel(mfas []*usr_model.MultiFactor) []*management.UserMultiFactor { - converted := make([]*management.UserMultiFactor, len(mfas)) - for i, mfa := range mfas { - converted[i] = mfaFromModel(mfa) - } - return converted -} - -func 
mfaFromModel(mfa *usr_model.MultiFactor) *management.UserMultiFactor { - return &management.UserMultiFactor{ - State: mfaStateFromModel(mfa.State), - Type: mfaTypeFromModel(mfa.Type), - Attribute: mfa.Attribute, - Id: mfa.ID, - } -} - -func notifyTypeToDomain(state management.NotificationType) domain.NotificationType { +func notifyTypeToDomain(state mgmt_pb.SendHumanResetPasswordNotificationRequest_Type) domain.NotificationType { switch state { - case management.NotificationType_NOTIFICATIONTYPE_EMAIL: + case mgmt_pb.SendHumanResetPasswordNotificationRequest_TYPE_EMAIL: return domain.NotificationTypeEmail - case management.NotificationType_NOTIFICATIONTYPE_SMS: + case mgmt_pb.SendHumanResetPasswordNotificationRequest_TYPE_SMS: return domain.NotificationTypeSms default: return domain.NotificationTypeEmail } } -func userStateFromDomain(state domain.UserState) management.UserState { - switch state { - case domain.UserStateActive: - return management.UserState_USERSTATE_ACTIVE - case domain.UserStateInactive: - return management.UserState_USERSTATE_INACTIVE - case domain.UserStateLocked: - return management.UserState_USERSTATE_LOCKED - case domain.UserStateInitial: - return management.UserState_USERSTATE_INITIAL - case domain.UserStateSuspend: - return management.UserState_USERSTATE_SUSPEND - default: - return management.UserState_USERSTATE_UNSPECIFIED +func UpdateMachineRequestToDomain(ctx context.Context, req *mgmt_pb.UpdateMachineRequest) *domain.Machine { + return &domain.Machine{ + ObjectRoot: models.ObjectRoot{ + AggregateID: req.UserId, + ResourceOwner: authz.GetCtxData(ctx).OrgID, + }, + Name: req.Name, + Description: req.Description, } } -func genderFromDomain(gender domain.Gender) management.Gender { - switch gender { - case domain.GenderFemale: - return management.Gender_GENDER_FEMALE - case domain.GenderMale: - return management.Gender_GENDER_MALE - case domain.GenderDiverse: - return management.Gender_GENDER_DIVERSE - default: - return 
management.Gender_GENDER_UNSPECIFIED +func ListMachineKeysRequestToModel(req *mgmt_pb.ListMachineKeysRequest) *key_model.AuthNKeySearchRequest { + return &key_model.AuthNKeySearchRequest{ + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + Queries: []*key_model.AuthNKeySearchQuery{ + { + Key: key_model.AuthNKeyObjectType, + Method: domain.SearchMethodEquals, + Value: key_model.AuthNKeyObjectTypeUser, + }, { + Key: key_model.AuthNKeyObjectID, + Method: domain.SearchMethodEquals, + Value: req.UserId, + }, + }, } } -func genderFromModel(gender usr_model.Gender) management.Gender { - switch gender { - case usr_model.GenderFemale: - return management.Gender_GENDER_FEMALE - case usr_model.GenderMale: - return management.Gender_GENDER_MALE - case usr_model.GenderDiverse: - return management.Gender_GENDER_DIVERSE - default: - return management.Gender_GENDER_UNSPECIFIED +func AddMachineKeyRequestToDomain(req *mgmt_pb.AddMachineKeyRequest) *domain.MachineKey { + expDate := time.Time{} + if req.ExpirationDate != nil { + var err error + expDate, err = ptypes.Timestamp(req.ExpirationDate) + logging.Log("MANAG-iNshR").OnError(err).Debug("unable to parse expiration date") + } + + return &domain.MachineKey{ + ObjectRoot: models.ObjectRoot{ + AggregateID: req.UserId, + }, + ExpirationDate: expDate, + Type: authn.KeyTypeToDomain(req.Type), } } -func memberTypeFromModel(memberType usr_model.MemberType) management.MemberType { - switch memberType { - case usr_model.MemberTypeOrganisation: - return management.MemberType_MEMBERTYPE_ORGANISATION - case usr_model.MemberTypeProject: - return management.MemberType_MEMBERTYPE_PROJECT - case usr_model.MemberTypeProjectGrant: - return management.MemberType_MEMBERTYPE_PROJECT_GRANT - default: - return management.MemberType_MEMBERTYPE_UNSPECIFIED +func RemoveHumanLinkedIDPRequestToDomain(ctx context.Context, req *mgmt_pb.RemoveHumanLinkedIDPRequest) *domain.ExternalIDP { + return &domain.ExternalIDP{ + 
ObjectRoot: models.ObjectRoot{ + AggregateID: req.UserId, + ResourceOwner: authz.GetCtxData(ctx).OrgID, + }, + IDPConfigID: req.IdpId, + ExternalUserID: req.LinkedUserId, } } -func genderToDomain(gender management.Gender) domain.Gender { - switch gender { - case management.Gender_GENDER_FEMALE: - return domain.GenderFemale - case management.Gender_GENDER_MALE: - return domain.GenderMale - case management.Gender_GENDER_DIVERSE: - return domain.GenderDiverse - default: - return domain.GenderUnspecified +func ListHumanLinkedIDPsRequestToModel(req *mgmt_pb.ListHumanLinkedIDPsRequest) *user_model.ExternalIDPSearchRequest { + return &user_model.ExternalIDPSearchRequest{ + Limit: uint64(req.Query.Limit), + Offset: req.Query.Offset, + Queries: []*user_model.ExternalIDPSearchQuery{{Key: user_model.ExternalIDPSearchKeyUserID, Method: domain.SearchMethodEquals, Value: req.UserId}}, } } -func mfaTypeFromModel(mfatype usr_model.MFAType) management.MfaType { - switch mfatype { - case usr_model.MFATypeOTP: - return management.MfaType_MFATYPE_OTP - case usr_model.MFATypeU2F: - return management.MfaType_MFATYPE_U2F - default: - return management.MfaType_MFATYPE_UNSPECIFIED - } -} - -func mfaStateFromModel(state usr_model.MFAState) management.MFAState { - switch state { - case usr_model.MFAStateReady: - return management.MFAState_MFASTATE_READY - case usr_model.MFAStateNotReady: - return management.MFAState_MFASTATE_NOT_READY - default: - return management.MFAState_MFASTATE_UNSPECIFIED - } -} - -func userChangesToResponse(response *usr_model.UserChanges, offset uint64, limit uint64) (_ *management.Changes) { - return &management.Changes{ - Limit: limit, - Offset: offset, - Changes: userChangesToMgtAPI(response), - } -} - -func userChangesToMgtAPI(changes *usr_model.UserChanges) (_ []*management.Change) { - result := make([]*management.Change, len(changes.Changes)) - - for i, change := range changes.Changes { - var data *structpb.Struct - changedData, err := json.Marshal(change.Data) 
- if err == nil { - data = new(structpb.Struct) - err = protojson.Unmarshal(changedData, data) - logging.Log("GRPC-a7F54").OnError(err).Debug("unable to marshal changed data to struct") - } - - result[i] = &management.Change{ - ChangeDate: change.ChangeDate, - EventType: message.NewLocalizedEventType(change.EventType), - Sequence: change.Sequence, - Data: data, - EditorId: change.ModifierID, - Editor: change.ModifierName, - } - } - - return result -} - -func webAuthNTokensFromModel(tokens []*usr_model.WebAuthNView) *management.WebAuthNTokens { - result := make([]*management.WebAuthNToken, len(tokens)) - for i, token := range tokens { - result[i] = webAuthNTokenFromModel(token) - } - return &management.WebAuthNTokens{Tokens: result} -} - -func webAuthNTokenFromModel(token *usr_model.WebAuthNView) *management.WebAuthNToken { - return &management.WebAuthNToken{ - Id: token.TokenID, - Name: token.Name, - State: mfaStateFromModel(token.State), +func ListUserMembershipsRequestToModel(req *mgmt_pb.ListUserMembershipsRequest) (*user_model.UserMembershipSearchRequest, error) { + queries, err := user_grpc.MembershipQueriesToModel(req.Queries) + if err != nil { + return nil, err } + queries = append(queries, &user_model.UserMembershipSearchQuery{ + Key: user_model.UserMembershipSearchKeyUserID, + Method: domain.SearchMethodEquals, + Value: req.UserId, + }) + return &user_model.UserMembershipSearchRequest{ + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + //SortingColumn: //TODO: sorting + Queries: queries, + }, nil } diff --git a/internal/api/grpc/management/user_grant.go b/internal/api/grpc/management/user_grant.go index 29d14d936d..bcf5ac4f09 100644 --- a/internal/api/grpc/management/user_grant.go +++ b/internal/api/grpc/management/user_grant.go 
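Review bot: In `AddMachineKeyRequestToDomain` a failed `ptypes.Timestamp(req.ExpirationDate)` is only logged at debug level, and the function still returns a `domain.MachineKey` built from whatever `expDate` holds, so a malformed expiration on a machine credential is accepted instead of rejected. Whether a later layer validates or defaults the expiry is not visible in this hunk; if none does, the key's lifetime is not the one the caller asked for. I would surface the error by changing the return to `(*domain.MachineKey, error)` and adding `if err != nil { return nil, err }` after the parse, which also means updating the call site outside this hunk. Separately, the list converters read `req.Query.Offset` and `req.Query.Limit`, and `AddHumanUserRequestToDomain` reads `req.Profile.*` and `req.Email.*`, by direct field access; these panic on a request that omits those messages unless upstream validation guarantees them, whereas the generated getters (`req.GetQuery().GetOffset()`) are nil-safe.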
@@ -2,61 +2,104 @@ package management import ( "context" - "github.com/golang/protobuf/ptypes/empty" - "github.com/caos/zitadel/internal/api/authz" - "github.com/caos/zitadel/pkg/grpc/management" + obj_grpc "github.com/caos/zitadel/internal/api/grpc/object" + "github.com/caos/zitadel/internal/api/grpc/user" + + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" ) -func (s *Server) SearchUserGrants(ctx context.Context, in *management.UserGrantSearchRequest) (*management.UserGrantSearchResponse, error) { - request := userGrantSearchRequestsToModel(in) - request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID) - response, err := s.usergrant.SearchUserGrants(ctx, request) +func (s *Server) GetUserGrantByID(ctx context.Context, req *mgmt_pb.GetUserGrantByIDRequest) (*mgmt_pb.GetUserGrantByIDResponse, error) { + grant, err := s.usergrant.UserGrantByID(ctx, req.GrantId) if err != nil { return nil, err } - return userGrantSearchResponseFromModel(response), nil + return &mgmt_pb.GetUserGrantByIDResponse{ + UserGrant: user.UserGrantToPb(grant), + }, nil } -func (s *Server) UserGrantByID(ctx context.Context, request *management.UserGrantID) (*management.UserGrantView, error) { - user, err := s.usergrant.UserGrantByID(ctx, request.Id) +func (s *Server) ListUserGrants(ctx context.Context, req *mgmt_pb.ListUserGrantRequest) (*mgmt_pb.ListUserGrantResponse, error) { + r := ListUserGrantsRequestToModel(ctx, req) + res, err := s.usergrant.SearchUserGrants(ctx, r) if err != nil { return nil, err } - return userGrantViewFromModel(user), nil + return &mgmt_pb.ListUserGrantResponse{ + Result: user.UserGrantsToPb(res.Result), + Details: obj_grpc.ToListDetails( + res.TotalResult, + res.Sequence, + res.Timestamp, + ), + }, nil } -func (s *Server) CreateUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) { - user, err := s.command.AddUserGrant(ctx, userGrantCreateToDomain(in), authz.GetCtxData(ctx).OrgID) +func (s *Server) AddUserGrant(ctx 
context.Context, req *mgmt_pb.AddUserGrantRequest) (*mgmt_pb.AddUserGrantResponse, error) { + grant, err := s.command.AddUserGrant(ctx, AddUserGrantRequestToDomain(req), authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } - return userGrantFromDomain(user), nil + return &mgmt_pb.AddUserGrantResponse{ + UserGrantId: grant.AggregateID, + Details: obj_grpc.ToDetailsPb( + grant.Sequence, + grant.ChangeDate, + grant.ResourceOwner, + ), + }, nil } -func (s *Server) UpdateUserGrant(ctx context.Context, in *management.UserGrantUpdate) (*management.UserGrant, error) { - user, err := s.command.ChangeUserGrant(ctx, userGrantUpdateToDomain(in), authz.GetCtxData(ctx).OrgID) +func (s *Server) UpdateUserGrant(ctx context.Context, req *mgmt_pb.UpdateUserGrantRequest) (*mgmt_pb.UpdateUserGrantResponse, error) { + grant, err := s.command.ChangeUserGrant(ctx, UpdateUserGrantRequestToDomain(req), authz.GetCtxData(ctx).OrgID) if err != nil { return nil, err } - return userGrantFromDomain(user), nil + return &mgmt_pb.UpdateUserGrantResponse{ + Details: obj_grpc.ToDetailsPb( + grant.Sequence, + grant.ChangeDate, + grant.ResourceOwner, + ), + }, nil } -func (s *Server) DeactivateUserGrant(ctx context.Context, in *management.UserGrantID) (*empty.Empty, error) { - err := s.command.DeactivateUserGrant(ctx, in.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} -func (s *Server) ReactivateUserGrant(ctx context.Context, in *management.UserGrantID) (*empty.Empty, error) { - err := s.command.ReactivateUserGrant(ctx, in.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err +func (s *Server) DeactivateUserGrant(ctx context.Context, req *mgmt_pb.DeactivateUserGrantRequest) (*mgmt_pb.DeactivateUserGrantResponse, error) { + objectDetails, err := s.command.DeactivateUserGrant(ctx, req.GrantId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.DeactivateUserGrantResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil 
} -func (s *Server) RemoveUserGrant(ctx context.Context, in *management.UserGrantID) (*empty.Empty, error) { - err := s.command.RemoveUserGrant(ctx, in.Id, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err +func (s *Server) ReactivateUserGrant(ctx context.Context, req *mgmt_pb.ReactivateUserGrantRequest) (*mgmt_pb.ReactivateUserGrantResponse, error) { + objectDetails, err := s.command.ReactivateUserGrant(ctx, req.GrantId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.ReactivateUserGrantResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil } -func (s *Server) BulkRemoveUserGrant(ctx context.Context, in *management.UserGrantRemoveBulk) (*empty.Empty, error) { - err := s.command.BulkRemoveUserGrant(ctx, userGrantRemoveBulkToModel(in), authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err +func (s *Server) RemoveUserGrant(ctx context.Context, req *mgmt_pb.RemoveUserGrantRequest) (*mgmt_pb.RemoveUserGrantResponse, error) { + objectDetails, err := s.command.RemoveUserGrant(ctx, req.GrantId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.RemoveUserGrantResponse{ + Details: obj_grpc.DomainToDetailsPb(objectDetails), + }, nil +} + +func (s *Server) BulkRemoveUserGrant(ctx context.Context, req *mgmt_pb.BulkRemoveUserGrantRequest) (*mgmt_pb.BulkRemoveUserGrantResponse, error) { + err := s.command.BulkRemoveUserGrant(ctx, req.GrantId, authz.GetCtxData(ctx).OrgID) + if err != nil { + return nil, err + } + return &mgmt_pb.BulkRemoveUserGrantResponse{ + //TODO: Do we need details here? + }, nil } diff --git a/internal/api/grpc/management/user_grant_converter.go b/internal/api/grpc/management/user_grant_converter.go index 664c28feac..cbada44019 100644 --- a/internal/api/grpc/management/user_grant_converter.go +++ b/internal/api/grpc/management/user_grant_converter.go 
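Review bot: `GetUserGrantByID` looks the grant up by `req.GrantId` alone, while the mutating handlers in this hunk pass `authz.GetCtxData(ctx).OrgID` to the command and `ListUserGrantsRequestToModel` appends a resource-owner query for the caller's org. Unless `s.usergrant.UserGrantByID` enforces ownership itself (not visible here), a caller from one organisation could read a grant belonging to another by supplying its ID. I would compare the owner before building the response, along the lines of `if grant.ResourceOwner != authz.GetCtxData(ctx).OrgID { return nil, <not-found error> }`, assuming the returned view exposes the owning org. Returning not-found rather than permission-denied avoids confirming that the ID exists.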
@@ -1,187 +1,46 @@ package management import ( - "github.com/caos/logging" + "context" + "github.com/caos/zitadel/internal/api/authz" + user_grpc "github.com/caos/zitadel/internal/api/grpc/user" "github.com/caos/zitadel/internal/domain" - "github.com/golang/protobuf/ptypes" - "google.golang.org/protobuf/types/known/timestamppb" - "github.com/caos/zitadel/internal/eventstore/v1/models" - grant_model "github.com/caos/zitadel/internal/usergrant/model" - "github.com/caos/zitadel/pkg/grpc/management" + "github.com/caos/zitadel/internal/usergrant/model" + mgmt_pb "github.com/caos/zitadel/pkg/grpc/management" ) -func userGrantFromDomain(grant *domain.UserGrant) *management.UserGrant { - return &management.UserGrant{ - Id: grant.AggregateID, - UserId: grant.UserID, - State: usergrantStateFromDomain(grant.State), - ChangeDate: timestamppb.New(grant.ChangeDate), - Sequence: grant.Sequence, - ProjectId: grant.ProjectID, - RoleKeys: grant.RoleKeys, +func ListUserGrantsRequestToModel(ctx context.Context, req *mgmt_pb.ListUserGrantRequest) *model.UserGrantSearchRequest { + request := &model.UserGrantSearchRequest{ + Offset: req.Query.Offset, + Limit: uint64(req.Query.Limit), + Asc: req.Query.Asc, + Queries: user_grpc.UserGrantQueriesToModel(req.Queries), } + request.Queries = append(request.Queries, &model.UserGrantSearchQuery{ + Key: model.UserGrantSearchKeyResourceOwner, + Method: domain.SearchMethodEquals, + Value: authz.GetCtxData(ctx).OrgID, + }) + return request } -func userGrantCreateToDomain(u *management.UserGrantCreate) *domain.UserGrant { +func AddUserGrantRequestToDomain(req *mgmt_pb.AddUserGrantRequest) *domain.UserGrant { return &domain.UserGrant{ - ObjectRoot: models.ObjectRoot{AggregateID: u.UserId}, - UserID: u.UserId, - ProjectID: u.ProjectId, - RoleKeys: u.RoleKeys, - ProjectGrantID: u.GrantId, + UserID: req.UserId, + ProjectID: req.ProjectId, + ProjectGrantID: req.ProjectGrantId, + RoleKeys: req.RoleKeys, } } -func userGrantUpdateToDomain(u 
*management.UserGrantUpdate) *domain.UserGrant { +func UpdateUserGrantRequestToDomain(req *mgmt_pb.UpdateUserGrantRequest) *domain.UserGrant { return &domain.UserGrant{ - ObjectRoot: models.ObjectRoot{AggregateID: u.Id}, - RoleKeys: u.RoleKeys, + ObjectRoot: models.ObjectRoot{ + AggregateID: req.GrantId, + }, + UserID: req.UserId, + RoleKeys: req.RoleKeys, } -} - -func userGrantRemoveBulkToModel(u *management.UserGrantRemoveBulk) []string { - ids := make([]string, len(u.Ids)) - for i, id := range u.Ids { - ids[i] = id - } - return ids -} - -func userGrantSearchRequestsToModel(project *management.UserGrantSearchRequest) *grant_model.UserGrantSearchRequest { - return &grant_model.UserGrantSearchRequest{ - Offset: project.Offset, - Limit: project.Limit, - Queries: userGrantSearchQueriesToModel(project.Queries), - } -} - -func userGrantSearchQueriesToModel(queries []*management.UserGrantSearchQuery) []*grant_model.UserGrantSearchQuery { - converted := make([]*grant_model.UserGrantSearchQuery, len(queries)) - for i, q := range queries { - converted[i] = userGrantSearchQueryToModel(q) - } - return converted -} - -func userGrantSearchQueryToModel(query *management.UserGrantSearchQuery) *grant_model.UserGrantSearchQuery { - return &grant_model.UserGrantSearchQuery{ - Key: userGrantSearchKeyToModel(query.Key), - Method: searchMethodToModel(query.Method), - Value: query.Value, - } -} - -func userGrantSearchKeyToModel(key management.UserGrantSearchKey) grant_model.UserGrantSearchKey { - switch key { - case management.UserGrantSearchKey_USERGRANTSEARCHKEY_WITH_GRANTED: - return grant_model.UserGrantSearchKeyWithGranted - case management.UserGrantSearchKey_USERGRANTSEARCHKEY_PROJECT_ID: - return grant_model.UserGrantSearchKeyProjectID - case management.UserGrantSearchKey_USERGRANTSEARCHKEY_USER_ID: - return grant_model.UserGrantSearchKeyUserID - case management.UserGrantSearchKey_USERGRANTSEARCHKEY_ROLE_KEY: - return grant_model.UserGrantSearchKeyRoleKey - case 
management.UserGrantSearchKey_USERGRANTSEARCHKEY_GRANT_ID: - return grant_model.UserGrantSearchKeyGrantID - case management.UserGrantSearchKey_USERGRANTSEARCHKEY_USER_NAME: - return grant_model.UserGrantSearchKeyUserName - case management.UserGrantSearchKey_USERGRANTSEARCHKEY_FIRST_NAME: - return grant_model.UserGrantSearchKeyFirstName - case management.UserGrantSearchKey_USERGRANTSEARCHKEY_LAST_NAME: - return grant_model.UserGrantSearchKeyLastName - case management.UserGrantSearchKey_USERGRANTSEARCHKEY_EMAIL: - return grant_model.UserGrantSearchKeyEmail - case management.UserGrantSearchKey_USERGRANTSEARCHKEY_ORG_NAME: - return grant_model.UserGrantSearchKeyOrgName - case management.UserGrantSearchKey_USERGRANTSEARCHKEY_ORG_DOMAIN: - return grant_model.UserGrantSearchKeyOrgDomain - case management.UserGrantSearchKey_USERGRANTSEARCHKEY_PROJECT_NAME: - return grant_model.UserGrantSearchKeyProjectName - case management.UserGrantSearchKey_USERGRANTSEARCHKEY_DISPLAY_NAME: - return grant_model.UserGrantSearchKeyDisplayName - default: - return grant_model.UserGrantSearchKeyUnspecified - } -} - -func userGrantSearchResponseFromModel(response *grant_model.UserGrantSearchResponse) *management.UserGrantSearchResponse { - timestamp, err := ptypes.TimestampProto(response.Timestamp) - logging.Log("GRPC-Wd7hs").OnError(err).Debug("unable to parse timestamp") - return &management.UserGrantSearchResponse{ - Offset: response.Offset, - Limit: response.Limit, - TotalResult: response.TotalResult, - Result: userGrantViewsFromModel(response.Result), - ProcessedSequence: response.Sequence, - ViewTimestamp: timestamp, - } -} - -func userGrantViewsFromModel(users []*grant_model.UserGrantView) []*management.UserGrantView { - converted := make([]*management.UserGrantView, len(users)) - for i, user := range users { - converted[i] = userGrantViewFromModel(user) - } - return converted -} - -func userGrantViewFromModel(grant *grant_model.UserGrantView) *management.UserGrantView { - creationDate, 
err := ptypes.TimestampProto(grant.CreationDate) - logging.Log("GRPC-dl9we").OnError(err).Debug("unable to parse timestamp") - - changeDate, err := ptypes.TimestampProto(grant.ChangeDate) - logging.Log("GRPC-lpsg5").OnError(err).Debug("unable to parse timestamp") - - return &management.UserGrantView{ - Id: grant.ID, - State: usergrantStateFromModel(grant.State), - CreationDate: creationDate, - ChangeDate: changeDate, - Sequence: grant.Sequence, - ResourceOwner: grant.ResourceOwner, - UserName: grant.UserName, - FirstName: grant.FirstName, - LastName: grant.LastName, - Email: grant.Email, - ProjectName: grant.ProjectName, - OrgName: grant.OrgName, - OrgDomain: grant.OrgPrimaryDomain, - RoleKeys: grant.RoleKeys, - UserId: grant.UserID, - ProjectId: grant.ProjectID, - OrgId: grant.ResourceOwner, - DisplayName: grant.DisplayName, - GrantId: grant.GrantID, - } -} - -func usergrantStateFromModel(state grant_model.UserGrantState) management.UserGrantState { - switch state { - case grant_model.UserGrantStateActive: - return management.UserGrantState_USERGRANTSTATE_ACTIVE - case grant_model.UserGrantStateInactive: - return management.UserGrantState_USERGRANTSTATE_INACTIVE - default: - return management.UserGrantState_USERGRANTSTATE_UNSPECIFIED - } -} - -func usergrantStateFromDomain(state domain.UserGrantState) management.UserGrantState { - switch state { - case domain.UserGrantStateActive: - return management.UserGrantState_USERGRANTSTATE_ACTIVE - case domain.UserGrantStateInactive: - return management.UserGrantState_USERGRANTSTATE_INACTIVE - default: - return management.UserGrantState_USERGRANTSTATE_UNSPECIFIED - } -} - -func userGrantsToIDs(userGrants []*grant_model.UserGrantView) []string { - converted := make([]string, len(userGrants)) - for i, grant := range userGrants { - converted[i] = grant.ID - } - return converted + } 
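Review bot: `ListUserGrantsRequestToModel` reads `req.Query.Offset`, `req.Query.Limit` and `req.Query.Asc` directly, so a request that omits the `query` message would dereference a nil pointer (assuming `Query` is a message-typed field, as the nested access suggests). The request is client-supplied, so the generated nil-safe getters are the safer form: `Offset: req.GetQuery().GetOffset(),`, `Limit: uint64(req.GetQuery().GetLimit()),`, `Asc: req.GetQuery().GetAsc(),`. The appended `UserGrantSearchKeyResourceOwner` filter built from `authz.GetCtxData(ctx).OrgID` appears to be what scopes the search to the caller's organisation. It deserves a doc comment such as `// ListUserGrantsRequestToModel converts the request and always adds a resource-owner filter for the caller's org.`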
diff --git a/internal/api/grpc/management/user_human_converter.go b/internal/api/grpc/management/user_human_converter.go deleted file mode 100644 index 315c68678e..0000000000 --- a/internal/api/grpc/management/user_human_converter.go +++ /dev/null 
@@ -1,95 +0,0 @@ -package management - -import ( - "github.com/caos/logging" - "github.com/caos/zitadel/internal/domain" - usr_model "github.com/caos/zitadel/internal/user/model" - "github.com/caos/zitadel/pkg/grpc/management" - "github.com/golang/protobuf/ptypes" - "golang.org/x/text/language" -) - -func humanFromDomain(user *domain.Human) *management.HumanResponse { - human := &management.HumanResponse{ - FirstName: user.FirstName, - LastName: user.LastName, - DisplayName: user.DisplayName, - NickName: user.NickName, - PreferredLanguage: user.PreferredLanguage.String(), - Gender: genderFromDomain(user.Gender), - } - - if user.Email != nil { - human.Email = user.EmailAddress - human.IsEmailVerified = user.IsEmailVerified - } - if user.Phone != nil { - human.Phone = user.PhoneNumber - human.IsPhoneVerified = user.IsPhoneVerified - } - if user.Address != nil { - human.Country = user.Country - human.Locality = user.Locality - human.PostalCode = user.PostalCode - human.Region = user.Region - human.StreetAddress = user.StreetAddress - } - return human -} - -func humanViewFromModel(user *usr_model.HumanView) *management.HumanView { - passwordChanged, err := ptypes.TimestampProto(user.PasswordChanged) - logging.Log("MANAG-h4ByY").OnError(err).Debug("unable to parse date") - - return &management.HumanView{ - FirstName: user.FirstName, - LastName: user.LastName, - DisplayName: user.DisplayName, - NickName: user.NickName, - PreferredLanguage: user.PreferredLanguage, - Gender: genderFromModel(user.Gender), - Email: user.Email, - IsEmailVerified: user.IsEmailVerified, - Phone: user.Phone, - IsPhoneVerified: user.IsPhoneVerified, - Country: user.Country, - Locality: user.Locality, - PostalCode: user.PostalCode, - Region: user.Region, - StreetAddress: user.StreetAddress, - PasswordChanged: passwordChanged, - } -} - -func humanCreateToDomain(u *management.CreateHumanRequest) *domain.Human { - preferredLanguage, err := language.Parse(u.PreferredLanguage) - 
logging.Log("GRPC-cK5k2").OnError(err).Debug("language malformed") - - human := &domain.Human{ - Profile: &domain.Profile{ - FirstName: u.FirstName, - LastName: u.LastName, - NickName: u.NickName, - PreferredLanguage: preferredLanguage, - Gender: genderToDomain(u.Gender), - }, - Email: &domain.Email{ - EmailAddress: u.Email, - IsEmailVerified: u.IsEmailVerified, - }, - Address: &domain.Address{ - Country: u.Country, - Locality: u.Locality, - PostalCode: u.PostalCode, - Region: u.Region, - StreetAddress: u.StreetAddress, - }, - } - if u.Password != "" { - human.Password = &domain.Password{SecretString: u.Password} - } - if u.Phone != "" { - human.Phone = &domain.Phone{PhoneNumber: u.Phone, IsPhoneVerified: u.IsPhoneVerified} - } - return human -} diff --git a/internal/api/grpc/management/user_machine.go b/internal/api/grpc/management/user_machine.go deleted file mode 100644 index 6368e5fdf1..0000000000 --- a/internal/api/grpc/management/user_machine.go +++ /dev/null 
@@ -1,38 +0,0 @@ -package management - -import ( - "context" - "github.com/caos/zitadel/internal/api/authz" - - "github.com/caos/zitadel/pkg/grpc/management" - "github.com/golang/protobuf/ptypes/empty" -) - -func (s *Server) AddMachineKey(ctx context.Context, req *management.AddMachineKeyRequest) (*management.AddMachineKeyResponse, error) { - key, err := s.command.AddUserMachineKey(ctx, addMachineKeyToDomain(req), authz.GetCtxData(ctx).OrgID) - if err != nil { - return nil, err - } - return addMachineKeyFromDomain(key), nil -} - -func (s *Server) DeleteMachineKey(ctx context.Context, req *management.MachineKeyIDRequest) (*empty.Empty, error) { - err := s.command.RemoveUserMachineKey(ctx, req.UserId, req.KeyId, authz.GetCtxData(ctx).OrgID) - return &empty.Empty{}, err -} - -func (s *Server) GetMachineKey(ctx context.Context, req *management.MachineKeyIDRequest) (*management.MachineKeyView, error) { - key, err := s.user.GetMachineKey(ctx, req.UserId, req.KeyId) - if err != nil { - return nil, err - } - return machineKeyViewFromModel(key), nil -} - -func (s *Server) SearchMachineKeys(ctx context.Context, req *management.MachineKeySearchRequest) (*management.MachineKeySearchResponse, error) { - result, err := s.user.SearchMachineKeys(ctx, machineKeySearchRequestToModel(req)) - if err != nil { - return nil, err - } - return machineKeySearchResponseFromModel(result), nil -} diff --git a/internal/api/grpc/management/user_machine_converter.go b/internal/api/grpc/management/user_machine_converter.go deleted file mode 100644 index 278576d261..0000000000 --- a/internal/api/grpc/management/user_machine_converter.go +++ /dev/null 
@@ -1,176 +0,0 @@ -package management - -import ( - "encoding/json" - "google.golang.org/protobuf/types/known/timestamppb" - "time" - - "github.com/caos/zitadel/internal/api/authz" - "github.com/caos/zitadel/internal/domain" - - "github.com/caos/logging" - "github.com/golang/protobuf/ptypes" - - "github.com/caos/zitadel/internal/eventstore/v1/models" - key_model "github.com/caos/zitadel/internal/key/model" - usr_model "github.com/caos/zitadel/internal/user/model" - "github.com/caos/zitadel/pkg/grpc/management" -) - -func machineCreateToDomain(machine *management.CreateMachineRequest) *domain.Machine { - return &domain.Machine{ - Name: machine.Name, - Description: machine.Description, - } -} - -func updateMachineToDomain(ctxData authz.CtxData, machine *management.UpdateMachineRequest) *domain.Machine { - return &domain.Machine{ - ObjectRoot: models.ObjectRoot{ - AggregateID: machine.Id, - ResourceOwner: ctxData.ResourceOwner, - }, - Name: machine.Name, - Description: machine.Description, - } -} - -func machineFromDomain(account *domain.Machine) *management.MachineResponse { - return &management.MachineResponse{ - Name: account.Name, - Description: account.Description, - } -} - -func machineViewFromModel(machine *usr_model.MachineView) *management.MachineView { - lastKeyAdded, err := ptypes.TimestampProto(machine.LastKeyAdded) - logging.Log("MANAG-wGcAQ").OnError(err).Debug("unable to parse date") - return &management.MachineView{ - Description: machine.Description, - Name: machine.Name, - LastKeyAdded: lastKeyAdded, - } -} - -func authnKeyViewsFromModel(keys ...*key_model.AuthNKeyView) []*management.MachineKeyView { - keyViews := make([]*management.MachineKeyView, len(keys)) - for i, key := range keys { - keyViews[i] = machineKeyViewFromModel(key) - } - return keyViews -} - -func machineKeyViewFromModel(key *key_model.AuthNKeyView) *management.MachineKeyView { - creationDate, err := ptypes.TimestampProto(key.CreationDate) - 
logging.Log("MANAG-gluk7").OnError(err).Debug("unable to parse timestamp") - - expirationDate, err := ptypes.TimestampProto(key.ExpirationDate) - logging.Log("MANAG-gluk7").OnError(err).Debug("unable to parse timestamp") - - return &management.MachineKeyView{ - Id: key.ID, - CreationDate: creationDate, - ExpirationDate: expirationDate, - Sequence: key.Sequence, - Type: machineKeyTypeFromModel(key.Type), - } -} - -func addMachineKeyToDomain(key *management.AddMachineKeyRequest) *domain.MachineKey { - expirationDate := time.Time{} - if key.ExpirationDate != nil { - var err error - expirationDate, err = ptypes.Timestamp(key.ExpirationDate) - logging.Log("MANAG-iNshR").OnError(err).Debug("unable to parse expiration date") - } - - return &domain.MachineKey{ - ExpirationDate: expirationDate, - Type: machineKeyTypeToDomain(key.Type), - ObjectRoot: models.ObjectRoot{AggregateID: key.UserId}, - } -} - -func addMachineKeyFromDomain(key *domain.MachineKey) *management.AddMachineKeyResponse { - detail, err := json.Marshal(struct { - Type string `json:"type"` - KeyID string `json:"keyId"` - Key string `json:"key"` - UserID string `json:"userId"` - }{ - Type: "serviceaccount", - KeyID: key.KeyID, - Key: string(key.PrivateKey), - UserID: key.AggregateID, - }) - logging.Log("MANAG-lFQ2g").OnError(err).Warn("unable to marshall key") - - return &management.AddMachineKeyResponse{ - Id: key.KeyID, - CreationDate: timestamppb.New(key.CreationDate), - ExpirationDate: timestamppb.New(key.ExpirationDate), - Sequence: key.Sequence, - KeyDetails: detail, - Type: machineKeyTypeFromDomain(key.Type), - } -} - -func machineKeyTypeToDomain(typ management.MachineKeyType) domain.AuthNKeyType { - switch typ { - case management.MachineKeyType_MACHINEKEY_JSON: - return domain.AuthNKeyTypeJSON - default: - return domain.AuthNKeyTypeNONE - } -} - -func machineKeyTypeFromDomain(typ domain.AuthNKeyType) management.MachineKeyType { - switch typ { - case domain.AuthNKeyTypeJSON: - return 
management.MachineKeyType_MACHINEKEY_JSON - default: - return management.MachineKeyType_MACHINEKEY_UNSPECIFIED - } -} - -func machineKeyTypeFromModel(typ key_model.AuthNKeyType) management.MachineKeyType { - switch typ { - case key_model.AuthNKeyTypeJSON: - return management.MachineKeyType_MACHINEKEY_JSON - default: - return management.MachineKeyType_MACHINEKEY_UNSPECIFIED - } -} - -func machineKeySearchRequestToModel(req *management.MachineKeySearchRequest) *key_model.AuthNKeySearchRequest { - return &key_model.AuthNKeySearchRequest{ - Offset: req.Offset, - Limit: req.Limit, - Asc: req.Asc, - Queries: []*key_model.AuthNKeySearchQuery{ - { - Key: key_model.AuthNKeyObjectType, - Method: domain.SearchMethodEquals, - Value: key_model.AuthNKeyObjectTypeUser, - }, { - Key: key_model.AuthNKeyObjectID, - Method: domain.SearchMethodEquals, - Value: req.UserId, - }, - }, - } -} - -func machineKeySearchResponseFromModel(req *key_model.AuthNKeySearchResponse) *management.MachineKeySearchResponse { - viewTimestamp, err := ptypes.TimestampProto(req.Timestamp) - logging.Log("MANAG-Sk9ds").OnError(err).Debug("unable to parse cretaion date") - - return &management.MachineKeySearchResponse{ - Offset: req.Offset, - Limit: req.Limit, - TotalResult: req.TotalResult, - ProcessedSequence: req.Sequence, - ViewTimestamp: viewTimestamp, - Result: authnKeyViewsFromModel(req.Result...), - } -} diff --git a/internal/api/grpc/management/zitadel_docs.go b/internal/api/grpc/management/zitadel_docs.go deleted file mode 100644 index 79bb576e58..0000000000 --- a/internal/api/grpc/management/zitadel_docs.go +++ /dev/null 
@@ -1,14 +0,0 @@
-package management
-
-import (
- "context"
- "github.com/caos/zitadel/pkg/grpc/management"
- "github.com/golang/protobuf/ptypes/empty"
-)
-
-func (s *Server) GetZitadelDocs(ctx context.Context, _ *empty.Empty) (*management.ZitadelDocs, error) {
- return &management.ZitadelDocs{
- Issuer: s.systemDefaults.ZitadelDocs.Issuer,
- DiscoveryEndpoint: s.systemDefaults.ZitadelDocs.DiscoveryEndpoint,
- }, nil
-}
diff --git a/internal/api/grpc/member/converter.go b/internal/api/grpc/member/converter.go
new file mode 100644
index 0000000000..970aa4ed0a
--- /dev/null
+++ b/internal/api/grpc/member/converter.go
@@ -0,0 +1,13 @@
+package member
+
+import (
+ "github.com/caos/zitadel/internal/domain"
+ member_pb "github.com/caos/zitadel/pkg/grpc/member"
+)
+
+func MemberToDomain(member *member_pb.Member) *domain.Member {
+ return &domain.Member{
+ UserID: member.UserId,
+ Roles: member.Roles,
+ }
+}
diff --git a/internal/api/grpc/member/iam_member.go b/internal/api/grpc/member/iam_member.go
new file mode 100644
index 0000000000..4e3b9c73ef
--- /dev/null
+++ b/internal/api/grpc/member/iam_member.go
@@ -0,0 +1,88 @@
+package member
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ iam_model "github.com/caos/zitadel/internal/iam/model"
+ member_pb "github.com/caos/zitadel/pkg/grpc/member"
+)
+
+func IAMMembersToPb(members []*iam_model.IAMMemberView) []*member_pb.Member {
+ m := make([]*member_pb.Member, len(members))
+ for i, member := range members {
+ m[i] = IAMMemberToPb(member)
+ }
+ return m
+}
+
+func IAMMemberToPb(m *iam_model.IAMMemberView) *member_pb.Member {
+ return &member_pb.Member{
+ UserId: m.UserID,
+ Roles: m.Roles,
+ // PreferredLoginName: //TODO: not implemented in be
+ Email: m.Email,
+ FirstName: m.FirstName,
+ LastName: m.LastName,
+ DisplayName: m.DisplayName,
+ Details: object.ToDetailsPb(
+ m.Sequence,
+ m.ChangeDate,
+ "m.ResourceOwner", //TODO: not returnd
+ ),
+ }
+}
+
+func MemberQueriesToIAMMember(queries []*member_pb.SearchQuery) []*iam_model.IAMMemberSearchQuery {
+ q := make([]*iam_model.IAMMemberSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i] = MemberQueryToIAMMember(query)
+ }
+ return q
+}
+
+func MemberQueryToIAMMember(query *member_pb.SearchQuery) *iam_model.IAMMemberSearchQuery {
+ switch q := query.Query.(type) {
+ case *member_pb.SearchQuery_EmailQuery:
+ return EmailQueryToIAMMemberQuery(q.EmailQuery)
+ case *member_pb.SearchQuery_FirstNameQuery:
+ return FirstNameQueryToIAMMemberQuery(q.FirstNameQuery)
+ case *member_pb.SearchQuery_LastNameQuery:
+ return LastNameQueryToIAMMemberQuery(q.LastNameQuery)
+ case *member_pb.SearchQuery_UserIdQuery:
+ return UserIDQueryToIAMMemberQuery(q.UserIdQuery)
+ default:
+ return nil
+ }
+}
+
+func FirstNameQueryToIAMMemberQuery(query *member_pb.FirstNameQuery) *iam_model.IAMMemberSearchQuery {
+ return &iam_model.IAMMemberSearchQuery{
+ Key: iam_model.IAMMemberSearchKeyFirstName,
+ Method: object.TextMethodToModel(query.Method),
+ Value: query.FirstName,
+ }
+}
+
+func LastNameQueryToIAMMemberQuery(query
*member_pb.LastNameQuery) *iam_model.IAMMemberSearchQuery {
+ return &iam_model.IAMMemberSearchQuery{
+ Key: iam_model.IAMMemberSearchKeyLastName,
+ Method: object.TextMethodToModel(query.Method),
+ Value: query.LastName,
+ }
+}
+
+func EmailQueryToIAMMemberQuery(query *member_pb.EmailQuery) *iam_model.IAMMemberSearchQuery {
+ return &iam_model.IAMMemberSearchQuery{
+ Key: iam_model.IAMMemberSearchKeyEmail,
+ Method: object.TextMethodToModel(query.Method),
+ Value: query.Email,
+ }
+}
+
+func UserIDQueryToIAMMemberQuery(query *member_pb.UserIDQuery) *iam_model.IAMMemberSearchQuery {
+ return &iam_model.IAMMemberSearchQuery{
+ Key: iam_model.IAMMemberSearchKeyUserID,
+ Method: domain.SearchMethodEquals,
+ Value: query.UserId,
+ }
+}
diff --git a/internal/api/grpc/member/org_member.go b/internal/api/grpc/member/org_member.go
new file mode 100644
index 0000000000..ed12765fa8
--- /dev/null
+++ b/internal/api/grpc/member/org_member.go
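Review bot: `IAMMemberToPb` passes the string literal `"m.ResourceOwner"` to `object.ToDetailsPb`, so every returned member carries that literal text as its resource owner rather than an organisation ID. The same line appears in `OrgMemberToPb`, `ProjectGrantMemberToPb` and `ProjectMemberToPb` in the new files that follow. Until the view exposes the value (the TODO says it is not returned), passing `""` would avoid handing clients a field that looks populated but is not. Separately, `MemberQueryToIAMMember` returns nil for an unrecognised query type and `MemberQueriesToIAMMember` stores that nil in the slice, as do the three sibling `MemberQueriesTo…` converters. How the search layer treats nil entries is not visible here, but the outcome is either a nil dereference or a silently dropped filter that widens the result set, so rejecting unknown query types at the API boundary would be safer.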
@@ -0,0 +1,88 @@
+package member
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ org_model "github.com/caos/zitadel/internal/org/model"
+ member_pb "github.com/caos/zitadel/pkg/grpc/member"
+)
+
+func OrgMembersToPb(members []*org_model.OrgMemberView) []*member_pb.Member {
+ m := make([]*member_pb.Member, len(members))
+ for i, member := range members {
+ m[i] = OrgMemberToPb(member)
+ }
+ return m
+}
+
+func OrgMemberToPb(m *org_model.OrgMemberView) *member_pb.Member {
+ return &member_pb.Member{
+ UserId: m.UserID,
+ Roles: m.Roles,
+ // PreferredLoginName: //TODO: not implemented in be
+ Email: m.Email,
+ FirstName: m.FirstName,
+ LastName: m.LastName,
+ DisplayName: m.DisplayName,
+ Details: object.ToDetailsPb(
+ m.Sequence,
+ m.ChangeDate,
+ "m.ResourceOwner", //TODO: not returnd
+ ),
+ }
+}
+
+func MemberQueriesToOrgMember(queries []*member_pb.SearchQuery) []*org_model.OrgMemberSearchQuery {
+ q := make([]*org_model.OrgMemberSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i] = MemberQueryToOrgMember(query)
+ }
+ return q
+}
+
+func MemberQueryToOrgMember(query *member_pb.SearchQuery) *org_model.OrgMemberSearchQuery {
+ switch q := query.Query.(type) {
+ case *member_pb.SearchQuery_EmailQuery:
+ return EmailQueryToOrgMemberQuery(q.EmailQuery)
+ case *member_pb.SearchQuery_FirstNameQuery:
+ return FirstNameQueryToOrgMemberQuery(q.FirstNameQuery)
+ case *member_pb.SearchQuery_LastNameQuery:
+ return LastNameQueryToOrgMemberQuery(q.LastNameQuery)
+ case *member_pb.SearchQuery_UserIdQuery:
+ return UserIDQueryToOrgMemberQuery(q.UserIdQuery)
+ default:
+ return nil
+ }
+}
+
+func FirstNameQueryToOrgMemberQuery(query *member_pb.FirstNameQuery) *org_model.OrgMemberSearchQuery {
+ return &org_model.OrgMemberSearchQuery{
+ Key: org_model.OrgMemberSearchKeyFirstName,
+ Method: object.TextMethodToModel(query.Method),
+ Value: query.FirstName,
+ }
+}
+
+func LastNameQueryToOrgMemberQuery(query
*member_pb.LastNameQuery) *org_model.OrgMemberSearchQuery {
+ return &org_model.OrgMemberSearchQuery{
+ Key: org_model.OrgMemberSearchKeyLastName,
+ Method: object.TextMethodToModel(query.Method),
+ Value: query.LastName,
+ }
+}
+
+func EmailQueryToOrgMemberQuery(query *member_pb.EmailQuery) *org_model.OrgMemberSearchQuery {
+ return &org_model.OrgMemberSearchQuery{
+ Key: org_model.OrgMemberSearchKeyEmail,
+ Method: object.TextMethodToModel(query.Method),
+ Value: query.Email,
+ }
+}
+
+func UserIDQueryToOrgMemberQuery(query *member_pb.UserIDQuery) *org_model.OrgMemberSearchQuery {
+ return &org_model.OrgMemberSearchQuery{
+ Key: org_model.OrgMemberSearchKeyUserID,
+ Method: domain.SearchMethodEquals,
+ Value: query.UserId,
+ }
+}
diff --git a/internal/api/grpc/member/project_grant_member.go b/internal/api/grpc/member/project_grant_member.go
new file mode 100644
index 0000000000..87cf344b95
--- /dev/null
+++ b/internal/api/grpc/member/project_grant_member.go
@@ -0,0 +1,88 @@
+package member
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ proj_model "github.com/caos/zitadel/internal/project/model"
+ member_pb "github.com/caos/zitadel/pkg/grpc/member"
+)
+
+func ProjectGrantMembersToPb(members []*proj_model.ProjectGrantMemberView) []*member_pb.Member {
+ m := make([]*member_pb.Member, len(members))
+ for i, member := range members {
+ m[i] = ProjectGrantMemberToPb(member)
+ }
+ return m
+}
+
+func ProjectGrantMemberToPb(m *proj_model.ProjectGrantMemberView) *member_pb.Member {
+ return &member_pb.Member{
+ UserId: m.UserID,
+ Roles: m.Roles,
+ // PreferredLoginName: //TODO: not implemented in be
+ Email: m.Email,
+ FirstName: m.FirstName,
+ LastName: m.LastName,
+ DisplayName: m.DisplayName,
+ Details: object.ToDetailsPb(
+ m.Sequence,
+ m.ChangeDate,
+ "m.ResourceOwner", //TODO: not returnd
+ ),
+ }
+}
+
+func MemberQueriesToProjectGrantMember(queries []*member_pb.SearchQuery) []*proj_model.ProjectGrantMemberSearchQuery {
+ q := make([]*proj_model.ProjectGrantMemberSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i] = MemberQueryToProjectGrantMember(query)
+ }
+ return q
+}
+
+func MemberQueryToProjectGrantMember(query *member_pb.SearchQuery) *proj_model.ProjectGrantMemberSearchQuery {
+ switch q := query.Query.(type) {
+ case *member_pb.SearchQuery_EmailQuery:
+ return EmailQueryToProjectGrantMemberQuery(q.EmailQuery)
+ case *member_pb.SearchQuery_FirstNameQuery:
+ return FirstNameQueryToProjectGrantMemberQuery(q.FirstNameQuery)
+ case *member_pb.SearchQuery_LastNameQuery:
+ return LastNameQueryToProjectGrantMemberQuery(q.LastNameQuery)
+ case *member_pb.SearchQuery_UserIdQuery:
+ return UserIDQueryToProjectGrantMemberQuery(q.UserIdQuery)
+ default:
+ return nil
+ }
+}
+
+func FirstNameQueryToProjectGrantMemberQuery(query *member_pb.FirstNameQuery) *proj_model.ProjectGrantMemberSearchQuery {
+ return
&proj_model.ProjectGrantMemberSearchQuery{
+ Key: proj_model.ProjectGrantMemberSearchKeyFirstName,
+ Method: object.TextMethodToModel(query.Method),
+ Value: query.FirstName,
+ }
+}
+
+func LastNameQueryToProjectGrantMemberQuery(query *member_pb.LastNameQuery) *proj_model.ProjectGrantMemberSearchQuery {
+ return &proj_model.ProjectGrantMemberSearchQuery{
+ Key: proj_model.ProjectGrantMemberSearchKeyLastName,
+ Method: object.TextMethodToModel(query.Method),
+ Value: query.LastName,
+ }
+}
+
+func EmailQueryToProjectGrantMemberQuery(query *member_pb.EmailQuery) *proj_model.ProjectGrantMemberSearchQuery {
+ return &proj_model.ProjectGrantMemberSearchQuery{
+ Key: proj_model.ProjectGrantMemberSearchKeyEmail,
+ Method: object.TextMethodToModel(query.Method),
+ Value: query.Email,
+ }
+}
+
+func UserIDQueryToProjectGrantMemberQuery(query *member_pb.UserIDQuery) *proj_model.ProjectGrantMemberSearchQuery {
+ return &proj_model.ProjectGrantMemberSearchQuery{
+ Key: proj_model.ProjectGrantMemberSearchKeyUserID,
+ Method: domain.SearchMethodEquals,
+ Value: query.UserId,
+ }
+}
diff --git a/internal/api/grpc/member/project_member.go b/internal/api/grpc/member/project_member.go
new file mode 100644
index 0000000000..f770970fe3
--- /dev/null
+++ b/internal/api/grpc/member/project_member.go
@@ -0,0 +1,88 @@
+package member
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ proj_model "github.com/caos/zitadel/internal/project/model"
+ member_pb "github.com/caos/zitadel/pkg/grpc/member"
+)
+
+func ProjectMembersToPb(members []*proj_model.ProjectMemberView) []*member_pb.Member {
+ m := make([]*member_pb.Member, len(members))
+ for i, member := range members {
+ m[i] = ProjectMemberToPb(member)
+ }
+ return m
+}
+
+func ProjectMemberToPb(m *proj_model.ProjectMemberView) *member_pb.Member {
+ return &member_pb.Member{
+ UserId: m.UserID,
+ Roles: m.Roles,
+ // PreferredLoginName: //TODO: not implemented in be
+ Email: m.Email,
+ FirstName: m.FirstName,
+ LastName: m.LastName,
+ DisplayName: m.DisplayName,
+ Details: object.ToDetailsPb(
+ m.Sequence,
+ m.ChangeDate,
+ "m.ResourceOwner", //TODO: not returnd
+ ),
+ }
+}
+
+func MemberQueriesToProjectMember(queries []*member_pb.SearchQuery) []*proj_model.ProjectMemberSearchQuery {
+ q := make([]*proj_model.ProjectMemberSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i] = MemberQueryToProjectMember(query)
+ }
+ return q
+}
+
+func MemberQueryToProjectMember(query *member_pb.SearchQuery) *proj_model.ProjectMemberSearchQuery {
+ switch q := query.Query.(type) {
+ case *member_pb.SearchQuery_EmailQuery:
+ return EmailQueryToProjectMemberQuery(q.EmailQuery)
+ case *member_pb.SearchQuery_FirstNameQuery:
+ return FirstNameQueryToProjectMemberQuery(q.FirstNameQuery)
+ case *member_pb.SearchQuery_LastNameQuery:
+ return LastNameQueryToProjectMemberQuery(q.LastNameQuery)
+ case *member_pb.SearchQuery_UserIdQuery:
+ return UserIDQueryToProjectMemberQuery(q.UserIdQuery)
+ default:
+ return nil
+ }
+}
+
+func FirstNameQueryToProjectMemberQuery(query *member_pb.FirstNameQuery) *proj_model.ProjectMemberSearchQuery {
+ return &proj_model.ProjectMemberSearchQuery{
+ Key: proj_model.ProjectMemberSearchKeyFirstName,
+ Method:
object.TextMethodToModel(query.Method),
+ Value: query.FirstName,
+ }
+}
+
+func LastNameQueryToProjectMemberQuery(query *member_pb.LastNameQuery) *proj_model.ProjectMemberSearchQuery {
+ return &proj_model.ProjectMemberSearchQuery{
+ Key: proj_model.ProjectMemberSearchKeyLastName,
+ Method: object.TextMethodToModel(query.Method),
+ Value: query.LastName,
+ }
+}
+
+func EmailQueryToProjectMemberQuery(query *member_pb.EmailQuery) *proj_model.ProjectMemberSearchQuery {
+ return &proj_model.ProjectMemberSearchQuery{
+ Key: proj_model.ProjectMemberSearchKeyEmail,
+ Method: object.TextMethodToModel(query.Method),
+ Value: query.Email,
+ }
+}
+
+func UserIDQueryToProjectMemberQuery(query *member_pb.UserIDQuery) *proj_model.ProjectMemberSearchQuery {
+ return &proj_model.ProjectMemberSearchQuery{
+ Key: proj_model.ProjectMemberSearchKeyUserID,
+ Method: domain.SearchMethodEquals,
+ Value: query.UserId,
+ }
+}
diff --git a/internal/api/grpc/object/converter.go b/internal/api/grpc/object/converter.go
new file mode 100644
index 0000000000..504b627d4d
--- /dev/null
+++ b/internal/api/grpc/object/converter.go
@@ -0,0 +1,66 @@
+package object
+
+import (
+ "time"
+
+ "google.golang.org/protobuf/types/known/timestamppb"
+
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/pkg/grpc/object"
+ object_pb "github.com/caos/zitadel/pkg/grpc/object"
+)
+
+func DomainToDetailsPb(objectDetail *domain.ObjectDetails) *object_pb.ObjectDetails {
+ return &object_pb.ObjectDetails{
+ Sequence: objectDetail.Sequence,
+ ChangeDate: timestamppb.New(objectDetail.ChangeDate),
+ ResourceOwner: objectDetail.ResourceOwner,
+ }
+}
+
+func ToDetailsPb(
+ sequence uint64,
+ changeDate time.Time,
+ resourceOwner string,
+) *object_pb.ObjectDetails {
+ return &object_pb.ObjectDetails{
+ Sequence: sequence,
+ ChangeDate: timestamppb.New(changeDate),
+ ResourceOwner: resourceOwner,
+ }
+}
+
+func ToListDetails(
+ totalResult,
+ processedSequence uint64,
+ viewTimestamp time.Time,
+) *object.ListDetails {
+ return &object_pb.ListDetails{
+ TotalResult: totalResult,
+ ProcessedSequence: processedSequence,
+ ViewTimestamp: timestamppb.New(viewTimestamp),
+ }
+}
+
+func TextMethodToModel(method object_pb.TextQueryMethod) domain.SearchMethod {
+ switch method {
+ case object.TextQueryMethod_TEXT_QUERY_METHOD_EQUALS:
+ return domain.SearchMethodEquals
+ case object.TextQueryMethod_TEXT_QUERY_METHOD_EQUALS_IGNORE_CASE:
+ return domain.SearchMethodEqualsIgnoreCase
+ case object.TextQueryMethod_TEXT_QUERY_METHOD_STARTS_WITH:
+ return domain.SearchMethodStartsWith
+ case object.TextQueryMethod_TEXT_QUERY_METHOD_STARTS_WITH_IGNORE_CASE:
+ return domain.SearchMethodStartsWithIgnoreCase
+ case object.TextQueryMethod_TEXT_QUERY_METHOD_CONTAINS:
+ return domain.SearchMethodContains
+ case object.TextQueryMethod_TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE:
+ return domain.SearchMethodContainsIgnoreCase
+ case object.TextQueryMethod_TEXT_QUERY_METHOD_ENDS_WITH:
+ return domain.SearchMethodEndsWith
+ case object.TextQueryMethod_TEXT_QUERY_METHOD_ENDS_WITH_IGNORE_CASE:
+ return domain.SearchMethodEndsWithIgnoreCase
+ default:
+ return -1
+ }
+}
diff --git a/internal/api/grpc/org/converter.go b/internal/api/grpc/org/converter.go
new file mode 100644
index 0000000000..799ff733d8
--- /dev/null
+++ b/internal/api/grpc/org/converter.go
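Review bot: `TextMethodToModel` returns the bare literal `-1` for any `TextQueryMethod` it does not recognise, and that value ends up in the `Method` field of every search query built through it; `PasswordlessTypeToDomain` in policy/login_policy.go does the same. The enum comes from the request, so an out-of-range number reaches the query layer as `domain.SearchMethod(-1)`, and how that layer treats it is not visible in this diff. Document the fallback above the function, e.g. `// TextMethodToModel maps the API text query method to the domain search method; unknown values yield -1, which callers must reject.`, or return an error the way `OrgQueryToModel` does for unknown query types.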
@@ -0,0 +1,164 @@
+package org
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/internal/errors"
+ org_model "github.com/caos/zitadel/internal/org/model"
+ grant_model "github.com/caos/zitadel/internal/usergrant/model"
+ org_pb "github.com/caos/zitadel/pkg/grpc/org"
+)
+
+func OrgQueriesToModel(queries []*org_pb.OrgQuery) (_ []*org_model.OrgSearchQuery, err error) {
+ q := make([]*org_model.OrgSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i], err = OrgQueryToModel(query)
+ if err != nil {
+ return nil, err
+ }
+ }
+ return q, nil
+}
+
+func OrgQueryToModel(query *org_pb.OrgQuery) (*org_model.OrgSearchQuery, error) {
+ switch q := query.Query.(type) {
+ case *org_pb.OrgQuery_DomainQuery:
+ return &org_model.OrgSearchQuery{
+ Key: org_model.OrgSearchKeyOrgDomain,
+ Method: object.TextMethodToModel(q.DomainQuery.Method),
+ Value: q.DomainQuery.Domain,
+ }, nil
+ case *org_pb.OrgQuery_NameQuery:
+ //TODO: implement name in backend
+ return nil, errors.ThrowUnimplemented(nil, "ADMIN-KGXnX", "name query not implemented")
+ default:
+ return nil, errors.ThrowInvalidArgument(nil, "ADMIN-vR9nC", "List.Query.Invalid")
+ }
+}
+
+func OrgViewsToPb(orgs []*org_model.OrgView) []*org_pb.Org {
+ o := make([]*org_pb.Org, len(orgs))
+ for i, org := range orgs {
+ o[i] = OrgViewToPb(org)
+ }
+ return o
+}
+
+func OrgViewToPb(org *org_model.OrgView) *org_pb.Org {
+ return &org_pb.Org{
+ Id: org.ID,
+ State: OrgStateToPb(org.State),
+ Name: org.Name,
+ Details: object.ToDetailsPb(
+ org.Sequence,
+ org.ChangeDate,
+ org.ResourceOwner,
+ ),
+ }
+}
+
+func OrgsToPb(orgs []*grant_model.Org) []*org_pb.Org {
+ o := make([]*org_pb.Org, len(orgs))
+ for i, org := range orgs {
+ o[i] = OrgToPb(org)
+ }
+ return o
+}
+
+func OrgToPb(org *grant_model.Org) *org_pb.Org {
+ return &org_pb.Org{
+ Id: org.OrgID,
+ Name: org.OrgName,
+ // State: OrgStateToPb(org.State), //TODO: not provided
+ // Details: object.ToDetailsPb(//TODO: not provided
+ // org.Sequence,//TODO: not provided
+ // org.CreationDate,//TODO: not provided
+ // org.ChangeDate,//TODO: not provided
+ // org.ResourceOwner,//TODO: not provided
+ // ),//TODO: not provided
+ }
+}
+
+func OrgStateToPb(state org_model.OrgState) org_pb.OrgState {
+ switch state {
+ case org_model.OrgStateActive:
+ return org_pb.OrgState_ORG_STATE_ACTIVE
+ case org_model.OrgStateInactive:
+ return org_pb.OrgState_ORG_STATE_INACTIVE
+ default:
+ return org_pb.OrgState_ORG_STATE_UNSPECIFIED
+ }
+}
+
+func DomainQueriesToModel(queries []*org_pb.DomainSearchQuery) (_ []*org_model.OrgDomainSearchQuery, err error) {
+ q := make([]*org_model.OrgDomainSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i], err = DomainQueryToModel(query)
+ if err != nil {
+ return nil, err
+ }
+ }
+ return q, nil
+}
+
+func DomainQueryToModel(query *org_pb.DomainSearchQuery) (*org_model.OrgDomainSearchQuery, error) {
+ switch q := query.Query.(type) {
+ case *org_pb.DomainSearchQuery_DomainNameQuery:
+ return DomainNameQueryToModel(q.DomainNameQuery)
+ default:
+ return nil, errors.ThrowInvalidArgument(nil, "ORG-Ags42", "List.Query.Invalid")
+ }
+}
+
+func DomainNameQueryToModel(query *org_pb.DomainNameQuery) (*org_model.OrgDomainSearchQuery, error) {
+ return &org_model.OrgDomainSearchQuery{
+ Key: org_model.OrgDomainSearchKeyDomain,
+ Method: object.TextMethodToModel(query.Method),
+ Value: query.Name,
+ }, nil
+}
+
+func DomainsToPb(domains []*org_model.OrgDomainView) []*org_pb.Domain {
+ d := make([]*org_pb.Domain, len(domains))
+ for i, domain := range domains {
+ d[i] = DomainToPb(domain)
+ }
+ return d
+}
+
+func DomainToPb(domain *org_model.OrgDomainView) *org_pb.Domain {
+ return &org_pb.Domain{
+ OrgId: domain.OrgID,
+ DomainName: domain.Domain,
+ IsVerified: domain.Verified,
+ IsPrimary: domain.Primary,
+ ValidationType: DomainValidationTypeFromModel(domain.ValidationType),
+ Details: object.ToDetailsPb(
+ 0,
+ domain.ChangeDate,
+ "",
+ ),
+ }
+}
+
+func DomainValidationTypeToDomain(validationType org_pb.DomainValidationType) domain.OrgDomainValidationType {
+ switch validationType {
+ case org_pb.DomainValidationType_DOMAIN_VALIDATION_TYPE_HTTP:
+ return domain.OrgDomainValidationTypeHTTP
+ case org_pb.DomainValidationType_DOMAIN_VALIDATION_TYPE_DNS:
+ return domain.OrgDomainValidationTypeDNS
+ default:
+ return domain.OrgDomainValidationTypeUnspecified
+ }
+}
+
+func DomainValidationTypeFromModel(validationType org_model.OrgDomainValidationType) org_pb.DomainValidationType {
+ switch validationType {
+ case org_model.OrgDomainValidationTypeDNS:
+ return org_pb.DomainValidationType_DOMAIN_VALIDATION_TYPE_DNS
+ case org_model.OrgDomainValidationTypeHTTP:
+ return org_pb.DomainValidationType_DOMAIN_VALIDATION_TYPE_HTTP
+ default:
+ return org_pb.DomainValidationType_DOMAIN_VALIDATION_TYPE_UNSPECIFIED
+ }
+}
diff --git a/internal/api/grpc/policy/label_policy.go b/internal/api/grpc/policy/label_policy.go
new file mode 100644
index 0000000000..a3699eac2c
--- /dev/null
+++ b/internal/api/grpc/policy/label_policy.go
@@ -0,0 +1,19 @@
+package policy
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/iam/model"
+ policy_pb "github.com/caos/zitadel/pkg/grpc/policy"
+)
+
+func ModelLabelPolicyToPb(policy *model.LabelPolicyView) *policy_pb.LabelPolicy {
+ return &policy_pb.LabelPolicy{
+ PrimaryColor: policy.PrimaryColor,
+ SecondaryColor: policy.SecondaryColor,
+ Details: object.ToDetailsPb(
+ policy.Sequence,
+ policy.ChangeDate,
+ "policy.ResourceOwner", //TODO: für da haui öppert
+ ),
+ }
+}
diff --git a/internal/api/grpc/policy/login_policy.go b/internal/api/grpc/policy/login_policy.go
new file mode 100644
index 0000000000..93a7584f11
--- /dev/null
+++ b/internal/api/grpc/policy/login_policy.go
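Review bot: The error ID `"ORG-Ags42"` used in `DomainQueryToModel` is repeated verbatim in `ProjectQueryToModel`, `GrantedProjectQueryToModel` and `RoleQueryToModel` in project/converter.go, so an ID seen in a log or an API error no longer identifies the converter that rejected the request. `OrgQueryToModel` in the same file uses an `ADMIN-` prefix while `DomainQueryToModel` uses `ORG-`, so the prefix does not identify the package either. Give each call site its own ID, for example `errors.ThrowInvalidArgument(nil, "ORG-<unique-id>", "List.Query.Invalid")` with a freshly generated suffix per site.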
@@ -0,0 +1,39 @@
+package policy
+
+import (
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/internal/iam/model"
+ policy_pb "github.com/caos/zitadel/pkg/grpc/policy"
+)
+
+func ModelLoginPolicyToPb(policy *model.LoginPolicyView) *policy_pb.LoginPolicy {
+ return &policy_pb.LoginPolicy{
+ AllowUsernamePassword: policy.AllowUsernamePassword,
+ AllowRegister: policy.AllowRegister,
+ AllowExternalIdp: policy.AllowRegister,
+ ForceMfa: policy.ForceMFA,
+ PasswordlessType: ModelPasswordlessTypeToPb(policy.PasswordlessType),
+ }
+}
+
+func PasswordlessTypeToDomain(passwordlessType policy_pb.PasswordlessType) domain.PasswordlessType {
+ switch passwordlessType {
+ case policy_pb.PasswordlessType_PASSWORDLESS_TYPE_ALLOWED:
+ return domain.PasswordlessTypeAllowed
+ case policy_pb.PasswordlessType_PASSWORDLESS_TYPE_NOT_ALLOWED:
+ return domain.PasswordlessTypeNotAllowed
+ default:
+ return -1
+ }
+}
+
+func ModelPasswordlessTypeToPb(passwordlessType model.PasswordlessType) policy_pb.PasswordlessType {
+ switch passwordlessType {
+ case model.PasswordlessTypeAllowed:
+ return policy_pb.PasswordlessType_PASSWORDLESS_TYPE_ALLOWED
+ case model.PasswordlessTypeNotAllowed:
+ return policy_pb.PasswordlessType_PASSWORDLESS_TYPE_NOT_ALLOWED
+ default:
+ return policy_pb.PasswordlessType_PASSWORDLESS_TYPE_NOT_ALLOWED
+ }
+}
diff --git a/internal/api/grpc/policy/multi_factor.go b/internal/api/grpc/policy/multi_factor.go
new file mode 100644
index 0000000000..b1cda04c03
--- /dev/null
+++ b/internal/api/grpc/policy/multi_factor.go
@@ -0,0 +1,14 @@
+package policy
+
+import (
+ "github.com/caos/zitadel/internal/domain"
+ policy_pb "github.com/caos/zitadel/pkg/grpc/policy"
+)
+
+func MultiFactorTypeToDomain(multiFactorType policy_pb.MultiFactorType) domain.MultiFactorType {
+ switch multiFactorType {
+ //TODO: gap between proto and backend
+ default:
+ return domain.MultiFactorTypeUnspecified
+ }
+}
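Review bot: `ModelLoginPolicyToPb` fills `AllowExternalIdp` from `policy.AllowRegister`, the same field used on the line above, so the API reports external identity-provider login as allowed exactly when self-registration is allowed. This looks like a copy-paste slip; the line should read the view's own external-IdP flag, presumably `AllowExternalIdp: policy.AllowExternalIDP,` (the field name on `model.LoginPolicyView` is not shown in this diff, so confirm it). A test that sets the two flags to different values would catch it.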
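Review bot: `MultiFactorTypeToDomain` has a `switch` with only a `default` branch, so every value a client sends is converted to `domain.MultiFactorTypeUnspecified`. The reverse direction in policy/second_factor.go already maps `model.MultiFactorTypeU2FWithPIN` to `MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION`, which suggests the missing case is `case policy_pb.MultiFactorType_MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION: return domain.MultiFactorTypeU2FWithPIN` (the domain constant name is assumed from the model one; confirm it exists). Until the gap named in the TODO is closed, a caller that adds or removes a multi-factor type through this converter cannot express which one it means.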
diff --git a/internal/api/grpc/policy/org_iam_policy.go b/internal/api/grpc/policy/org_iam_policy.go
new file mode 100644
index 0000000000..30a8dde3ae
--- /dev/null
+++ b/internal/api/grpc/policy/org_iam_policy.go
@@ -0,0 +1,19 @@
+package policy
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/iam/model"
+ policy_pb "github.com/caos/zitadel/pkg/grpc/policy"
+)
+
+func OrgIAMPolicyToPb(policy *model.OrgIAMPolicyView) *policy_pb.OrgIAMPolicy {
+ return &policy_pb.OrgIAMPolicy{
+ UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
+ IsDefault: policy.Default,
+ Details: object.ToDetailsPb(
+ policy.Sequence,
+ policy.ChangeDate,
+ "policy.ResourceOwner", //TODO: resource owner
+ ),
+ }
+}
diff --git a/internal/api/grpc/policy/password_age_policy.go b/internal/api/grpc/policy/password_age_policy.go
new file mode 100644
index 0000000000..6a9714782e
--- /dev/null
+++ b/internal/api/grpc/policy/password_age_policy.go
@@ -0,0 +1,19 @@
+package policy
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/iam/model"
+ policy_pb "github.com/caos/zitadel/pkg/grpc/policy"
+)
+
+func ModelPasswordAgePolicyToPb(policy *model.PasswordAgePolicyView) *policy_pb.PasswordAgePolicy {
+ return &policy_pb.PasswordAgePolicy{
+ MaxAgeDays: policy.MaxAgeDays,
+ ExpireWarnDays: policy.ExpireWarnDays,
+ Details: object.ToDetailsPb(
+ policy.Sequence,
+ policy.ChangeDate,
+ "policy.ResourceOwner", //TODO: uueli
+ ),
+ }
+}
diff --git a/internal/api/grpc/policy/password_complexity_policy.go b/internal/api/grpc/policy/password_complexity_policy.go
new file mode 100644
index 0000000000..19dd15f4e8
--- /dev/null
+++ b/internal/api/grpc/policy/password_complexity_policy.go
@@ -0,0 +1,22 @@
+package policy
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/iam/model"
+ policy_pb "github.com/caos/zitadel/pkg/grpc/policy"
+)
+
+func ModelPasswordComplexityPolicyToPb(policy *model.PasswordComplexityPolicyView) *policy_pb.PasswordComplexityPolicy {
+ return &policy_pb.PasswordComplexityPolicy{
+ MinLength: policy.MinLength,
+ HasUppercase: policy.HasUppercase,
+ HasLowercase: policy.HasLowercase,
+ HasNumber: policy.HasNumber,
+ HasSymbol: policy.HasSymbol,
+ Details: object.ToDetailsPb(
+ policy.Sequence,
+ policy.ChangeDate,
+ "policy.ResourceOwner", //TODO: ro
+ ),
+ }
+}
diff --git a/internal/api/grpc/policy/password_lockout_policy.go b/internal/api/grpc/policy/password_lockout_policy.go
new file mode 100644
index 0000000000..5ce319e435
--- /dev/null
+++ b/internal/api/grpc/policy/password_lockout_policy.go
@@ -0,0 +1,32 @@
+package policy
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/internal/iam/model"
+ policy_pb "github.com/caos/zitadel/pkg/grpc/policy"
+)
+
+func ModelPasswordLockoutPolicyToPb(policy *model.PasswordLockoutPolicyView) *policy_pb.PasswordLockoutPolicy {
+ return &policy_pb.PasswordLockoutPolicy{
+ MaxAttempts: policy.MaxAttempts,
+ ShowLockoutFailure: policy.ShowLockOutFailures,
+ Details: object.ToDetailsPb(
+ policy.Sequence,
+ policy.ChangeDate,
+ "policy.ResourceOwner", //TODO: uuueli
+ ),
+ }
+}
+
+func PasswordLockoutPolicyToDomain(policy *domain.PasswordLockoutPolicy) *policy_pb.PasswordLockoutPolicy {
+ return &policy_pb.PasswordLockoutPolicy{
+ MaxAttempts: policy.MaxAttempts,
+ ShowLockoutFailure: policy.ShowLockOutFailures,
+ Details: object.ToDetailsPb(
+ policy.Sequence,
+ policy.ChangeDate,
+ policy.ResourceOwner,
+ ),
+ }
+}
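Review bot: `PasswordLockoutPolicyToDomain` in password_lockout_policy.go takes a `*domain.PasswordLockoutPolicy` and returns a `*policy_pb.PasswordLockoutPolicy`, which is the opposite of what its name says and of the other `...ToDomain` converters in this package (pb in, domain out). The function is new in this commit, so it can still be renamed, e.g. `func DomainPasswordLockoutPolicyToPb(policy *domain.PasswordLockoutPolicy) *policy_pb.PasswordLockoutPolicy`, with a doc comment stating the direction. Both functions in the file dereference `policy` without a nil check, which is worth one line in that comment.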
diff --git a/internal/api/grpc/policy/second_factor.go b/internal/api/grpc/policy/second_factor.go
new file mode 100644
index 0000000000..830456e89f
--- /dev/null
+++ b/internal/api/grpc/policy/second_factor.go
@@ -0,0 +1,54 @@
+package policy
+
+import (
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/internal/iam/model"
+ policy_pb "github.com/caos/zitadel/pkg/grpc/policy"
+)
+
+func SecondFactorTypeToDomain(secondFactorType policy_pb.SecondFactorType) domain.SecondFactorType {
+ switch secondFactorType {
+ case policy_pb.SecondFactorType_SECOND_FACTOR_TYPE_OTP:
+ return domain.SecondFactorTypeOTP
+ case policy_pb.SecondFactorType_SECOND_FACTOR_TYPE_U2F:
+ return domain.SecondFactorTypeU2F
+ default:
+ return domain.SecondFactorTypeUnspecified
+ }
+}
+
+func ModelSecondFactorTypesToPb(types []model.SecondFactorType) []policy_pb.SecondFactorType {
+ t := make([]policy_pb.SecondFactorType, len(types))
+ for i, typ := range types {
+ t[i] = ModelSecondFactorTypeToPb(typ)
+ }
+ return t
+}
+
+func ModelSecondFactorTypeToPb(secondFactorType model.SecondFactorType) policy_pb.SecondFactorType {
+ switch secondFactorType {
+ case model.SecondFactorTypeOTP:
+ return policy_pb.SecondFactorType_SECOND_FACTOR_TYPE_OTP
+ case model.SecondFactorTypeU2F:
+ return policy_pb.SecondFactorType_SECOND_FACTOR_TYPE_U2F
+ default:
+ return policy_pb.SecondFactorType_SECOND_FACTOR_TYPE_UNSPECIFIED
+ }
+}
+
+func ModelMultiFactorTypesToPb(types []model.MultiFactorType) []policy_pb.MultiFactorType {
+ t := make([]policy_pb.MultiFactorType, len(types))
+ for i, typ := range types {
+ t[i] = ModelMultiFactorTypeToPb(typ)
+ }
+ return t
+}
+
+func ModelMultiFactorTypeToPb(typ model.MultiFactorType) policy_pb.MultiFactorType {
+ switch typ {
+ case model.MultiFactorTypeU2FWithPIN:
+ return policy_pb.MultiFactorType_MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION
+ default:
+ return policy_pb.MultiFactorType_MULTI_FACTOR_TYPE_UNSPECIFIED
+ }
+}
diff --git a/internal/api/grpc/project/application.go b/internal/api/grpc/project/application.go
new file mode 100644
index 0000000000..fd2728822c
--- /dev/null
+++ b/internal/api/grpc/project/application.go
@@ -0,0 +1,299 @@
+package project
+
+import (
+ "google.golang.org/protobuf/types/known/durationpb"
+
+ object_grpc "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/internal/errors"
+ proj_model "github.com/caos/zitadel/internal/project/model"
+ app_pb "github.com/caos/zitadel/pkg/grpc/app"
+ message_pb "github.com/caos/zitadel/pkg/grpc/message"
+)
+
+func AppsToPb(apps []*proj_model.ApplicationView) []*app_pb.App {
+ a := make([]*app_pb.App, len(apps))
+ for i, app := range apps {
+ a[i] = AppToPb(app)
+ }
+ return a
+}
+
+func AppToPb(app *proj_model.ApplicationView) *app_pb.App {
+ return &app_pb.App{
+ Id: app.ID,
+ Details: object_grpc.ToDetailsPb(app.Sequence, app.CreationDate, "app.ResourceOwner"), //TODO: RO
+ State: AppStateToPb(app.State),
+ Name: app.Name,
+ Config: AppConfigToPb(app),
+ }
+}
+
+func AppConfigToPb(app *proj_model.ApplicationView) app_pb.AppConfig {
+ if app.IsOIDC {
+ return AppOIDCConfigToPb(app)
+ }
+ return AppAPIConfigToPb(app)
+}
+
+func AppOIDCConfigToPb(app *proj_model.ApplicationView) *app_pb.App_OidcConfig {
+ return &app_pb.App_OidcConfig{
+ OidcConfig: &app_pb.OIDCConfig{
+ RedirectUris: app.OIDCRedirectUris,
+ ResponseTypes: OIDCResponseTypesFromModel(app.OIDCResponseTypes),
+ GrantTypes: OIDCGrantTypesFromModel(app.OIDCGrantTypes),
+ AppType: OIDCApplicationTypeToPb(domain.OIDCApplicationType(app.OIDCApplicationType)),
+ ClientId: app.OIDCClientID,
+ AuthMethodType: OIDCAuthMethodTypeToPb(domain.OIDCAuthMethodType(app.OIDCAuthMethodType)),
+ PostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
+ Version: OIDCVersionToPb(domain.OIDCVersion(app.OIDCVersion)),
+ NoneCompliant: app.NoneCompliant,
+ ComplianceProblems: ComplianceProblemsToLocalizedMessages(app.ComplianceProblems),
+ DevMode: app.DevMode,
+ AccessTokenType: oidcTokenTypeToPb(domain.OIDCTokenType(app.AccessTokenType)),
+ AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
+ IdTokenRoleAssertion: app.IDTokenRoleAssertion,
+ IdTokenUserinfoAssertion: app.IDTokenUserinfoAssertion,
+ ClockSkew: durationpb.New(app.ClockSkew),
+ },
+ }
+}
+
+func AppAPIConfigToPb(app *proj_model.ApplicationView) app_pb.AppConfig {
+ return &app_pb.App_ApiConfig{
+ ApiConfig: &app_pb.APIConfig{
+ ClientId: app.OIDCClientID,
+ ClientSecret: "", //TODO: remove from proto
+ AuthMethodType: APIAuthMethodeTypeToPb(domain.APIAuthMethodType(app.OIDCAuthMethodType)),
+ },
+ }
+}
+
+func AppStateToPb(state proj_model.AppState) app_pb.AppState {
+ switch state {
+ case proj_model.AppStateActive:
+ return app_pb.AppState_APP_STATE_ACTIVE
+ case proj_model.AppStateInactive:
+ return app_pb.AppState_APP_STATE_INACTIVE
+ default:
+ return app_pb.AppState_APP_STATE_UNSPECIFIED
+ }
+}
+
+func OIDCResponseTypesFromModel(responseTypes []proj_model.OIDCResponseType) []app_pb.OIDCResponseType {
+ oidcResponseTypes := make([]app_pb.OIDCResponseType, len(responseTypes))
+ for i, responseType := range responseTypes {
+ switch responseType {
+ case proj_model.OIDCResponseTypeCode:
+ oidcResponseTypes[i] = app_pb.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE
+ case proj_model.OIDCResponseTypeIDToken:
+ oidcResponseTypes[i] = app_pb.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN
+ case proj_model.OIDCResponseTypeIDTokenToken:
+ oidcResponseTypes[i] = app_pb.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
+ }
+ }
+ return oidcResponseTypes
+}
+
+func OIDCResponseTypesToDomain(responseTypes []app_pb.OIDCResponseType) []domain.OIDCResponseType {
+ if responseTypes == nil || len(responseTypes) == 0 {
+ return []domain.OIDCResponseType{domain.OIDCResponseTypeCode}
+ }
+ oidcResponseTypes := make([]domain.OIDCResponseType, len(responseTypes))
+ for i, responseType := range responseTypes {
+ switch responseType {
+ case app_pb.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE:
+ oidcResponseTypes[i] = domain.OIDCResponseTypeCode
+ case app_pb.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN:
+ oidcResponseTypes[i] = domain.OIDCResponseTypeIDToken
+ case app_pb.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN:
+ oidcResponseTypes[i] = domain.OIDCResponseTypeIDTokenToken
+ }
+ }
+ return oidcResponseTypes
+}
+
+func OIDCGrantTypesFromModel(grantTypes []proj_model.OIDCGrantType) []app_pb.OIDCGrantType {
+ oidcGrantTypes := make([]app_pb.OIDCGrantType, len(grantTypes))
+ for i, grantType := range grantTypes {
+ switch grantType {
+ case proj_model.OIDCGrantTypeAuthorizationCode:
+ oidcGrantTypes[i] = app_pb.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE
+ case proj_model.OIDCGrantTypeImplicit:
+ oidcGrantTypes[i] = app_pb.OIDCGrantType_OIDC_GRANT_TYPE_IMPLICIT
+ case proj_model.OIDCGrantTypeRefreshToken:
+ oidcGrantTypes[i] = app_pb.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN
+ }
+ }
+ return oidcGrantTypes
+}
+
+func OIDCGrantTypesToDomain(grantTypes []app_pb.OIDCGrantType) []domain.OIDCGrantType {
+ if grantTypes == nil || len(grantTypes) == 0 {
+ return []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode}
+ }
+ oidcGrantTypes := make([]domain.OIDCGrantType, len(grantTypes))
+ for i, grantType := range grantTypes {
+ switch grantType {
+ case app_pb.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE:
+ oidcGrantTypes[i] = domain.OIDCGrantTypeAuthorizationCode
+ case app_pb.OIDCGrantType_OIDC_GRANT_TYPE_IMPLICIT:
+ oidcGrantTypes[i] = domain.OIDCGrantTypeImplicit
+ case app_pb.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN:
+ oidcGrantTypes[i] = domain.OIDCGrantTypeRefreshToken
+ }
+ }
+ return oidcGrantTypes
+}
+
+func OIDCApplicationTypeToPb(appType domain.OIDCApplicationType) app_pb.OIDCAppType {
+ switch appType {
+ case domain.OIDCApplicationTypeWeb:
+ return app_pb.OIDCAppType_OIDC_APP_TYPE_WEB
+ case domain.OIDCApplicationTypeUserAgent:
+ return app_pb.OIDCAppType_OIDC_APP_TYPE_USER_AGENT
+ case domain.OIDCApplicationTypeNative:
+ return app_pb.OIDCAppType_OIDC_APP_TYPE_NATIVE
+ default:
+ return app_pb.OIDCAppType_OIDC_APP_TYPE_WEB
+ }
+}
+
+func OIDCApplicationTypeToDomain(appType app_pb.OIDCAppType) domain.OIDCApplicationType {
+ switch appType {
+ case app_pb.OIDCAppType_OIDC_APP_TYPE_WEB:
+ return domain.OIDCApplicationTypeWeb
+ case app_pb.OIDCAppType_OIDC_APP_TYPE_USER_AGENT:
+ return domain.OIDCApplicationTypeUserAgent
+ case app_pb.OIDCAppType_OIDC_APP_TYPE_NATIVE:
+ return domain.OIDCApplicationTypeNative
+ }
+ return domain.OIDCApplicationTypeWeb
+}
+
+func OIDCAuthMethodTypeToPb(authType domain.OIDCAuthMethodType) app_pb.OIDCAuthMethodType {
+ switch authType {
+ case domain.OIDCAuthMethodTypeBasic:
+ return app_pb.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC
+ case domain.OIDCAuthMethodTypePost:
+ return app_pb.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_POST
+ case domain.OIDCAuthMethodTypeNone:
+ return app_pb.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE
+ case domain.OIDCAuthMethodTypePrivateKeyJWT:
+ return app_pb.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
+ default:
+ return app_pb.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC
+ }
+}
+
+func OIDCAuthMethodTypeToDomain(authType app_pb.OIDCAuthMethodType) domain.OIDCAuthMethodType {
+ switch authType {
+ case app_pb.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC:
+ return domain.OIDCAuthMethodTypeBasic
+ case app_pb.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_POST:
+ return domain.OIDCAuthMethodTypePost
+ case app_pb.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE:
+ return domain.OIDCAuthMethodTypeNone
+ case app_pb.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT:
+ return domain.OIDCAuthMethodTypePrivateKeyJWT
+ default:
+ return domain.OIDCAuthMethodTypeBasic
+ }
+}
+
+func OIDCVersionToPb(version domain.OIDCVersion) app_pb.OIDCVersion {
+ switch version {
+ case domain.OIDCVersionV1:
+ return app_pb.OIDCVersion_OIDC_VERSION_1_0
+ }
+ return app_pb.OIDCVersion_OIDC_VERSION_1_0
+}
+
+func OIDCVersionToDomain(version app_pb.OIDCVersion) domain.OIDCVersion {
+ switch version {
+ case app_pb.OIDCVersion_OIDC_VERSION_1_0:
+ return domain.OIDCVersionV1
+ }
+ return domain.OIDCVersionV1
+}
+
+func oidcTokenTypeToPb(tokenType domain.OIDCTokenType) app_pb.OIDCTokenType {
+ switch tokenType {
+ case domain.OIDCTokenTypeBearer:
+ return app_pb.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER
+ case domain.OIDCTokenTypeJWT:
+ return app_pb.OIDCTokenType_OIDC_TOKEN_TYPE_JWT
+ default:
+ return app_pb.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER
+ }
+}
+
+func OIDCTokenTypeToDomain(tokenType app_pb.OIDCTokenType) domain.OIDCTokenType {
+ switch tokenType {
+ case app_pb.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER:
+ return domain.OIDCTokenTypeBearer
+ case app_pb.OIDCTokenType_OIDC_TOKEN_TYPE_JWT:
+ return domain.OIDCTokenTypeJWT
+ default:
+ return domain.OIDCTokenTypeBearer
+ }
+}
+
+func ComplianceProblemsToLocalizedMessages(problems []string) []*message_pb.LocalizedMessage {
+ converted := make([]*message_pb.LocalizedMessage, len(problems))
+ for i, p := range problems {
+ converted[i] = message_pb.NewLocalizedMessage(p)
+ }
+ return converted
+
+}
+
+func APIAuthMethodeTypeToPb(methodType domain.APIAuthMethodType) app_pb.APIAuthMethodType {
+ switch methodType {
+ case domain.APIAuthMethodTypeBasic:
+ return app_pb.APIAuthMethodType_API_AUTH_METHOD_TYPE_BASIC
+ case domain.APIAuthMethodTypePrivateKeyJWT:
+ return app_pb.APIAuthMethodType_API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
+ default:
+ return app_pb.APIAuthMethodType_API_AUTH_METHOD_TYPE_BASIC
+ }
+}
+
+func APIAuthMethodTypeToDomain(authType app_pb.APIAuthMethodType) domain.APIAuthMethodType {
+ switch authType {
+ case app_pb.APIAuthMethodType_API_AUTH_METHOD_TYPE_BASIC:
+ return domain.APIAuthMethodTypeBasic
+ case app_pb.APIAuthMethodType_API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT:
+ return domain.APIAuthMethodTypePrivateKeyJWT
+ default:
+ return domain.APIAuthMethodTypeBasic
+ }
+}
+
+func AppQueriesToModel(queries []*app_pb.AppQuery) (_ []*proj_model.ApplicationSearchQuery, err error) {
+ q := make([]*proj_model.ApplicationSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i], err = AppQueryToModel(query)
+ if err != nil {
+ return nil, err
+ }
+ }
+ return q, nil
+}
+
+func AppQueryToModel(query *app_pb.AppQuery) (*proj_model.ApplicationSearchQuery, error) {
+ switch q := query.Query.(type) {
+ case *app_pb.AppQuery_NameQuery:
+ return AppQueryNameToModel(q.NameQuery), nil
+ default:
+ return nil, errors.ThrowInvalidArgument(nil, "APP-Add46", "List.Query.Invalid")
+ }
+}
+
+func AppQueryNameToModel(query *app_pb.AppNameQuery) *proj_model.ApplicationSearchQuery {
+ return &proj_model.ApplicationSearchQuery{
+ Key: proj_model.AppSearchKeyName,
+ Method: object_grpc.TextMethodToModel(query.Method),
+ Value: query.Name,
+ }
+}
diff --git a/internal/api/grpc/project/converter.go b/internal/api/grpc/project/converter.go
new file mode 100644
index 0000000000..561e4abd5f
--- /dev/null
+++ b/internal/api/grpc/project/converter.go
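Review bot: `AppToPb` passes `app.CreationDate` as the second argument of `object_grpc.ToDetailsPb`, whose parameter is `changeDate`, so `Details.ChangeDate` would not move when an application is edited. Every other converter in this commit passes the view's `ChangeDate`; here the argument should presumably be `app.ChangeDate` (that `ApplicationView` has such a field is assumed, it is not shown in this diff). In the same file the slice converters such as `OIDCResponseTypesToDomain` and `OIDCGrantTypesToDomain` have no `default` case, so an unrecognised enum value from the request is stored as the zero value of the target type without any signal to the caller; a short comment stating that this fallback is intended would help.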
@@ -0,0 +1,183 @@ +package project + +import ( + object_grpc "github.com/caos/zitadel/internal/api/grpc/object" + "github.com/caos/zitadel/internal/errors" + proj_model "github.com/caos/zitadel/internal/project/model" + proj_pb "github.com/caos/zitadel/pkg/grpc/project" +) + +func ProjectToPb(project *proj_model.ProjectView) *proj_pb.Project { + return &proj_pb.Project{ + Id: project.ProjectID, + Details: object_grpc.ToDetailsPb(project.Sequence, project.ChangeDate, project.ResourceOwner), + Name: project.Name, + State: projectStateToPb(project.State), + ProjectRoleAssertion: project.ProjectRoleAssertion, + ProjectRoleCheck: project.ProjectRoleCheck, + } +} + +func GrantedProjectToPb(project *proj_model.ProjectGrantView) *proj_pb.GrantedProject { + return &proj_pb.GrantedProject{ + GrantId: project.GrantID, + ProjectId: project.ProjectID, + Details: object_grpc.ToDetailsPb(project.Sequence, project.ChangeDate, project.ResourceOwner), + ProjectName: project.Name, + State: grantedProjectStateToPb(project.State), + ProjectOwnerId: project.ResourceOwner, + ProjectOwnerName: project.ResourceOwnerName, + GrantedOrgId: project.OrgID, + GrantedOrgName: project.OrgName, + GrantedRoleKeys: project.GrantedRoleKeys, + } +} + +func ProjectsToPb(projects []*proj_model.ProjectView) []*proj_pb.Project { + p := make([]*proj_pb.Project, len(projects)) + for i, project := range projects { + p[i] = ProjectToPb(project) + } + return p +} + +func GrantedProjectsToPb(projects []*proj_model.ProjectGrantView) []*proj_pb.GrantedProject { + p := make([]*proj_pb.GrantedProject, len(projects)) + for i, project := range projects { + p[i] = GrantedProjectToPb(project) + } + return p +} + +func projectStateToPb(state proj_model.ProjectState) proj_pb.ProjectState { + switch state { + case proj_model.ProjectStateActive: + return proj_pb.ProjectState_PROJECT_STATE_ACTIVE + case proj_model.ProjectStateInactive: + return proj_pb.ProjectState_PROJECT_STATE_INACTIVE + default: + return 
proj_pb.ProjectState_PROJECT_STATE_UNSPECIFIED
+ }
+}
+
+func grantedProjectStateToPb(state proj_model.ProjectState) proj_pb.ProjectGrantState {
+ switch state {
+ case proj_model.ProjectStateActive:
+ return proj_pb.ProjectGrantState_PROJECT_GRANT_STATE_ACTIVE
+ case proj_model.ProjectStateInactive:
+ return proj_pb.ProjectGrantState_PROJECT_GRANT_STATE_INACTIVE
+ default:
+ return proj_pb.ProjectGrantState_PROJECT_GRANT_STATE_UNSPECIFIED
+ }
+}
+
+func ProjectQueriesToModel(queries []*proj_pb.ProjectQuery) (_ []*proj_model.ProjectViewSearchQuery, err error) {
+ q := make([]*proj_model.ProjectViewSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i], err = ProjectQueryToModel(query)
+ if err != nil {
+ return nil, err
+ }
+ }
+ return q, nil
+}
+
+func ProjectQueryToModel(query *proj_pb.ProjectQuery) (*proj_model.ProjectViewSearchQuery, error) {
+ switch q := query.Query.(type) {
+ case *proj_pb.ProjectQuery_NameQuery:
+ return ProjectQueryNameToModel(q.NameQuery), nil
+ default:
+ return nil, errors.ThrowInvalidArgument(nil, "ORG-Ags42", "List.Query.Invalid")
+ }
+}
+
+func ProjectQueryNameToModel(query *proj_pb.ProjectNameQuery) *proj_model.ProjectViewSearchQuery {
+ return &proj_model.ProjectViewSearchQuery{
+ Key: proj_model.ProjectViewSearchKeyName,
+ Method: object_grpc.TextMethodToModel(query.Method),
+ Value: query.Name,
+ }
+}
+
+func GrantedProjectQueriesToModel(queries []*proj_pb.ProjectQuery) (_ []*proj_model.ProjectGrantViewSearchQuery, err error) {
+ q := make([]*proj_model.ProjectGrantViewSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i], err = GrantedProjectQueryToModel(query)
+ if err != nil {
+ return nil, err
+ }
+ }
+ return q, nil
+}
+
+func GrantedProjectQueryToModel(query *proj_pb.ProjectQuery) (*proj_model.ProjectGrantViewSearchQuery, error) {
+ switch q := query.Query.(type) {
+ case *proj_pb.ProjectQuery_NameQuery:
+ return GrantedProjectQueryNameToModel(q.NameQuery), nil
+ default:
+ return nil, errors.ThrowInvalidArgument(nil, "ORG-Ags42", "List.Query.Invalid")
+ }
+}
+
+func GrantedProjectQueryNameToModel(query *proj_pb.ProjectNameQuery) *proj_model.ProjectGrantViewSearchQuery {
+ return &proj_model.ProjectGrantViewSearchQuery{
+ Key: proj_model.GrantedProjectSearchKeyName,
+ Method: object_grpc.TextMethodToModel(query.Method),
+ Value: query.Name,
+ }
+}
+
+func RoleQueriesToModel(queries []*proj_pb.RoleQuery) (_ []*proj_model.ProjectRoleSearchQuery, err error) {
+ q := make([]*proj_model.ProjectRoleSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i], err = RoleQueryToModel(query)
+ if err != nil {
+ return nil, err
+ }
+ }
+ return q, nil
+}
+
+func RoleQueryToModel(query *proj_pb.RoleQuery) (*proj_model.ProjectRoleSearchQuery, error) {
+ switch q := query.Query.(type) {
+ case *proj_pb.RoleQuery_KeyQuery:
+ return RoleQueryKeyToModel(q.KeyQuery), nil
+ case *proj_pb.RoleQuery_DisplayNameQuery:
+ return RoleQueryDisplayNameToModel(q.DisplayNameQuery), nil
+ default:
+ return nil, errors.ThrowInvalidArgument(nil, "ORG-Ags42", "List.Query.Invalid")
+ }
+}
+
+func RoleQueryKeyToModel(query *proj_pb.RoleKeyQuery) *proj_model.ProjectRoleSearchQuery {
+ return &proj_model.ProjectRoleSearchQuery{
+ Key: proj_model.ProjectRoleSearchKeyKey,
+ Method: object_grpc.TextMethodToModel(query.Method),
+ Value: query.Key,
+ }
+}
+
+func RoleQueryDisplayNameToModel(query *proj_pb.RoleDisplayNameQuery) *proj_model.ProjectRoleSearchQuery {
+ return &proj_model.ProjectRoleSearchQuery{
+ Key: proj_model.ProjectRoleSearchKeyDisplayName,
+ Method: object_grpc.TextMethodToModel(query.Method),
+ Value: query.DisplayName,
+ }
+}
+
+func RolesToPb(roles []*proj_model.ProjectRoleView) []*proj_pb.Role {
+ r := make([]*proj_pb.Role, len(roles))
+ for i, role := range roles {
+ r[i] = RoleToPb(role)
+ }
+ return r
+}
+
+func RoleToPb(role *proj_model.ProjectRoleView) *proj_pb.Role {
+ return &proj_pb.Role{
+ Key: role.Key,
+ Details: object_grpc.ToDetailsPb(role.Sequence, role.ChangeDate, role.ResourceOwner),
+ DisplayName: role.DisplayName,
+ Group: role.Group,
+ }
+}
diff --git a/internal/api/grpc/project/project_grant.go b/internal/api/grpc/project/project_grant.go
new file mode 100644
index 0000000000..d97c01b983
--- /dev/null
+++ b/internal/api/grpc/project/project_grant.go
@@ -0,0 +1,43 @@
+package project
+
+import (
+ object_grpc "github.com/caos/zitadel/internal/api/grpc/object"
+ proj_model "github.com/caos/zitadel/internal/project/model"
+ "github.com/caos/zitadel/pkg/grpc/project"
+ proj_pb "github.com/caos/zitadel/pkg/grpc/project"
+)
+
+func ProjectGrantQueriesToModel(queries []*project.ProjectGrantQuery) []*proj_model.ProjectGrantViewSearchQuery {
+ q := make([]*proj_model.ProjectGrantViewSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i] = ProjectGrantQueryToModel(query)
+ }
+ return q
+}
+
+func ProjectGrantQueryToModel(query *project.ProjectGrantQuery) *proj_model.ProjectGrantViewSearchQuery {
+ switch q := query.Query.(type) {
+ case *proj_pb.ProjectGrantQuery_ProjectNameQuery:
+ return ProjectGrantNameToProjectQuery(q.ProjectNameQuery)
+ case *proj_pb.ProjectGrantQuery_RoleKeyQuery:
+ return ProjectGrantRoleToProjectQuery(q.RoleKeyQuery)
+ default:
+ return nil
+ }
+}
+
+func ProjectGrantNameToProjectQuery(query *proj_pb.GrantProjectNameQuery) *proj_model.ProjectGrantViewSearchQuery {
+ return &proj_model.ProjectGrantViewSearchQuery{
+ Key: proj_model.GrantedProjectSearchKeyName,
+ Method: object_grpc.TextMethodToModel(query.Method),
+ Value: query.Name,
+ }
+}
+
+func ProjectGrantRoleToProjectQuery(query *proj_pb.GrantRoleKeyQuery) *proj_model.ProjectGrantViewSearchQuery {
+ return &proj_model.ProjectGrantViewSearchQuery{
+ Key: proj_model.GrantedProjectSearchKeyRoleKeys,
+ Method: object_grpc.TextMethodToModel(query.Method),
+ Value: query.RoleKey,
+ }
+}
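Review bot: `ProjectGrantQueryToModel` returns `nil` from its `default:` branch, so an unset or unrecognised `Query` oneof leaves a nil entry in the slice that `ProjectGrantQueriesToModel` passes on, whereas `ProjectQueryToModel` in project/converter.go rejects the same case with `errors.ThrowInvalidArgument(..., "List.Query.Invalid")`. Whatever consumes the slice then either dereferences nil or drops the filter, and a dropped filter would presumably return more rows than the caller asked for. I would give both functions an `error` result and return the invalid-argument error from `default:`; this changes the signatures, so callers and the file's imports need updating, and the error id below is a placeholder. `UserQueryToModel` in user/query.go and `UserGrantQueryToModel` in user/user_grant.go have the same `default: return nil`.

```go
func ProjectGrantQueriesToModel(queries []*project.ProjectGrantQuery) ([]*proj_model.ProjectGrantViewSearchQuery, error) {
	q := make([]*proj_model.ProjectGrantViewSearchQuery, len(queries))
	for i, query := range queries {
		m, err := ProjectGrantQueryToModel(query)
		if err != nil {
			return nil, err
		}
		q[i] = m
	}
	return q, nil
}

func ProjectGrantQueryToModel(query *project.ProjectGrantQuery) (*proj_model.ProjectGrantViewSearchQuery, error) {
	switch q := query.Query.(type) {
	case *proj_pb.ProjectGrantQuery_ProjectNameQuery:
		return ProjectGrantNameToProjectQuery(q.ProjectNameQuery), nil
	case *proj_pb.ProjectGrantQuery_RoleKeyQuery:
		return ProjectGrantRoleToProjectQuery(q.RoleKeyQuery), nil
	default:
		// "<ERROR-ID>" is a placeholder; allocate a fresh id for this call site.
		return nil, errors.ThrowInvalidArgument(nil, "<ERROR-ID>", "List.Query.Invalid")
	}
}
// … unchanged: ProjectGrantNameToProjectQuery, ProjectGrantRoleToProjectQuery …
```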
diff --git a/internal/api/grpc/server/gateway.go b/internal/api/grpc/server/gateway.go index 675b0b41a9..e5c88a652f 100644 --- a/internal/api/grpc/server/gateway.go +++ b/internal/api/grpc/server/gateway.go @@ -5,16 +5,14 @@ import ( "net/http" "strings" - "github.com/grpc-ecosystem/grpc-gateway/runtime" - "google.golang.org/grpc" - "github.com/caos/logging" - grpc_util "github.com/caos/zitadel/internal/api/grpc" client_middleware "github.com/caos/zitadel/internal/api/grpc/client/middleware" http_util "github.com/caos/zitadel/internal/api/http" http_mw "github.com/caos/zitadel/internal/api/http/middleware" "github.com/caos/zitadel/internal/telemetry/tracing" + "github.com/grpc-ecosystem/grpc-gateway/v2/runtime" + "google.golang.org/grpc" ) const ( @@ -23,11 +21,11 @@ const ( ) var ( - DefaultJSONMarshaler = &runtime.JSONPb{OrigName: false, EmitDefaults: false} + DefaultJSONMarshaler = &runtime.JSONPb{} DefaultServeMuxOptions = func(customHeaders ...string) []runtime.ServeMuxOption { return []runtime.ServeMuxOption{ - runtime.WithMarshalerOption(DefaultJSONMarshaler.ContentType(), DefaultJSONMarshaler), + runtime.WithMarshalerOption(DefaultJSONMarshaler.ContentType(nil), DefaultJSONMarshaler), runtime.WithMarshalerOption(mimeWildcard, DefaultJSONMarshaler), runtime.WithMarshalerOption(runtime.MIMEWildcard, DefaultJSONMarshaler), runtime.WithIncomingHeaderMatcher(DefaultHeaderMatcher(customHeaders...)), diff --git a/internal/api/grpc/user/converter.go b/internal/api/grpc/user/converter.go new file mode 100644 index 0000000000..f29f05665b --- /dev/null +++ b/internal/api/grpc/user/converter.go 
@@ -0,0 +1,215 @@
+package user
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/internal/eventstore/v1/models"
+ "github.com/caos/zitadel/internal/user/model"
+ usr_grant_model "github.com/caos/zitadel/internal/usergrant/model"
+ user_pb "github.com/caos/zitadel/pkg/grpc/user"
+)
+
+func UsersToPb(users []*model.UserView) []*user_pb.User {
+ u := make([]*user_pb.User, len(users))
+ for i, user := range users {
+ u[i] = UserToPb(user)
+ }
+ return u
+}
+func UserToPb(user *model.UserView) *user_pb.User {
+ return &user_pb.User{
+ Id: user.ID,
+ State: ModelUserStateToPb(user.State),
+ UserName: user.UserName,
+ LoginNames: user.LoginNames,
+ PreferredLoginName: user.PreferredLoginName,
+ Details: object.ToDetailsPb(
+ user.Sequence,
+ user.ChangeDate,
+ user.ResourceOwner,
+ ),
+ }
+}
+
+func ProfileToPb(profile *model.Profile) *user_pb.Profile {
+ return &user_pb.Profile{
+ FirstName: profile.FirstName,
+ LastName: profile.LastName,
+ NickName: profile.NickName,
+ DisplayName: profile.DisplayName,
+ PreferredLanguage: profile.PreferredLanguage.String(),
+ Gender: GenderToPb(profile.Gender),
+ }
+}
+
+func EmailToPb(email *model.Email) *user_pb.Email {
+ return &user_pb.Email{
+ Email: email.EmailAddress,
+ IsEmailVerified: email.IsEmailVerified,
+ }
+}
+
+func PhoneToPb(phone *model.Phone) *user_pb.Phone {
+ return &user_pb.Phone{
+ Phone: phone.PhoneNumber,
+ IsPhoneVerified: phone.IsPhoneVerified,
+ }
+}
+
+func ModelEmailToPb(email *model.Email) *user_pb.Email {
+ return &user_pb.Email{
+ Email: email.EmailAddress,
+ IsEmailVerified: email.IsEmailVerified,
+ }
+}
+
+func ModelPhoneToPb(phone *model.Phone) *user_pb.Phone {
+ return &user_pb.Phone{
+ Phone: phone.PhoneNumber,
+ IsPhoneVerified: phone.IsPhoneVerified,
+ }
+}
+
+func ModelAddressToPb(address *model.Address) *user_pb.Address {
+ return &user_pb.Address{
+ Country: address.Country,
+ Locality: address.Locality,
+ PostalCode: address.PostalCode,
+ Region: address.Region,
+ StreetAddress: address.StreetAddress,
+ }
+}
+
+func GenderToDomain(gender user_pb.Gender) domain.Gender {
+ switch gender {
+ case user_pb.Gender_GENDER_DIVERSE:
+ return domain.GenderDiverse
+ case user_pb.Gender_GENDER_MALE:
+ return domain.GenderMale
+ case user_pb.Gender_GENDER_FEMALE:
+ return domain.GenderFemale
+ default:
+ return -1
+ }
+}
+
+func ModelUserStateToPb(state model.UserState) user_pb.UserState {
+ switch state {
+ case model.UserStateActive:
+ return user_pb.UserState_USER_STATE_ACTIVE
+ case model.UserStateInactive:
+ return user_pb.UserState_USER_STATE_INACTIVE
+ case model.UserStateDeleted:
+ return user_pb.UserState_USER_STATE_DELETED
+ case model.UserStateInitial:
+ return user_pb.UserState_USER_STATE_INITIAL
+ case model.UserStateLocked:
+ return user_pb.UserState_USER_STATE_LOCKED
+ case model.UserStateSuspend:
+ return user_pb.UserState_USER_STATE_SUSPEND
+ default:
+ return user_pb.UserState_USER_STATE_UNSPECIFIED
+ }
+}
+
+func ModelUserGrantStateToPb(state usr_grant_model.UserGrantState) user_pb.UserGrantState {
+ switch state {
+ case usr_grant_model.UserGrantStateActive:
+ return user_pb.UserGrantState_USER_GRANT_STATE_ACTIVE
+ case usr_grant_model.UserGrantStateInactive:
+ return user_pb.UserGrantState_USER_GRANT_STATE_INACTIVE
+ default:
+ return user_pb.UserGrantState_USER_GRANT_STATE_UNSPECIFIED
+ }
+}
+
+func GenderToPb(gender model.Gender) user_pb.Gender {
+ switch gender {
+ case model.GenderDiverse:
+ return user_pb.Gender_GENDER_DIVERSE
+ case model.GenderFemale:
+ return user_pb.Gender_GENDER_FEMALE
+ case model.GenderMale:
+ return user_pb.Gender_GENDER_MALE
+ default:
+ return user_pb.Gender_GENDER_UNSPECIFIED
+ }
+}
+
+func AuthFactorsToPb(mfas []*model.MultiFactor) []*user_pb.AuthFactor {
+ factors := make([]*user_pb.AuthFactor, len(mfas))
+ for i, mfa := range mfas {
+ factors[i] = AuthFactorToPb(mfa)
+ }
+ return factors
+}
+
+func AuthFactorToPb(mfa *model.MultiFactor) *user_pb.AuthFactor {
+ factor := &user_pb.AuthFactor{
+ State: MFAStateToPb(mfa.State),
+ }
+ switch mfa.Type {
+ case model.MFATypeOTP:
+ factor.Type = &user_pb.AuthFactor_Otp{
+ Otp: &user_pb.AuthFactorOTP{},
+ }
+ case model.MFATypeU2F:
+ factor.Type = &user_pb.AuthFactor_U2F{
+ U2F: &user_pb.AuthFactorU2F{
+ Id: mfa.ID,
+ Name: mfa.Attribute,
+ },
+ }
+ }
+ return factor
+}
+
+func MFAStateToPb(state model.MFAState) user_pb.AuthFactorState {
+ switch state {
+ case model.MFAStateNotReady:
+ return user_pb.AuthFactorState_AUTH_FACTOR_STATE_NOT_READY
+ case model.MFAStateReady:
+ return user_pb.AuthFactorState_AUTH_FACTOR_STATE_READY
+ default:
+ return user_pb.AuthFactorState_AUTH_FACTOR_STATE_UNSPECIFIED
+ }
+}
+
+func WebAuthNTokensViewToPb(tokens []*model.WebAuthNView) []*user_pb.WebAuthNToken {
+ t := make([]*user_pb.WebAuthNToken, len(tokens))
+ for i, token := range tokens {
+ t[i] = WebAuthNTokenViewToPb(token)
+ }
+ return t
+}
+
+func WebAuthNTokenViewToPb(token *model.WebAuthNView) *user_pb.WebAuthNToken {
+ return &user_pb.WebAuthNToken{
+ Id: token.TokenID,
+ State: MFAStateToPb(token.State),
+ Name: token.Name,
+ }
+}
+
+func WebAuthNTokenToWebAuthNKeyPb(token *domain.WebAuthNToken) *user_pb.WebAuthNKey {
+ return &user_pb.WebAuthNKey{
+ Id: string(token.KeyID), //TODO: ask if it's the correct id?
+ PublicKey: token.PublicKey,
+ }
+}
+
+func ExternalIDPViewsToExternalIDPs(externalIDPs []*model.ExternalIDPView) []*domain.ExternalIDP {
+ idps := make([]*domain.ExternalIDP, len(externalIDPs))
+ for i, idp := range externalIDPs {
+ idps[i] = &domain.ExternalIDP{
+ ObjectRoot: models.ObjectRoot{
+ AggregateID: idp.UserID,
+ ResourceOwner: idp.ResourceOwner,
+ },
+ IDPConfigID: idp.IDPConfigID,
+ ExternalUserID: idp.ExternalUserID,
+ DisplayName: idp.UserDisplayName,
+ }
+ }
+ return idps
+}
diff --git a/internal/api/grpc/user/membership.go b/internal/api/grpc/user/membership.go
new file mode 100644
index 0000000000..afdd144fa7
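Review bot: `WebAuthNTokenToWebAuthNKeyPb` in user/converter.go builds `Id` with `string(token.KeyID)` and still carries the open `//TODO: ask if it's the correct id?`. If `KeyID` holds the raw credential id as bytes, which the conversion suggests but the hunk does not show, the resulting string is not guaranteed to be valid UTF-8, and a proto3 `string` field with invalid UTF-8 can fail to marshal. I would settle the TODO before merging: either return the token's own identifier, or encode the bytes, for example `Id: base64.RawURLEncoding.EncodeToString(token.KeyID),` with `encoding/base64` imported.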
--- /dev/null
+++ b/internal/api/grpc/user/membership.go
@@ -0,0 +1,137 @@
+package user
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/internal/errors"
+ user_model "github.com/caos/zitadel/internal/user/model"
+ user_pb "github.com/caos/zitadel/pkg/grpc/user"
+)
+
+func MembershipQueriesToModel(queries []*user_pb.MembershipQuery) (_ []*user_model.UserMembershipSearchQuery, err error) {
+ q := make([]*user_model.UserMembershipSearchQuery, 0)
+ for _, query := range queries {
+ qs, err := MembershipQueryToModel(query)
+ if err != nil {
+ return nil, err
+ }
+ q = append(q, qs...)
+ }
+ return q, nil
+}
+
+func MembershipQueryToModel(query *user_pb.MembershipQuery) ([]*user_model.UserMembershipSearchQuery, error) {
+ switch q := query.Query.(type) {
+ case *user_pb.MembershipQuery_OrgQuery:
+ return MembershipOrgQueryToModel(q.OrgQuery), nil
+ case *user_pb.MembershipQuery_ProjectQuery:
+ return MembershipProjectQueryToModel(q.ProjectQuery), nil
+ case *user_pb.MembershipQuery_ProjectGrantQuery:
+ return MembershipProjectGrantQueryToModel(q.ProjectGrantQuery), nil
+ case *user_pb.MembershipQuery_IamQuery:
+ return MembershipIAMQueryToModel(q.IamQuery), nil
+ default:
+ return nil, errors.ThrowInvalidArgument(nil, "USER-dsg3z", "List.Query.Invalid")
+ }
+}
+
+func MembershipIAMQueryToModel(q *user_pb.MembershipIAMQuery) []*user_model.UserMembershipSearchQuery {
+ return []*user_model.UserMembershipSearchQuery{
+ {
+ Key: user_model.UserMembershipSearchKeyMemberType,
+ Method: domain.SearchMethodEquals,
+ Value: user_model.MemberTypeIam,
+ },
+ //TODO: q.IAM?
+ }
+}
+
+func MembershipOrgQueryToModel(q *user_pb.MembershipOrgQuery) []*user_model.UserMembershipSearchQuery {
+ return []*user_model.UserMembershipSearchQuery{
+ {
+ Key: user_model.UserMembershipSearchKeyMemberType,
+ Method: domain.SearchMethodEquals,
+ Value: user_model.MemberTypeOrganisation,
+ },
+ {
+ Key: user_model.UserMembershipSearchKeyObjectID,
+ Method: domain.SearchMethodEquals,
+ Value: q.OrgId,
+ },
+ }
+}
+
+func MembershipProjectQueryToModel(q *user_pb.MembershipProjectQuery) []*user_model.UserMembershipSearchQuery {
+ return []*user_model.UserMembershipSearchQuery{
+ {
+ Key: user_model.UserMembershipSearchKeyMemberType,
+ Method: domain.SearchMethodEquals,
+ Value: user_model.MemberTypeProject,
+ },
+ {
+ Key: user_model.UserMembershipSearchKeyObjectID,
+ Method: domain.SearchMethodEquals,
+ Value: q.ProjectId,
+ },
+ }
+}
+
+func MembershipProjectGrantQueryToModel(q *user_pb.MembershipProjectGrantQuery) []*user_model.UserMembershipSearchQuery {
+ return []*user_model.UserMembershipSearchQuery{
+ {
+ Key: user_model.UserMembershipSearchKeyMemberType,
+ Method: domain.SearchMethodEquals,
+ Value: user_model.MemberTypeProjectGrant,
+ },
+ {
+ Key: user_model.UserMembershipSearchKeyObjectID,
+ Method: domain.SearchMethodEquals,
+ Value: q.ProjectGrantId,
+ },
+ }
+}
+
+func MembershipsToMembershipsPb(memberships []*user_model.UserMembershipView) []*user_pb.Membership {
+ converted := make([]*user_pb.Membership, len(memberships))
+ for i, membership := range memberships {
+ converted[i] = MembershipToMembershipPb(membership)
+ }
+ return converted
+}
+
+func MembershipToMembershipPb(membership *user_model.UserMembershipView) *user_pb.Membership {
+ return &user_pb.Membership{
+ UserId: membership.UserID,
+ Type: memberTypeToPb(membership),
+ DisplayName: membership.DisplayName,
+ Roles: membership.Roles,
+ Details: object.ToDetailsPb(
+ membership.Sequence,
+ membership.ChangeDate,
+ membership.ResourceOwner,
+ ),
+ }
+}
+
+func memberTypeToPb(membership *user_model.UserMembershipView) user_pb.MembershipType {
+ switch membership.MemberType {
+ case user_model.MemberTypeOrganisation:
+ return &user_pb.Membership_OrgId{
+ OrgId: membership.AggregateID,
+ }
+ case user_model.MemberTypeProject:
+ return &user_pb.Membership_ProjectId{
+ ProjectId: membership.AggregateID,
+ }
+ case user_model.MemberTypeProjectGrant:
+ return &user_pb.Membership_ProjectGrantId{
+ ProjectGrantId: membership.ObjectID,
+ }
+ case user_model.MemberTypeIam:
+ return &user_pb.Membership_Iam{
+ Iam: true, //TODO: ?
+ }
+ default:
+ return nil //TODO: ?
+ }
+}
diff --git a/internal/api/grpc/user/query.go b/internal/api/grpc/user/query.go
new file mode 100644
index 0000000000..8b5afc7c29
--- /dev/null
+++ b/internal/api/grpc/user/query.go
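Review bot: In `memberTypeToPb` the `default:` branch returns `nil` behind a bare `//TODO: ?`, so a membership whose `MemberType` is none of the four handled values goes out with `Roles` filled in but no `Type`, and a client cannot tell which resource those roles apply to. For a listing that describes who holds which role where, I would not leave that open. Either drop such entries in `MembershipsToMembershipsPb`, or state the contract in place of the TODO, for example `// unknown member type: Type stays unset, clients must treat the entry as unscoped`. The `//TODO: q.IAM?` in `MembershipIAMQueryToModel`, which never reads its argument, deserves the same decision.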
@@ -0,0 +1,113 @@
+package user
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ user_model "github.com/caos/zitadel/internal/user/model"
+ user_pb "github.com/caos/zitadel/pkg/grpc/user"
+)
+
+func UserQueriesToModel(queries []*user_pb.SearchQuery) []*user_model.UserSearchQuery {
+ q := make([]*user_model.UserSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i] = UserQueryToModel(query)
+ }
+ return q
+}
+
+func UserQueryToModel(query *user_pb.SearchQuery) *user_model.UserSearchQuery {
+ switch q := query.Query.(type) {
+ case *user_pb.SearchQuery_UserNameQuery:
+ return UserNameQueryToModel(q.UserNameQuery)
+ case *user_pb.SearchQuery_FirstNameQuery:
+ return FirstNameQueryToModel(q.FirstNameQuery)
+ case *user_pb.SearchQuery_LastNameQuery:
+ return LastNameQueryToModel(q.LastNameQuery)
+ case *user_pb.SearchQuery_NickNameQuery:
+ return NickNameQueryToModel(q.NickNameQuery)
+ case *user_pb.SearchQuery_DisplayNameQuery:
+ return DisplayNameQueryToModel(q.DisplayNameQuery)
+ case *user_pb.SearchQuery_EmailQuery:
+ return EmailQueryToModel(q.EmailQuery)
+ case *user_pb.SearchQuery_StateQuery:
+ return StateQueryToModel(q.StateQuery)
+ case *user_pb.SearchQuery_TypeQuery:
+ return TypeQueryToModel(q.TypeQuery)
+ case *user_pb.SearchQuery_ResourceOwner:
+ return ResourceOwnerQueryToModel(q.ResourceOwner)
+ default:
+ return nil
+ }
+}
+
+func UserNameQueryToModel(q *user_pb.UserNameQuery) *user_model.UserSearchQuery {
+ return &user_model.UserSearchQuery{
+ Key: user_model.UserSearchKeyUserName,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.UserName,
+ }
+}
+
+func FirstNameQueryToModel(q *user_pb.FirstNameQuery) *user_model.UserSearchQuery {
+ return &user_model.UserSearchQuery{
+ Key: user_model.UserSearchKeyFirstName,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.FirstName,
+ }
+}
+
+func LastNameQueryToModel(q *user_pb.LastNameQuery) *user_model.UserSearchQuery {
+ return &user_model.UserSearchQuery{
+ Key: user_model.UserSearchKeyLastName,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.LastName,
+ }
+}
+
+func NickNameQueryToModel(q *user_pb.NickNameQuery) *user_model.UserSearchQuery {
+ return &user_model.UserSearchQuery{
+ Key: user_model.UserSearchKeyNickName,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.NickName,
+ }
+}
+
+func DisplayNameQueryToModel(q *user_pb.DisplayNameQuery) *user_model.UserSearchQuery {
+ return &user_model.UserSearchQuery{
+ Key: user_model.UserSearchKeyDisplayName,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.DisplayName,
+ }
+}
+
+func EmailQueryToModel(q *user_pb.EmailQuery) *user_model.UserSearchQuery {
+ return &user_model.UserSearchQuery{
+ Key: user_model.UserSearchKeyEmail,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.EmailAddress,
+ }
+}
+
+func StateQueryToModel(q *user_pb.StateQuery) *user_model.UserSearchQuery {
+ return &user_model.UserSearchQuery{
+ Key: user_model.UserSearchKeyState,
+ Method: domain.SearchMethodEquals,
+ Value: q.State,
+ }
+}
+
+func TypeQueryToModel(q *user_pb.TypeQuery) *user_model.UserSearchQuery {
+ return &user_model.UserSearchQuery{
+ Key: user_model.UserSearchKeyType,
+ Method: domain.SearchMethodEquals,
+ Value: q.Type,
+ }
+}
+
+func ResourceOwnerQueryToModel(q *user_pb.ResourceOwnerQuery) *user_model.UserSearchQuery {
+ return &user_model.UserSearchQuery{
+ Key: user_model.UserSearchKeyResourceOwner,
+ Method: domain.SearchMethodEquals,
+ Value: q.OrgID,
+ }
+}
diff --git a/internal/api/grpc/user/session.go b/internal/api/grpc/user/session.go
new file mode 100644
index 0000000000..5af58a945b
--- /dev/null
+++ b/internal/api/grpc/user/session.go
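Review bot: `StateQueryToModel` and `TypeQueryToModel` in user/query.go put the protobuf enum (`q.State`, `q.Type`) straight into `Value`, while user/converter.go in the same commit maps states through an explicit switch (`ModelUserStateToPb`) instead of relying on the numbers lining up. If the search layer compares `Value` with the model's own state and type constants, which is not visible from this hunk, an `Equals` filter matches the wrong rows or none as soon as the two enums differ in numbering or Go type. I would convert before building the query, with a pb-to-model counterpart of `ModelUserStateToPb`, and pass the model value.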
@@ -0,0 +1,44 @@
+package user
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ auth_req_model "github.com/caos/zitadel/internal/auth_request/model"
+ user_model "github.com/caos/zitadel/internal/user/model"
+ "github.com/caos/zitadel/pkg/grpc/user"
+)
+
+func UserSessionsToPb(sessions []*user_model.UserSessionView) []*user.Session {
+ s := make([]*user.Session, len(sessions))
+ for i, session := range sessions {
+ s[i] = UserSessionToPb(session)
+ }
+ return s
+}
+
+func UserSessionToPb(session *user_model.UserSessionView) *user.Session {
+ return &user.Session{
+ // SessionId: session.,//TOOD: not return from be
+ AgentId: session.UserAgentID,
+ UserId: session.UserID,
+ UserName: session.UserName,
+ LoginName: session.LoginName,
+ DisplayName: session.DisplayName,
+ AuthState: SessionStateToPb(session.State),
+ Details: object.ToDetailsPb(
+ session.Sequence,
+ session.ChangeDate,
+ session.ResourceOwner,
+ ),
+ }
+}
+
+func SessionStateToPb(state auth_req_model.UserSessionState) user.SessionState {
+ switch state {
+ case auth_req_model.UserSessionStateActive:
+ return user.SessionState_SESSION_STATE_ACTIVE
+ case auth_req_model.UserSessionStateTerminated:
+ return user.SessionState_SESSION_STATE_TERMINATED
+ default:
+ return user.SessionState_SESSION_STATE_UNSPECIFIED
+ }
+}
diff --git a/internal/api/grpc/user/user_grant.go b/internal/api/grpc/user/user_grant.go
new file mode 100644
index 0000000000..c2bf5cd797
--- /dev/null
+++ b/internal/api/grpc/user/user_grant.go
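Review bot: `UserSessionToPb` in user/session.go leaves `SessionId` unset behind a commented-out line whose marker is misspelled (`//TOOD`), so a search for TODO will not find it and every session in the response carries an empty id. A client then has nothing but `AgentId` plus `UserId` to refer to one session. I would replace the dead line with a proper marker that states the gap, for example `// TODO: SessionId is not provided by the backend view yet; the field stays empty.`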
@@ -0,0 +1,185 @@
+package user
+
+import (
+ "github.com/caos/zitadel/internal/api/grpc/object"
+ "github.com/caos/zitadel/internal/domain"
+ usr_grant_model "github.com/caos/zitadel/internal/usergrant/model"
+ user_pb "github.com/caos/zitadel/pkg/grpc/user"
+)
+
+func UserGrantsToPb(grants []*usr_grant_model.UserGrantView) []*user_pb.UserGrant {
+ u := make([]*user_pb.UserGrant, len(grants))
+ for i, grant := range grants {
+ u[i] = UserGrantToPb(grant)
+ }
+ return u
+}
+
+func UserGrantToPb(grant *usr_grant_model.UserGrantView) *user_pb.UserGrant {
+ return &user_pb.UserGrant{
+ GrantId: grant.ID,
+ UserId: grant.UserID,
+ State: ModelUserGrantStateToPb(grant.State),
+ RoleKeys: grant.RoleKeys,
+ UserName: grant.UserName,
+ FirstName: grant.FirstName,
+ LastName: grant.LastName,
+ Email: grant.Email,
+ DisplayName: grant.DisplayName,
+ OrgId: grant.ResourceOwner,
+ OrgDomain: grant.OrgPrimaryDomain,
+ OrgName: grant.OrgName,
+ ProjectId: grant.ProjectID,
+ ProjectName: grant.ProjectName,
+ Details: object.ToDetailsPb(
+ grant.Sequence,
+ grant.ChangeDate,
+ grant.ResourceOwner,
+ ),
+ }
+}
+
+func UserGrantQueriesToModel(queries []*user_pb.UserGrantQuery) []*usr_grant_model.UserGrantSearchQuery {
+ q := make([]*usr_grant_model.UserGrantSearchQuery, len(queries))
+ for i, query := range queries {
+ q[i] = UserGrantQueryToModel(query)
+ }
+ return q
+}
+
+func UserGrantQueryToModel(query *user_pb.UserGrantQuery) *usr_grant_model.UserGrantSearchQuery {
+ switch q := query.Query.(type) {
+ case *user_pb.UserGrantQuery_DisplayNameQuery:
+ return UserGrantDisplayNameQueryToModel(q.DisplayNameQuery)
+ case *user_pb.UserGrantQuery_EmailQuery:
+ return UserGrantEmailQueryToModel(q.EmailQuery)
+ case *user_pb.UserGrantQuery_FirstNameQuery:
+ return UserGrantFirstNameQueryToModel(q.FirstNameQuery)
+ case *user_pb.UserGrantQuery_LastNameQuery:
+ return UserGrantLastNameQueryToModel(q.LastNameQuery)
+ case *user_pb.UserGrantQuery_OrgDomainQuery:
+ return UserGrantOrgDomainQueryToModel(q.OrgDomainQuery)
+ case *user_pb.UserGrantQuery_OrgNameQuery:
+ return UserGrantOrgNameQueryToModel(q.OrgNameQuery)
+ case *user_pb.UserGrantQuery_ProjectGrantIdQuery:
+ return UserGrantProjectGrantIDQueryToModel(q.ProjectGrantIdQuery)
+ case *user_pb.UserGrantQuery_ProjectIdQuery:
+ return UserGrantProjectIDQueryToModel(q.ProjectIdQuery)
+ case *user_pb.UserGrantQuery_ProjectNameQuery:
+ return UserGrantProjectNameQueryToModel(q.ProjectNameQuery)
+ case *user_pb.UserGrantQuery_RoleKeyQuery:
+ return UserGrantRoleKeyQueryToModel(q.RoleKeyQuery)
+ case *user_pb.UserGrantQuery_UserIdQuery:
+ return UserGrantUserIDQueryToModel(q.UserIdQuery)
+ case *user_pb.UserGrantQuery_UserNameQuery:
+ return UserGrantUserNameQueryToModel(q.UserNameQuery)
+ case *user_pb.UserGrantQuery_WithGrantedQuery:
+ return UserGrantWithGrantedQueryToModel(q.WithGrantedQuery)
+ default:
+ return nil
+ }
+}
+
+func UserGrantDisplayNameQueryToModel(q *user_pb.UserGrantDisplayNameQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyDisplayName,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.DisplayName,
+ }
+}
+
+func UserGrantEmailQueryToModel(q *user_pb.UserGrantEmailQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyEmail,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.Email,
+ }
+}
+
+func UserGrantFirstNameQueryToModel(q *user_pb.UserGrantFirstNameQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyFirstName,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.FirstName,
+ }
+}
+
+func UserGrantLastNameQueryToModel(q *user_pb.UserGrantLastNameQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyLastName,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.LastName,
+ }
+}
+
+func UserGrantOrgDomainQueryToModel(q *user_pb.UserGrantOrgDomainQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyOrgDomain,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.OrgDomain,
+ }
+}
+
+func UserGrantOrgNameQueryToModel(q *user_pb.UserGrantOrgNameQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyOrgName,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.OrgName,
+ }
+}
+
+func UserGrantProjectIDQueryToModel(q *user_pb.UserGrantProjectIDQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyProjectID,
+ Method: domain.SearchMethodEquals,
+ Value: q.ProjectId,
+ }
+}
+
+func UserGrantProjectGrantIDQueryToModel(q *user_pb.UserGrantProjectGrantIDQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyGrantID,
+ Method: domain.SearchMethodEquals,
+ Value: q.ProjectGrantId,
+ }
+}
+
+func UserGrantProjectNameQueryToModel(q *user_pb.UserGrantProjectNameQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyProjectName,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.ProjectName,
+ }
+}
+
+func UserGrantRoleKeyQueryToModel(q *user_pb.UserGrantRoleKeyQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyRoleKey,
+ Method: domain.SearchMethodListContains,
+ Value: q.RoleKey,
+ }
+}
+
+func UserGrantUserIDQueryToModel(q *user_pb.UserGrantUserIDQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyUserID,
+ Method: domain.SearchMethodEquals,
+ Value: q.UserId,
+ }
+}
+
+func UserGrantUserNameQueryToModel(q *user_pb.UserGrantUserNameQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyUserName,
+ Method: object.TextMethodToModel(q.Method),
+ Value: q.UserName,
+ }
+}
+
+func UserGrantWithGrantedQueryToModel(q *user_pb.UserGrantWithGrantedQuery) *usr_grant_model.UserGrantSearchQuery {
+ return &usr_grant_model.UserGrantSearchQuery{
+ Key: usr_grant_model.UserGrantSearchKeyWithGranted,
+ Method: domain.SearchMethodEquals,
+ Value: q.WithGranted,
+ }
+}
diff --git a/internal/command/converter.go b/internal/command/converter.go
new file mode 100644
index 0000000000..7058201abd
--- /dev/null
+++ b/internal/command/converter.go
@@ -0,0 +1,14 @@
+package command
+
+import (
+ "github.com/caos/zitadel/internal/domain"
+ "github.com/caos/zitadel/internal/eventstore"
+)
+
+func writeModelToObjectDetails(writeModel *eventstore.WriteModel) *domain.ObjectDetails {
+ return &domain.ObjectDetails{
+ Sequence: writeModel.ProcessedSequence,
+ ResourceOwner: writeModel.ResourceOwner,
+ ChangeDate: writeModel.ChangeDate,
+ }
+}
diff --git a/internal/command/iam_idp_config.go b/internal/command/iam_idp_config.go
index fc5d432de7..50f35b7e4e 100644
--- a/internal/command/iam_idp_config.go
+++ b/internal/command/iam_idp_config.go
@@ -87,39 +87,53 @@ func (c *Commands) ChangeDefaultIDPConfig(ctx context.Context, config *domain.ID return writeModelToIDPConfig(&existingIDP.IDPConfigWriteModel), nil } -func (c *Commands) DeactivateDefaultIDPConfig(ctx context.Context, idpID string) error { +func (c *Commands) DeactivateDefaultIDPConfig(ctx context.Context, idpID string) (*domain.ObjectDetails, error) { existingIDP, err := c.iamIDPConfigWriteModelByID(ctx, idpID) if err != nil { - return err + return nil, err } if existingIDP.State != domain.IDPConfigStateActive { - return caos_errs.ThrowPreconditionFailed(nil, "IAM-4M9so", "Errors.IAM.IDPConfig.NotActive") + return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-4M9so", "Errors.IAM.IDPConfig.NotActive") } iamAgg := IAMAggregateFromWriteModel(&existingIDP.WriteModel) - _, err = c.eventstore.PushEvents(ctx, iam_repo.NewIDPConfigDeactivatedEvent(ctx, iamAgg, idpID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, iam_repo.NewIDPConfigDeactivatedEvent(ctx, iamAgg, idpID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingIDP, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingIDP.IDPConfigWriteModel.WriteModel), nil } -func (c *Commands) ReactivateDefaultIDPConfig(ctx context.Context, idpID string) error { +func (c *Commands) ReactivateDefaultIDPConfig(ctx context.Context, idpID string) (*domain.ObjectDetails, error) { existingIDP, err := c.iamIDPConfigWriteModelByID(ctx, idpID) if err != nil { - return err + return nil, err } if existingIDP.State != domain.IDPConfigStateInactive { - return caos_errs.ThrowPreconditionFailed(nil, "IAM-5Mo0d", "Errors.IAM.IDPConfig.NotInactive") + return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-5Mo0d", "Errors.IAM.IDPConfig.NotInactive") } iamAgg := IAMAggregateFromWriteModel(&existingIDP.WriteModel) - _, err = c.eventstore.PushEvents(ctx, iam_repo.NewIDPConfigReactivatedEvent(ctx, iamAgg, idpID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, iam_repo.NewIDPConfigReactivatedEvent(ctx, iamAgg, idpID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingIDP, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingIDP.IDPConfigWriteModel.WriteModel), nil } -func (c *Commands) RemoveDefaultIDPConfig(ctx context.Context, idpID string, idpProviders []*domain.IDPProvider, externalIDPs ...*domain.ExternalIDP) error { +func (c *Commands) RemoveDefaultIDPConfig(ctx context.Context, idpID string, idpProviders []*domain.IDPProvider, externalIDPs ...*domain.ExternalIDP) (*domain.ObjectDetails, error) { existingIDP, err := c.iamIDPConfigWriteModelByID(ctx, idpID) if err != nil { - return err + return nil, err } if existingIDP.State == domain.IDPConfigStateRemoved || existingIDP.State == domain.IDPConfigStateUnspecified { - return caos_errs.ThrowNotFound(nil, "IAM-4M0xy", "Errors.IAM.IDPConfig.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "IAM-4M0xy", "Errors.IAM.IDPConfig.NotExisting") } iamAgg := IAMAggregateFromWriteModel(&existingIDP.WriteModel) @@ -137,8 +151,15 @@ func (c *Commands) RemoveDefaultIDPConfig(ctx context.Context, idpID string, idp events = append(events, orgEvents...) } - _, err = c.eventstore.PushEvents(ctx, events...) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, events...) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingIDP, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingIDP.IDPConfigWriteModel.WriteModel), nil } func (c *Commands) getIAMIDPConfigByID(ctx context.Context, idpID string) (*domain.IDPConfig, error) { diff --git a/internal/command/iam_member.go b/internal/command/iam_member.go index 5ab91bd275..6021ecf9bf 100644 --- a/internal/command/iam_member.go +++ b/internal/command/iam_member.go 
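Review bot: In `DeactivateDefaultIDPConfig` the events are already stored by the time `AppendAndReduce(existingIDP, pushedEvents...)` runs, so a failure there returns `nil, err` for a change that has in fact been committed. A caller that retries on that error then gets the `IAM-4M9so` precondition failure, and the new sequence is never reported. I would at least say so at the call, for example `// events are persisted at this point; an error below only means the returned details could not be computed`, and decide whether that case should surface as a failure at all. The same sequence appears in `ReactivateDefaultIDPConfig`, in `RemoveDefaultIDPConfig` (whose body spans this hunk and the next), in `RemoveIAMMember` in iam_member.go and in `RemoveIDPProviderFromDefaultLoginPolicy` in iam_policy_login.go.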
@@ -80,18 +80,26 @@ func (c *Commands) ChangeIAMMember(ctx context.Context, member *domain.Member) ( return memberWriteModelToMember(&existingMember.MemberWriteModel), nil } -func (c *Commands) RemoveIAMMember(ctx context.Context, userID string) error { - m, err := c.iamMemberWriteModelByID(ctx, userID) +func (c *Commands) RemoveIAMMember(ctx context.Context, userID string) (*domain.ObjectDetails, error) { + memberWriteModel, err := c.iamMemberWriteModelByID(ctx, userID) if err != nil && !errors.IsNotFound(err) { - return err + return nil, err } if errors.IsNotFound(err) { - return nil + return nil, nil } - iamAgg := IAMAggregateFromWriteModel(&m.MemberWriteModel.WriteModel) - _, err = c.eventstore.PushEvents(ctx, iam_repo.NewMemberRemovedEvent(ctx, iamAgg, userID)) - return err + iamAgg := IAMAggregateFromWriteModel(&memberWriteModel.MemberWriteModel.WriteModel) + pushedEvents, err := c.eventstore.PushEvents(ctx, iam_repo.NewMemberRemovedEvent(ctx, iamAgg, userID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(memberWriteModel, pushedEvents...) + if err != nil { + return nil, err + } + + return writeModelToObjectDetails(&memberWriteModel.MemberWriteModel.WriteModel), nil } func (c *Commands) iamMemberWriteModelByID(ctx context.Context, userID string) (member *IAMMemberWriteModel, err error) { diff --git a/internal/command/iam_policy_login.go b/internal/command/iam_policy_login.go index bd15d932a0..6f7a05740d 100644 --- a/internal/command/iam_policy_login.go +++ b/internal/command/iam_policy_login.go 
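Review bot: `RemoveIAMMember` now returns `nil, nil` when the member is not found, so every caller has to nil-check the details before reading them, and a handler that hands the result straight to a details converter would dereference nil. The old `error`-only signature made the silent no-op harmless; with a pointer result it becomes a contract the caller must know. If the idempotent behaviour is intended, I would state it on the function, `// RemoveIAMMember returns (nil, nil) when userID is not an IAM member; callers must handle nil details.`, otherwise return the not-found error instead of swallowing it.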
@@ -103,14 +103,14 @@ func (c *Commands) AddIDPProviderToDefaultLoginPolicy(ctx context.Context, idpPr return writeModelToIDPProvider(&idpModel.IdentityProviderWriteModel), nil } -func (c *Commands) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Context, idpProvider *domain.IDPProvider, cascadeExternalIDPs ...*domain.ExternalIDP) error { +func (c *Commands) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Context, idpProvider *domain.IDPProvider, cascadeExternalIDPs ...*domain.ExternalIDP) (*domain.ObjectDetails, error) { idpModel := NewIAMIdentityProviderWriteModel(idpProvider.IDPConfigID) err := c.eventstore.FilterToQueryReducer(ctx, idpModel) if err != nil { - return err + return nil, err } if idpModel.State == domain.IdentityProviderStateUnspecified || idpModel.State == domain.IdentityProviderStateRemoved { - return caos_errs.ThrowNotFound(nil, "IAM-39fjs", "Errors.IAM.LoginPolicy.IDP.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "IAM-39fjs", "Errors.IAM.LoginPolicy.IDP.NotExisting") } iamAgg := IAMAggregateFromWriteModel(&idpModel.IdentityProviderWriteModel.WriteModel) @@ -120,8 +120,15 @@ func (c *Commands) RemoveIDPProviderFromDefaultLoginPolicy(ctx context.Context, userEvents := c.removeIDPProviderFromDefaultLoginPolicy(ctx, iamAgg, idpProvider, false, cascadeExternalIDPs...) events = append(events, userEvents...) - _, err = c.eventstore.PushEvents(ctx, events...) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, events...) + if err != nil { + return nil, err + } + err = AppendAndReduce(idpModel, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&idpModel.IdentityProviderWriteModel.WriteModel), nil } func (c *Commands) removeIDPProviderFromDefaultLoginPolicy(ctx context.Context, iamAgg *eventstore.Aggregate, idpProvider *domain.IDPProvider, cascade bool, cascadeExternalIDPs ...*domain.ExternalIDP) []eventstore.EventPusher { 
@@ -133,7 +140,7 @@ func (c *Commands) removeIDPProviderFromDefaultLoginPolicy(ctx context.Context, } for _, idp := range cascadeExternalIDPs { - userEvent, err := c.removeHumanExternalIDP(ctx, idp, true) + userEvent, _, err := c.removeHumanExternalIDP(ctx, idp, true) if err != nil { logging.LogWithFields("COMMAND-4nfsf", "userid", idp.AggregateID, "idp-id", idp.IDPConfigID).WithError(err).Warn("could not cascade remove externalidp in remove provider from policy") continue 
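Review bot: The cascade loop in removeIDPProviderFromDefaultLoginPolicy logs a failed `removeHumanExternalIDP` at Warn level and continues, so the caller still pushes the provider removal while a user's external IDP link can stay behind. If best effort is intended, say so above the loop, e.g. `// best effort: a failed cascade is logged and skipped; remaining external IDP links need separate cleanup`; otherwise collect the failures and return them. The same loop shape is used in removeIDPProviderFromLoginPolicy and for `removeUserGrant` in RemoveProject. The function starts and ends outside this hunk.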
@@ -143,19 +150,23 @@ func (c *Commands) removeIDPProviderFromDefaultLoginPolicy(ctx context.Context, return events } -func (c *Commands) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, secondFactor domain.SecondFactorType) (domain.SecondFactorType, error) { +func (c *Commands) AddSecondFactorToDefaultLoginPolicy(ctx context.Context, secondFactor domain.SecondFactorType) (domain.SecondFactorType, *domain.ObjectDetails, error) { secondFactorModel := NewIAMSecondFactorWriteModel() iamAgg := IAMAggregateFromWriteModel(&secondFactorModel.SecondFactorWriteModel.WriteModel) event, err := c.addSecondFactorToDefaultLoginPolicy(ctx, iamAgg, secondFactorModel, secondFactor) if err != nil { - return domain.SecondFactorTypeUnspecified, err + return domain.SecondFactorTypeUnspecified, nil, err } - if _, err = c.eventstore.PushEvents(ctx, event); err != nil { - return domain.SecondFactorTypeUnspecified, err + pushedEvents, err := c.eventstore.PushEvents(ctx, event) + if err != nil { + return domain.SecondFactorTypeUnspecified, nil, err } - - return secondFactorModel.MFAType, nil + err = AppendAndReduce(secondFactorModel, pushedEvents...) + if err != nil { + return domain.SecondFactorTypeUnspecified, nil, err + } + return secondFactorModel.MFAType, writeModelToObjectDetails(&secondFactorModel.WriteModel), nil } func (c *Commands) addSecondFactorToDefaultLoginPolicy(ctx context.Context, iamAgg *eventstore.Aggregate, secondFactorModel *IAMSecondFactorWriteModel, secondFactor domain.SecondFactorType) (eventstore.EventPusher, error) { 
@@ -170,33 +181,44 @@ func (c *Commands) addSecondFactorToDefaultLoginPolicy(ctx context.Context, iamA return iam_repo.NewLoginPolicySecondFactorAddedEvent(ctx, iamAgg, secondFactor), nil } -func (c *Commands) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Context, secondFactor domain.SecondFactorType) error { +func (c *Commands) RemoveSecondFactorFromDefaultLoginPolicy(ctx context.Context, secondFactor domain.SecondFactorType) (*domain.ObjectDetails, error) { secondFactorModel := NewIAMSecondFactorWriteModel() err := c.eventstore.FilterToQueryReducer(ctx, secondFactorModel) if err != nil { - return err + return nil, err } if secondFactorModel.State == domain.FactorStateUnspecified || secondFactorModel.State == domain.FactorStateRemoved { - return caos_errs.ThrowNotFound(nil, "IAM-3M9od", "Errors.IAM.LoginPolicy.MFA.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "IAM-3M9od", "Errors.IAM.LoginPolicy.MFA.NotExisting") } iamAgg := IAMAggregateFromWriteModel(&secondFactorModel.SecondFactorWriteModel.WriteModel) - _, err = c.eventstore.PushEvents(ctx, iam_repo.NewLoginPolicySecondFactorRemovedEvent(ctx, iamAgg, secondFactor)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, iam_repo.NewLoginPolicySecondFactorRemovedEvent(ctx, iamAgg, secondFactor)) + if err != nil { + return nil, err + } + err = AppendAndReduce(secondFactorModel, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&secondFactorModel.WriteModel), nil } -func (c *Commands) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, multiFactor domain.MultiFactorType) (domain.MultiFactorType, error) { +func (c *Commands) AddMultiFactorToDefaultLoginPolicy(ctx context.Context, multiFactor domain.MultiFactorType) (domain.MultiFactorType, *domain.ObjectDetails, error) { multiFactorModel := NewIAMMultiFactorWriteModel() iamAgg := IAMAggregateFromWriteModel(&multiFactorModel.MultiFactoryWriteModel.WriteModel) event, err := c.addMultiFactorToDefaultLoginPolicy(ctx, iamAgg, multiFactorModel, multiFactor) if err != nil { - return domain.MultiFactorTypeUnspecified, err + return domain.MultiFactorTypeUnspecified, nil, err } - if _, err = c.eventstore.PushEvents(ctx, event); err != nil { - return domain.MultiFactorTypeUnspecified, err + pushedEvents, err := c.eventstore.PushEvents(ctx, event) + if err != nil { + return domain.MultiFactorTypeUnspecified, nil, err } - - return multiFactorModel.MultiFactoryWriteModel.MFAType, nil + err = AppendAndReduce(multiFactorModel, pushedEvents...) + if err != nil { + return domain.MultiFactorTypeUnspecified, nil, err + } + return multiFactorModel.MultiFactoryWriteModel.MFAType, writeModelToObjectDetails(&multiFactorModel.WriteModel), nil } func (c *Commands) addMultiFactorToDefaultLoginPolicy(ctx context.Context, iamAgg *eventstore.Aggregate, multiFactorModel *IAMMultiFactorWriteModel, multiFactor domain.MultiFactorType) (eventstore.EventPusher, error) { 
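Review bot: RemoveSecondFactorFromDefaultLoginPolicy builds its write model with `NewIAMSecondFactorWriteModel()`, which takes no factor type, yet the not-found check on `secondFactorModel.State` guards the removal of the specific `secondFactor` argument. Unless the model's query and reduce (not visible here) track each factor separately, the check may reflect the state of a different factor, and a remove event could be pushed for a factor that is not in the policy. Consider keying the model by the factor being removed, or add a comment explaining why the shared state is sufficient. RemoveMultiFactorFromDefaultLoginPolicy in the next hunk follows the same pattern with `NewIAMMultiFactorWriteModel()`.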
@@ -211,18 +233,25 @@ func (c *Commands) addMultiFactorToDefaultLoginPolicy(ctx context.Context, iamAg return iam_repo.NewLoginPolicyMultiFactorAddedEvent(ctx, iamAgg, multiFactor), nil } -func (c *Commands) RemoveMultiFactorFromDefaultLoginPolicy(ctx context.Context, multiFactor domain.MultiFactorType) error { +func (c *Commands) RemoveMultiFactorFromDefaultLoginPolicy(ctx context.Context, multiFactor domain.MultiFactorType) (*domain.ObjectDetails, error) { multiFactorModel := NewIAMMultiFactorWriteModel() err := c.eventstore.FilterToQueryReducer(ctx, multiFactorModel) if err != nil { - return err + return nil, err } if multiFactorModel.State == domain.FactorStateUnspecified || multiFactorModel.State == domain.FactorStateRemoved { - return caos_errs.ThrowNotFound(nil, "IAM-3M9df", "Errors.IAM.LoginPolicy.MFA.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "IAM-3M9df", "Errors.IAM.LoginPolicy.MFA.NotExisting") } iamAgg := IAMAggregateFromWriteModel(&multiFactorModel.MultiFactoryWriteModel.WriteModel) - _, err = c.eventstore.PushEvents(ctx, iam_repo.NewLoginPolicyMultiFactorRemovedEvent(ctx, iamAgg, multiFactor)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, iam_repo.NewLoginPolicyMultiFactorRemovedEvent(ctx, iamAgg, multiFactor)) + if err != nil { + return nil, err + } + err = AppendAndReduce(multiFactorModel, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&multiFactorModel.WriteModel), nil } func (c *Commands) defaultLoginPolicyWriteModelByID(ctx context.Context, writeModel *IAMLoginPolicyWriteModel) (err error) { diff --git a/internal/command/org.go b/internal/command/org.go index 25d3db63e9..1cd4334b76 100644 --- a/internal/command/org.go +++ b/internal/command/org.go 
@@ -30,13 +30,20 @@ func (c *Commands) checkOrgExists(ctx context.Context, orgID string) error { return nil } -func (c *Commands) SetUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human) error { - _, _, _, events, err := c.setUpOrg(ctx, organisation, admin) +func (c *Commands) SetUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human) (*domain.ObjectDetails, error) { + _, orgWriteModel, _, _, events, err := c.setUpOrg(ctx, organisation, admin) if err != nil { - return err + return nil, err } - _, err = c.eventstore.PushEvents(ctx, events...) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, events...) + if err != nil { + return nil, err + } + err = AppendAndReduce(orgWriteModel, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&orgWriteModel.WriteModel), nil } func (c *Commands) AddOrg(ctx context.Context, name, userID, resourceOwner string) (*domain.Org, error) { 
@@ -66,47 +73,61 @@ func (c *Commands) AddOrg(ctx context.Context, name, userID, resourceOwner strin return orgWriteModelToOrg(addedOrg), nil } -func (c *Commands) DeactivateOrg(ctx context.Context, orgID string) error { +func (c *Commands) DeactivateOrg(ctx context.Context, orgID string) (*domain.ObjectDetails, error) { orgWriteModel, err := c.getOrgWriteModelByID(ctx, orgID) if err != nil { - return err + return nil, err } if orgWriteModel.State == domain.OrgStateUnspecified || orgWriteModel.State == domain.OrgStateRemoved { - return caos_errs.ThrowNotFound(nil, "ORG-oL9nT", "Errors.Org.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "ORG-oL9nT", "Errors.Org.NotFound") } if orgWriteModel.State == domain.OrgStateInactive { - return caos_errs.ThrowInvalidArgument(nil, "EVENT-Dbs2g", "Errors.Org.AlreadyDeactivated") + return nil, caos_errs.ThrowInvalidArgument(nil, "EVENT-Dbs2g", "Errors.Org.AlreadyDeactivated") } orgAgg := OrgAggregateFromWriteModel(&orgWriteModel.WriteModel) - _, err = c.eventstore.PushEvents(ctx, org.NewOrgDeactivatedEvent(ctx, orgAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewOrgDeactivatedEvent(ctx, orgAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(orgWriteModel, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&orgWriteModel.WriteModel), nil } -func (c *Commands) ReactivateOrg(ctx context.Context, orgID string) error { +func (c *Commands) ReactivateOrg(ctx context.Context, orgID string) (*domain.ObjectDetails, error) { orgWriteModel, err := c.getOrgWriteModelByID(ctx, orgID) if err != nil { - return err + return nil, err } if orgWriteModel.State == domain.OrgStateUnspecified || orgWriteModel.State == domain.OrgStateRemoved { - return caos_errs.ThrowNotFound(nil, "ORG-Dgf3g", "Errors.Org.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "ORG-Dgf3g", "Errors.Org.NotFound") } if orgWriteModel.State == domain.OrgStateActive { - return caos_errs.ThrowInvalidArgument(nil, "EVENT-bfnrh", "Errors.Org.AlreadyActive") + return nil, caos_errs.ThrowInvalidArgument(nil, "EVENT-bfnrh", "Errors.Org.AlreadyActive") } orgAgg := OrgAggregateFromWriteModel(&orgWriteModel.WriteModel) - _, err = c.eventstore.PushEvents(ctx, org.NewOrgReactivatedEvent(ctx, orgAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewOrgReactivatedEvent(ctx, orgAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(orgWriteModel, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&orgWriteModel.WriteModel), nil } -func (c *Commands) setUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human) (orgAgg *eventstore.Aggregate, human *HumanWriteModel, orgMember *OrgMemberWriteModel, events []eventstore.EventPusher, err error) { - orgAgg, _, addOrgEvents, err := c.addOrg(ctx, organisation) +func (c *Commands) setUpOrg(ctx context.Context, organisation *domain.Org, admin *domain.Human) (orgAgg *eventstore.Aggregate, org *OrgWriteModel, human *HumanWriteModel, orgMember *OrgMemberWriteModel, events []eventstore.EventPusher, err error) { + orgAgg, orgWriteModel, addOrgEvents, err := c.addOrg(ctx, organisation) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, nil, nil, err } userEvents, human, err := c.addHuman(ctx, orgAgg.ID, admin) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, nil, nil, err } addOrgEvents = append(addOrgEvents, userEvents...) @@ -114,10 +135,10 @@ func (c *Commands) setUpOrg(ctx context.Context, organisation *domain.Org, admin orgMemberAgg := OrgAggregateFromWriteModel(&addedMember.WriteModel) orgMemberEvent, err := c.addOrgMember(ctx, orgMemberAgg, addedMember, domain.NewMember(orgMemberAgg.ID, human.AggregateID, domain.RoleOrgOwner)) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, nil, nil, err } addOrgEvents = append(addOrgEvents, orgMemberEvent) - return orgAgg, human, addedMember, addOrgEvents, nil + return orgAgg, orgWriteModel, human, addedMember, addOrgEvents, nil } func (c *Commands) addOrg(ctx context.Context, organisation *domain.Org, claimedUserIDs ...string) (_ *eventstore.Aggregate, _ *OrgWriteModel, _ []eventstore.EventPusher, err error) { diff --git a/internal/command/org_domain.go b/internal/command/org_domain.go index 32f5f93a6b..e17ded8765 100644 --- a/internal/command/org_domain.go +++ b/internal/command/org_domain.go 
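Review bot: The named result `org *OrgWriteModel` added to setUpOrg shadows the `org` package that this file uses for its events (`org.NewOrgDeactivatedEvent` above), so a later `org.New…` call inside setUpOrg would resolve to the result variable instead of the package. The result is never assigned by name; the value returned is `orgWriteModel`. Renaming it, e.g. `orgWM *OrgWriteModel`, removes the trap. The middle of setUpOrg lies between this hunk and the next one.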
@@ -68,27 +68,27 @@ func (c *Commands) GenerateOrgDomainValidation(ctx context.Context, orgDomain *d return token, url, nil } -func (c *Commands) ValidateOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain, claimedUserIDs ...string) error { +func (c *Commands) ValidateOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain, claimedUserIDs ...string) (*domain.ObjectDetails, error) { if orgDomain == nil || !orgDomain.IsValid() { - return caos_errs.ThrowPreconditionFailed(nil, "ORG-R24hb", "Errors.Org.InvalidDomain") + return nil, caos_errs.ThrowPreconditionFailed(nil, "ORG-R24hb", "Errors.Org.InvalidDomain") } domainWriteModel, err := c.getOrgDomainWriteModel(ctx, orgDomain.AggregateID, orgDomain.Domain) if err != nil { - return err + return nil, err } if domainWriteModel.State != domain.OrgDomainStateActive { - return caos_errs.ThrowPreconditionFailed(nil, "ORG-Sjdi3", "Errors.Org.DomainNotOnOrg") + return nil, caos_errs.ThrowPreconditionFailed(nil, "ORG-Sjdi3", "Errors.Org.DomainNotOnOrg") } if domainWriteModel.Verified { - return caos_errs.ThrowPreconditionFailed(nil, "ORG-HGw21", "Errors.Org.DomainAlreadyVerified") + return nil, caos_errs.ThrowPreconditionFailed(nil, "ORG-HGw21", "Errors.Org.DomainAlreadyVerified") } if domainWriteModel.ValidationCode == nil || domainWriteModel.ValidationType == domain.OrgDomainValidationTypeUnspecified { - return caos_errs.ThrowPreconditionFailed(nil, "ORG-SFBB3", "Errors.Org.DomainVerificationMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "ORG-SFBB3", "Errors.Org.DomainVerificationMissing") } validationCode, err := crypto.DecryptString(domainWriteModel.ValidationCode, c.domainVerificationAlg) if err != nil { - return err + return nil, err } checkType, _ := domainWriteModel.ValidationType.CheckType() err = c.domainVerificationValidator(domainWriteModel.Domain, validationCode, validationCode, checkType) 
@@ -105,51 +105,72 @@ func (c *Commands) ValidateOrgDomain(ctx context.Context, orgDomain *domain.OrgD } events = append(events, userEvents...) } - _, err = c.eventstore.PushEvents(ctx, events...) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, events...) + if err != nil { + return nil, err + } + err = AppendAndReduce(domainWriteModel, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&domainWriteModel.WriteModel), nil } events = append(events, org.NewDomainVerificationFailedEvent(ctx, orgAgg, orgDomain.Domain)) _, err = c.eventstore.PushEvents(ctx, events...) logging.LogWithFields("ORG-dhTE", "orgID", orgAgg.ID, "domain", orgDomain.Domain).OnError(err).Error("NewDomainVerificationFailedEvent push failed") - return caos_errs.ThrowInvalidArgument(err, "ORG-GH3s", "Errors.Org.DomainVerificationFailed") + return nil, caos_errs.ThrowInvalidArgument(err, "ORG-GH3s", "Errors.Org.DomainVerificationFailed") } -func (c *Commands) SetPrimaryOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain) error { +func (c *Commands) SetPrimaryOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain) (*domain.ObjectDetails, error) { if orgDomain == nil || !orgDomain.IsValid() { - return caos_errs.ThrowPreconditionFailed(nil, "ORG-SsDG2", "Errors.Org.InvalidDomain") + return nil, caos_errs.ThrowPreconditionFailed(nil, "ORG-SsDG2", "Errors.Org.InvalidDomain") } domainWriteModel, err := c.getOrgDomainWriteModel(ctx, orgDomain.AggregateID, orgDomain.Domain) if err != nil { - return err + return nil, err } if domainWriteModel.State != domain.OrgDomainStateActive { - return caos_errs.ThrowPreconditionFailed(nil, "ORG-GDfA3", "Errors.Org.DomainNotOnOrg") + return nil, caos_errs.ThrowPreconditionFailed(nil, "ORG-GDfA3", "Errors.Org.DomainNotOnOrg") } if !domainWriteModel.Verified { - return caos_errs.ThrowPreconditionFailed(nil, "ORG-Ggd32", "Errors.Org.DomainNotVerified") + return nil, caos_errs.ThrowPreconditionFailed(nil, 
"ORG-Ggd32", "Errors.Org.DomainNotVerified") } orgAgg := OrgAggregateFromWriteModel(&domainWriteModel.WriteModel) - _, err = c.eventstore.PushEvents(ctx, org.NewDomainPrimarySetEvent(ctx, orgAgg, orgDomain.Domain)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewDomainPrimarySetEvent(ctx, orgAgg, orgDomain.Domain)) + if err != nil { + return nil, err + } + err = AppendAndReduce(domainWriteModel, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&domainWriteModel.WriteModel), nil } -func (c *Commands) RemoveOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain) error { +func (c *Commands) RemoveOrgDomain(ctx context.Context, orgDomain *domain.OrgDomain) (*domain.ObjectDetails, error) { if orgDomain == nil || !orgDomain.IsValid() { - return caos_errs.ThrowPreconditionFailed(nil, "ORG-SJsK3", "Errors.Org.InvalidDomain") + return nil, caos_errs.ThrowPreconditionFailed(nil, "ORG-SJsK3", "Errors.Org.InvalidDomain") } domainWriteModel, err := c.getOrgDomainWriteModel(ctx, orgDomain.AggregateID, orgDomain.Domain) if err != nil { - return err + return nil, err } if domainWriteModel.State != domain.OrgDomainStateActive { - return caos_errs.ThrowPreconditionFailed(nil, "ORG-GDfA3", "Errors.Org.DomainNotOnOrg") + return nil, caos_errs.ThrowPreconditionFailed(nil, "ORG-GDfA3", "Errors.Org.DomainNotOnOrg") } if domainWriteModel.Primary { - return caos_errs.ThrowPreconditionFailed(nil, "ORG-Sjdi3", "Errors.Org.PrimaryDomainNotDeletable") + return nil, caos_errs.ThrowPreconditionFailed(nil, "ORG-Sjdi3", "Errors.Org.PrimaryDomainNotDeletable") } orgAgg := OrgAggregateFromWriteModel(&domainWriteModel.WriteModel) - _, err = c.eventstore.PushEvents(ctx, org.NewDomainRemovedEvent(ctx, orgAgg, orgDomain.Domain)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewDomainRemovedEvent(ctx, orgAgg, orgDomain.Domain)) + if err != nil { + return nil, err + } + err = AppendAndReduce(domainWriteModel, 
pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&domainWriteModel.WriteModel), nil } func (c *Commands) addOrgDomain(ctx context.Context, orgAgg *eventstore.Aggregate, addedDomain *OrgDomainWriteModel, orgDomain *domain.OrgDomain, claimedUserIDs ...string) ([]eventstore.EventPusher, error) { diff --git a/internal/command/org_member.go b/internal/command/org_member.go index a99dbb78fd..62b4156c61 100644 --- a/internal/command/org_member.go +++ b/internal/command/org_member.go @@ -77,18 +77,25 @@ func (c *Commands) ChangeOrgMember(ctx context.Context, member *domain.Member) ( return memberWriteModelToMember(&existingMember.MemberWriteModel), nil } -func (c *Commands) RemoveOrgMember(ctx context.Context, orgID, userID string) error { +func (c *Commands) RemoveOrgMember(ctx context.Context, orgID, userID string) (*domain.ObjectDetails, error) { m, err := c.orgMemberWriteModelByID(ctx, orgID, userID) if err != nil && !errors.IsNotFound(err) { - return err + return nil, err } if errors.IsNotFound(err) { - return nil + return nil, nil } orgAgg := OrgAggregateFromWriteModel(&m.MemberWriteModel.WriteModel) - _, err = c.eventstore.PushEvents(ctx, org.NewMemberRemovedEvent(ctx, orgAgg, userID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewMemberRemovedEvent(ctx, orgAgg, userID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(m, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&m.WriteModel), nil } func (c *Commands) orgMemberWriteModelByID(ctx context.Context, orgID, userID string) (member *OrgMemberWriteModel, err error) { diff --git a/internal/command/org_policy_login.go b/internal/command/org_policy_login.go index 5df979ad4b..7f4e8ffcb6 100644 --- a/internal/command/org_policy_login.go +++ b/internal/command/org_policy_login.go 
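Review bot: On the failed-verification path of ValidateOrgDomain, `err` is reassigned by `_, err = c.eventstore.PushEvents(ctx, events...)` before `caos_errs.ThrowInvalidArgument(err, "ORG-GH3s", ...)` wraps it. The returned error therefore carries the push result as its parent (nil when the push succeeds), and the validator's own error appears to be lost. Keep the two apart, e.g. `_, pushErr := c.eventstore.PushEvents(ctx, events...)`, log `pushErr`, and pass the verification error as the parent. The lines between the validator call and this hunk are not shown, so confirm that `err` still holds the validator result at that point.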
@@ -66,18 +66,25 @@ func (c *Commands) ChangeLoginPolicy(ctx context.Context, resourceOwner string, return writeModelToLoginPolicy(&existingPolicy.LoginPolicyWriteModel), nil } -func (c *Commands) RemoveLoginPolicy(ctx context.Context, orgID string) error { +func (c *Commands) RemoveLoginPolicy(ctx context.Context, orgID string) (*domain.ObjectDetails, error) { existingPolicy := NewOrgLoginPolicyWriteModel(orgID) err := c.eventstore.FilterToQueryReducer(ctx, existingPolicy) if err != nil { - return err + return nil, err } if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved { - return caos_errs.ThrowNotFound(nil, "Org-GHB37", "Errors.Org.LoginPolicy.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "Org-GHB37", "Errors.Org.LoginPolicy.NotFound") } orgAgg := OrgAggregateFromWriteModel(&existingPolicy.LoginPolicyWriteModel.WriteModel) - _, err = c.eventstore.PushEvents(ctx, org.NewLoginPolicyRemovedEvent(ctx, orgAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewLoginPolicyRemovedEvent(ctx, orgAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingPolicy, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingPolicy.LoginPolicyWriteModel.WriteModel), nil } func (c *Commands) AddIDPProviderToLoginPolicy(ctx context.Context, resourceOwner string, idpProvider *domain.IDPProvider) (*domain.IDPProvider, error) { 
@@ -102,21 +109,28 @@ func (c *Commands) AddIDPProviderToLoginPolicy(ctx context.Context, resourceOwne return writeModelToIDPProvider(&idpModel.IdentityProviderWriteModel), nil } -func (c *Commands) RemoveIDPProviderFromLoginPolicy(ctx context.Context, resourceOwner string, idpProvider *domain.IDPProvider, cascadeExternalIDPs ...*domain.ExternalIDP) error { +func (c *Commands) RemoveIDPProviderFromLoginPolicy(ctx context.Context, resourceOwner string, idpProvider *domain.IDPProvider, cascadeExternalIDPs ...*domain.ExternalIDP) (*domain.ObjectDetails, error) { idpModel := NewOrgIdentityProviderWriteModel(resourceOwner, idpProvider.IDPConfigID) err := c.eventstore.FilterToQueryReducer(ctx, idpModel) if err != nil { - return err + return nil, err } if idpModel.State == domain.IdentityProviderStateUnspecified || idpModel.State == domain.IdentityProviderStateRemoved { - return caos_errs.ThrowNotFound(nil, "Org-39fjs", "Errors.Org.LoginPolicy.IDP.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "Org-39fjs", "Errors.Org.LoginPolicy.IDP.NotExisting") } orgAgg := OrgAggregateFromWriteModel(&idpModel.IdentityProviderWriteModel.WriteModel) events := c.removeIDPProviderFromLoginPolicy(ctx, orgAgg, idpProvider.IDPConfigID, false, cascadeExternalIDPs...) - _, err = c.eventstore.PushEvents(ctx, events...) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, events...) + if err != nil { + return nil, err + } + err = AppendAndReduce(idpModel, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&idpModel.WriteModel), nil } func (c *Commands) removeIDPProviderFromLoginPolicy(ctx context.Context, orgAgg *eventstore.Aggregate, idpConfigID string, cascade bool, cascadeExternalIDPs ...*domain.ExternalIDP) []eventstore.EventPusher { 
@@ -128,7 +142,7 @@ func (c *Commands) removeIDPProviderFromLoginPolicy(ctx context.Context, orgAgg } for _, idp := range cascadeExternalIDPs { - event, err := c.removeHumanExternalIDP(ctx, idp, true) + event, _, err := c.removeHumanExternalIDP(ctx, idp, true) if err != nil { logging.LogWithFields("COMMAND-n8RRf", "userid", idp.AggregateID, "idpconfigid", idp.IDPConfigID).WithError(err).Warn("could not cascade remove external idp") continue diff --git a/internal/command/org_policy_password_age.go b/internal/command/org_policy_password_age.go index 7a7899578f..7fee2a7254 100644 --- a/internal/command/org_policy_password_age.go +++ b/internal/command/org_policy_password_age.go 
@@ -57,16 +57,23 @@ func (c *Commands) ChangePasswordAgePolicy(ctx context.Context, resourceOwner st return writeModelToPasswordAgePolicy(&existingPolicy.PasswordAgePolicyWriteModel), nil } -func (c *Commands) RemovePasswordAgePolicy(ctx context.Context, orgID string) error { +func (c *Commands) RemovePasswordAgePolicy(ctx context.Context, orgID string) (*domain.ObjectDetails, error) { existingPolicy := NewOrgPasswordAgePolicyWriteModel(orgID) err := c.eventstore.FilterToQueryReducer(ctx, existingPolicy) if err != nil { - return err + return nil, err } if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved { - return caos_errs.ThrowNotFound(nil, "ORG-Dgs1g", "Errors.Org.PasswordAgePolicy.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "ORG-Dgs1g", "Errors.Org.PasswordAgePolicy.NotFound") } orgAgg := OrgAggregateFromWriteModel(&existingPolicy.WriteModel) - _, err = c.eventstore.PushEvents(ctx, org.NewPasswordAgePolicyRemovedEvent(ctx, orgAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewPasswordAgePolicyRemovedEvent(ctx, orgAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingPolicy, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingPolicy.PasswordAgePolicyWriteModel.WriteModel), nil } diff --git a/internal/command/org_policy_password_complexity.go b/internal/command/org_policy_password_complexity.go index 6631d1560d..d9db695ea6 100644 --- a/internal/command/org_policy_password_complexity.go +++ b/internal/command/org_policy_password_complexity.go 
@@ -85,16 +85,23 @@ func (c *Commands) ChangePasswordComplexityPolicy(ctx context.Context, resourceO return writeModelToPasswordComplexityPolicy(&existingPolicy.PasswordComplexityPolicyWriteModel), nil } -func (c *Commands) RemovePasswordComplexityPolicy(ctx context.Context, orgID string) error { +func (c *Commands) RemovePasswordComplexityPolicy(ctx context.Context, orgID string) (*domain.ObjectDetails, error) { existingPolicy := NewOrgPasswordComplexityPolicyWriteModel(orgID) err := c.eventstore.FilterToQueryReducer(ctx, existingPolicy) if err != nil { - return err + return nil, err } if existingPolicy.State == domain.PolicyStateUnspecified || existingPolicy.State == domain.PolicyStateRemoved { - return caos_errs.ThrowNotFound(nil, "ORG-ADgs2", "Errors.Org.PasswordComplexityPolicy.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "ORG-ADgs2", "Errors.Org.PasswordComplexityPolicy.NotFound") } orgAgg := OrgAggregateFromWriteModel(&existingPolicy.WriteModel) - _, err = c.eventstore.PushEvents(ctx, org.NewPasswordComplexityPolicyRemovedEvent(ctx, orgAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, org.NewPasswordComplexityPolicyRemovedEvent(ctx, orgAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingPolicy, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingPolicy.PasswordComplexityPolicyWriteModel.WriteModel), nil } diff --git a/internal/command/project.go b/internal/command/project.go index ca1fab9512..505d029bb5 100644 --- a/internal/command/project.go +++ b/internal/command/project.go 
@@ -105,59 +105,73 @@ func (c *Commands) ChangeProject(ctx context.Context, projectChange *domain.Proj return projectWriteModelToProject(existingProject), nil } -func (c *Commands) DeactivateProject(ctx context.Context, projectID string, resourceOwner string) error { +func (c *Commands) DeactivateProject(ctx context.Context, projectID string, resourceOwner string) (*domain.ObjectDetails, error) { if projectID == "" || resourceOwner == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-88iF0", "Errors.Project.ProjectIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-88iF0", "Errors.Project.ProjectIDMissing") } existingProject, err := c.getProjectWriteModelByID(ctx, projectID, resourceOwner) if err != nil { - return err + return nil, err } if existingProject.State == domain.ProjectStateUnspecified || existingProject.State == domain.ProjectStateRemoved { - return caos_errs.ThrowNotFound(nil, "COMMAND-112M9", "Errors.Project.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-112M9", "Errors.Project.NotFound") } if existingProject.State != domain.ProjectStateActive { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-mki55", "Errors.Project.NotActive") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-mki55", "Errors.Project.NotActive") } projectAgg := ProjectAggregateFromWriteModel(&existingProject.WriteModel) - _, err = c.eventstore.PushEvents(ctx, project.NewProjectDeactivatedEvent(ctx, projectAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, project.NewProjectDeactivatedEvent(ctx, projectAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingProject, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingProject.WriteModel), nil } -func (c *Commands) ReactivateProject(ctx context.Context, projectID string, resourceOwner string) error { +func (c *Commands) ReactivateProject(ctx context.Context, projectID string, resourceOwner string) (*domain.ObjectDetails, error) { if projectID == "" || resourceOwner == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4m9vS", "Errors.Project.ProjectIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4m9vS", "Errors.Project.ProjectIDMissing") } existingProject, err := c.getProjectWriteModelByID(ctx, projectID, resourceOwner) if err != nil { - return err + return nil, err } if existingProject.State == domain.ProjectStateUnspecified || existingProject.State == domain.ProjectStateRemoved { - return caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.Project.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.Project.NotFound") } if existingProject.State != domain.ProjectStateInactive { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-5M9bs", "Errors.Project.NotInctive") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-5M9bs", "Errors.Project.NotInctive") } projectAgg := ProjectAggregateFromWriteModel(&existingProject.WriteModel) - _, err = c.eventstore.PushEvents(ctx, project.NewProjectReactivatedEvent(ctx, projectAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, project.NewProjectReactivatedEvent(ctx, projectAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingProject, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingProject.WriteModel), nil } -func (c *Commands) RemoveProject(ctx context.Context, projectID, resourceOwner string, cascadingUserGrantIDs ...string) error { +func (c *Commands) RemoveProject(ctx context.Context, projectID, resourceOwner string, cascadingUserGrantIDs ...string) (*domain.ObjectDetails, error) { if projectID == "" || resourceOwner == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-66hM9", "Errors.Project.ProjectIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-66hM9", "Errors.Project.ProjectIDMissing") } existingProject, err := c.getProjectWriteModelByID(ctx, projectID, resourceOwner) if err != nil { - return err + return nil, err } if existingProject.State == domain.ProjectStateUnspecified || existingProject.State == domain.ProjectStateRemoved { - return caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.Project.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.Project.NotFound") } projectAgg := ProjectAggregateFromWriteModel(&existingProject.WriteModel) events := []eventstore.EventPusher{ @@ -165,7 +179,7 @@ func (c *Commands) RemoveProject(ctx context.Context, projectID, resourceOwner s } for _, grantID := range cascadingUserGrantIDs { - event, err := c.removeUserGrant(ctx, grantID, "", true) + event, _, err := c.removeUserGrant(ctx, grantID, "", true) if err != nil { logging.LogWithFields("COMMAND-b8Djf", "usergrantid", grantID).WithError(err).Warn("could not cascade remove user grant") continue 
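Review bot: Error IDs are reused across these functions, so an ID seen in a log or API response does not identify one call site. `COMMAND-3M9sd` marks the not-found return in both ReactivateProject and RemoveProject, and `COMMAND-4m9vS` appears in ReactivateProject and again in ChangeApplication. In org_domain.go, `ORG-GDfA3` and `ORG-Sjdi3` are each used by two functions. Giving each return its own ID keeps them useful for triage. The message key `Errors.Project.NotInctive` in ReactivateProject also looks like a misspelling of NotInactive; check it against the translation files before changing it.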
@@ -173,8 +187,15 @@ func (c *Commands) RemoveProject(ctx context.Context, projectID, resourceOwner s events = append(events, event) } - _, err = c.eventstore.PushEvents(ctx, events...) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, events...) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingProject, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingProject.WriteModel), nil } func (c *Commands) getProjectWriteModelByID(ctx context.Context, projectID, resourceOwner string) (*ProjectWriteModel, error) { diff --git a/internal/command/project_application.go b/internal/command/project_application.go index 69acacb8be..4b7ceacf1b 100644 --- a/internal/command/project_application.go +++ b/internal/command/project_application.go @@ -7,7 +7,7 @@ import ( "github.com/caos/zitadel/internal/repository/project" ) -func (c *Commands) ChangeApplication(ctx context.Context, projectID string, appChange domain.Application, resourceOwner string) (domain.Application, error) { +func (c *Commands) ChangeApplication(ctx context.Context, projectID string, appChange domain.Application, resourceOwner string) (*domain.ObjectDetails, error) { if appChange.GetAppID() == "" || appChange.GetApplicationName() == "" { return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4m9vS", "Errors.Project.App.Invalid") } 
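Review bot: An error from `AppendAndReduce` is returned as the command's error although `PushEvents` has already succeeded, so a caller that reads the error as "nothing happened" may retry or report a failure for a removal that has presumably been persisted. The same tail is added to every command in this commit (project, application, application key, grant, member, role and user commands). A short comment at the reduce step would make the contract explicit, e.g. `// events are already pushed; an error here only means the details could not be built`. In this function `pushedEvents` also holds the cascaded user-grant events, so, depending on how the write model reduces events of another aggregate (not visible here), the returned details may describe the last user-grant event rather than the project.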
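Review bot: The error ID `COMMAND-4m9vS` on the precondition check in `ChangeApplication` is also used by `ReactivateProject` in project.go (`Errors.Project.ProjectIDMissing`) and by `RemoveProjectRole` in project_role.go (`Errors.Project.Role.Invalid`), so a log entry or API error carrying that ID does not identify the call site. Other IDs on lines touched by this commit repeat the same way: `COMMAND-3M9sd`, `COMMAND-ov9d3`, `PROJECT-p0s4V` and `PROJECT-47fu8`. Since these return statements are being rewritten anyway, giving each check its own ID would keep error triage unambiguous. The body of `ChangeApplication` continues outside this hunk.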
@@ -33,66 +33,87 @@ func (c *Commands) ChangeApplication(ctx context.Context, projectID string, appC if err != nil { return nil, err } - return applicationWriteModelToApplication(existingApp), nil + return writeModelToObjectDetails(&existingApp.WriteModel), nil } -func (c *Commands) DeactivateApplication(ctx context.Context, projectID, appID, resourceOwner string) error { +func (c *Commands) DeactivateApplication(ctx context.Context, projectID, appID, resourceOwner string) (*domain.ObjectDetails, error) { if projectID == "" || appID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-88fi0", "Errors.IDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-88fi0", "Errors.IDMissing") } existingApp, err := c.getApplicationWriteModel(ctx, projectID, appID, resourceOwner) if err != nil { - return err + return nil, err } if existingApp.State == domain.AppStateUnspecified || existingApp.State == domain.AppStateRemoved { - return caos_errs.ThrowNotFound(nil, "COMMAND-ov9d3", "Errors.Project.App.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-ov9d3", "Errors.Project.App.NotExisting") } if existingApp.State != domain.AppStateActive { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-dsh35", "Errors.Project.App.NotActive") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-dsh35", "Errors.Project.App.NotActive") } projectAgg := ProjectAggregateFromWriteModel(&existingApp.WriteModel) - _, err = c.eventstore.PushEvents(ctx, project.NewApplicationDeactivatedEvent(ctx, projectAgg, appID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, project.NewApplicationDeactivatedEvent(ctx, projectAgg, appID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingApp, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingApp.WriteModel), nil } -func (c *Commands) ReactivateApplication(ctx context.Context, projectID, appID, resourceOwner string) error { +func (c *Commands) ReactivateApplication(ctx context.Context, projectID, appID, resourceOwner string) (*domain.ObjectDetails, error) { if projectID == "" || appID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-983dF", "Errors.IDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-983dF", "Errors.IDMissing") } existingApp, err := c.getApplicationWriteModel(ctx, projectID, appID, resourceOwner) if err != nil { - return err + return nil, err } if existingApp.State == domain.AppStateUnspecified || existingApp.State == domain.AppStateRemoved { - return caos_errs.ThrowNotFound(nil, "COMMAND-ov9d3", "Errors.Project.App.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-ov9d3", "Errors.Project.App.NotExisting") } if existingApp.State != domain.AppStateInactive { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-1n8cM", "Errors.Project.App.NotInactive") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-1n8cM", "Errors.Project.App.NotInactive") } projectAgg := ProjectAggregateFromWriteModel(&existingApp.WriteModel) - _, err = c.eventstore.PushEvents(ctx, project.NewApplicationReactivatedEvent(ctx, projectAgg, appID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, project.NewApplicationReactivatedEvent(ctx, projectAgg, appID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingApp, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingApp.WriteModel), nil } -func (c *Commands) RemoveApplication(ctx context.Context, projectID, appID, resourceOwner string) error { +func (c *Commands) RemoveApplication(ctx context.Context, projectID, appID, resourceOwner string) (*domain.ObjectDetails, error) { if projectID == "" || appID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-1b7Jf", "Errors.IDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-1b7Jf", "Errors.IDMissing") } existingApp, err := c.getApplicationWriteModel(ctx, projectID, appID, resourceOwner) if err != nil { - return err + return nil, err } if existingApp.State == domain.AppStateUnspecified || existingApp.State == domain.AppStateRemoved { - return caos_errs.ThrowNotFound(nil, "COMMAND-0po9s", "Errors.Project.App.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-0po9s", "Errors.Project.App.NotExisting") } projectAgg := ProjectAggregateFromWriteModel(&existingApp.WriteModel) - _, err = c.eventstore.PushEvents(ctx, project.NewApplicationRemovedEvent(ctx, projectAgg, appID, existingApp.Name, projectID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, project.NewApplicationRemovedEvent(ctx, projectAgg, appID, existingApp.Name, projectID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingApp, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingApp.WriteModel), nil } func (c *Commands) getApplicationWriteModel(ctx context.Context, projectID, appID, resourceOwner string) (*ApplicationWriteModel, error) { diff --git a/internal/command/project_application_key.go b/internal/command/project_application_key.go index e12e1d302d..1edf9323c0 100644 --- a/internal/command/project_application_key.go +++ b/internal/command/project_application_key.go 
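Review bot: `DeactivateApplication`, `ReactivateApplication` and `RemoveApplication` reject an empty `projectID` or `appID` but pass `resourceOwner` through unchecked, while the project commands in project.go guard with `projectID == "" || resourceOwner == ""`. Whether an empty owner widens the lookup in `getApplicationWriteModel` is not visible here, so this may be harmless; the user commands in user.go (`DeactivateUser`, `ReactivateUser`, `LockUser`, `UnlockUser`, `RemoveUser`) check only `userID` in the same way. If the owner is required to scope the change to one organisation, extend the guard, e.g. `if projectID == "" || appID == "" || resourceOwner == "" {`; if the caller guarantees it, a one-line comment saying so would help the next reader.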
@@ -62,16 +62,23 @@ func (c *Commands) AddApplicationKey(ctx context.Context, key *domain.Applicatio return result, nil } -func (c *Commands) RemoveApplicationKey(ctx context.Context, projectID, applicationID, keyID, resourceOwner string) error { +func (c *Commands) RemoveApplicationKey(ctx context.Context, projectID, applicationID, keyID, resourceOwner string) (*domain.ObjectDetails, error) { keyWriteModel := NewApplicationKeyWriteModel(projectID, applicationID, keyID, resourceOwner) err := c.eventstore.FilterToQueryReducer(ctx, keyWriteModel) if err != nil { - return err + return nil, err } if !keyWriteModel.State.Exists() { - return errors.ThrowNotFound(nil, "COMMAND-4m77G", "Errors.Application.Key.NotFound") + return nil, errors.ThrowNotFound(nil, "COMMAND-4m77G", "Errors.Application.Key.NotFound") } - _, err = c.eventstore.PushEvents(ctx, project.NewApplicationKeyRemovedEvent(ctx, ProjectAggregateFromWriteModel(&keyWriteModel.WriteModel), keyID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, project.NewApplicationKeyRemovedEvent(ctx, ProjectAggregateFromWriteModel(&keyWriteModel.WriteModel), keyID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(keyWriteModel, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&keyWriteModel.WriteModel), nil } diff --git a/internal/command/project_grant.go b/internal/command/project_grant.go index 211caa47b3..30cd372cc7 100644 --- a/internal/command/project_grant.go +++ b/internal/command/project_grant.go 
@@ -125,73 +125,94 @@ func (c *Commands) removeRoleFromProjectGrant(ctx context.Context, projectAgg *e return project.NewGrantChangedEvent(ctx, projectAgg, projectGrantID, existingProjectGrant.RoleKeys), changedProjectGrant, nil } -func (c *Commands) DeactivateProjectGrant(ctx context.Context, projectID, grantID, resourceOwner string) (err error) { +func (c *Commands) DeactivateProjectGrant(ctx context.Context, projectID, grantID, resourceOwner string) (details *domain.ObjectDetails, err error) { if grantID == "" || projectID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "PROJECT-p0s4V", "Errors.IDMissing") + return details, caos_errs.ThrowPreconditionFailed(nil, "PROJECT-p0s4V", "Errors.IDMissing") } err = c.checkProjectExists(ctx, projectID, resourceOwner) if err != nil { - return err + return details, err } existingGrant, err := c.projectGrantWriteModelByID(ctx, grantID, projectID, resourceOwner) if err != nil { - return err + return details, err } if existingGrant.State != domain.ProjectGrantStateActive { - return caos_errs.ThrowPreconditionFailed(nil, "PROJECT-47fu8", "Errors.Project.Grant.NotActive") + return details, caos_errs.ThrowPreconditionFailed(nil, "PROJECT-47fu8", "Errors.Project.Grant.NotActive") } projectAgg := ProjectAggregateFromWriteModel(&existingGrant.WriteModel) - _, err = c.eventstore.PushEvents(ctx, project.NewGrantDeactivateEvent(ctx, projectAgg, grantID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, project.NewGrantDeactivateEvent(ctx, projectAgg, grantID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingGrant, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingGrant.WriteModel), nil } -func (c *Commands) ReactivateProjectGrant(ctx context.Context, projectID, grantID, resourceOwner string) (err error) { +func (c *Commands) ReactivateProjectGrant(ctx context.Context, projectID, grantID, resourceOwner string) (details *domain.ObjectDetails, err error) { if grantID == "" || projectID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "PROJECT-p0s4V", "Errors.IDMissing") + return details, caos_errs.ThrowPreconditionFailed(nil, "PROJECT-p0s4V", "Errors.IDMissing") } err = c.checkProjectExists(ctx, projectID, resourceOwner) if err != nil { - return err + return details, err } existingGrant, err := c.projectGrantWriteModelByID(ctx, grantID, projectID, resourceOwner) if err != nil { - return err + return details, err } if existingGrant.State != domain.ProjectGrantStateInactive { - return caos_errs.ThrowPreconditionFailed(nil, "PROJECT-47fu8", "Errors.Project.Grant.NotInactive") + return details, caos_errs.ThrowPreconditionFailed(nil, "PROJECT-47fu8", "Errors.Project.Grant.NotInactive") } projectAgg := ProjectAggregateFromWriteModel(&existingGrant.WriteModel) - _, err = c.eventstore.PushEvents(ctx, project.NewGrantReactivatedEvent(ctx, projectAgg, grantID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, project.NewGrantReactivatedEvent(ctx, projectAgg, grantID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingGrant, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingGrant.WriteModel), nil } -func (c *Commands) RemoveProjectGrant(ctx context.Context, projectID, grantID, resourceOwner string, cascadeUserGrantIDs ...string) (err error) { +func (c *Commands) RemoveProjectGrant(ctx context.Context, projectID, grantID, resourceOwner string, cascadeUserGrantIDs ...string) (details *domain.ObjectDetails, err error) { if grantID == "" || projectID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "PROJECT-1m9fJ", "Errors.IDMissing") + return details, caos_errs.ThrowPreconditionFailed(nil, "PROJECT-1m9fJ", "Errors.IDMissing") } err = c.checkProjectExists(ctx, projectID, resourceOwner) if err != nil { - return err + return details, err } existingGrant, err := c.projectGrantWriteModelByID(ctx, grantID, projectID, resourceOwner) if err != nil { - return err + return details, err } events := make([]eventstore.EventPusher, 0) projectAgg := ProjectAggregateFromWriteModel(&existingGrant.WriteModel) events = append(events, project.NewGrantRemovedEvent(ctx, projectAgg, grantID, existingGrant.GrantedOrgID, projectID)) for _, userGrantID := range cascadeUserGrantIDs { - event, err := c.removeUserGrant(ctx, userGrantID, "", true) + event, _, err := c.removeUserGrant(ctx, userGrantID, "", true) if err != nil { logging.LogWithFields("COMMAND-3m8sG", "usergrantid", grantID).WithError(err).Warn("could not cascade remove user grant") continue } events = append(events, event) } - _, err = c.eventstore.PushEvents(ctx, events...) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, events...) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingGrant, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingGrant.WriteModel), nil } func (c *Commands) projectGrantWriteModelByID(ctx context.Context, grantID, projectID, resourceOwner string) (member *ProjectGrantWriteModel, err error) { 
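Review bot: In the cascade loop of `RemoveProjectGrant` the warning logs `grantID` under the `usergrantid` field, which is the project grant being removed, not the user grant that failed; the loop variable is `userGrantID`. The line should read `logging.LogWithFields("COMMAND-3m8sG", "usergrantid", userGrantID).WithError(err).Warn("could not cascade remove user grant")`, otherwise the log cannot show which grant was left behind. Separately, `RemoveProjectGrant` pushes the removed event without any check on `existingGrant.State`, unlike the deactivate and reactivate commands above it; unless `projectGrantWriteModelByID` already rejects removed grants (its body is not visible here), that is worth confirming.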
diff --git a/internal/command/project_grant_member.go b/internal/command/project_grant_member.go index d0f3dcf95c..81e1918e41 100644 --- a/internal/command/project_grant_member.go +++ b/internal/command/project_grant_member.go @@ -74,15 +74,22 @@ func (c *Commands) ChangeProjectGrantMember(ctx context.Context, member *domain. return memberWriteModelToProjectGrantMember(existingMember), nil } -func (c *Commands) RemoveProjectGrantMember(ctx context.Context, projectID, userID, grantID, resourceOwner string) error { +func (c *Commands) RemoveProjectGrantMember(ctx context.Context, projectID, userID, grantID, resourceOwner string) (*domain.ObjectDetails, error) { m, err := c.projectGrantMemberWriteModelByID(ctx, projectID, userID, grantID) if err != nil { - return err + return nil, err } projectAgg := ProjectAggregateFromWriteModel(&m.WriteModel) - _, err = c.eventstore.PushEvents(ctx, project.NewProjectGrantMemberRemovedEvent(ctx, projectAgg, projectID, userID, grantID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, project.NewProjectGrantMemberRemovedEvent(ctx, projectAgg, projectID, userID, grantID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(m, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&m.WriteModel), nil } func (c *Commands) projectGrantMemberWriteModelByID(ctx context.Context, projectID, userID, grantID string) (member *ProjectGrantMemberWriteModel, err error) { diff --git a/internal/command/project_member.go b/internal/command/project_member.go index 321899dbc0..7d1536b5f5 100644 --- a/internal/command/project_member.go +++ b/internal/command/project_member.go 
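Review bot: `RemoveProjectGrantMember` accepts `resourceOwner` but never uses it: the lookup is `c.projectGrantMemberWriteModelByID(ctx, projectID, userID, grantID)`, and the helper signature shown at the end of the hunk has no owner parameter. The removal is therefore keyed only on the three IDs, whereas `RemoveProjectMember` in project_member.go passes the owner to its lookup. If the owner is meant to scope the operation to the caller's organisation, it should reach the write-model query; if not, a comment such as `// resourceOwner is not used for the lookup because ...` should explain why it is ignored. There is also no visible check that the member exists before the removed event is pushed, unless the helper already returns an error for that case.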
@@ -86,18 +86,25 @@ func (c *Commands) ChangeProjectMember(ctx context.Context, member *domain.Membe return memberWriteModelToMember(&existingMember.MemberWriteModel), nil } -func (c *Commands) RemoveProjectMember(ctx context.Context, projectID, userID, resourceOwner string) error { +func (c *Commands) RemoveProjectMember(ctx context.Context, projectID, userID, resourceOwner string) (*domain.ObjectDetails, error) { m, err := c.projectMemberWriteModelByID(ctx, projectID, userID, resourceOwner) if err != nil && !errors.IsNotFound(err) { - return err + return nil, err } if errors.IsNotFound(err) { - return nil + return nil, nil } projectAgg := ProjectAggregateFromWriteModel(&m.MemberWriteModel.WriteModel) - _, err = c.eventstore.PushEvents(ctx, project.NewProjectMemberRemovedEvent(ctx, projectAgg, userID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, project.NewProjectMemberRemovedEvent(ctx, projectAgg, userID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(m, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&m.WriteModel), nil } func (c *Commands) projectMemberWriteModelByID(ctx context.Context, projectID, userID, resourceOwner string) (member *ProjectMemberWriteModel, err error) { diff --git a/internal/command/project_role.go b/internal/command/project_role.go index adb0e62a75..d80b074ccc 100644 --- a/internal/command/project_role.go +++ b/internal/command/project_role.go 
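Review bot: The not-found branch now returns `nil, nil`, so a caller that reads fields from the returned `*domain.ObjectDetails` after checking only `err` will dereference a nil pointer. The other commands in this commit return non-nil details whenever the error is nil, so this one breaks the pattern callers will expect. Either document it on the function, e.g. `// RemoveProjectMember returns nil details and a nil error when the member does not exist.`, or return the not-found error instead of swallowing it. The success path also uses `&m.MemberWriteModel.WriteModel` for the aggregate and `&m.WriteModel` for the details, presumably the same promoted field; using one spelling would read more clearly.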
@@ -32,21 +32,28 @@ func (c *Commands) AddProjectRole(ctx context.Context, projectRole *domain.Proje return roleWriteModelToRole(roleWriteModel), nil } -func (c *Commands) BulkAddProjectRole(ctx context.Context, projectID, resourceOwner string, projectRoles []*domain.ProjectRole) (err error) { +func (c *Commands) BulkAddProjectRole(ctx context.Context, projectID, resourceOwner string, projectRoles []*domain.ProjectRole) (details *domain.ObjectDetails, err error) { err = c.checkProjectExists(ctx, projectID, resourceOwner) if err != nil { - return err + return details, err } roleWriteModel := NewProjectRoleWriteModel(projectID, resourceOwner) projectAgg := ProjectAggregateFromWriteModel(&roleWriteModel.WriteModel) events, err := c.addProjectRoles(ctx, projectAgg, projectID, projectRoles...) if err != nil { - return err + return details, err } - _, err = c.eventstore.PushEvents(ctx, events...) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, events...) + if err != nil { + return nil, err + } + err = AppendAndReduce(roleWriteModel, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&roleWriteModel.WriteModel), nil } func (c *Commands) addProjectRoles(ctx context.Context, projectAgg *eventstore.Aggregate, projectID string, projectRoles ...*domain.ProjectRole) ([]eventstore.EventPusher, error) { 
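Review bot: The early exits in `BulkAddProjectRole` write `return details, err` where `details` is the never-assigned named result, while the new tail writes `return nil, err`; both yield nil, but the mix reads as if `details` could carry a value on the error path. Using `return nil, err` throughout, with unnamed results, would be clearer; the same mix appears in `DeactivateProjectGrant`, `ReactivateProjectGrant`, `RemoveProjectGrant` and `RemoveProjectRole`. Note also that `roleWriteModel` is created fresh and, in the visible code, only reduced from `pushedEvents`, so the returned details depend entirely on what `AppendAndReduce` derives from the newly pushed events.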
@@ -106,16 +113,16 @@ func (c *Commands) ChangeProjectRole(ctx context.Context, projectRole *domain.Pr return roleWriteModelToRole(existingRole), nil } -func (c *Commands) RemoveProjectRole(ctx context.Context, projectID, key, resourceOwner string, cascadingProjectGrantIds []string, cascadeUserGrantIDs ...string) (err error) { +func (c *Commands) RemoveProjectRole(ctx context.Context, projectID, key, resourceOwner string, cascadingProjectGrantIds []string, cascadeUserGrantIDs ...string) (details *domain.ObjectDetails, err error) { if projectID == "" || key == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4m9vS", "Errors.Project.Role.Invalid") + return details, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4m9vS", "Errors.Project.Role.Invalid") } existingRole, err := c.getProjectRoleWriteModelByID(ctx, key, projectID, resourceOwner) if err != nil { - return err + return details, err } if existingRole.State == domain.ProjectRoleStateUnspecified || existingRole.State == domain.ProjectRoleStateRemoved { - return caos_errs.ThrowNotFound(nil, "COMMAND-m9vMf", "Errors.Project.Role.NotExisting") + return details, caos_errs.ThrowNotFound(nil, "COMMAND-m9vMf", "Errors.Project.Role.NotExisting") } projectAgg := ProjectAggregateFromWriteModel(&existingRole.WriteModel) events := []eventstore.EventPusher{ @@ -140,8 +147,15 @@ func (c *Commands) RemoveProjectRole(ctx context.Context, projectID, key, resour events = append(events, event) } - _, err = c.eventstore.PushEvents(ctx, events...) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, events...) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingRole, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingRole.WriteModel), nil } func (c *Commands) getProjectRoleWriteModelByID(ctx context.Context, key, projectID, resourceOwner string) (*ProjectRoleWriteModel, error) { 
diff --git a/internal/command/setup_step1.go b/internal/command/setup_step1.go index a44f6bb487..db16d44f0a 100644 --- a/internal/command/setup_step1.go +++ b/internal/command/setup_step1.go @@ -101,7 +101,7 @@ func (c *Commands) SetupStep1(ctx context.Context, step1 *Step1) error { logging.Log("SETUP-sd2hj").Info("default login policy set up") //create orgs for _, organisation := range step1.Orgs { - orgAgg, humanWriteModel, _, setUpOrgEvents, err := c.setUpOrg(ctx, + orgAgg, _, humanWriteModel, _, setUpOrgEvents, err := c.setUpOrg(ctx, &domain.Org{ Name: organisation.Name, Domains: []*domain.OrgDomain{{Domain: organisation.Domain}}, diff --git a/internal/command/user.go b/internal/command/user.go index 6f1cdaf32a..652e55621b 100644 --- a/internal/command/user.go +++ b/internal/command/user.go 
@@ -15,147 +15,181 @@ import ( "github.com/caos/zitadel/internal/telemetry/tracing" ) -func (c *Commands) ChangeUsername(ctx context.Context, orgID, userID, userName string) error { +func (c *Commands) ChangeUsername(ctx context.Context, orgID, userID, userName string) (*domain.ObjectDetails, error) { if orgID == "" || userID == "" || userName == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2N9fs", "Errors.IDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2N9fs", "Errors.IDMissing") } existingUser, err := c.userWriteModelByID(ctx, userID, orgID) if err != nil { - return err + return nil, err } if !isUserStateExists(existingUser.UserState) { - return caos_errs.ThrowNotFound(nil, "COMMAND-5N9ds", "Errors.User.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-5N9ds", "Errors.User.NotFound") } if existingUser.UserName == userName { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6m9gs", "Errors.User.UsernameNotChanged") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6m9gs", "Errors.User.UsernameNotChanged") } orgIAMPolicy, err := c.getOrgIAMPolicy(ctx, orgID) if err != nil { - return err + return nil, err } if err := CheckOrgIAMPolicyForUserName(userName, orgIAMPolicy); err != nil { - return err + return nil, err } userAgg := UserAggregateFromWriteModel(&existingUser.WriteModel) - _, err = c.eventstore.PushEvents(ctx, + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewUsernameChangedEvent(ctx, userAgg, existingUser.UserName, userName, orgIAMPolicy.UserLoginMustBeDomain)) - - return err + if err != nil { + return nil, err + } + err = AppendAndReduce(existingUser, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingUser.WriteModel), nil } -func (c *Commands) DeactivateUser(ctx context.Context, userID, resourceOwner string) error { +func (c *Commands) DeactivateUser(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-m0gDf", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-m0gDf", "Errors.User.UserIDMissing") } existingUser, err := c.userWriteModelByID(ctx, userID, resourceOwner) if err != nil { - return err + return nil, err } if !isUserStateExists(existingUser.UserState) { - return caos_errs.ThrowNotFound(nil, "COMMAND-3M9ds", "Errors.User.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9ds", "Errors.User.NotFound") } if isUserStateInactive(existingUser.UserState) { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-5M0sf", "Errors.User.AlreadyInactive") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-5M0sf", "Errors.User.AlreadyInactive") } - _, err = c.eventstore.PushEvents(ctx, + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewUserDeactivatedEvent(ctx, UserAggregateFromWriteModel(&existingUser.WriteModel))) - return err + if err != nil { + return nil, err + } + err = AppendAndReduce(existingUser, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingUser.WriteModel), nil } -func (c *Commands) ReactivateUser(ctx context.Context, userID, resourceOwner string) error { +func (c *Commands) ReactivateUser(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M9ds", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M9ds", "Errors.User.UserIDMissing") } existingUser, err := c.userWriteModelByID(ctx, userID, resourceOwner) if err != nil { - return err + return nil, err } if !isUserStateExists(existingUser.UserState) { - return caos_errs.ThrowNotFound(nil, "COMMAND-4M0sd", "Errors.User.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-4M0sd", "Errors.User.NotFound") } if !isUserStateInactive(existingUser.UserState) { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6M0sf", "Errors.User.NotInactive") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6M0sf", "Errors.User.NotInactive") } - _, err = c.eventstore.PushEvents(ctx, + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewUserReactivatedEvent(ctx, UserAggregateFromWriteModel(&existingUser.WriteModel))) - return err + if err != nil { + return nil, err + } + err = AppendAndReduce(existingUser, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingUser.WriteModel), nil } -func (c *Commands) LockUser(ctx context.Context, userID, resourceOwner string) error { +func (c *Commands) LockUser(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M0sd", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M0sd", "Errors.User.UserIDMissing") } existingUser, err := c.userWriteModelByID(ctx, userID, resourceOwner) if err != nil { - return err + return nil, err } if !isUserStateExists(existingUser.UserState) { - return caos_errs.ThrowNotFound(nil, "COMMAND-5M9fs", "Errors.User.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-5M9fs", "Errors.User.NotFound") } if !hasUserState(existingUser.UserState, domain.UserStateActive, domain.UserStateInitial) { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-3NN8v", "Errors.User.ShouldBeActiveOrInitial") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-3NN8v", "Errors.User.ShouldBeActiveOrInitial") } - _, err = c.eventstore.PushEvents(ctx, + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewUserLockedEvent(ctx, UserAggregateFromWriteModel(&existingUser.WriteModel))) - return err + if err != nil { + return nil, err + } + err = AppendAndReduce(existingUser, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingUser.WriteModel), nil } -func (c *Commands) UnlockUser(ctx context.Context, userID, resourceOwner string) error { +func (c *Commands) UnlockUser(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-M0dse", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-M0dse", "Errors.User.UserIDMissing") } existingUser, err := c.userWriteModelByID(ctx, userID, resourceOwner) if err != nil { - return err + return nil, err } if !isUserStateExists(existingUser.UserState) { - return caos_errs.ThrowNotFound(nil, "COMMAND-M0dos", "Errors.User.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-M0dos", "Errors.User.NotFound") } if !hasUserState(existingUser.UserState, domain.UserStateLocked) { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0ds", "Errors.User.NotLocked") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0ds", "Errors.User.NotLocked") } - _, err = c.eventstore.PushEvents(ctx, + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewUserUnlockedEvent(ctx, UserAggregateFromWriteModel(&existingUser.WriteModel))) - return err + if err != nil { + return nil, err + } + err = AppendAndReduce(existingUser, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingUser.WriteModel), nil } -func (c *Commands) RemoveUser(ctx context.Context, userID, resourceOwner string, cascadingGrantIDs ...string) error { +func (c *Commands) RemoveUser(ctx context.Context, userID, resourceOwner string, cascadingGrantIDs ...string) (*domain.ObjectDetails, error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M0ds", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M0ds", "Errors.User.UserIDMissing") } existingUser, err := c.userWriteModelByID(ctx, userID, resourceOwner) if err != nil { - return err + return nil, err } if !isUserStateExists(existingUser.UserState) { - return caos_errs.ThrowNotFound(nil, "COMMAND-5M0od", "Errors.User.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-5M0od", "Errors.User.NotFound") } orgIAMPolicy, err := c.getOrgIAMPolicy(ctx, existingUser.ResourceOwner) if err != nil { - return err + return nil, err } var events []eventstore.EventPusher userAgg := UserAggregateFromWriteModel(&existingUser.WriteModel) events = append(events, user.NewUserRemovedEvent(ctx, userAgg, existingUser.UserName, orgIAMPolicy.UserLoginMustBeDomain)) for _, grantID := range cascadingGrantIDs { - removeEvent, err := c.removeUserGrant(ctx, grantID, "", true) + removeEvent, _, err := c.removeUserGrant(ctx, grantID, "", true) if err != nil { logging.LogWithFields("COMMAND-5m9oL", "usergrantid", grantID).WithError(err).Warn("could not cascade remove role on user grant") continue 
@@ -163,8 +197,15 @@ func (c *Commands) RemoveUser(ctx context.Context, userID, resourceOwner string, events = append(events, removeEvent) } - _, err = c.eventstore.PushEvents(ctx, events...) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, events...) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingUser, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingUser.WriteModel), nil } func (c *Commands) AddUserToken(ctx context.Context, orgID, agentID, clientID, userID string, audience, scopes []string, lifetime time.Duration) (*domain.Token, error) { diff --git a/internal/command/user_grant.go b/internal/command/user_grant.go index 7ec36b78c4..94e2600c61 100644 --- a/internal/command/user_grant.go +++ b/internal/command/user_grant.go 
@@ -140,72 +140,93 @@ func (c *Commands) removeRoleFromUserGrant(ctx context.Context, userGrantID stri return usergrant.NewUserGrantChangedEvent(ctx, userGrantAgg, existingUserGrant.RoleKeys), nil } -func (c *Commands) DeactivateUserGrant(ctx context.Context, grantID, resourceOwner string) (err error) { +func (c *Commands) DeactivateUserGrant(ctx context.Context, grantID, resourceOwner string) (objectDetails *domain.ObjectDetails, err error) { if grantID == "" || resourceOwner == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-M0dsf", "Errors.UserGrant.IDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-M0dsf", "Errors.UserGrant.IDMissing") } existingUserGrant, err := c.userGrantWriteModelByID(ctx, grantID, resourceOwner) if err != nil { - return err + return nil, err } err = checkExplicitProjectPermission(ctx, existingUserGrant.ProjectGrantID, existingUserGrant.ProjectID) if err != nil { - return err + return nil, err } if existingUserGrant.State == domain.UserGrantStateUnspecified || existingUserGrant.State == domain.UserGrantStateRemoved { - return caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.UserGrant.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3M9sd", "Errors.UserGrant.NotFound") } if existingUserGrant.State != domain.UserGrantStateActive { - return caos_errs.ThrowNotFound(nil, "COMMAND-1S9gx", "Errors.UserGrant.NotActive") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-1S9gx", "Errors.UserGrant.NotActive") } deactivateUserGrant := NewUserGrantWriteModel(grantID, resourceOwner) userGrantAgg := UserGrantAggregateFromWriteModel(&deactivateUserGrant.WriteModel) - _, err = c.eventstore.PushEvents(ctx, usergrant.NewUserGrantDeactivatedEvent(ctx, userGrantAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, usergrant.NewUserGrantDeactivatedEvent(ctx, userGrantAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingUserGrant, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingUserGrant.WriteModel), nil } -func (c *Commands) ReactivateUserGrant(ctx context.Context, grantID, resourceOwner string) (err error) { +func (c *Commands) ReactivateUserGrant(ctx context.Context, grantID, resourceOwner string) (objectDetails *domain.ObjectDetails, err error) { if grantID == "" || resourceOwner == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Qxy8v", "Errors.UserGrant.IDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Qxy8v", "Errors.UserGrant.IDMissing") } existingUserGrant, err := c.userGrantWriteModelByID(ctx, grantID, resourceOwner) if err != nil { - return err + return nil, err } err = checkExplicitProjectPermission(ctx, existingUserGrant.ProjectGrantID, existingUserGrant.ProjectID) if err != nil { - return err + return nil, err } if existingUserGrant.State == domain.UserGrantStateUnspecified || existingUserGrant.State == domain.UserGrantStateRemoved { - return caos_errs.ThrowNotFound(nil, "COMMAND-Lp0gs", "Errors.UserGrant.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-Lp0gs", "Errors.UserGrant.NotFound") } if existingUserGrant.State != domain.UserGrantStateInactive { - return caos_errs.ThrowNotFound(nil, "COMMAND-1ML0v", "Errors.UserGrant.NotInactive") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-1ML0v", "Errors.UserGrant.NotInactive") } deactivateUserGrant := NewUserGrantWriteModel(grantID, resourceOwner) userGrantAgg := UserGrantAggregateFromWriteModel(&deactivateUserGrant.WriteModel) - _, err = c.eventstore.PushEvents(ctx, usergrant.NewUserGrantReactivatedEvent(ctx, userGrantAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, usergrant.NewUserGrantReactivatedEvent(ctx, userGrantAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingUserGrant, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingUserGrant.WriteModel), nil } -func (c *Commands) RemoveUserGrant(ctx context.Context, grantID, resourceOwner string) (err error) { - event, err := c.removeUserGrant(ctx, grantID, resourceOwner, false) +func (c *Commands) RemoveUserGrant(ctx context.Context, grantID, resourceOwner string) (objectDetails *domain.ObjectDetails, err error) { + event, existingUserGrant, err := c.removeUserGrant(ctx, grantID, resourceOwner, false) if err != nil { - return nil + return nil, err } - _, err = c.eventstore.PushEvents(ctx, event) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, event) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingUserGrant, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingUserGrant.WriteModel), nil } func (c *Commands) BulkRemoveUserGrant(ctx context.Context, grantIDs []string, resourceOwner string) (err error) { events := make([]eventstore.EventPusher, len(grantIDs)) for i, grantID := range grantIDs { - event, err := c.removeUserGrant(ctx, grantID, resourceOwner, false) + event, _, err := c.removeUserGrant(ctx, grantID, resourceOwner, false) if err != nil { return nil } 
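Review bot: BulkRemoveUserGrant still has `if err != nil { return nil }` after `c.removeUserGrant(...)`, the same swallowed error that this hunk fixes in RemoveUserGrant. A missing ID, a grant that is not found or a failed `checkExplicitProjectPermission` makes the bulk call report success without removing anything, so a caller cannot tell a denied request from a completed one. Change the line to `return err`. The rest of BulkRemoveUserGrant is outside this hunk.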
@@ -215,24 +236,24 @@ func (c *Commands) BulkRemoveUserGrant(ctx context.Context, grantIDs []string, r return err } -func (c *Commands) removeUserGrant(ctx context.Context, grantID, resourceOwner string, cascade bool) (_ eventstore.EventPusher, err error) { +func (c *Commands) removeUserGrant(ctx context.Context, grantID, resourceOwner string, cascade bool) (_ eventstore.EventPusher, writeModel *UserGrantWriteModel, err error) { if grantID == "" { - return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-J9sc5", "Errors.UserGrant.IDMissing") + return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-J9sc5", "Errors.UserGrant.IDMissing") } existingUserGrant, err := c.userGrantWriteModelByID(ctx, grantID, resourceOwner) if err != nil { - return nil, err + return nil, nil, err } if !cascade { err = checkExplicitProjectPermission(ctx, existingUserGrant.ProjectGrantID, existingUserGrant.ProjectID) if err != nil { - return nil, err + return nil, nil, err } } if existingUserGrant.State == domain.UserGrantStateUnspecified || existingUserGrant.State == domain.UserGrantStateRemoved { - return nil, caos_errs.ThrowNotFound(nil, "COMMAND-1My0t", "Errors.UserGrant.NotFound") + return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-1My0t", "Errors.UserGrant.NotFound") } removeUserGrant := NewUserGrantWriteModel(grantID, resourceOwner) 
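Review bot: removeUserGrant has no doc comment, and its contract now matters more: it returns the loaded write model alongside the event, and with `cascade` set it skips `checkExplicitProjectPermission`. I would add `// removeUserGrant builds the removal event for grantID and returns the loaded write model. With cascade set the project permission check is skipped, so the caller must already have authorised the parent operation.` The named result `writeModel` is never assigned in the visible lines, so `_ *UserGrantWriteModel` would match how the first result is declared. The function body continues in the next hunk.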
@@ -243,14 +264,14 @@ func (c *Commands) removeUserGrant(ctx context.Context, grantID, resourceOwner s userGrantAgg, existingUserGrant.UserID, existingUserGrant.ProjectID, - existingUserGrant.ProjectGrantID), nil + existingUserGrant.ProjectGrantID), existingUserGrant, nil } return usergrant.NewUserGrantRemovedEvent( ctx, userGrantAgg, existingUserGrant.UserID, existingUserGrant.ProjectID, - existingUserGrant.ProjectGrantID), nil + existingUserGrant.ProjectGrantID), existingUserGrant, nil } func (c *Commands) userGrantWriteModelByID(ctx context.Context, userGrantID, resourceOwner string) (writeModel *UserGrantWriteModel, err error) { ctx, span := tracing.NewSpan(ctx) diff --git a/internal/command/user_human_email.go b/internal/command/user_human_email.go index 1348ee0370..02bdab3748 100644 --- a/internal/command/user_human_email.go +++ b/internal/command/user_human_email.go 
@@ -52,59 +52,73 @@ func (c *Commands) ChangeHumanEmail(ctx context.Context, email *domain.Email) (* return writeModelToEmail(existingEmail), nil } -func (c *Commands) VerifyHumanEmail(ctx context.Context, userID, code, resourceowner string) error { +func (c *Commands) VerifyHumanEmail(ctx context.Context, userID, code, resourceowner string) (*domain.ObjectDetails, error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0ds", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0ds", "Errors.User.UserIDMissing") } if code == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-çm0ds", "Errors.User.Code.Empty") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-çm0ds", "Errors.User.Code.Empty") } existingCode, err := c.emailWriteModel(ctx, userID, resourceowner) if err != nil { - return err + return nil, err } if existingCode.Code == nil || existingCode.UserState == domain.UserStateUnspecified || existingCode.UserState == domain.UserStateDeleted { - return caos_errs.ThrowNotFound(nil, "COMMAND-3n8ud", "Errors.User.Code.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3n8ud", "Errors.User.Code.NotFound") } userAgg := UserAggregateFromWriteModel(&existingCode.WriteModel) err = crypto.VerifyCode(existingCode.CodeCreationDate, existingCode.CodeExpiry, existingCode.Code, code, c.emailVerificationCode) if err == nil { - _, err = c.eventstore.PushEvents(ctx, user.NewHumanEmailVerifiedEvent(ctx, userAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewHumanEmailVerifiedEvent(ctx, userAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingCode, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingCode.WriteModel), nil } _, err = c.eventstore.PushEvents(ctx, user.NewHumanEmailVerificationFailedEvent(ctx, userAgg)) logging.LogWithFields("COMMAND-Dg2z5", "userID", userAgg.ID).OnError(err).Error("NewHumanEmailVerificationFailedEvent push failed") - return caos_errs.ThrowInvalidArgument(err, "COMMAND-Gdsgs", "Errors.User.Code.Invalid") + return nil, caos_errs.ThrowInvalidArgument(err, "COMMAND-Gdsgs", "Errors.User.Code.Invalid") } -func (c *Commands) CreateHumanEmailVerificationCode(ctx context.Context, userID, resourceOwner string) error { +func (c *Commands) CreateHumanEmailVerificationCode(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0ds", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0ds", "Errors.User.UserIDMissing") } existingEmail, err := c.emailWriteModel(ctx, userID, resourceOwner) if err != nil { - return err + return nil, err } if existingEmail.UserState == domain.UserStateUnspecified || existingEmail.UserState == domain.UserStateDeleted { - return caos_errs.ThrowNotFound(nil, "COMMAND-0Pe4r", "Errors.User.Email.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-0Pe4r", "Errors.User.Email.NotFound") } if existingEmail.UserState == domain.UserStateInitial { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-E3fbw", "Errors.User.NotInitialised") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-E3fbw", "Errors.User.NotInitialised") } if existingEmail.IsEmailVerified { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-3M9ds", "Errors.User.Email.AlreadyVerified") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-3M9ds", "Errors.User.Email.AlreadyVerified") } userAgg := UserAggregateFromWriteModel(&existingEmail.WriteModel) emailCode, err := 
domain.NewEmailCode(c.emailVerificationCode) if err != nil { - return err + return nil, err } - _, err = c.eventstore.PushEvents(ctx, user.NewHumanEmailCodeAddedEvent(ctx, userAgg, emailCode.Code, emailCode.Expiry)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewHumanEmailCodeAddedEvent(ctx, userAgg, emailCode.Code, emailCode.Expiry)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingEmail, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingEmail.WriteModel), nil } func (c *Commands) HumanEmailVerificationCodeSent(ctx context.Context, orgID, userID string) (err error) { diff --git a/internal/command/user_human_externalidp.go b/internal/command/user_human_externalidp.go index 2e8f533df2..636dfd785e 100644 --- a/internal/command/user_human_externalidp.go +++ b/internal/command/user_human_externalidp.go 
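Review bot: The error ID `COMMAND-4M0ds` marks the missing-user-ID check in both VerifyHumanEmail and CreateHumanEmailVerificationCode in this hunk, and appears again in CreateHumanPhoneVerificationCode in user_human_phone.go, so a log entry or API error carrying that ID does not identify where it was raised. `COMMAND-çm0ds` also contains a non-ASCII character, which is awkward to search for and to type into a log query. Each throw site should get its own ASCII-only ID, for example `COMMAND-<new-id>` (placeholder).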
@@ -44,32 +44,39 @@ func (c *Commands) addHumanExternalIDP(ctx context.Context, humanAgg *eventstore return user.NewHumanExternalIDPAddedEvent(ctx, humanAgg, externalIDP.IDPConfigID, externalIDP.DisplayName, externalIDP.ExternalUserID), nil } -func (c *Commands) RemoveHumanExternalIDP(ctx context.Context, externalIDP *domain.ExternalIDP) error { - event, err := c.removeHumanExternalIDP(ctx, externalIDP, false) +func (c *Commands) RemoveHumanExternalIDP(ctx context.Context, externalIDP *domain.ExternalIDP) (*domain.ObjectDetails, error) { + event, externalIDPWriteModel, err := c.removeHumanExternalIDP(ctx, externalIDP, false) if err != nil { - return err + return nil, err } - _, err = c.eventstore.PushEvents(ctx, event) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, event) + if err != nil { + return nil, err + } + err = AppendAndReduce(externalIDPWriteModel, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&externalIDPWriteModel.WriteModel), nil } -func (c *Commands) removeHumanExternalIDP(ctx context.Context, externalIDP *domain.ExternalIDP, cascade bool) (eventstore.EventPusher, error) { +func (c *Commands) removeHumanExternalIDP(ctx context.Context, externalIDP *domain.ExternalIDP, cascade bool) (eventstore.EventPusher, *HumanExternalIDPWriteModel, error) { if externalIDP.IsValid() { - return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-3M9ds", "Errors.IDMissing") + return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-3M9ds", "Errors.IDMissing") } existingExternalIDP, err := c.externalIDPWriteModelByID(ctx, externalIDP.AggregateID, externalIDP.IDPConfigID, externalIDP.ExternalUserID, externalIDP.ResourceOwner) if err != nil { - return nil, err + return nil, nil, err } if existingExternalIDP.State == domain.ExternalIDPStateUnspecified || existingExternalIDP.State == domain.ExternalIDPStateRemoved { - return nil, caos_errs.ThrowNotFound(nil, "COMMAND-1M9xR", 
"Errors.User.ExternalIDP.NotFound") + return nil, nil, caos_errs.ThrowNotFound(nil, "COMMAND-1M9xR", "Errors.User.ExternalIDP.NotFound") } userAgg := UserAggregateFromWriteModel(&existingExternalIDP.WriteModel) if cascade { - return user.NewHumanExternalIDPCascadeRemovedEvent(ctx, userAgg, externalIDP.IDPConfigID, externalIDP.ExternalUserID), nil + return user.NewHumanExternalIDPCascadeRemovedEvent(ctx, userAgg, externalIDP.IDPConfigID, externalIDP.ExternalUserID), existingExternalIDP, nil } - return user.NewHumanExternalIDPRemovedEvent(ctx, userAgg, externalIDP.IDPConfigID, externalIDP.ExternalUserID), nil + return user.NewHumanExternalIDPRemovedEvent(ctx, userAgg, externalIDP.IDPConfigID, externalIDP.ExternalUserID), existingExternalIDP, nil } func (c *Commands) HumanExternalLoginChecked(ctx context.Context, orgID, userID string, authRequest *domain.AuthRequest) (err error) { diff --git a/internal/command/user_human_init.go b/internal/command/user_human_init.go index f80f26528f..4916fac724 100644 --- a/internal/command/user_human_init.go +++ b/internal/command/user_human_init.go 
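Review bot: removeHumanExternalIDP returns `Errors.IDMissing` when `externalIDP.IsValid()` is true, which reads as an inverted guard: a complete request would be rejected and an incomplete one passed on to `externalIDPWriteModelByID`. IsValid is not visible here, so its meaning should be confirmed, but the check probably should be `if externalIDP == nil || !externalIDP.IsValid() {`. The nil test is worth having unless IsValid is nil-safe, because RemoveHumanExternalIDP hands the pointer through unchecked.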
@@ -11,20 +11,20 @@ import ( ) //ResendInitialMail resend inital mail and changes email if provided -func (c *Commands) ResendInitialMail(ctx context.Context, userID, email, resourceOwner string) (err error) { +func (c *Commands) ResendInitialMail(ctx context.Context, userID, email, resourceOwner string) (objectDetails *domain.ObjectDetails, err error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2n8vs", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2n8vs", "Errors.User.UserIDMissing") } existingCode, err := c.getHumanInitWriteModelByID(ctx, userID, resourceOwner) if err != nil { - return err + return nil, err } if existingCode.UserState == domain.UserStateUnspecified || existingCode.UserState == domain.UserStateDeleted { - return caos_errs.ThrowNotFound(nil, "COMMAND-2M9df", "Errors.User.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-2M9df", "Errors.User.NotFound") } if existingCode.UserState != domain.UserStateInitial { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M9sd", "Errors.User.AlreadyInitialised") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M9sd", "Errors.User.AlreadyInitialised") } var events []eventstore.EventPusher userAgg := UserAggregateFromWriteModel(&existingCode.WriteModel) 
@@ -34,11 +34,18 @@ func (c *Commands) ResendInitialMail(ctx context.Context, userID, email, resourc } initCode, err := domain.NewInitUserCode(c.initializeUserCode) if err != nil { - return err + return nil, err } events = append(events, user.NewHumanInitialCodeAddedEvent(ctx, userAgg, initCode.Code, initCode.Expiry)) - _, err = c.eventstore.PushEvents(ctx, events...) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, events...) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingCode, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingCode.WriteModel), nil } func (c *Commands) HumanVerifyInitCode(ctx context.Context, userID, resourceOwner, code, passwordString string) error { diff --git a/internal/command/user_human_otp.go b/internal/command/user_human_otp.go index 4f6367d06b..e34d573a85 100644 --- a/internal/command/user_human_otp.go +++ b/internal/command/user_human_otp.go 
@@ -59,28 +59,35 @@ func (c *Commands) AddHumanOTP(ctx context.Context, userID, resourceowner string }, nil } -func (c *Commands) HumanCheckMFAOTPSetup(ctx context.Context, userID, code, userAgentID, resourceowner string) error { +func (c *Commands) HumanCheckMFAOTPSetup(ctx context.Context, userID, code, userAgentID, resourceowner string) (*domain.ObjectDetails, error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-8N9ds", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-8N9ds", "Errors.User.UserIDMissing") } existingOTP, err := c.otpWriteModelByID(ctx, userID, resourceowner) if err != nil { - return err + return nil, err } if existingOTP.State == domain.MFAStateUnspecified || existingOTP.State == domain.MFAStateRemoved { - return caos_errs.ThrowNotFound(nil, "COMMAND-3Mif9s", "Errors.User.MFA.OTP.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3Mif9s", "Errors.User.MFA.OTP.NotExisting") } if existingOTP.State == domain.MFAStateReady { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-qx4ls", "Errors.Users.MFA.OTP.AlreadyReady") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-qx4ls", "Errors.Users.MFA.OTP.AlreadyReady") } if err := domain.VerifyMFAOTP(code, existingOTP.Secret, c.multifactors.OTP.CryptoMFA); err != nil { - return err + return nil, err } userAgg := UserAggregateFromWriteModel(&existingOTP.WriteModel) - _, err = c.eventstore.PushEvents(ctx, user.NewHumanOTPVerifiedEvent(ctx, userAgg, userAgentID)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewHumanOTPVerifiedEvent(ctx, userAgg, userAgentID)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingOTP, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingOTP.WriteModel), nil } func (c *Commands) HumanCheckMFAOTP(ctx context.Context, userID, code, resourceowner string, authRequest *domain.AuthRequest) error { @@ -105,21 +112,28 @@ func (c *Commands) HumanCheckMFAOTP(ctx context.Context, userID, code, resourceo return err } -func (c *Commands) HumanRemoveOTP(ctx context.Context, userID, resourceOwner string) error { +func (c *Commands) HumanRemoveOTP(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-5M0sd", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-5M0sd", "Errors.User.UserIDMissing") } existingOTP, err := c.otpWriteModelByID(ctx, userID, resourceOwner) if err != nil { - return err + return nil, err } if existingOTP.State == domain.MFAStateUnspecified || existingOTP.State == domain.MFAStateRemoved { - return caos_errs.ThrowNotFound(nil, "COMMAND-Hd9sd", "Errors.User.MFA.OTP.NotExisting") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-Hd9sd", "Errors.User.MFA.OTP.NotExisting") } userAgg := UserAggregateFromWriteModel(&existingOTP.WriteModel) - _, err = c.eventstore.PushEvents(ctx, user.NewHumanOTPRemovedEvent(ctx, userAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewHumanOTPRemovedEvent(ctx, userAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingOTP, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingOTP.WriteModel), nil } func (c *Commands) otpWriteModelByID(ctx context.Context, userID, resourceOwner string) (writeModel *HumanOTPWriteModel, err error) { diff --git a/internal/command/user_human_password.go b/internal/command/user_human_password.go index cca6e1d970..1051127132 100644 --- a/internal/command/user_human_password.go 
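Review bot: In HumanCheckMFAOTPSetup the already-ready error uses the key `Errors.Users.MFA.OTP.AlreadyReady`, while every other key in this file section starts with `Errors.User.`. If the translation files follow the `Errors.User.` prefix, which is not visible here, the client receives the raw key instead of a message. Suggested line: `return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-qx4ls", "Errors.User.MFA.OTP.AlreadyReady")`.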
+++ b/internal/command/user_human_password.go @@ -11,13 +11,13 @@ import ( "github.com/caos/zitadel/internal/telemetry/tracing" ) -func (c *Commands) SetOneTimePassword(ctx context.Context, orgID, userID, passwordString string) (err error) { +func (c *Commands) SetOneTimePassword(ctx context.Context, orgID, userID, passwordString string) (objectDetails *domain.ObjectDetails, err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() existingPassword, err := c.passwordWriteModel(ctx, userID, orgID) if err != nil { - return err + return nil, err } password := &domain.Password{ SecretString: passwordString, @@ -26,10 +26,17 @@ func (c *Commands) SetOneTimePassword(ctx context.Context, orgID, userID, passwo userAgg := UserAggregateFromWriteModel(&existingPassword.WriteModel) passwordEvent, err := c.changePassword(ctx, "", password, userAgg, existingPassword) if err != nil { - return err + return nil, err } - _, err = c.eventstore.PushEvents(ctx, passwordEvent) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, passwordEvent) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingPassword, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingPassword.WriteModel), nil } func (c *Commands) SetPassword(ctx context.Context, orgID, userID, code, passwordString, userAgentID string) (err error) { 
@@ -63,23 +70,23 @@ func (c *Commands) SetPassword(ctx context.Context, orgID, userID, code, passwor return err } -func (c *Commands) ChangePassword(ctx context.Context, orgID, userID, oldPassword, newPassword, userAgentID string) (err error) { +func (c *Commands) ChangePassword(ctx context.Context, orgID, userID, oldPassword, newPassword, userAgentID string) (objectDetails *domain.ObjectDetails, err error) { ctx, span := tracing.NewSpan(ctx) defer func() { span.EndWithError(err) }() existingPassword, err := c.passwordWriteModel(ctx, userID, orgID) if err != nil { - return err + return nil, err } if existingPassword.Secret == nil { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Fds3s", "Errors.User.Password.Empty") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Fds3s", "Errors.User.Password.Empty") } ctx, spanPasswordComparison := tracing.NewNamedSpan(ctx, "crypto.CompareHash") err = crypto.CompareHash(existingPassword.Secret, []byte(oldPassword), c.userPasswordAlg) spanPasswordComparison.EndWithError(err) if err != nil { - return caos_errs.ThrowInvalidArgument(nil, "COMMAND-3M0fs", "Errors.User.Password.Invalid") + return nil, caos_errs.ThrowInvalidArgument(nil, "COMMAND-3M0fs", "Errors.User.Password.Invalid") } password := &domain.Password{ SecretString: newPassword, 
@@ -89,10 +96,17 @@ func (c *Commands) ChangePassword(ctx context.Context, orgID, userID, oldPasswor userAgg := UserAggregateFromWriteModel(&existingPassword.WriteModel) eventPusher, err := c.changePassword(ctx, userAgentID, password, userAgg, existingPassword) if err != nil { - return err + return nil, err } - _, err = c.eventstore.PushEvents(ctx, eventPusher) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, eventPusher) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingPassword, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingPassword.WriteModel), nil } func (c *Commands) changePassword(ctx context.Context, userAgentID string, password *domain.Password, userAgg *eventstore.Aggregate, existingPassword *HumanPasswordWriteModel) (event eventstore.EventPusher, err error) { 
@@ -115,24 +129,31 @@ func (c *Commands) changePassword(ctx context.Context, userAgentID string, passw return user.NewHumanPasswordChangedEvent(ctx, userAgg, password.SecretCrypto, password.ChangeRequired, userAgentID), nil } -func (c *Commands) RequestSetPassword(ctx context.Context, userID, resourceOwner string, notifyType domain.NotificationType) (err error) { +func (c *Commands) RequestSetPassword(ctx context.Context, userID, resourceOwner string, notifyType domain.NotificationType) (objectDetails *domain.ObjectDetails, err error) { existingHuman, err := c.userWriteModelByID(ctx, userID, resourceOwner) if err != nil { - return err + return nil, err } if existingHuman.UserState == domain.UserStateUnspecified || existingHuman.UserState == domain.UserStateDeleted { - return caos_errs.ThrowNotFound(nil, "COMMAND-Hj9ds", "Errors.User.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-Hj9ds", "Errors.User.NotFound") } if existingHuman.UserState == domain.UserStateInitial { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M9sd", "Errors.User.NotInitialised") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M9sd", "Errors.User.NotInitialised") } userAgg := UserAggregateFromWriteModel(&existingHuman.WriteModel) passwordCode, err := domain.NewPasswordCode(c.passwordVerificationCode) if err != nil { - return err + return nil, err } - _, err = c.eventstore.PushEvents(ctx, user.NewHumanPasswordCodeAddedEvent(ctx, userAgg, passwordCode.Code, passwordCode.Expiry, notifyType)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewHumanPasswordCodeAddedEvent(ctx, userAgg, passwordCode.Code, passwordCode.Expiry, notifyType)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingHuman, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingHuman.WriteModel), nil } func (c *Commands) PasswordCodeSent(ctx context.Context, orgID, userID string) (err error) { 
diff --git a/internal/command/user_human_phone.go b/internal/command/user_human_phone.go index dbbfa45240..5554055e0c 100644 --- a/internal/command/user_human_phone.go +++ b/internal/command/user_human_phone.go 
@@ -54,59 +54,72 @@ func (c *Commands) ChangeHumanPhone(ctx context.Context, phone *domain.Phone) (* return writeModelToPhone(existingPhone), nil } -func (c *Commands) VerifyHumanPhone(ctx context.Context, userID, code, resourceowner string) error { +func (c *Commands) VerifyHumanPhone(ctx context.Context, userID, code, resourceowner string) (*domain.ObjectDetails, error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Km9ds", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-Km9ds", "Errors.User.UserIDMissing") } if code == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-wMe9f", "Errors.User.Code.Empty") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-wMe9f", "Errors.User.Code.Empty") } existingCode, err := c.phoneWriteModelByID(ctx, userID, resourceowner) if err != nil { - return err + return nil, err } if !existingCode.State.Exists() { - return caos_errs.ThrowNotFound(nil, "COMMAND-Rsj8c", "Errors.User.Code.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-Rsj8c", "Errors.User.Code.NotFound") } userAgg := UserAggregateFromWriteModel(&existingCode.WriteModel) err = crypto.VerifyCode(existingCode.CodeCreationDate, existingCode.CodeExpiry, existingCode.Code, code, c.phoneVerificationCode) if err == nil { - _, err = c.eventstore.PushEvents(ctx, user.NewHumanPhoneVerifiedEvent(ctx, userAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewHumanPhoneVerifiedEvent(ctx, userAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingCode, pushedEvents...) 
+ if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingCode.WriteModel), nil } _, err = c.eventstore.PushEvents(ctx, user.NewHumanPhoneVerificationFailedEvent(ctx, userAgg)) - logging.LogWithFields("COMMAND-5M9ds", "userID", userAgg.ID).OnError(err).Error("NewHumanPhoneVerificationFailedEvent push failed") - return caos_errs.ThrowInvalidArgument(err, "COMMAND-sM0cs", "Errors.User.Code.Invalid") + return nil, caos_errs.ThrowInvalidArgument(err, "COMMAND-sM0cs", "Errors.User.Code.Invalid") } -func (c *Commands) CreateHumanPhoneVerificationCode(ctx context.Context, userID, resourceowner string) error { +func (c *Commands) CreateHumanPhoneVerificationCode(ctx context.Context, userID, resourceowner string) (*domain.ObjectDetails, error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0ds", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-4M0ds", "Errors.User.UserIDMissing") } existingPhone, err := c.phoneWriteModelByID(ctx, userID, resourceowner) if err != nil { - return err + return nil, err } if !existingPhone.State.Exists() { - return caos_errs.ThrowNotFound(nil, "COMMAND-2b7Hf", "Errors.User.Phone.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-2b7Hf", "Errors.User.Phone.NotFound") } if existingPhone.IsPhoneVerified { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M9sf", "Errors.User.Phone.AlreadyVerified") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-2M9sf", "Errors.User.Phone.AlreadyVerified") } phoneCode, err := domain.NewPhoneCode(c.phoneVerificationCode) if err != nil { - return err + return nil, err } userAgg := UserAggregateFromWriteModel(&existingPhone.WriteModel) - _, err = c.eventstore.PushEvents(ctx, user.NewHumanPhoneCodeAddedEvent(ctx, userAgg, phoneCode.Code, phoneCode.Expiry)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewHumanPhoneCodeAddedEvent(ctx, userAgg, phoneCode.Code, 
phoneCode.Expiry)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingPhone, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingPhone.WriteModel), nil } func (c *Commands) HumanPhoneVerificationCodeSent(ctx context.Context, orgID, userID string) (err error) { @@ -123,22 +136,29 @@ func (c *Commands) HumanPhoneVerificationCodeSent(ctx context.Context, orgID, us return err } -func (c *Commands) RemoveHumanPhone(ctx context.Context, userID, resourceOwner string) error { +func (c *Commands) RemoveHumanPhone(ctx context.Context, userID, resourceOwner string) (*domain.ObjectDetails, error) { if userID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6M0ds", "Errors.User.UserIDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6M0ds", "Errors.User.UserIDMissing") } existingPhone, err := c.phoneWriteModelByID(ctx, userID, resourceOwner) if err != nil { - return err + return nil, err } if !existingPhone.State.Exists() { - return caos_errs.ThrowNotFound(nil, "COMMAND-p6rsc", "Errors.User.Phone.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-p6rsc", "Errors.User.Phone.NotFound") } userAgg := UserAggregateFromWriteModel(&existingPhone.WriteModel) - _, err = c.eventstore.PushEvents(ctx, user.NewHumanPhoneRemovedEvent(ctx, userAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewHumanPhoneRemovedEvent(ctx, userAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingPhone, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingPhone.WriteModel), nil } func (c *Commands) phoneWriteModelByID(ctx context.Context, userID, resourceOwner string) (writeModel *HumanPhoneWriteModel, err error) { diff --git a/internal/command/user_human_webauthn.go b/internal/command/user_human_webauthn.go index 1cbf924b8e..5193599eb8 100644 --- a/internal/command/user_human_webauthn.go 
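Review bot: In VerifyHumanPhone the failure branch no longer logs when pushing `NewHumanPhoneVerificationFailedEvent` fails; the `logging.LogWithFields("COMMAND-5M9ds", ...)` line is removed, while VerifyHumanEmail keeps its equivalent. A failed push then surfaces only as the parent of `Errors.User.Code.Invalid`, so a verification attempt that failed and was never recorded leaves no trace for operators. Restore the line: `logging.LogWithFields("COMMAND-5M9ds", "userID", userAgg.ID).OnError(err).Error("NewHumanPhoneVerificationFailedEvent push failed")`.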
+++ b/internal/command/user_human_webauthn.go @@ -152,17 +152,17 @@ func (c *Commands) addHumanWebAuthN(ctx context.Context, userID, resourceowner s return addWebAuthN, userAgg, webAuthN, nil } -func (c *Commands) HumanVerifyU2FSetup(ctx context.Context, userID, resourceowner, tokenName, userAgentID string, credentialData []byte) error { +func (c *Commands) HumanVerifyU2FSetup(ctx context.Context, userID, resourceowner, tokenName, userAgentID string, credentialData []byte) (*domain.ObjectDetails, error) { u2fTokens, err := c.getHumanU2FTokens(ctx, userID, resourceowner) if err != nil { - return err + return nil, err } userAgg, webAuthN, verifyWebAuthN, err := c.verifyHumanWebAuthN(ctx, userID, resourceowner, tokenName, userAgentID, credentialData, u2fTokens) if err != nil { - return err + return nil, err } - _, err = c.eventstore.PushEvents(ctx, + pushedEvents, err := c.eventstore.PushEvents(ctx, usr_repo.NewHumanU2FVerifiedEvent( ctx, userAgg, 
@@ -175,20 +175,27 @@ func (c *Commands) HumanVerifyU2FSetup(ctx context.Context, userID, resourceowne webAuthN.SignCount, ), ) - return err + if err != nil { + return nil, err + } + err = AppendAndReduce(verifyWebAuthN, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&verifyWebAuthN.WriteModel), nil } -func (c *Commands) HumanHumanPasswordlessSetup(ctx context.Context, userID, resourceowner, tokenName, userAgentID string, credentialData []byte) error { +func (c *Commands) HumanHumanPasswordlessSetup(ctx context.Context, userID, resourceowner, tokenName, userAgentID string, credentialData []byte) (*domain.ObjectDetails, error) { u2fTokens, err := c.getHumanPasswordlessTokens(ctx, userID, resourceowner) if err != nil { - return err + return nil, err } userAgg, webAuthN, verifyWebAuthN, err := c.verifyHumanWebAuthN(ctx, userID, resourceowner, tokenName, userAgentID, credentialData, u2fTokens) if err != nil { - return err + return nil, err } - _, err = c.eventstore.PushEvents(ctx, + pushedEvents, err := c.eventstore.PushEvents(ctx, usr_repo.NewHumanPasswordlessVerifiedEvent( ctx, userAgg, @@ -201,7 +208,14 @@ func (c *Commands) HumanHumanPasswordlessSetup(ctx context.Context, userID, reso webAuthN.SignCount, ), ) - return err + if err != nil { + return nil, err + } + err = AppendAndReduce(verifyWebAuthN, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&verifyWebAuthN.WriteModel), nil } func (c *Commands) verifyHumanWebAuthN(ctx context.Context, userID, resourceowner, tokenName, userAgentID string, credentialData []byte, tokens []*domain.WebAuthNToken) (*eventstore.Aggregate, *domain.WebAuthNToken, *HumanWebAuthNWriteModel, error) { 
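Review bot: In HumanHumanPasswordlessSetup the local `u2fTokens` holds the result of `c.getHumanPasswordlessTokens`, so the name describes the wrong credential type in the code that verifies a passwordless registration. Since these lines are being touched anyway, rename it: `passwordlessTokens, err := c.getHumanPasswordlessTokens(ctx, userID, resourceowner)`, and pass `passwordlessTokens` to `verifyHumanWebAuthN`. The exported method also has no doc comment; now that it returns `*domain.ObjectDetails`, add one line saying that the details are taken from the reduced write model.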
@@ -402,32 +416,39 @@ func (c *Commands) finishWebAuthNLogin(ctx context.Context, userID, resourceOwne return userAgg, token, signCount, nil } -func (c *Commands) HumanRemoveU2F(ctx context.Context, userID, webAuthNID, resourceOwner string) error { +func (c *Commands) HumanRemoveU2F(ctx context.Context, userID, webAuthNID, resourceOwner string) (*domain.ObjectDetails, error) { event := usr_repo.PrepareHumanU2FRemovedEvent(ctx, webAuthNID) return c.removeHumanWebAuthN(ctx, userID, webAuthNID, resourceOwner, event) } -func (c *Commands) HumanRemovePasswordless(ctx context.Context, userID, webAuthNID, resourceOwner string) error { +func (c *Commands) HumanRemovePasswordless(ctx context.Context, userID, webAuthNID, resourceOwner string) (*domain.ObjectDetails, error) { event := usr_repo.PrepareHumanPasswordlessRemovedEvent(ctx, webAuthNID) return c.removeHumanWebAuthN(ctx, userID, webAuthNID, resourceOwner, event) } -func (c *Commands) removeHumanWebAuthN(ctx context.Context, userID, webAuthNID, resourceOwner string, preparedEvent func(*eventstore.Aggregate) eventstore.EventPusher) error { +func (c *Commands) removeHumanWebAuthN(ctx context.Context, userID, webAuthNID, resourceOwner string, preparedEvent func(*eventstore.Aggregate) eventstore.EventPusher) (*domain.ObjectDetails, error) { if userID == "" || webAuthNID == "" { - return caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6M9de", "Errors.IDMissing") + return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-6M9de", "Errors.IDMissing") } existingWebAuthN, err := c.webauthNWriteModelByID(ctx, userID, webAuthNID, resourceOwner) if err != nil { - return err + return nil, err } if existingWebAuthN.State == domain.MFAStateUnspecified || existingWebAuthN.State == domain.MFAStateRemoved { - return caos_errs.ThrowNotFound(nil, "COMMAND-2M9ds", "Errors.User.ExternalIDP.NotFound") + return nil, caos_errs.ThrowNotFound(nil, "COMMAND-2M9ds", "Errors.User.ExternalIDP.NotFound") } userAgg := 
UserAggregateFromWriteModel(&existingWebAuthN.WriteModel) - _, err = c.eventstore.PushEvents(ctx, preparedEvent(userAgg)) - return err + pushedEvents, err := c.eventstore.PushEvents(ctx, preparedEvent(userAgg)) + if err != nil { + return nil, err + } + err = AppendAndReduce(existingWebAuthN, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&existingWebAuthN.WriteModel), nil } func (c *Commands) webauthNWriteModelByID(ctx context.Context, userID, webAuthNID, resourceOwner string) (writeModel *HumanWebAuthNWriteModel, err error) { diff --git a/internal/command/user_machine_key.go b/internal/command/user_machine_key.go index 2333dd87c9..6586ccc418 100644 --- a/internal/command/user_machine_key.go +++ b/internal/command/user_machine_key.go 
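Review bot: The not-found branch of removeHumanWebAuthN still returns `"Errors.User.ExternalIDP.NotFound"` when the WebAuthN token is unspecified or already removed, which looks like a leftover from the external-IDP command. A client removing a U2F or passwordless token would be told that an external IDP link is missing. Since the line is rewritten in this hunk, switch it to a WebAuthN-specific message key, e.g. `caos_errs.ThrowNotFound(nil, "COMMAND-2M9ds", "Errors.User.<WEBAUTHN_NOT_FOUND_KEY>")`, where the placeholder stands for whatever key the message catalogue defines.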
@@ -53,18 +53,25 @@ func (c *Commands) AddUserMachineKey(ctx context.Context, machineKey *domain.Mac return key, nil } -func (c *Commands) RemoveUserMachineKey(ctx context.Context, userID, keyID, resourceOwner string) error { +func (c *Commands) RemoveUserMachineKey(ctx context.Context, userID, keyID, resourceOwner string) (*domain.ObjectDetails, error) { keyWriteModel, err := c.machineKeyWriteModelByID(ctx, userID, keyID, resourceOwner) if err != nil { - return err + return nil, err } if !keyWriteModel.Exists() { - return errors.ThrowNotFound(nil, "COMMAND-4m77G", "Errors.User.Machine.Key.NotFound") + return nil, errors.ThrowNotFound(nil, "COMMAND-4m77G", "Errors.User.Machine.Key.NotFound") } - _, err = c.eventstore.PushEvents(ctx, + pushedEvents, err := c.eventstore.PushEvents(ctx, user.NewMachineKeyRemovedEvent(ctx, UserAggregateFromWriteModel(&keyWriteModel.WriteModel), keyID)) - return err + if err != nil { + return nil, err + } + err = AppendAndReduce(keyWriteModel, pushedEvents...) + if err != nil { + return nil, err + } + return writeModelToObjectDetails(&keyWriteModel.WriteModel), nil } func (c *Commands) machineKeyWriteModelByID(ctx context.Context, userID, keyID, resourceOwner string) (writeModel *MachineKeyWriteModel, err error) { diff --git a/internal/domain/application.go b/internal/domain/application.go index 1f6125a62c..4d7e32b999 100644 --- a/internal/domain/application.go +++ b/internal/domain/application.go @@ -4,6 +4,9 @@ type Application interface { GetAppID() string GetApplicationName() string GetState() AppState + //GetSequence() uint64 + //GetChangeDate() time.Time + //GetResourceOwner() string } type AppState int32 diff --git a/internal/domain/machine_key.go b/internal/domain/machine_key.go index e0dbdf4c37..c3583bc006 100644 --- a/internal/domain/machine_key.go +++ b/internal/domain/machine_key.go 
@@ -1,8 +1,10 @@ package domain import ( + "encoding/json" "time" + "github.com/caos/zitadel/internal/errors" "github.com/caos/zitadel/internal/eventstore/v1/models" ) @@ -32,6 +34,27 @@ func (key *MachineKey) setExpirationDate(expiration time.Time) { key.ExpirationDate = expiration } +func (key *MachineKey) Detail() ([]byte, error) { + if key.Type == AuthNKeyTypeJSON { + return key.MarshalJSON() + } + return nil, errors.ThrowPreconditionFailed(nil, "KEY-dsg52", "Errors.Internal") +} + +func (key *MachineKey) MarshalJSON() ([]byte, error) { + return json.Marshal(struct { + Type string `json:"type"` + KeyID string `json:"keyId"` + Key string `json:"key"` + UserID string `json:"userId"` + }{ + Type: "serviceaccount", + KeyID: key.KeyID, + Key: string(key.PrivateKey), + UserID: key.AggregateID, + }) +} + type MachineKeyState int32 const ( diff --git a/internal/domain/object.go b/internal/domain/object.go new file mode 100644 index 0000000000..e53a8571ab --- /dev/null +++ b/internal/domain/object.go @@ -0,0 +1,9 @@ +package domain + +import "time" + +type ObjectDetails struct { + Sequence uint64 + ChangeDate time.Time + ResourceOwner string +} diff --git a/internal/management/repository/project.go b/internal/management/repository/project.go index 67685996d7..c91f8b3d6d 100644 --- a/internal/management/repository/project.go +++ b/internal/management/repository/project.go 
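Review bot: Defining `MarshalJSON` on `*MachineKey` makes every `json.Marshal` of a machine key emit `string(key.PrivateKey)`, not only the explicit `Detail()` call. Any path that JSON-encodes the domain object (structured logging, an API or debug response, a cache) would then carry the private key; whether such a path exists is not visible in this hunk. Prefer a method that does not satisfy `json.Marshaler`, for example renaming it to `func (key *MachineKey) keyFileJSON() ([]byte, error)` and calling that from `Detail()`. `Detail()` could also reject an empty key with `if len(key.PrivateKey) == 0 { return nil, errors.ThrowPreconditionFailed(...) }` instead of producing a key file whose `key` is `""`.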
@@ -26,7 +26,7 @@ type ProjectRepository interface { ApplicationByID(ctx context.Context, projectID, appID string) (*model.ApplicationView, error) SearchApplications(ctx context.Context, request *model.ApplicationSearchRequest) (*model.ApplicationSearchResponse, error) - ApplicationChanges(ctx context.Context, id string, secId string, lastSequence uint64, limit uint64, sortAscending bool) (*model.ApplicationChanges, error) + ApplicationChanges(ctx context.Context, projectID string, appID string, lastSequence uint64, limit uint64, sortAscending bool) (*model.ApplicationChanges, error) SearchClientKeys(ctx context.Context, request *key_model.AuthNKeySearchRequest) (*key_model.AuthNKeySearchResponse, error) GetClientKey(ctx context.Context, projectID, applicationID, keyID string) (*key_model.AuthNKeyView, error) diff --git a/internal/protoc/protoc-base/protoc_helper.go b/internal/protoc/protoc-base/protoc_helper.go index c664a53d68..ecf9150c83 100644 --- a/internal/protoc/protoc-base/protoc_helper.go +++ b/internal/protoc/protoc-base/protoc_helper.go @@ -22,7 +22,7 @@ type ProtocGenerator interface { } func (f GeneratorFunc) Generate(target string, registry *descriptor.Registry, file *descriptor.File) (string, string, error) { - return f(target, registry, file) + return f(target, registry, file) //TODO: in my opinion we should use file.GoPkg here analog https://github.com/grpc-ecosystem/grpc-gateway/blob/0cc2680a4990244dcc7602bad34fef935310c0e8/protoc-gen-grpc-gateway/internal/gengateway/generator.go#L111 } func parseReq(r io.Reader) (*plugin.CodeGeneratorRequest, error) { diff --git a/internal/protoc/protoc-gen-authoption/authoption/generate.go b/internal/protoc/protoc-gen-authoption/authoption/generate.go index 55f6b5dab4..24ab586e35 100644 --- a/internal/protoc/protoc-gen-authoption/authoption/generate.go +++ b/internal/protoc/protoc-gen-authoption/authoption/generate.go 
@@ -1,3 +1,3 @@ package authoption -//go:generate protoc -I. -I$GOPATH/src --go_out=plugins=grpc:$GOPATH/src options.proto +//go:generate protoc -I. -I$GOPATH/src --go-grpc_out=plugins=grpc:$GOPATH/src options.proto diff --git a/internal/protoc/protoc-gen-authoption/authoption/options.pb.go b/internal/protoc/protoc-gen-authoption/authoption/options.pb.go deleted file mode 100644 index 159df24947..0000000000 --- a/internal/protoc/protoc-gen-authoption/authoption/options.pb.go +++ /dev/null 
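Review bot: The new directive passes `plugins=grpc` to `--go-grpc_out`, but as far as I know that parameter belongs to the old `protoc-gen-go` and `protoc-gen-go-grpc` only emits service stubs. options.proto declares the `AuthOption` message and the `auth_option` extension (see the deleted options.pb.go), so this directive would not regenerate them and may fail on the unknown parameter. If the directive is still meant to work, it likely needs the message generator, e.g. `//go:generate protoc -I. -I$GOPATH/src --go_out=$GOPATH/src options.proto`. Otherwise drop it in favour of the dockerfile build.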
@@ -1,105 +0,0 @@ -// Code generated by protoc-gen-go. DO NOT EDIT. -// source: options.proto - -package authoption - -import ( - fmt "fmt" - proto "github.com/golang/protobuf/proto" - descriptor "github.com/golang/protobuf/protoc-gen-go/descriptor" - math "math" -) - -// Reference imports to suppress errors if they are not otherwise used. -var _ = proto.Marshal -var _ = fmt.Errorf -var _ = math.Inf - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the proto package it is being compiled against. -// A compilation error at this line likely means your copy of the -// proto package needs to be updated. -const _ = proto.ProtoPackageIsVersion3 // please upgrade the proto package - -type AuthOption struct { - Permission string `protobuf:"bytes,1,opt,name=permission,proto3" json:"permission,omitempty"` - CheckFieldName string `protobuf:"bytes,2,opt,name=check_field_name,json=checkFieldName,proto3" json:"check_field_name,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *AuthOption) Reset() { *m = AuthOption{} } -func (m *AuthOption) String() string { return proto.CompactTextString(m) } -func (*AuthOption) ProtoMessage() {} -func (*AuthOption) Descriptor() ([]byte, []int) { - return fileDescriptor_110d40819f1994f9, []int{0} -} - -func (m *AuthOption) XXX_Unmarshal(b []byte) error { - return xxx_messageInfo_AuthOption.Unmarshal(m, b) -} -func (m *AuthOption) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - return xxx_messageInfo_AuthOption.Marshal(b, m, deterministic) -} -func (m *AuthOption) XXX_Merge(src proto.Message) { - xxx_messageInfo_AuthOption.Merge(m, src) -} -func (m *AuthOption) XXX_Size() int { - return xxx_messageInfo_AuthOption.Size(m) -} -func (m *AuthOption) XXX_DiscardUnknown() { - xxx_messageInfo_AuthOption.DiscardUnknown(m) -} - -var xxx_messageInfo_AuthOption proto.InternalMessageInfo - -func (m *AuthOption) 
GetPermission() string { - if m != nil { - return m.Permission - } - return "" -} - -func (m *AuthOption) GetCheckFieldName() string { - if m != nil { - return m.CheckFieldName - } - return "" -} - -var E_AuthOption = &proto.ExtensionDesc{ - ExtendedType: (*descriptor.MethodOptions)(nil), - ExtensionType: (*AuthOption)(nil), - Field: 50000, - Name: "caos.zitadel.utils.v1.auth_option", - Tag: "bytes,50000,opt,name=auth_option", - Filename: "options.proto", -} - -func init() { - proto.RegisterType((*AuthOption)(nil), "caos.zitadel.utils.v1.AuthOption") - proto.RegisterExtension(E_AuthOption) -} - -func init() { proto.RegisterFile("options.proto", fileDescriptor_110d40819f1994f9) } - -var fileDescriptor_110d40819f1994f9 = []byte{ - // 252 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x6c, 0x8f, 0x31, 0x4b, 0xc5, 0x30, - 0x14, 0x85, 0x79, 0x0a, 0x82, 0x79, 0x28, 0x52, 0x10, 0x8a, 0x83, 0x54, 0xa7, 0x2e, 0xef, 0x06, - 0x75, 0x73, 0xd3, 0x41, 0x44, 0x50, 0xe1, 0x0d, 0x0e, 0x2e, 0x25, 0x4d, 0xef, 0x6b, 0x83, 0x6d, - 0x6e, 0x49, 0x6e, 0x1c, 0xfc, 0x01, 0xfe, 0x3e, 0x7f, 0x92, 0x34, 0xa9, 0x3e, 0x07, 0xa7, 0x5c, - 0x0e, 0xe7, 0x9c, 0x7c, 0x47, 0x1c, 0xd0, 0xc8, 0x86, 0xac, 0x87, 0xd1, 0x11, 0x53, 0x76, 0xac, - 0x15, 0x79, 0xf8, 0x30, 0xac, 0x1a, 0xec, 0x21, 0xb0, 0xe9, 0x3d, 0xbc, 0x5f, 0x9c, 0x14, 0x2d, - 0x51, 0xdb, 0xa3, 0x8c, 0xa6, 0x3a, 0x6c, 0x64, 0x83, 0x5e, 0x3b, 0x33, 0x32, 0xb9, 0x14, 0x3c, - 0x7f, 0x11, 0xe2, 0x26, 0x70, 0xf7, 0x1c, 0xdb, 0xb2, 0x53, 0x21, 0x46, 0x74, 0x83, 0xf1, 0xde, - 0x90, 0xcd, 0x17, 0xc5, 0xa2, 0xdc, 0x5f, 0xff, 0x51, 0xb2, 0x52, 0x1c, 0xe9, 0x0e, 0xf5, 0x5b, - 0xb5, 0x31, 0xd8, 0x37, 0x95, 0x55, 0x03, 0xe6, 0x3b, 0xd1, 0x75, 0x18, 0xf5, 0xbb, 0x49, 0x7e, - 0x52, 0x03, 0x5e, 0x37, 0x62, 0xa9, 0x02, 0x77, 0x15, 0xcd, 0xc5, 0x90, 0x48, 0xe0, 0x87, 0x04, - 0x1e, 0x91, 0x3b, 0x6a, 0xd2, 0xbf, 0x3e, 0xff, 0xfa, 0xdc, 0x2d, 0x16, 0xe5, 0xf2, 0xf2, 0x0c, - 0xfe, 0x1d, 0x02, 0x5b, 0xc6, 0xb5, 
0x50, 0xbf, 0xf7, 0xed, 0xc3, 0xeb, 0x7d, 0x6b, 0xb8, 0x0b, - 0x35, 0x68, 0x1a, 0xe4, 0x14, 0x95, 0x73, 0x54, 0x1a, 0xcb, 0xe8, 0xac, 0xea, 0xd3, 0x76, 0x3d, - 0x3f, 0xab, 0x16, 0xed, 0x6a, 0x2a, 0x48, 0x5c, 0x72, 0x7b, 0xd6, 0x7b, 0xd1, 0x71, 0xf5, 0x1d, - 0x00, 0x00, 0xff, 0xff, 0xd2, 0xa7, 0xf7, 0xca, 0x5a, 0x01, 0x00, 0x00, -} diff --git a/internal/protoc/protoc-gen-authoption/generate.go b/internal/protoc/protoc-gen-authoption/generate.go index e07d52c3dc..3278b63e6f 100644 --- a/internal/protoc/protoc-gen-authoption/generate.go +++ b/internal/protoc/protoc-gen-authoption/generate.go @@ -1,4 +1,4 @@ package main -//go:generate go-bindata -pkg main -o templates.go templates +//go:generate go-bindata -pkg main -o templates.gen.go templates //go:generate go install diff --git a/internal/protoc/protoc-gen-authoption/templates.go b/internal/protoc/protoc-gen-authoption/templates.go deleted file mode 100644 index 80828012b1..0000000000 --- a/internal/protoc/protoc-gen-authoption/templates.go +++ /dev/null 
@@ -1,237 +0,0 @@ -// Code generated by go-bindata. -// sources: -// templates/auth_method_mapping.go.tmpl -// DO NOT EDIT! - -package main - -import ( - "bytes" - "compress/gzip" - "fmt" - "io" - "io/ioutil" - "os" - "path/filepath" - "strings" - "time" -) - -func bindataRead(data []byte, name string) ([]byte, error) { - gz, err := gzip.NewReader(bytes.NewBuffer(data)) - if err != nil { - return nil, fmt.Errorf("Read %q: %v", name, err) - } - - var buf bytes.Buffer - _, err = io.Copy(&buf, gz) - clErr := gz.Close() - - if err != nil { - return nil, fmt.Errorf("Read %q: %v", name, err) - } - if clErr != nil { - return nil, err - } - - return buf.Bytes(), nil -} - -type asset struct { - bytes []byte - info os.FileInfo -} - -type bindataFileInfo struct { - name string - size int64 - mode os.FileMode - modTime time.Time -} - -func (fi bindataFileInfo) Name() string { - return fi.name -} -func (fi bindataFileInfo) Size() int64 { - return fi.size -} -func (fi bindataFileInfo) Mode() os.FileMode { - return fi.mode -} -func (fi bindataFileInfo) ModTime() time.Time { - return fi.modTime -} -func (fi bindataFileInfo) IsDir() bool { - return false -} -func (fi bindataFileInfo) Sys() interface{} { - return nil -} - -var _templatesAuth_method_mappingGoTmpl = 
[]byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x8c\x92\x4f\x6f\xdc\x2c\x10\xc6\xcf\x2f\x9f\x62\x84\x7c\x78\xbb\x4a\x40\xbd\xae\xb4\x87\x2a\x69\xaa\x1e\x92\xb5\xd4\xdc\x23\x62\x26\x18\xad\xf9\x23\x60\xb7\x6d\x10\xdf\xbd\x02\x7b\x1b\x6f\x5b\x55\xe5\x04\xe6\x99\x67\x9e\xf9\x19\xce\xe1\xc6\x49\x04\x85\x16\x83\x48\x28\xe1\xf9\x3b\xf8\xe0\x92\x1b\xae\x15\xda\x6b\x71\x4c\xa3\xc1\x34\x3a\xc9\xe0\x76\x0f\x0f\xfb\x47\xf8\x78\xfb\xf9\x91\x11\xe2\xc5\x70\x10\x0a\x21\x67\x76\xa7\x27\x64\x9f\x5c\x7f\x50\xec\x41\x18\x2c\x85\x10\xa2\x8d\x77\x21\xc1\xff\x04\x00\x80\x2a\xe7\xd4\x84\x4c\xb9\x49\x58\xc5\x5c\x50\x5c\x05\x3f\xd0\x76\x49\xfe\xa3\x4a\xa7\xf1\xf8\xcc\x06\x67\xf8\x20\x5c\xe4\xaf\x3a\x09\x89\x13\xd7\x36\x61\xb0\x62\xe2\xc2\x6b\x5e\xa3\xbc\xd2\x7f\x55\x57\x7f\x1e\x31\x9c\x30\x70\xa3\xa5\x9c\xf0\xab\x08\x48\xc9\x3b\x42\x72\x86\x20\xac\x42\xe8\x22\x6c\x77\x30\xc7\xff\x82\xe1\xa4\x07\x8c\x50\xd3\xf3\xcd\x86\xc0\x06\x72\xee\xe2\x79\x22\xd8\x70\x42\x06\x67\x63\x5a\x7f\x7e\xba\x6f\x6c\xfa\x80\x2f\xfa\x1b\xec\x80\xe6\xdc\xcd\x7e\xfd\x8c\xa7\x14\xb6\x92\x53\x42\x4e\x22\x5c\x18\x7c\x38\xa6\x71\x36\x89\xb0\x83\x36\x23\x9b\xcf\xf7\xc2\x7b\x6d\x15\xe4\x46\xe9\x2d\xb4\xa9\xa1\xbb\xb8\xa8\x6a\xb4\x65\xe5\x0c\x9d\xa9\x7e\x7b\x9f\xaa\xc6\xf9\xa4\x9d\x85\xce\xb0\x7d\xdb\x45\xa0\x95\x17\x5b\x78\xb1\x63\xd2\x53\x64\xa7\xf7\xac\x76\x7d\x9a\xd5\x14\x2e\x0d\xf5\x0b\x08\x2b\x57\xbe\x3f\x77\xac\xc7\x60\x74\x8c\xb5\xc5\xaa\xa6\xfd\x6e\xfe\x77\x0c\x3c\xe7\x33\x90\xed\x32\xf2\x9c\x30\x5f\xd8\xd4\xf5\xd6\x64\xdb\xe0\xfe\xa1\x7b\x29\xf4\xea\xb7\xba\x9b\x11\x87\x43\x2f\x82\x30\xbf\xd4\xb5\x8b\x3b\x8d\x93\x5c\x12\x5c\xd6\x96\xab\xd5\xf4\x68\xcf\x78\x73\x86\xf9\x50\xda\xf3\x41\x2b\xa1\x94\x1f\x01\x00\x00\xff\xff\xf7\x3b\xde\xd5\x3c\x03\x00\x00") - -func templatesAuth_method_mappingGoTmplBytes() ([]byte, error) { - return bindataRead( - _templatesAuth_method_mappingGoTmpl, - "templates/auth_method_mapping.go.tmpl", - ) -} - -func templatesAuth_method_mappingGoTmpl() (*asset, error) { - bytes, err := 
templatesAuth_method_mappingGoTmplBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "templates/auth_method_mapping.go.tmpl", size: 828, mode: os.FileMode(420), modTime: time.Unix(1594709815, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - -// Asset loads and returns the asset for the given name. -// It returns an error if the asset could not be found or -// could not be loaded. -func Asset(name string) ([]byte, error) { - cannonicalName := strings.Replace(name, "\\", "/", -1) - if f, ok := _bindata[cannonicalName]; ok { - a, err := f() - if err != nil { - return nil, fmt.Errorf("Asset %s can't read by error: %v", name, err) - } - return a.bytes, nil - } - return nil, fmt.Errorf("Asset %s not found", name) -} - -// MustAsset is like Asset but panics when Asset would return an error. -// It simplifies safe initialization of global variables. -func MustAsset(name string) []byte { - a, err := Asset(name) - if err != nil { - panic("asset: Asset(" + name + "): " + err.Error()) - } - - return a -} - -// AssetInfo loads and returns the asset info for the given name. -// It returns an error if the asset could not be found or -// could not be loaded. -func AssetInfo(name string) (os.FileInfo, error) { - cannonicalName := strings.Replace(name, "\\", "/", -1) - if f, ok := _bindata[cannonicalName]; ok { - a, err := f() - if err != nil { - return nil, fmt.Errorf("AssetInfo %s can't read by error: %v", name, err) - } - return a.info, nil - } - return nil, fmt.Errorf("AssetInfo %s not found", name) -} - -// AssetNames returns the names of the assets. -func AssetNames() []string { - names := make([]string, 0, len(_bindata)) - for name := range _bindata { - names = append(names, name) - } - return names -} - -// _bindata is a table, holding each asset generator, mapped to its name. 
-var _bindata = map[string]func() (*asset, error){ - "templates/auth_method_mapping.go.tmpl": templatesAuth_method_mappingGoTmpl, -} - -// AssetDir returns the file names below a certain -// directory embedded in the file by go-bindata. -// For example if you run go-bindata on data/... and data contains the -// following hierarchy: -// data/ -// foo.txt -// img/ -// a.png -// b.png -// then AssetDir("data") would return []string{"foo.txt", "img"} -// AssetDir("data/img") would return []string{"a.png", "b.png"} -// AssetDir("foo.txt") and AssetDir("notexist") would return an error -// AssetDir("") will return []string{"data"}. -func AssetDir(name string) ([]string, error) { - node := _bintree - if len(name) != 0 { - cannonicalName := strings.Replace(name, "\\", "/", -1) - pathList := strings.Split(cannonicalName, "/") - for _, p := range pathList { - node = node.Children[p] - if node == nil { - return nil, fmt.Errorf("Asset %s not found", name) - } - } - } - if node.Func != nil { - return nil, fmt.Errorf("Asset %s not found", name) - } - rv := make([]string, 0, len(node.Children)) - for childName := range node.Children { - rv = append(rv, childName) - } - return rv, nil -} - -type bintree struct { - Func func() (*asset, error) - Children map[string]*bintree -} -var _bintree = &bintree{nil, map[string]*bintree{ - "templates": &bintree{nil, map[string]*bintree{ - "auth_method_mapping.go.tmpl": &bintree{templatesAuth_method_mappingGoTmpl, map[string]*bintree{}}, - }}, -}} - -// RestoreAsset restores an asset under the given directory -func RestoreAsset(dir, name string) error { - data, err := Asset(name) - if err != nil { - return err - } - info, err := AssetInfo(name) - if err != nil { - return err - } - err = os.MkdirAll(_filePath(dir, filepath.Dir(name)), os.FileMode(0755)) - if err != nil { - return err - } - err = ioutil.WriteFile(_filePath(dir, name), data, info.Mode()) - if err != nil { - return err - } - err = os.Chtimes(_filePath(dir, name), info.ModTime(), 
info.ModTime()) - if err != nil { - return err - } - return nil -} - -// RestoreAssets restores an asset under the given directory recursively -func RestoreAssets(dir, name string) error { - children, err := AssetDir(name) - // File - if err != nil { - return RestoreAsset(dir, name) - } - // Dir - for _, child := range children { - err = RestoreAssets(dir, filepath.Join(name, child)) - if err != nil { - return err - } - } - return nil -} - -func _filePath(dir, name string) string { - cannonicalName := strings.Replace(name, "\\", "/", -1) - return filepath.Join(append([]string{dir}, strings.Split(cannonicalName, "/")...)...) -} - diff --git a/internal/protoc/protoc-gen-authoption/templates/auth_method_mapping.go.tmpl b/internal/protoc/protoc-gen-authoption/templates/auth_method_mapping.go.tmpl index dfd890b5a3..0f54c222e3 100644 --- a/internal/protoc/protoc-gen-authoption/templates/auth_method_mapping.go.tmpl +++ b/internal/protoc/protoc-gen-authoption/templates/auth_method_mapping.go.tmpl @@ -20,7 +20,7 @@ const {{$s.Name}}_MethodPrefix = "{{$.File.Package}}.{{$s.Name}}" var {{$s.Name}}_AuthMethods = authz.MethodMapping { {{ range $m := $s.Method}} - {{ $mAuthOpt := option $m.Options "caos.zitadel.utils.v1.auth_option" }} + {{ $mAuthOpt := option $m.Options "zitadel.v1.auth_option" }} {{ if and $mAuthOpt $mAuthOpt.Permission }} "/{{$.File.Package}}.{{$s.Name}}/{{.Name}}": authz.Option{ Permission: "{{$mAuthOpt.Permission}}", diff --git a/internal/test/filled_checker.go b/internal/test/filled_checker.go new file mode 100644 index 0000000000..f889f3635b --- /dev/null +++ b/internal/test/filled_checker.go 
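Review bot: The template silently skips any method for which `option $m.Options "zitadel.v1.auth_option"` returns nothing, because the entry is only written inside `{{ if and $mAuthOpt $mAuthOpt.Permission }}`. After this rename, a proto file that still uses the old `caos.zitadel.utils.v1.auth_option` extension would generate an `AuthMethods` map with those methods missing, and no build error. How the authz interceptor treats an unmapped method is not visible here, so confirm that it denies rather than allows. At minimum, add a template comment next to the lookup, e.g. `{{/* methods without zitadel.v1.auth_option get no entry in AuthMethods */}}`, and check the generated mappings against the service method lists.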
@@ -0,0 +1,168 @@ +package test + +import ( + "reflect" + "sort" + "strings" +) + +//testingT is a wrapper for testing.T +// +// this wrapper is needed for internal testing +type testingT interface { + Errorf(format string, args ...interface{}) + Helper() +} + +func AssertFieldsMapped(t testingT, object interface{}, ignoreFields ...string) (failed bool) { + t.Helper() + val := reflect.ValueOf(object) + + fields := BuildList(val) + + notEmptyFields := validateEmptyFields(fields, ignoreFields) + if len(notEmptyFields) > 0 { + sort.Strings(notEmptyFields) + t.Errorf("expected fields are not empty:\n\t%s\n", strings.Join(notEmptyFields, ",\n\t")) + } + + notFilledFields := validateFilledFields(fields) + if len(notFilledFields) > 0 { + sort.Strings(notFilledFields) + t.Errorf("unexpected empty fields:\n\t%s\n", strings.Join(notFilledFields, ",\n\t")) + } + + return len(notEmptyFields) > 0 || len(notFilledFields) > 0 +} + +func BuildList(val reflect.Value) map[string]bool { + if val.Kind() == reflect.Ptr { + if val.IsNil() { + return nil + } + val = reflect.Indirect(val) + } + + fields := map[string]bool{} + + for i := 0; i < val.NumField(); i++ { + if !isPublicField(val.Type().Field(i).Name) { + continue + } + + if val.Field(i).Kind() == reflect.Struct || val.Field(i).Kind() == reflect.Ptr { + fieldName := val.Type().Field(i).Name + fields[fieldName] = false + subFields := BuildList(val.Field(i)) + for k, v := range subFields { + fields[fieldName+"."+k] = v + fields[fieldName] = fields[val.Type().Field(i).Name] || v + } + if len(subFields) == 0 && + ((val.Field(i).Kind() == reflect.Ptr && !val.Field(i).IsNil()) || + val.Field(i).Kind() == reflect.Struct && !val.Field(i).IsZero()) { + + fields[fieldName] = true + } + } else { + fields[val.Type().Field(i).Name] = isFieldFilled(val.Field(i)) + } + } + + return fields +} + +func isPublicField(fieldName string) bool { + return fieldName[0] >= 'A' && fieldName[0] <= 'Z' +} + +func isFieldFilled(val reflect.Value) bool { + if 
isLengthMeasurable(val) { + switch val.Kind() { + case reflect.Slice: + if val.IsNil() { + return false + } + fallthrough + case reflect.Array: + if val.Len() == 0 { + return false + } + for i := 0; i < val.Len(); i++ { + if val.Index(i).IsZero() { + return false + } + } + return true + case reflect.Map: + if val.Len() == 0 { + return false + } + for _, key := range val.MapKeys() { + if val.MapIndex(key).IsZero() { + return false + } + } + return true + } + } + + return !val.IsZero() +} + +func isLengthMeasurable(val reflect.Value) bool { + return val.Kind() == reflect.Slice || + val.Kind() == reflect.Array || + val.Kind() == reflect.Map +} + +func validateEmptyFields(fields map[string]bool, emptyFields []string) (notEmptyFields []string) { + for _, emptyField := range emptyFields { + isFilled := fields[emptyField] + subs := subFields(fields, emptyField) + if isFilled { + filledFields := filledSubFields(fields, subs) + if len(filledFields) == 0 { + filledFields = append(filledFields, emptyField) + } + notEmptyFields = append(notEmptyFields, filledFields...) 
+ } + fields = removeFields(fields, append([]string{emptyField}, subs...)) + } + return notEmptyFields +} + +func filledSubFields(fields map[string]bool, subFields []string) (filledSubs []string) { + for _, subField := range subFields { + if fields[subField] { + filledSubs = append(filledSubs, subField) + } + } + return filledSubs +} + +func subFields(fields map[string]bool, parentName string) (subs []string) { + for fieldName := range fields { + if strings.HasPrefix(fieldName, parentName+".") { + subs = append(subs, fieldName) + } + } + return subs +} + +func removeFields(fields map[string]bool, fieldNames []string) map[string]bool { + for _, fieldName := range fieldNames { + delete(fields, fieldName) + } + return fields +} + +func validateFilledFields(fields map[string]bool) (emptyFields []string) { + for fieldName, isFilled := range fields { + if !isFilled { + emptyFields = append(emptyFields, fieldName) + } + } + + return emptyFields +} diff --git a/internal/test/filled_checker_test.go b/internal/test/filled_checker_test.go new file mode 100644 index 0000000000..96673bf24a --- /dev/null +++ b/internal/test/filled_checker_test.go 
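Review bot: `BuildList` calls `val.NumField()` on whatever remains after the pointer unwrap, and `reflect` panics there for any non-struct kind. The recursion is entered for every exported field of kind `reflect.Ptr`, so a non-nil `*string`, `*int` or `*[]T` field, or a non-struct `object` passed to `AssertFieldsMapped`, would crash the test helper instead of reporting a result. A guard right after the unwrap avoids this: `if val.Kind() != reflect.Struct { return nil }`. With that, a non-nil pointer to a scalar falls into the existing `len(subFields) == 0` branch and is marked as filled. `isPublicField` could also use `val.Type().Field(i).PkgPath == ""` rather than comparing the first byte to `'A'`..`'Z'`, which misses exported names starting with a non-ASCII upper-case letter.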
@@ -0,0 +1,306 @@ +package test + +import ( + "sort" + "strings" + "testing" + "time" +) + +func TestCheckAllFieldsIgnores(t *testing.T) { + type args struct { + object interface{} + ignoredFields []string + } + type res struct { + mock *mappedExpecter + } + tests := []struct { + name string + args args + res res + }{ + { + name: "simple struct", + args: args{ + object: &struct { + Company string + }{ + Company: "caos AG", + }, + ignoredFields: []string{"Company"}, + }, + res: res{ + mock: newMappedExpeter( + []string{"Company"}, + nil, + ), + }, + }, + { + name: "simple struct with private", + args: args{ + object: &struct { + Company string + priv bool + }{ + Company: "caos AG", + priv: true, + }, + ignoredFields: []string{"Company"}, + }, + res: res{ + mock: newMappedExpeter( + []string{"Company"}, + nil, + ), + }, + }, + { + name: "simple struct length", + args: args{ + object: &struct { + Company map[string]string + priv bool + }{ + Company: map[string]string{"caos AG": "ZITADEL"}, + priv: true, + }, + ignoredFields: []string{"Company"}, + }, + res: res{ + mock: newMappedExpeter( + []string{"Company"}, + nil, + ), + }, + }, + { + name: "ignore empty nested field", + args: args{ + object: &struct { + Company *struct { + Name string + Founded time.Time + } + priv bool + }{ + Company: &struct { + Name string + Founded time.Time + }{}, + priv: true, + }, + ignoredFields: []string{"Company"}, + }, + + res: res{ + mock: newMappedExpeter( + nil, + nil, + ), + }, + }, + { + name: "ignore nested field", + args: args{ + object: &struct { + Company *struct { + Name string + Founded time.Time + } + priv bool + }{ + Company: &struct { + Name string + Founded time.Time + }{ + Founded: time.Date(2019, time.April, 1, 1, 1, 1, 1, time.Local), + }, + priv: true, + }, + ignoredFields: []string{"Company.Founded"}, + }, + + res: res{ + mock: newMappedExpeter( + []string{"Company.Founded"}, + []string{"Company.Name"}, + ), + }, + }, + { + name: "ignore nested fields", + args: args{ 
+ object: &struct { + Company *struct { + Name string + Founded time.Time + } + priv bool + }{ + Company: &struct { + Name string + Founded time.Time + }{ + Name: "caos AG", + Founded: time.Date(2019, time.April, 1, 1, 1, 1, 1, time.Local), + }, + priv: true, + }, + ignoredFields: []string{"Company"}, + }, + + res: res{ + mock: newMappedExpeter( + []string{"Company.Name", "Company.Founded"}, + nil, + ), + }, + }, + { + name: "ignore nested struct first field filled", + args: args{ + object: &struct { + Nested + Priv bool + }{ + Nested: Nested{ + ID: "1", + }, + Priv: true, + }, + ignoredFields: []string{"Nested"}, + }, + res: res{ + mock: newMappedExpeter( + []string{"Nested.ID"}, + nil, + ), + }, + }, + { + name: "ignore nested struct second field filled", + args: args{ + object: &struct { + Nested + Priv bool + }{ + Nested: Nested{ + ID: "", + Seq: 134, + }, + Priv: true, + }, + ignoredFields: []string{"Nested"}, + }, + res: res{ + mock: newMappedExpeter( + []string{"Nested.Seq"}, + nil, + ), + }, + }, + { + name: "ignore nested struct last field filled", + args: args{ + object: &struct { + Nested + Priv bool + }{ + Nested: Nested{ + Seq2: 134, + }, + Priv: true, + }, + ignoredFields: []string{"Nested"}, + }, + res: res{ + mock: newMappedExpeter( + []string{"Nested.Seq2"}, + nil, + ), + }, + }, + { + name: "ignore not nested field", + args: args{ + object: &struct { + Number int + Company *struct { + Name string + Founded time.Time + } + priv bool + }{ + Number: 13, + Company: &struct { + Name string + Founded time.Time + }{ + Name: "caos AG", + Founded: time.Date(2019, time.April, 1, 0, 0, 0, 0, time.Local), + }, + priv: true, + }, + ignoredFields: []string{"Number"}, + }, + res: res{ + mock: newMappedExpeter( + []string{"Number"}, + nil, + ), + }, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + AssertFieldsMapped(tt.res.mock, tt.args.object, tt.args.ignoredFields...) 
+ tt.res.mock.expectationsMet(t) + }) + } +} + +type Nested struct { + ID string + Seq uint64 + Seq2 uint64 +} + +func newMappedExpeter(expectedNotEmptyFields, expectedNotFilledFields []string) *mappedExpecter { + sort.Strings(expectedNotEmptyFields) + sort.Strings(expectedNotFilledFields) + return &mappedExpecter{ + expectedNotEmptyFields: strings.Join(expectedNotEmptyFields, ",\n\t"), + expectedNotFilledFields: strings.Join(expectedNotFilledFields, ",\n\t"), + } +} + +type mappedExpecter struct { + expectedNotEmptyFields string + expectedNotFilledFields string + + notEmptyFields string + notFilledFields string +} + +func (e *mappedExpecter) Errorf(format string, args ...interface{}) { + if format == "expected fields are not empty:\n\t%s\n" { + e.notEmptyFields = args[0].(string) + } + if format == "unexpected empty fields:\n\t%s\n" { + e.notFilledFields = args[0].(string) + } +} + +func (e *mappedExpecter) Helper() {} + +func (e *mappedExpecter) expectationsMet(t *testing.T) { + if e.notEmptyFields != e.expectedNotEmptyFields { + t.Errorf("not empty fields not matched: \n expected:\n\t%s\n got:\n\t%s", e.expectedNotEmptyFields, e.notEmptyFields) + } + + if e.notFilledFields != e.expectedNotFilledFields { + t.Errorf("not filled fields not matched: \n expected:\n\t%s\n got:\n\t%s", e.expectedNotFilledFields, e.notFilledFields) + } +} diff --git a/internal/ui/login/handler/change_password_handler.go b/internal/ui/login/handler/change_password_handler.go index 3987fe3051..f15ddf91f4 100644 --- a/internal/ui/login/handler/change_password_handler.go +++ b/internal/ui/login/handler/change_password_handler.go 
@@ -26,7 +26,7 @@ func (l *Login) handleChangePassword(w http.ResponseWriter, r *http.Request) {
 return
 }
 userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
- err = l.command.ChangePassword(setContext(r.Context(), authReq.UserOrgID), authReq.UserOrgID, authReq.UserID, data.OldPassword, data.NewPassword, userAgentID)
+ _, err = l.command.ChangePassword(setContext(r.Context(), authReq.UserOrgID), authReq.UserOrgID, authReq.UserID, data.OldPassword, data.NewPassword, userAgentID)
 if err != nil {
 l.renderChangePassword(w, r, authReq, err)
 return
diff --git a/internal/ui/login/handler/init_password_handler.go b/internal/ui/login/handler/init_password_handler.go
index c938d1f1ae..ef57df9423 100644
--- a/internal/ui/login/handler/init_password_handler.go
+++ b/internal/ui/login/handler/init_password_handler.go
@@ -91,7 +91,7 @@ func (l *Login) resendPasswordSet(w http.ResponseWriter, r *http.Request, authRe
 l.renderInitPassword(w, r, authReq, authReq.UserID, "", err)
 return
 }
- err = l.command.RequestSetPassword(setContext(r.Context(), userOrg), user.ID, user.ResourceOwner, domain.NotificationTypeEmail)
+ _, err = l.command.RequestSetPassword(setContext(r.Context(), userOrg), user.ID, user.ResourceOwner, domain.NotificationTypeEmail)
 l.renderInitPassword(w, r, authReq, authReq.UserID, "", err)
 }
diff --git a/internal/ui/login/handler/init_user_handler.go b/internal/ui/login/handler/init_user_handler.go
index 8c006e75a5..b4a32692d7 100644
--- a/internal/ui/login/handler/init_user_handler.go
+++ b/internal/ui/login/handler/init_user_handler.go
@@ -85,7 +85,7 @@ func (l *Login) resendUserInit(w http.ResponseWriter, r *http.Request, authReq *
 if authReq != nil {
 userOrgID = authReq.UserOrgID
 }
- err := l.command.ResendInitialMail(setContext(r.Context(), userOrgID), userID, "", userOrgID)
+ _, err := l.command.ResendInitialMail(setContext(r.Context(), userOrgID), userID, "", userOrgID)
 l.renderInitUser(w, r, authReq, userID, "", showPassword, err)
 }
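Review bot: In `handleChangePassword` (change_password_handler.go) the password change is still attributed to a `userAgentID` whose lookup result is thrown away on the context line above the new call, `userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())`. If the second return value reports whether an ID was present (its meaning is not visible here), a request without one reaches `ChangePassword` with an empty agent ID, which weakens the audit trail of a credential change. I would keep the flag, `userAgentID, ok := http_mw.UserAgentIDFromCtx(r.Context())`, and render an error when it is false. The same pattern feeds `HumanVerifyU2FSetup` in mfa_init_u2f.go and `HumanCheckMFAOTPSetup` in mfa_init_verify_handler.go; all three functions start outside their hunks.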
diff --git a/internal/ui/login/handler/mail_verify_handler.go b/internal/ui/login/handler/mail_verify_handler.go
index b0cec21c13..9b3c47772c 100644
--- a/internal/ui/login/handler/mail_verify_handler.go
+++ b/internal/ui/login/handler/mail_verify_handler.go
@@ -50,7 +50,7 @@ func (l *Login) handleMailVerificationCheck(w http.ResponseWriter, r *http.Reque
 if authReq != nil {
 userOrg = authReq.UserOrgID
 }
- err = l.command.CreateHumanEmailVerificationCode(setContext(r.Context(), userOrg), data.UserID, userOrg)
+ _, err = l.command.CreateHumanEmailVerificationCode(setContext(r.Context(), userOrg), data.UserID, userOrg)
 l.renderMailVerification(w, r, authReq, data.UserID, err)
 }
@@ -60,7 +60,7 @@ func (l *Login) checkMailCode(w http.ResponseWriter, r *http.Request, authReq *d
 userID = authReq.UserID
 userOrg = authReq.UserOrgID
 }
- err := l.command.VerifyHumanEmail(setContext(r.Context(), userOrg), userID, code, userOrg)
+ _, err := l.command.VerifyHumanEmail(setContext(r.Context(), userOrg), userID, code, userOrg)
 if err != nil {
 l.renderMailVerification(w, r, authReq, userID, err)
 return
diff --git a/internal/ui/login/handler/mfa_init_u2f.go b/internal/ui/login/handler/mfa_init_u2f.go
index 6a96d0406f..9859909e86 100644
--- a/internal/ui/login/handler/mfa_init_u2f.go
+++ b/internal/ui/login/handler/mfa_init_u2f.go
@@ -54,7 +54,7 @@ func (l *Login) handleRegisterU2F(w http.ResponseWriter, r *http.Request) {
 }
 userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
- if err = l.command.HumanVerifyU2FSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, data.Name, userAgentID, credData); err != nil {
+ if _, err = l.command.HumanVerifyU2FSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, data.Name, userAgentID, credData); err != nil {
 l.renderRegisterU2F(w, r, authReq, err)
 return
 }
diff --git a/internal/ui/login/handler/mfa_init_verify_handler.go b/internal/ui/login/handler/mfa_init_verify_handler.go
index 1292951b7b..14f85be166 100644
--- a/internal/ui/login/handler/mfa_init_verify_handler.go
+++ b/internal/ui/login/handler/mfa_init_verify_handler.go
@@ -49,7 +49,7 @@ func (l *Login) handleMFAInitVerify(w http.ResponseWriter, r *http.Request) {
 func (l *Login) handleOTPVerify(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *mfaInitVerifyData) *mfaVerifyData {
 userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
- err := l.command.HumanCheckMFAOTPSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Code, userAgentID, authReq.UserOrgID)
+ _, err := l.command.HumanCheckMFAOTPSetup(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, data.Code, userAgentID, authReq.UserOrgID)
 if err == nil {
 return nil
 }
diff --git a/internal/ui/login/handler/password_reset_handler.go b/internal/ui/login/handler/password_reset_handler.go
index 7a4d360999..6379f950f9 100644
--- a/internal/ui/login/handler/password_reset_handler.go
+++ b/internal/ui/login/handler/password_reset_handler.go
@@ -20,7 +20,7 @@ func (l *Login) handlePasswordReset(w http.ResponseWriter, r *http.Request) {
 l.renderPasswordResetDone(w, r, authReq, err)
 return
 }
- err = l.command.RequestSetPassword(setContext(r.Context(), authReq.UserOrgID), user.ID, authReq.UserOrgID, domain.NotificationTypeEmail)
+ _, err = l.command.RequestSetPassword(setContext(r.Context(), authReq.UserOrgID), user.ID, authReq.UserOrgID, domain.NotificationTypeEmail)
 l.renderPasswordResetDone(w, r, authReq, err)
 }
diff --git a/internal/ui/login/handler/register_org_handler.go b/internal/ui/login/handler/register_org_handler.go
index ced56aa6b7..18a1afd324 100644
--- a/internal/ui/login/handler/register_org_handler.go
+++ b/internal/ui/login/handler/register_org_handler.go
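Review bot: In `handlePasswordReset` (password_reset_handler.go) the error from `RequestSetPassword` is handed directly to `renderPasswordResetDone` on the line after the new call. If that renderer displays the error (it is outside the hunk), the reset page responds differently depending on whether a reset could be created for the account, and a reset endpoint should answer the same way in both cases. Consider logging the error server-side and rendering the neutral page, e.g. `l.renderPasswordResetDone(w, r, authReq, nil)`, for failures that only reflect account state. The function body begins before the hunk, so the earlier branch that also renders `err` deserves the same look.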
@@ -58,7 +58,7 @@ func (l *Login) handleRegisterOrgCheck(w http.ResponseWriter, r *http.Request) {
 return
 }
- err = l.command.SetUpOrg(setContext(r.Context(), ""), data.toOrgDomain(), data.toUserDomain())
+ _, err = l.command.SetUpOrg(setContext(r.Context(), ""), data.toOrgDomain(), data.toUserDomain())
 if err != nil {
 l.renderRegisterOrg(w, r, authRequest, data, err)
 return
diff --git a/internal/ui/login/handler/username_change_handler.go b/internal/ui/login/handler/username_change_handler.go
index c0e237b8ec..526a41fc0c 100644
--- a/internal/ui/login/handler/username_change_handler.go
+++ b/internal/ui/login/handler/username_change_handler.go
@@ -30,7 +30,7 @@ func (l *Login) handleChangeUsername(w http.ResponseWriter, r *http.Request) {
 l.renderError(w, r, authReq, err)
 return
 }
- err = l.command.ChangeUsername(setContext(r.Context(), authReq.UserOrgID), authReq.UserOrgID, authReq.UserID, data.Username)
+ _, err = l.command.ChangeUsername(setContext(r.Context(), authReq.UserOrgID), authReq.UserOrgID, authReq.UserID, data.Username)
 if err != nil {
 l.renderChangeUsername(w, r, authReq, err)
 return
diff --git a/internal/user/repository/eventsourcing/model/otp.go b/internal/user/repository/eventsourcing/model/otp.go
index d07638d8a3..7c4509fc5d 100644
--- a/internal/user/repository/eventsourcing/model/otp.go
+++ b/internal/user/repository/eventsourcing/model/otp.go
@@ -2,6 +2,7 @@ package model
 import (
 "encoding/json"
+
 "github.com/caos/logging"
 "github.com/caos/zitadel/internal/crypto"
diff --git a/internal/user/repository/eventsourcing/model/web_auth_n_test.go b/internal/user/repository/eventsourcing/model/web_auth_n_test.go
index 1a2495567d..65942c6983 100644
--- a/internal/user/repository/eventsourcing/model/web_auth_n_test.go
+++ b/internal/user/repository/eventsourcing/model/web_auth_n_test.go
@@ -2,10 +2,10 @@ package model
 import (
 "encoding/json"
- "github.com/caos/zitadel/pkg/grpc/auth"
 "testing"
 es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
+ "github.com/caos/zitadel/pkg/grpc/user"
 )
 func TestAppendMFAU2FAddedEvent(t *testing.T) {
@@ -28,7 +28,7 @@ func TestAppendMFAU2FAddedEvent(t *testing.T) {
 },
 result: &Human{
 U2FTokens: []*WebAuthNToken{
- {WebauthNTokenID: "WebauthNTokenID", Challenge: "Challenge", State: int32(auth.MFAState_MFASTATE_NOT_READY)},
+ {WebauthNTokenID: "WebauthNTokenID", Challenge: "Challenge", State: int32(user.MultiFactorState_MULTI_FACTOR_STATE_NOT_READY)},
 },
 },
 },
@@ -63,7 +63,7 @@ func TestAppendMFAU2FVerifyEvent(t *testing.T) {
 args: args{
 user: &Human{
 U2FTokens: []*WebAuthNToken{
- {WebauthNTokenID: "WebauthNTokenID", Challenge: "Challenge", State: int32(auth.MFAState_MFASTATE_NOT_READY)},
+ {WebauthNTokenID: "WebauthNTokenID", Challenge: "Challenge", State: int32(user.MultiFactorState_MULTI_FACTOR_STATE_NOT_READY)},
 },
 },
 u2f: &WebAuthNVerify{WebAuthNTokenID: "WebauthNTokenID", KeyID: []byte("KeyID"), PublicKey: []byte("PublicKey"), AttestationType: "AttestationType", AAGUID: []byte("AAGUID"), SignCount: 1},
@@ -74,7 +74,7 @@ func TestAppendMFAU2FVerifyEvent(t *testing.T) {
 {
 WebauthNTokenID: "WebauthNTokenID",
 Challenge: "Challenge",
- State: int32(auth.MFAState_MFASTATE_READY),
+ State: int32(user.MultiFactorState_MULTI_FACTOR_STATE_READY),
 KeyID: []byte("KeyID"),
 PublicKey: []byte("PublicKey"),
 AttestationType: "AttestationType",
@@ -121,7 +121,7 @@ func TestAppendMFAU2FRemoveEvent(t *testing.T) {
 {
 WebauthNTokenID: "WebauthNTokenID",
 Challenge: "Challenge",
- State: int32(auth.MFAState_MFASTATE_NOT_READY),
+ State: int32(user.MultiFactorState_MULTI_FACTOR_STATE_NOT_READY),
 KeyID: []byte("KeyID"),
 PublicKey: []byte("PublicKey"),
 AttestationType: "AttestationType",
diff --git a/pkg/grpc/admin/mock/admin.proto.mock.go b/pkg/grpc/admin/mock/admin.proto.mock.go deleted file mode 100644 index f53311642b..0000000000 --- a/pkg/grpc/admin/mock/admin.proto.mock.go +++ /dev/null 
@@ -1,1057 +0,0 @@ -// Code generated by MockGen. DO NOT EDIT. -// Source: github.com/caos/zitadel/pkg/grpc/admin (interfaces: AdminServiceClient) - -// Package api is a generated GoMock package. -package api - -import ( - context "context" - admin "github.com/caos/zitadel/pkg/grpc/admin" - gomock "github.com/golang/mock/gomock" - grpc "google.golang.org/grpc" - emptypb "google.golang.org/protobuf/types/known/emptypb" - reflect "reflect" -) - -// MockAdminServiceClient is a mock of AdminServiceClient interface -type MockAdminServiceClient struct { - ctrl *gomock.Controller - recorder *MockAdminServiceClientMockRecorder -} - -// MockAdminServiceClientMockRecorder is the mock recorder for MockAdminServiceClient -type MockAdminServiceClientMockRecorder struct { - mock *MockAdminServiceClient -} - -// NewMockAdminServiceClient creates a new mock instance -func NewMockAdminServiceClient(ctrl *gomock.Controller) *MockAdminServiceClient { - mock := &MockAdminServiceClient{ctrl: ctrl} - mock.recorder = &MockAdminServiceClientMockRecorder{mock} - return mock -} - -// EXPECT returns an object that allows the caller to indicate expected use -func (m *MockAdminServiceClient) EXPECT() *MockAdminServiceClientMockRecorder { - return m.recorder -} - -// AddIamMember mocks base method -func (m *MockAdminServiceClient) AddIamMember(arg0 context.Context, arg1 *admin.AddIamMemberRequest, arg2 ...grpc.CallOption) (*admin.IamMember, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddIamMember", varargs...) - ret0, _ := ret[0].(*admin.IamMember) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddIamMember indicates an expected call of AddIamMember -func (mr *MockAdminServiceClientMockRecorder) AddIamMember(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddIamMember", reflect.TypeOf((*MockAdminServiceClient)(nil).AddIamMember), varargs...) -} - -// AddIdpProviderToDefaultLoginPolicy mocks base method -func (m *MockAdminServiceClient) AddIdpProviderToDefaultLoginPolicy(arg0 context.Context, arg1 *admin.IdpProviderID, arg2 ...grpc.CallOption) (*admin.IdpProviderID, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddIdpProviderToDefaultLoginPolicy", varargs...) - ret0, _ := ret[0].(*admin.IdpProviderID) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddIdpProviderToDefaultLoginPolicy indicates an expected call of AddIdpProviderToDefaultLoginPolicy -func (mr *MockAdminServiceClientMockRecorder) AddIdpProviderToDefaultLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddIdpProviderToDefaultLoginPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).AddIdpProviderToDefaultLoginPolicy), varargs...) -} - -// AddMultiFactorToDefaultLoginPolicy mocks base method -func (m *MockAdminServiceClient) AddMultiFactorToDefaultLoginPolicy(arg0 context.Context, arg1 *admin.MultiFactor, arg2 ...grpc.CallOption) (*admin.MultiFactor, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddMultiFactorToDefaultLoginPolicy", varargs...) 
- ret0, _ := ret[0].(*admin.MultiFactor) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddMultiFactorToDefaultLoginPolicy indicates an expected call of AddMultiFactorToDefaultLoginPolicy -func (mr *MockAdminServiceClientMockRecorder) AddMultiFactorToDefaultLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMultiFactorToDefaultLoginPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).AddMultiFactorToDefaultLoginPolicy), varargs...) -} - -// AddSecondFactorToDefaultLoginPolicy mocks base method -func (m *MockAdminServiceClient) AddSecondFactorToDefaultLoginPolicy(arg0 context.Context, arg1 *admin.SecondFactor, arg2 ...grpc.CallOption) (*admin.SecondFactor, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddSecondFactorToDefaultLoginPolicy", varargs...) - ret0, _ := ret[0].(*admin.SecondFactor) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddSecondFactorToDefaultLoginPolicy indicates an expected call of AddSecondFactorToDefaultLoginPolicy -func (mr *MockAdminServiceClientMockRecorder) AddSecondFactorToDefaultLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddSecondFactorToDefaultLoginPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).AddSecondFactorToDefaultLoginPolicy), varargs...) 
-} - -// ChangeIamMember mocks base method -func (m *MockAdminServiceClient) ChangeIamMember(arg0 context.Context, arg1 *admin.ChangeIamMemberRequest, arg2 ...grpc.CallOption) (*admin.IamMember, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ChangeIamMember", varargs...) - ret0, _ := ret[0].(*admin.IamMember) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ChangeIamMember indicates an expected call of ChangeIamMember -func (mr *MockAdminServiceClientMockRecorder) ChangeIamMember(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ChangeIamMember", reflect.TypeOf((*MockAdminServiceClient)(nil).ChangeIamMember), varargs...) -} - -// ClearView mocks base method -func (m *MockAdminServiceClient) ClearView(arg0 context.Context, arg1 *admin.ViewID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ClearView", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ClearView indicates an expected call of ClearView -func (mr *MockAdminServiceClientMockRecorder) ClearView(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ClearView", reflect.TypeOf((*MockAdminServiceClient)(nil).ClearView), varargs...) 
-} - -// CreateOidcIdp mocks base method -func (m *MockAdminServiceClient) CreateOidcIdp(arg0 context.Context, arg1 *admin.OidcIdpConfigCreate, arg2 ...grpc.CallOption) (*admin.Idp, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreateOidcIdp", varargs...) - ret0, _ := ret[0].(*admin.Idp) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreateOidcIdp indicates an expected call of CreateOidcIdp -func (mr *MockAdminServiceClientMockRecorder) CreateOidcIdp(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateOidcIdp", reflect.TypeOf((*MockAdminServiceClient)(nil).CreateOidcIdp), varargs...) -} - -// CreateOrgIamPolicy mocks base method -func (m *MockAdminServiceClient) CreateOrgIamPolicy(arg0 context.Context, arg1 *admin.OrgIamPolicyRequest, arg2 ...grpc.CallOption) (*admin.OrgIamPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreateOrgIamPolicy", varargs...) - ret0, _ := ret[0].(*admin.OrgIamPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreateOrgIamPolicy indicates an expected call of CreateOrgIamPolicy -func (mr *MockAdminServiceClientMockRecorder) CreateOrgIamPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateOrgIamPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).CreateOrgIamPolicy), varargs...) 
-} - -// DeactivateIdpConfig mocks base method -func (m *MockAdminServiceClient) DeactivateIdpConfig(arg0 context.Context, arg1 *admin.IdpID, arg2 ...grpc.CallOption) (*admin.Idp, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "DeactivateIdpConfig", varargs...) - ret0, _ := ret[0].(*admin.Idp) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// DeactivateIdpConfig indicates an expected call of DeactivateIdpConfig -func (mr *MockAdminServiceClientMockRecorder) DeactivateIdpConfig(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateIdpConfig", reflect.TypeOf((*MockAdminServiceClient)(nil).DeactivateIdpConfig), varargs...) -} - -// GetDefaultLabelPolicy mocks base method -func (m *MockAdminServiceClient) GetDefaultLabelPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.DefaultLabelPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultLabelPolicy", varargs...) - ret0, _ := ret[0].(*admin.DefaultLabelPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultLabelPolicy indicates an expected call of GetDefaultLabelPolicy -func (mr *MockAdminServiceClientMockRecorder) GetDefaultLabelPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultLabelPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).GetDefaultLabelPolicy), varargs...) 
-} - -// GetDefaultLoginPolicy mocks base method -func (m *MockAdminServiceClient) GetDefaultLoginPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.DefaultLoginPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultLoginPolicy", varargs...) - ret0, _ := ret[0].(*admin.DefaultLoginPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultLoginPolicy indicates an expected call of GetDefaultLoginPolicy -func (mr *MockAdminServiceClientMockRecorder) GetDefaultLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultLoginPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).GetDefaultLoginPolicy), varargs...) -} - -// GetDefaultLoginPolicyIdpProviders mocks base method -func (m *MockAdminServiceClient) GetDefaultLoginPolicyIdpProviders(arg0 context.Context, arg1 *admin.IdpProviderSearchRequest, arg2 ...grpc.CallOption) (*admin.IdpProviderSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultLoginPolicyIdpProviders", varargs...) - ret0, _ := ret[0].(*admin.IdpProviderSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultLoginPolicyIdpProviders indicates an expected call of GetDefaultLoginPolicyIdpProviders -func (mr *MockAdminServiceClientMockRecorder) GetDefaultLoginPolicyIdpProviders(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultLoginPolicyIdpProviders", reflect.TypeOf((*MockAdminServiceClient)(nil).GetDefaultLoginPolicyIdpProviders), varargs...) -} - -// GetDefaultLoginPolicyMultiFactors mocks base method -func (m *MockAdminServiceClient) GetDefaultLoginPolicyMultiFactors(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.MultiFactorsResult, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultLoginPolicyMultiFactors", varargs...) - ret0, _ := ret[0].(*admin.MultiFactorsResult) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultLoginPolicyMultiFactors indicates an expected call of GetDefaultLoginPolicyMultiFactors -func (mr *MockAdminServiceClientMockRecorder) GetDefaultLoginPolicyMultiFactors(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultLoginPolicyMultiFactors", reflect.TypeOf((*MockAdminServiceClient)(nil).GetDefaultLoginPolicyMultiFactors), varargs...) -} - -// GetDefaultLoginPolicySecondFactors mocks base method -func (m *MockAdminServiceClient) GetDefaultLoginPolicySecondFactors(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.SecondFactorsResult, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultLoginPolicySecondFactors", varargs...) 
- ret0, _ := ret[0].(*admin.SecondFactorsResult) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultLoginPolicySecondFactors indicates an expected call of GetDefaultLoginPolicySecondFactors -func (mr *MockAdminServiceClientMockRecorder) GetDefaultLoginPolicySecondFactors(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultLoginPolicySecondFactors", reflect.TypeOf((*MockAdminServiceClient)(nil).GetDefaultLoginPolicySecondFactors), varargs...) -} - -// GetDefaultMailTemplate mocks base method -func (m *MockAdminServiceClient) GetDefaultMailTemplate(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.DefaultMailTemplateView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultMailTemplate", varargs...) - ret0, _ := ret[0].(*admin.DefaultMailTemplateView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultMailTemplate indicates an expected call of GetDefaultMailTemplate -func (mr *MockAdminServiceClientMockRecorder) GetDefaultMailTemplate(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultMailTemplate", reflect.TypeOf((*MockAdminServiceClient)(nil).GetDefaultMailTemplate), varargs...) -} - -// GetDefaultMailTexts mocks base method -func (m *MockAdminServiceClient) GetDefaultMailTexts(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.DefaultMailTextsView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultMailTexts", varargs...) 
- ret0, _ := ret[0].(*admin.DefaultMailTextsView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultMailTexts indicates an expected call of GetDefaultMailTexts -func (mr *MockAdminServiceClientMockRecorder) GetDefaultMailTexts(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultMailTexts", reflect.TypeOf((*MockAdminServiceClient)(nil).GetDefaultMailTexts), varargs...) -} - -// GetDefaultOrgIamPolicy mocks base method -func (m *MockAdminServiceClient) GetDefaultOrgIamPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.OrgIamPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultOrgIamPolicy", varargs...) - ret0, _ := ret[0].(*admin.OrgIamPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultOrgIamPolicy indicates an expected call of GetDefaultOrgIamPolicy -func (mr *MockAdminServiceClientMockRecorder) GetDefaultOrgIamPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultOrgIamPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).GetDefaultOrgIamPolicy), varargs...) -} - -// GetDefaultPasswordAgePolicy mocks base method -func (m *MockAdminServiceClient) GetDefaultPasswordAgePolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.DefaultPasswordAgePolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultPasswordAgePolicy", varargs...) 
- ret0, _ := ret[0].(*admin.DefaultPasswordAgePolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultPasswordAgePolicy indicates an expected call of GetDefaultPasswordAgePolicy -func (mr *MockAdminServiceClientMockRecorder) GetDefaultPasswordAgePolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultPasswordAgePolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).GetDefaultPasswordAgePolicy), varargs...) -} - -// GetDefaultPasswordComplexityPolicy mocks base method -func (m *MockAdminServiceClient) GetDefaultPasswordComplexityPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.DefaultPasswordComplexityPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultPasswordComplexityPolicy", varargs...) - ret0, _ := ret[0].(*admin.DefaultPasswordComplexityPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultPasswordComplexityPolicy indicates an expected call of GetDefaultPasswordComplexityPolicy -func (mr *MockAdminServiceClientMockRecorder) GetDefaultPasswordComplexityPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultPasswordComplexityPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).GetDefaultPasswordComplexityPolicy), varargs...) 
-} - -// GetDefaultPasswordLockoutPolicy mocks base method -func (m *MockAdminServiceClient) GetDefaultPasswordLockoutPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.DefaultPasswordLockoutPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultPasswordLockoutPolicy", varargs...) - ret0, _ := ret[0].(*admin.DefaultPasswordLockoutPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultPasswordLockoutPolicy indicates an expected call of GetDefaultPasswordLockoutPolicy -func (mr *MockAdminServiceClientMockRecorder) GetDefaultPasswordLockoutPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultPasswordLockoutPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).GetDefaultPasswordLockoutPolicy), varargs...) -} - -// GetFailedEvents mocks base method -func (m *MockAdminServiceClient) GetFailedEvents(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.FailedEvents, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetFailedEvents", varargs...) - ret0, _ := ret[0].(*admin.FailedEvents) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetFailedEvents indicates an expected call of GetFailedEvents -func (mr *MockAdminServiceClientMockRecorder) GetFailedEvents(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetFailedEvents", reflect.TypeOf((*MockAdminServiceClient)(nil).GetFailedEvents), varargs...) 
-} - -// GetIamMemberRoles mocks base method -func (m *MockAdminServiceClient) GetIamMemberRoles(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.IamMemberRoles, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetIamMemberRoles", varargs...) - ret0, _ := ret[0].(*admin.IamMemberRoles) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetIamMemberRoles indicates an expected call of GetIamMemberRoles -func (mr *MockAdminServiceClientMockRecorder) GetIamMemberRoles(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetIamMemberRoles", reflect.TypeOf((*MockAdminServiceClient)(nil).GetIamMemberRoles), varargs...) -} - -// GetOrgByID mocks base method -func (m *MockAdminServiceClient) GetOrgByID(arg0 context.Context, arg1 *admin.OrgID, arg2 ...grpc.CallOption) (*admin.Org, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetOrgByID", varargs...) - ret0, _ := ret[0].(*admin.Org) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetOrgByID indicates an expected call of GetOrgByID -func (mr *MockAdminServiceClientMockRecorder) GetOrgByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOrgByID", reflect.TypeOf((*MockAdminServiceClient)(nil).GetOrgByID), varargs...) 
-} - -// GetOrgIamPolicy mocks base method -func (m *MockAdminServiceClient) GetOrgIamPolicy(arg0 context.Context, arg1 *admin.OrgIamPolicyID, arg2 ...grpc.CallOption) (*admin.OrgIamPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetOrgIamPolicy", varargs...) - ret0, _ := ret[0].(*admin.OrgIamPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetOrgIamPolicy indicates an expected call of GetOrgIamPolicy -func (mr *MockAdminServiceClientMockRecorder) GetOrgIamPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOrgIamPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).GetOrgIamPolicy), varargs...) -} - -// GetViews mocks base method -func (m *MockAdminServiceClient) GetViews(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*admin.Views, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetViews", varargs...) - ret0, _ := ret[0].(*admin.Views) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetViews indicates an expected call of GetViews -func (mr *MockAdminServiceClientMockRecorder) GetViews(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetViews", reflect.TypeOf((*MockAdminServiceClient)(nil).GetViews), varargs...) 
-} - -// Healthz mocks base method -func (m *MockAdminServiceClient) Healthz(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "Healthz", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// Healthz indicates an expected call of Healthz -func (mr *MockAdminServiceClientMockRecorder) Healthz(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Healthz", reflect.TypeOf((*MockAdminServiceClient)(nil).Healthz), varargs...) -} - -// IdpByID mocks base method -func (m *MockAdminServiceClient) IdpByID(arg0 context.Context, arg1 *admin.IdpID, arg2 ...grpc.CallOption) (*admin.IdpView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "IdpByID", varargs...) - ret0, _ := ret[0].(*admin.IdpView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// IdpByID indicates an expected call of IdpByID -func (mr *MockAdminServiceClientMockRecorder) IdpByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IdpByID", reflect.TypeOf((*MockAdminServiceClient)(nil).IdpByID), varargs...) -} - -// IsOrgUnique mocks base method -func (m *MockAdminServiceClient) IsOrgUnique(arg0 context.Context, arg1 *admin.UniqueOrgRequest, arg2 ...grpc.CallOption) (*admin.UniqueOrgResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "IsOrgUnique", varargs...) 
- ret0, _ := ret[0].(*admin.UniqueOrgResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// IsOrgUnique indicates an expected call of IsOrgUnique -func (mr *MockAdminServiceClientMockRecorder) IsOrgUnique(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsOrgUnique", reflect.TypeOf((*MockAdminServiceClient)(nil).IsOrgUnique), varargs...) -} - -// ReactivateIdpConfig mocks base method -func (m *MockAdminServiceClient) ReactivateIdpConfig(arg0 context.Context, arg1 *admin.IdpID, arg2 ...grpc.CallOption) (*admin.Idp, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ReactivateIdpConfig", varargs...) - ret0, _ := ret[0].(*admin.Idp) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ReactivateIdpConfig indicates an expected call of ReactivateIdpConfig -func (mr *MockAdminServiceClientMockRecorder) ReactivateIdpConfig(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateIdpConfig", reflect.TypeOf((*MockAdminServiceClient)(nil).ReactivateIdpConfig), varargs...) -} - -// RemoveFailedEvent mocks base method -func (m *MockAdminServiceClient) RemoveFailedEvent(arg0 context.Context, arg1 *admin.FailedEventID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveFailedEvent", varargs...) 
- ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveFailedEvent indicates an expected call of RemoveFailedEvent -func (mr *MockAdminServiceClientMockRecorder) RemoveFailedEvent(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveFailedEvent", reflect.TypeOf((*MockAdminServiceClient)(nil).RemoveFailedEvent), varargs...) -} - -// RemoveIamMember mocks base method -func (m *MockAdminServiceClient) RemoveIamMember(arg0 context.Context, arg1 *admin.RemoveIamMemberRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveIamMember", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveIamMember indicates an expected call of RemoveIamMember -func (mr *MockAdminServiceClientMockRecorder) RemoveIamMember(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveIamMember", reflect.TypeOf((*MockAdminServiceClient)(nil).RemoveIamMember), varargs...) -} - -// RemoveIdpConfig mocks base method -func (m *MockAdminServiceClient) RemoveIdpConfig(arg0 context.Context, arg1 *admin.IdpID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveIdpConfig", varargs...) 
- ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveIdpConfig indicates an expected call of RemoveIdpConfig -func (mr *MockAdminServiceClientMockRecorder) RemoveIdpConfig(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveIdpConfig", reflect.TypeOf((*MockAdminServiceClient)(nil).RemoveIdpConfig), varargs...) -} - -// RemoveIdpProviderFromDefaultLoginPolicy mocks base method -func (m *MockAdminServiceClient) RemoveIdpProviderFromDefaultLoginPolicy(arg0 context.Context, arg1 *admin.IdpProviderID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveIdpProviderFromDefaultLoginPolicy", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveIdpProviderFromDefaultLoginPolicy indicates an expected call of RemoveIdpProviderFromDefaultLoginPolicy -func (mr *MockAdminServiceClientMockRecorder) RemoveIdpProviderFromDefaultLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveIdpProviderFromDefaultLoginPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).RemoveIdpProviderFromDefaultLoginPolicy), varargs...) 
-} - -// RemoveMultiFactorFromDefaultLoginPolicy mocks base method -func (m *MockAdminServiceClient) RemoveMultiFactorFromDefaultLoginPolicy(arg0 context.Context, arg1 *admin.MultiFactor, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveMultiFactorFromDefaultLoginPolicy", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveMultiFactorFromDefaultLoginPolicy indicates an expected call of RemoveMultiFactorFromDefaultLoginPolicy -func (mr *MockAdminServiceClientMockRecorder) RemoveMultiFactorFromDefaultLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMultiFactorFromDefaultLoginPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).RemoveMultiFactorFromDefaultLoginPolicy), varargs...) -} - -// RemoveOrgIamPolicy mocks base method -func (m *MockAdminServiceClient) RemoveOrgIamPolicy(arg0 context.Context, arg1 *admin.OrgIamPolicyID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveOrgIamPolicy", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveOrgIamPolicy indicates an expected call of RemoveOrgIamPolicy -func (mr *MockAdminServiceClientMockRecorder) RemoveOrgIamPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveOrgIamPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).RemoveOrgIamPolicy), varargs...) 
-} - -// RemoveSecondFactorFromDefaultLoginPolicy mocks base method -func (m *MockAdminServiceClient) RemoveSecondFactorFromDefaultLoginPolicy(arg0 context.Context, arg1 *admin.SecondFactor, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveSecondFactorFromDefaultLoginPolicy", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveSecondFactorFromDefaultLoginPolicy indicates an expected call of RemoveSecondFactorFromDefaultLoginPolicy -func (mr *MockAdminServiceClientMockRecorder) RemoveSecondFactorFromDefaultLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveSecondFactorFromDefaultLoginPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).RemoveSecondFactorFromDefaultLoginPolicy), varargs...) -} - -// SearchIamMembers mocks base method -func (m *MockAdminServiceClient) SearchIamMembers(arg0 context.Context, arg1 *admin.IamMemberSearchRequest, arg2 ...grpc.CallOption) (*admin.IamMemberSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchIamMembers", varargs...) - ret0, _ := ret[0].(*admin.IamMemberSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchIamMembers indicates an expected call of SearchIamMembers -func (mr *MockAdminServiceClientMockRecorder) SearchIamMembers(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchIamMembers", reflect.TypeOf((*MockAdminServiceClient)(nil).SearchIamMembers), varargs...) -} - -// SearchIdps mocks base method -func (m *MockAdminServiceClient) SearchIdps(arg0 context.Context, arg1 *admin.IdpSearchRequest, arg2 ...grpc.CallOption) (*admin.IdpSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchIdps", varargs...) - ret0, _ := ret[0].(*admin.IdpSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchIdps indicates an expected call of SearchIdps -func (mr *MockAdminServiceClientMockRecorder) SearchIdps(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchIdps", reflect.TypeOf((*MockAdminServiceClient)(nil).SearchIdps), varargs...) -} - -// SearchOrgs mocks base method -func (m *MockAdminServiceClient) SearchOrgs(arg0 context.Context, arg1 *admin.OrgSearchRequest, arg2 ...grpc.CallOption) (*admin.OrgSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchOrgs", varargs...) - ret0, _ := ret[0].(*admin.OrgSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchOrgs indicates an expected call of SearchOrgs -func (mr *MockAdminServiceClientMockRecorder) SearchOrgs(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchOrgs", reflect.TypeOf((*MockAdminServiceClient)(nil).SearchOrgs), varargs...) 
-} - -// SetUpOrg mocks base method -func (m *MockAdminServiceClient) SetUpOrg(arg0 context.Context, arg1 *admin.OrgSetUpRequest, arg2 ...grpc.CallOption) (*admin.OrgSetUpResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SetUpOrg", varargs...) - ret0, _ := ret[0].(*admin.OrgSetUpResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SetUpOrg indicates an expected call of SetUpOrg -func (mr *MockAdminServiceClientMockRecorder) SetUpOrg(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetUpOrg", reflect.TypeOf((*MockAdminServiceClient)(nil).SetUpOrg), varargs...) -} - -// UpdateDefaultLabelPolicy mocks base method -func (m *MockAdminServiceClient) UpdateDefaultLabelPolicy(arg0 context.Context, arg1 *admin.DefaultLabelPolicyUpdate, arg2 ...grpc.CallOption) (*admin.DefaultLabelPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateDefaultLabelPolicy", varargs...) - ret0, _ := ret[0].(*admin.DefaultLabelPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateDefaultLabelPolicy indicates an expected call of UpdateDefaultLabelPolicy -func (mr *MockAdminServiceClientMockRecorder) UpdateDefaultLabelPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateDefaultLabelPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).UpdateDefaultLabelPolicy), varargs...) 
-} - -// UpdateDefaultLoginPolicy mocks base method -func (m *MockAdminServiceClient) UpdateDefaultLoginPolicy(arg0 context.Context, arg1 *admin.DefaultLoginPolicyRequest, arg2 ...grpc.CallOption) (*admin.DefaultLoginPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateDefaultLoginPolicy", varargs...) - ret0, _ := ret[0].(*admin.DefaultLoginPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateDefaultLoginPolicy indicates an expected call of UpdateDefaultLoginPolicy -func (mr *MockAdminServiceClientMockRecorder) UpdateDefaultLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateDefaultLoginPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).UpdateDefaultLoginPolicy), varargs...) -} - -// UpdateDefaultMailTemplate mocks base method -func (m *MockAdminServiceClient) UpdateDefaultMailTemplate(arg0 context.Context, arg1 *admin.DefaultMailTemplateUpdate, arg2 ...grpc.CallOption) (*admin.DefaultMailTemplate, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateDefaultMailTemplate", varargs...) - ret0, _ := ret[0].(*admin.DefaultMailTemplate) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateDefaultMailTemplate indicates an expected call of UpdateDefaultMailTemplate -func (mr *MockAdminServiceClientMockRecorder) UpdateDefaultMailTemplate(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateDefaultMailTemplate", reflect.TypeOf((*MockAdminServiceClient)(nil).UpdateDefaultMailTemplate), varargs...) 
-} - -// UpdateDefaultMailText mocks base method -func (m *MockAdminServiceClient) UpdateDefaultMailText(arg0 context.Context, arg1 *admin.DefaultMailTextUpdate, arg2 ...grpc.CallOption) (*admin.DefaultMailText, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateDefaultMailText", varargs...) - ret0, _ := ret[0].(*admin.DefaultMailText) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateDefaultMailText indicates an expected call of UpdateDefaultMailText -func (mr *MockAdminServiceClientMockRecorder) UpdateDefaultMailText(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateDefaultMailText", reflect.TypeOf((*MockAdminServiceClient)(nil).UpdateDefaultMailText), varargs...) -} - -// UpdateDefaultOrgIamPolicy mocks base method -func (m *MockAdminServiceClient) UpdateDefaultOrgIamPolicy(arg0 context.Context, arg1 *admin.OrgIamPolicyRequest, arg2 ...grpc.CallOption) (*admin.OrgIamPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateDefaultOrgIamPolicy", varargs...) - ret0, _ := ret[0].(*admin.OrgIamPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateDefaultOrgIamPolicy indicates an expected call of UpdateDefaultOrgIamPolicy -func (mr *MockAdminServiceClientMockRecorder) UpdateDefaultOrgIamPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateDefaultOrgIamPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).UpdateDefaultOrgIamPolicy), varargs...) 
-} - -// UpdateDefaultPasswordAgePolicy mocks base method -func (m *MockAdminServiceClient) UpdateDefaultPasswordAgePolicy(arg0 context.Context, arg1 *admin.DefaultPasswordAgePolicyRequest, arg2 ...grpc.CallOption) (*admin.DefaultPasswordAgePolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateDefaultPasswordAgePolicy", varargs...) - ret0, _ := ret[0].(*admin.DefaultPasswordAgePolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateDefaultPasswordAgePolicy indicates an expected call of UpdateDefaultPasswordAgePolicy -func (mr *MockAdminServiceClientMockRecorder) UpdateDefaultPasswordAgePolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateDefaultPasswordAgePolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).UpdateDefaultPasswordAgePolicy), varargs...) -} - -// UpdateDefaultPasswordComplexityPolicy mocks base method -func (m *MockAdminServiceClient) UpdateDefaultPasswordComplexityPolicy(arg0 context.Context, arg1 *admin.DefaultPasswordComplexityPolicyRequest, arg2 ...grpc.CallOption) (*admin.DefaultPasswordComplexityPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateDefaultPasswordComplexityPolicy", varargs...) - ret0, _ := ret[0].(*admin.DefaultPasswordComplexityPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateDefaultPasswordComplexityPolicy indicates an expected call of UpdateDefaultPasswordComplexityPolicy -func (mr *MockAdminServiceClientMockRecorder) UpdateDefaultPasswordComplexityPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateDefaultPasswordComplexityPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).UpdateDefaultPasswordComplexityPolicy), varargs...) -} - -// UpdateDefaultPasswordLockoutPolicy mocks base method -func (m *MockAdminServiceClient) UpdateDefaultPasswordLockoutPolicy(arg0 context.Context, arg1 *admin.DefaultPasswordLockoutPolicyRequest, arg2 ...grpc.CallOption) (*admin.DefaultPasswordLockoutPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateDefaultPasswordLockoutPolicy", varargs...) - ret0, _ := ret[0].(*admin.DefaultPasswordLockoutPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateDefaultPasswordLockoutPolicy indicates an expected call of UpdateDefaultPasswordLockoutPolicy -func (mr *MockAdminServiceClientMockRecorder) UpdateDefaultPasswordLockoutPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateDefaultPasswordLockoutPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).UpdateDefaultPasswordLockoutPolicy), varargs...) -} - -// UpdateIdpConfig mocks base method -func (m *MockAdminServiceClient) UpdateIdpConfig(arg0 context.Context, arg1 *admin.IdpUpdate, arg2 ...grpc.CallOption) (*admin.Idp, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateIdpConfig", varargs...) 
- ret0, _ := ret[0].(*admin.Idp) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateIdpConfig indicates an expected call of UpdateIdpConfig -func (mr *MockAdminServiceClientMockRecorder) UpdateIdpConfig(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateIdpConfig", reflect.TypeOf((*MockAdminServiceClient)(nil).UpdateIdpConfig), varargs...) -} - -// UpdateOidcIdpConfig mocks base method -func (m *MockAdminServiceClient) UpdateOidcIdpConfig(arg0 context.Context, arg1 *admin.OidcIdpConfigUpdate, arg2 ...grpc.CallOption) (*admin.OidcIdpConfig, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateOidcIdpConfig", varargs...) - ret0, _ := ret[0].(*admin.OidcIdpConfig) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateOidcIdpConfig indicates an expected call of UpdateOidcIdpConfig -func (mr *MockAdminServiceClientMockRecorder) UpdateOidcIdpConfig(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateOidcIdpConfig", reflect.TypeOf((*MockAdminServiceClient)(nil).UpdateOidcIdpConfig), varargs...) -} - -// UpdateOrgIamPolicy mocks base method -func (m *MockAdminServiceClient) UpdateOrgIamPolicy(arg0 context.Context, arg1 *admin.OrgIamPolicyRequest, arg2 ...grpc.CallOption) (*admin.OrgIamPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateOrgIamPolicy", varargs...) 
- ret0, _ := ret[0].(*admin.OrgIamPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateOrgIamPolicy indicates an expected call of UpdateOrgIamPolicy -func (mr *MockAdminServiceClientMockRecorder) UpdateOrgIamPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateOrgIamPolicy", reflect.TypeOf((*MockAdminServiceClient)(nil).UpdateOrgIamPolicy), varargs...) -} diff --git a/pkg/grpc/admin/oneof.go b/pkg/grpc/admin/oneof.go index 4ef1c0ce29..b6d73310e6 100644 --- a/pkg/grpc/admin/oneof.go +++ b/pkg/grpc/admin/oneof.go @@ -2,5 +2,5 @@ package admin //IdpConfig is a type alias of the generated isIdp_IdpConfig config //to make it public -type IdpConfig = isIdp_IdpConfig -type IdpConfigView = isIdpView_IdpConfigView +// type IdpConfig = isIdp_IdpConfig +// type IdpConfigView = isIdpView_IdpConfigView diff --git a/pkg/grpc/admin/proto/admin.proto b/pkg/grpc/admin/proto/admin.proto deleted file mode 100644 index f74c509eb2..0000000000 --- a/pkg/grpc/admin/proto/admin.proto +++ /dev/null 
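Review bot: In the pkg/grpc/admin/oneof.go hunk the two aliases are commented out rather than removed, while the doc comment above them still reads `//IdpConfig is a type alias of the generated isIdp_IdpConfig config`, so the file now documents a type it no longer declares. If the regenerated package no longer emits `isIdp_IdpConfig` and `isIdpView_IdpConfigView` (not visible in this diff), delete the commented-out lines together with the comment; otherwise keep the aliases. If the removal is meant to be temporary, say so in place with something like `// TODO: restore IdpConfig/IdpConfigView once the generated oneof interfaces are available again`. Any code outside this package that refers to `admin.IdpConfig` or `admin.IdpConfigView` will stop compiling, so those callers should be checked in the same change.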
@@ -1,1239 +0,0 @@ - -syntax = "proto3"; - -import "google/api/annotations.proto"; -import "google/protobuf/empty.proto"; -import "google/protobuf/timestamp.proto"; -import "validate/validate.proto"; -import "protoc-gen-swagger/options/annotations.proto"; -import "authoption/options.proto"; - -package caos.zitadel.admin.api.v1; - -option go_package ="github.com/caos/zitadel/pkg/grpc/admin"; - -option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = { - info: { - title: "admin service"; - version: "0.1"; - contact:{ - url: "https://github.com/caos/zitadel/pkg/admin" - }; - }; - - schemes: HTTPS; - - consumes: "application/json"; - consumes: "application/grpc"; - - produces: "application/json"; - produces: "application/grpc"; -}; - -service AdminService { - // --------- - // Probes - // --------- - - // Healthz returns status OK as soon as the service started - rpc Healthz(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - get: "/healthz" - }; - } - -//ORG - rpc IsOrgUnique(UniqueOrgRequest) returns (UniqueOrgResponse) { - option (google.api.http) = { - get: "/orgs/_isunique" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.read" - }; - } - - rpc GetOrgByID(OrgID) returns (Org) { - option (google.api.http) = { - get: "/orgs/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.read" - }; - } - - rpc SearchOrgs(OrgSearchRequest) returns (OrgSearchResponse) { - option (google.api.http) = { - post: "/orgs/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.read" - }; - } - - rpc SetUpOrg(OrgSetUpRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/orgs/_setup" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.write" - }; - } - - //ORG_IAM_POLICY - rpc GetDefaultOrgIamPolicy(google.protobuf.Empty) returns (OrgIamPolicyView) { - option (google.api.http) = { - 
get: "/orgs/default/policies/orgiam" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; - } - - rpc UpdateDefaultOrgIamPolicy(OrgIamPolicyRequest) returns (OrgIamPolicy) { - option (google.api.http) = { - put: "/orgs/default/policies/orgiam" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc GetOrgIamPolicy(OrgIamPolicyID) returns (OrgIamPolicyView) { - option (google.api.http) = { - get: "/orgs/{org_id}/policies/orgiam" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; - } - - rpc CreateOrgIamPolicy(OrgIamPolicyRequest) returns (OrgIamPolicy) { - option (google.api.http) = { - post: "/orgs/{org_id}/policies/orgiam" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc UpdateOrgIamPolicy(OrgIamPolicyRequest) returns (OrgIamPolicy) { - option (google.api.http) = { - put: "/orgs/{org_id}/policies/orgiam" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc RemoveOrgIamPolicy(OrgIamPolicyID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/orgs/{org_id}/policies/orgiam" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.delete" - }; - } - - rpc GetIamMemberRoles(google.protobuf.Empty) returns (IamMemberRoles) { - option (google.api.http) = { - get: "/members/roles" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.member.read" - }; - } - - rpc AddIamMember(AddIamMemberRequest) returns (IamMember) { - option (google.api.http) = { - post: "/members" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.member.write" - }; - } - - rpc ChangeIamMember(ChangeIamMemberRequest) returns (IamMember) { - option (google.api.http) = { - put: "/members/{user_id}" - body: "*" - }; - - option 
(caos.zitadel.utils.v1.auth_option) = { - permission: "iam.member.write" - }; - } - - rpc RemoveIamMember(RemoveIamMemberRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/members/{user_id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.member.delete" - }; - } - - rpc SearchIamMembers(IamMemberSearchRequest) returns (IamMemberSearchResponse) { - option (google.api.http) = { - post: "/members/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.member.read" - }; - } - - rpc GetViews(google.protobuf.Empty) returns (Views) { - option (google.api.http) = { - get: "/views" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.read" - }; - } - - rpc ClearView(ViewID) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/views/{database}/{view_name}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.write" - }; - } - - rpc GetFailedEvents(google.protobuf.Empty) returns (FailedEvents) { - option (google.api.http) = { - get: "/failedevents" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.read" - }; - } - - rpc RemoveFailedEvent(FailedEventID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/failedevents/{database}/{view_name}/{failed_sequence}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.write" - }; - } - - rpc IdpByID(IdpID) returns (IdpView) { - option (google.api.http) = { - get: "/idps/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.idp.read" - }; - } - - rpc CreateOidcIdp(OidcIdpConfigCreate) returns (Idp) { - option (google.api.http) = { - post: "/idps/oidc" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.idp.write" - }; - } - - rpc UpdateIdpConfig(IdpUpdate) returns (Idp) { - option (google.api.http) = { - put: "/idps/{id}" - body: "*" - }; 
- - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.idp.write" - }; - } - - rpc DeactivateIdpConfig(IdpID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/idps/{id}/_deactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.idp.write" - }; - } - - rpc ReactivateIdpConfig(IdpID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/idps/{id}/_reactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.idp.write" - }; - } - - rpc RemoveIdpConfig(IdpID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/idps/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.idp.write" - }; - } - - rpc UpdateOidcIdpConfig(OidcIdpConfigUpdate) returns (OidcIdpConfig) { - option (google.api.http) = { - put: "/idps/{idp_id}/oidcconfig" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.idp.write" - }; - } - - rpc SearchIdps(IdpSearchRequest) returns (IdpSearchResponse) { - option (google.api.http) = { - post: "/idps/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.idp.read" - }; - } - - rpc GetDefaultLabelPolicy(google.protobuf.Empty) returns (DefaultLabelPolicyView) { - option (google.api.http) = { - get: "/policies/label" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; - } - - rpc UpdateDefaultLabelPolicy(DefaultLabelPolicyUpdate) returns (DefaultLabelPolicy) { - option (google.api.http) = { - put: "/policies/label" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc GetDefaultMailTemplate(google.protobuf.Empty) returns (DefaultMailTemplateView) { - option (google.api.http) = { - get: "/policies/mailtemplate" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - 
}; - } - - rpc UpdateDefaultMailTemplate(DefaultMailTemplateUpdate) returns (DefaultMailTemplate) { - option (google.api.http) = { - put: "/policies/mailtemplate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc GetDefaultMailTexts(google.protobuf.Empty) returns (DefaultMailTextsView) { - option (google.api.http) = { - get: "/policies/mailtexts" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; - } - - rpc UpdateDefaultMailText(DefaultMailTextUpdate) returns (DefaultMailText) { - option (google.api.http) = { - put: "/policies/mailtext" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc GetDefaultLoginPolicy(google.protobuf.Empty) returns (DefaultLoginPolicyView) { - option (google.api.http) = { - get: "/policies/login" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; - } - - rpc UpdateDefaultLoginPolicy(DefaultLoginPolicyRequest) returns (DefaultLoginPolicy) { - option (google.api.http) = { - put: "/policies/login" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc GetDefaultLoginPolicyIdpProviders(IdpProviderSearchRequest) returns (IdpProviderSearchResponse) { - option (google.api.http) = { - post: "/policies/login/idpproviders/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; - } - - rpc AddIdpProviderToDefaultLoginPolicy(IdpProviderID) returns (IdpProviderID) { - option (google.api.http) = { - post: "/policies/login/idpproviders" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc RemoveIdpProviderFromDefaultLoginPolicy(IdpProviderID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: 
"/policies/login/idpproviders/{idp_config_id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc GetDefaultLoginPolicySecondFactors(google.protobuf.Empty) returns (SecondFactorsResult) { - option (google.api.http) = { - get: "/policies/login/secondfactors/_search" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; - } - - rpc AddSecondFactorToDefaultLoginPolicy(SecondFactor) returns (SecondFactor) { - option (google.api.http) = { - post: "/policies/login/secondfactors" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc RemoveSecondFactorFromDefaultLoginPolicy(SecondFactor) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/policies/login/secondfactors/{second_factor}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc GetDefaultLoginPolicyMultiFactors(google.protobuf.Empty) returns (MultiFactorsResult) { - option (google.api.http) = { - get: "/policies/login/multifactors/_search" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; - } - - rpc AddMultiFactorToDefaultLoginPolicy(MultiFactor) returns (MultiFactor) { - option (google.api.http) = { - post: "/policies/login/multifactors" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc RemoveMultiFactorFromDefaultLoginPolicy(MultiFactor) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/policies/login/multifactors/{multi_factor}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc GetDefaultPasswordComplexityPolicy(google.protobuf.Empty) returns (DefaultPasswordComplexityPolicyView) { - option (google.api.http) = { - get: "/policies/password/complexity" - }; - - option 
(caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; - } - - rpc UpdateDefaultPasswordComplexityPolicy(DefaultPasswordComplexityPolicyRequest) returns (DefaultPasswordComplexityPolicy) { - option (google.api.http) = { - put: "/policies/password/complexity" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc GetDefaultPasswordAgePolicy(google.protobuf.Empty) returns (DefaultPasswordAgePolicyView) { - option (google.api.http) = { - get: "/policies/password/age" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; - } - - rpc UpdateDefaultPasswordAgePolicy(DefaultPasswordAgePolicyRequest) returns (DefaultPasswordAgePolicy) { - option (google.api.http) = { - put: "/policies/password/age" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } - - rpc GetDefaultPasswordLockoutPolicy(google.protobuf.Empty) returns (DefaultPasswordLockoutPolicyView) { - option (google.api.http) = { - get: "/policies/password/lockout" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.read" - }; - } - - rpc UpdateDefaultPasswordLockoutPolicy(DefaultPasswordLockoutPolicyRequest) returns (DefaultPasswordLockoutPolicy) { - option (google.api.http) = { - put: "/policies/password/lockout" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "iam.policy.write" - }; - } -} - -message OrgID { - string id = 1 [(validate.rules).string = {min_len: 1}]; -} - -message UniqueOrgRequest { - string name = 1 [(validate.rules).string.min_len = 1]; - string domain = 2 [(validate.rules).string.min_len = 1]; -} - -message UniqueOrgResponse { - bool is_unique = 1; -} - -message Org { - string id = 1; - OrgState state = 2; - google.protobuf.Timestamp change_date = 3; - string name = 4; - string domain = 5; -} - -enum OrgState { - ORGSTATE_UNSPECIFIED = 0; - ORGSTATE_ACTIVE 
= 1; - ORGSTATE_INACTIVE = 2; -} - -message OrgSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - OrgSearchKey sorting_column = 3 [(validate.rules).enum = {not_in: [0]}];; - bool asc = 4; - repeated OrgSearchQuery queries = 5; -} - -message OrgSearchQuery { - OrgSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];; - OrgSearchMethod method = 2; - string value = 3; -} - -enum OrgSearchKey { - ORGSEARCHKEY_UNSPECIFIED = 0; - ORGSEARCHKEY_NAME = 1; - ORGSEARCHKEY_DOMAIN = 2; - ORGSEARCHKEY_STATE = 3; -} - -message OrgSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated Org result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -enum OrgSearchMethod { - ORGSEARCHMETHOD_EQUALS = 0; - ORGSEARCHMETHOD_STARTS_WITH = 1; - ORGSEARCHMETHOD_CONTAINS = 2; -} - -message OrgSetUpRequest { - CreateOrgRequest org = 1 [(validate.rules).message.required = true]; - CreateUserRequest user = 2 [(validate.rules).message.required = true]; -} - -message OrgSetUpResponse { - Org org = 1; - UserResponse user = 2; -} - -message CreateUserRequest { - string user_name = 1 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"]; - - oneof user { - option (validate.required) = true; - - CreateHumanRequest human = 2; - CreateMachineRequest machine = 3; - } -} - -message CreateHumanRequest { - string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string nick_name = 3 [(validate.rules).string = {max_len: 200}]; - string preferred_language = 4 [(validate.rules).string = {max_len: 200}]; - Gender gender = 5; - string email = 6 [(validate.rules).string = {min_len: 1, max_len: 200, email: true}]; - bool is_email_verified = 7; - string phone = 8 [(validate.rules).string = {max_len: 20}]; - bool is_phone_verified = 9; - string country = 10 [(validate.rules).string = {max_len: 200}]; - string locality 
= 11 [(validate.rules).string = {max_len: 200}]; - string postal_code = 12 [(validate.rules).string = {max_len: 200}]; - string region = 13 [(validate.rules).string = {max_len: 200}]; - string street_address = 14 [(validate.rules).string = {max_len: 200}]; - string password = 15 [(validate.rules).string = {max_len: 72}]; -} - -message CreateMachineRequest { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string description = 2 [(validate.rules).string = {max_len: 500}]; - } - -message UserResponse { - string id = 1; - UserState state = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; - uint64 sequence = 5; - string user_name = 6; - - oneof user { - option (validate.required) = true; - - HumanResponse human = 7; - MachineResponse machine = 8; - } -} - -enum UserState { - USERSTATE_UNSPECIFIED = 0; - USERSTATE_ACTIVE = 1; - USERSTATE_INACTIVE = 2; - USERSTATE_DELETED = 3; - USERSTATE_LOCKED = 4; - USERSTATE_SUSPEND = 5; - USERSTATE_INITIAL= 6; -} - -enum Gender { - GENDER_UNSPECIFIED = 0; - GENDER_FEMALE = 1; - GENDER_MALE = 2; - GENDER_DIVERSE = 3; -} - -message HumanResponse { - string first_name = 1; - string last_name = 2; - string display_name = 3; - string nick_name = 4; - string preferred_language = 5; - Gender gender = 6; - string email = 7; - bool is_email_verified = 8; - string phone = 9; - bool is_phone_verified = 10; - string country = 11; - string locality = 12; - string postal_code = 13; - string region = 14; - string street_address = 15; - } - - message MachineResponse { - string name = 1; - string description = 2; - repeated MachineKeyResponse keys = 3; - } - - message MachineKeyResponse { - string id = 1; - MachineKeyType type = 2; - uint64 sequence = 3; - - google.protobuf.Timestamp creation_date = 4; - google.protobuf.Timestamp expiration_date = 5; - } - - enum MachineKeyType { - MACHINEKEY_UNSPECIFIED = 0; - MACHINEKEY_JSON = 1; - } - -message CreateOrgRequest { - string 
name = 1 [(validate.rules).string.min_len = 1]; - string domain = 2; -} - -message OrgIamPolicy { - string org_id = 1; - bool user_login_must_be_domain = 2; - bool default = 3; - uint64 sequence = 4; - google.protobuf.Timestamp change_date = 5; -} - -message OrgIamPolicyView { - string org_id = 1; - bool user_login_must_be_domain = 2; - bool default = 3; - uint64 sequence = 4; - google.protobuf.Timestamp creation_date = 5; - google.protobuf.Timestamp change_date = 6; -} - -message OrgIamPolicyRequest { - string org_id = 1 [(validate.rules).string = {min_len: 1}]; - string description = 2; - bool user_login_must_be_domain = 3; -} - -message OrgIamPolicyID { - string org_id = 1 [(validate.rules).string = {min_len: 1}]; -} - -message IamMemberRoles { - repeated string roles = 1; -} - -message IamMember { - string user_id = 1; - repeated string roles = 2; - google.protobuf.Timestamp change_date = 3; - uint64 sequence = 4; -} - -message AddIamMemberRequest { - string user_id = 1 [(validate.rules).string = {min_len: 1}]; - repeated string roles = 2; -} - -message ChangeIamMemberRequest { - string user_id = 1 [(validate.rules).string = {min_len: 1}]; - repeated string roles = 2; -} - -message RemoveIamMemberRequest { - string user_id = 1 [(validate.rules).string = {min_len: 1}]; -} - -message IamMemberSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated IamMemberView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message IamMemberView { - string user_id = 1; - repeated string roles = 2; - google.protobuf.Timestamp change_date = 3; - google.protobuf.Timestamp creation_date = 4; - uint64 sequence = 5; - string user_name = 6; - string email = 7; - string first_name = 8; - string last_name = 9; - string display_name = 10; -} - -message IamMemberSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - repeated IamMemberSearchQuery queries = 3; -} - -message IamMemberSearchQuery { - 
IamMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; -} - -enum IamMemberSearchKey { - IAMMEMBERSEARCHKEY_UNSPECIFIED = 0; - IAMMEMBERSEARCHKEY_FIRST_NAME = 1; - IAMMEMBERSEARCHKEY_LAST_NAME = 2; - IAMMEMBERSEARCHKEY_EMAIL = 3; - IAMMEMBERSEARCHKEY_USER_ID = 4; -} - -enum SearchMethod { - SEARCHMETHOD_EQUALS = 0; - SEARCHMETHOD_STARTS_WITH = 1; - SEARCHMETHOD_CONTAINS = 2; - SEARCHMETHOD_EQUALS_IGNORE_CASE = 3; - SEARCHMETHOD_STARTS_WITH_IGNORE_CASE = 4; - SEARCHMETHOD_CONTAINS_IGNORE_CASE = 5; - SEARCHMETHOD_NOT_EQUALS = 6; - SEARCHMETHOD_GREATER_THAN = 7; - SEARCHMETHOD_LESS_THAN = 8; - SEARCHMETHOD_IS_ONE_OF = 9; - SEARCHMETHOD_LIST_CONTAINS = 10; -} - -message FailedEventID { - string database = 1 [(validate.rules).string = {min_len: 1}]; - string view_name = 2 [(validate.rules).string = {min_len: 1}]; - uint64 failed_sequence = 3; -} - -message FailedEvents { - repeated FailedEvent failed_events = 1; -} - -message FailedEvent { - string database = 1; - string view_name = 2; - uint64 failed_sequence = 3; - uint64 failure_count = 4; - string error_message = 5; -} - -message ViewID { - string database = 1 [(validate.rules).string = {min_len: 1}]; - string view_name = 2 [(validate.rules).string = {min_len: 1}]; -} - -message Views { - repeated View views = 1; -} - -message View { - string database = 1; - string view_name = 2; - uint64 processed_sequence = 3; - google.protobuf.Timestamp event_timestamp = 4; - google.protobuf.Timestamp last_successful_spooler_run = 5; -} - -message IdpID { - string id = 1 [(validate.rules).string = {min_len: 1}]; -} - -message Idp { - string id = 1; - IdpState state = 2; - google.protobuf.Timestamp change_date = 3; - string name = 4; - IdpStylingType styling_type = 5; - oneof idp_config { - OidcIdpConfig oidc_config = 6; - } - uint64 sequence = 7; -} - -message IdpUpdate { - string id = 1 [(validate.rules).string = {min_len: 1}]; - string name = 2; - IdpStylingType 
styling_type = 3; -} - -message OidcIdpConfig { - string client_id = 1; - string client_secret = 2; - string issuer = 3; - repeated string scopes = 4; -} - -enum IdpStylingType { - IDPSTYLINGTYPE_UNSPECIFIED = 0; - IDPSTYLINGTYPE_GOOGLE = 1; -} - -enum IdpState { - IDPCONFIGSTATE_UNSPECIFIED = 0; - IDPCONFIGSTATE_ACTIVE = 1; - IDPCONFIGSTATE_INACTIVE = 2; -} - -enum OIDCMappingField { - OIDCMAPPINGFIELD_UNSPECIFIED = 0; - OIDCMAPPINGFIELD_PREFERRED_USERNAME = 1; - OIDCMAPPINGFIELD_EMAIL = 2; -} - -message OidcIdpConfigCreate { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - IdpStylingType styling_type = 2; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 6; - OIDCMappingField idp_display_name_mapping = 7; - OIDCMappingField username_mapping = 8; -} - -message OidcIdpConfigUpdate { - string idp_id = 1 [(validate.rules).string = {min_len: 1}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3; - string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 5; - OIDCMappingField idp_display_name_mapping = 6; - OIDCMappingField username_mapping = 7; -} - -message IdpSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated IdpView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message IdpView { - string id = 1; - IdpState state = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; - string name = 5; - IdpStylingType styling_type = 6; - oneof idp_config_view { - OidcIdpConfigView oidc_config = 7; - } - uint64 sequence = 8; -} - -message OidcIdpConfigView { - string client_id = 1; - string issuer = 2; - 
repeated string scopes = 3; - OIDCMappingField idp_display_name_mapping = 4; - OIDCMappingField username_mapping = 5; -} - -message IdpSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - repeated IdpSearchQuery queries = 3; -} - -message IdpSearchQuery { - IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; -} - -enum IdpSearchKey { - IDPSEARCHKEY_UNSPECIFIED = 0; - IDPSEARCHKEY_IDP_CONFIG_ID = 1; - IDPSEARCHKEY_NAME = 2; -} - -message DefaultLabelPolicy { - string primary_color = 1; - string secondary_color = 2; - google.protobuf.Timestamp change_date = 3; -} - -message DefaultLabelPolicyUpdate { - string primary_color = 1; - string secondary_color = 2; -} - -message DefaultLabelPolicyView { - string primary_color = 1; - string secondary_color = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; -} - -message DefaultMailTemplate { - bytes template = 1; - google.protobuf.Timestamp creation_date = 2; - google.protobuf.Timestamp change_date = 3; -} - -message DefaultMailTemplateUpdate { - bytes template = 1; -} - -message DefaultMailTemplateView { - bytes template = 1; - google.protobuf.Timestamp creation_date = 2; - google.protobuf.Timestamp change_date = 3; -} - -message DefaultMailText { - string mail_text_type = 1; - string language = 2; - string title = 3; - string pre_header = 4; - string subject = 5; - string greeting = 6; - string text = 7; - string button_text = 8; - google.protobuf.Timestamp creation_date = 9; - google.protobuf.Timestamp change_date = 10; -} - -message DefaultMailTextUpdate { - string mail_text_type = 1; - string language = 2; - string title = 3; - string pre_header = 4; - string subject = 5; - string greeting = 6; - string text = 7; - string button_text = 8; -} - -message DefaultMailTextsView{ - repeated DefaultMailTextView texts = 1; -} - -message DefaultMailTextView { - string mail_text_type = 1; - string language = 2; - string 
title = 3; - string pre_header = 4; - string subject = 5; - string greeting = 6; - string text = 7; - string button_text = 8; - google.protobuf.Timestamp creation_date = 9; - google.protobuf.Timestamp change_date = 10; -} - -message DefaultLoginPolicy { - bool allow_username_password = 1; - bool allow_register = 2; - bool allow_external_idp = 3; - google.protobuf.Timestamp change_date = 4; - bool force_mfa = 5; - PasswordlessType passwordless_type = 6; -} - -message DefaultLoginPolicyRequest { - bool allow_username_password = 1; - bool allow_register = 2; - bool allow_external_idp = 3; - bool force_mfa = 4; - PasswordlessType passwordless_type = 5; -} - -enum PasswordlessType { - PASSWORDLESSTYPE_NOT_ALLOWED = 0; - PASSWORDLESSTYPE_ALLOWED = 1; -} - -message IdpProviderID { - string idp_config_id = 1 [(validate.rules).string = {min_len: 1}]; -} - -message DefaultLoginPolicyView { - bool allow_username_password = 1; - bool allow_register = 2; - bool allow_external_idp = 3; - google.protobuf.Timestamp creation_date = 4; - google.protobuf.Timestamp change_date = 5; - bool force_mfa = 6; - PasswordlessType passwordless_type = 7; -} - -message IdpProviderView { - string idp_config_id = 1; - string name = 2; - IdpType type = 3; -} - -enum IdpType { - IDPTYPE_UNSPECIFIED = 0; - IDPTYPE_OIDC = 1; - IDPTYPE_SAML = 2; -} - -message IdpProviderSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated IdpProviderView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message IdpProviderSearchRequest { - uint64 offset = 1; - uint64 limit = 2; -} - -message SecondFactorsResult { - repeated SecondFactorType second_factors = 1; -} - -message SecondFactor { - SecondFactorType second_factor = 1; -} - -enum SecondFactorType { - SECONDFACTORTYPE_UNSPECIFIED = 0; - SECONDFACTORTYPE_OTP = 1; - SECONDFACTORTYPE_U2F = 2; -} - -message MultiFactorsResult { - repeated MultiFactorType multi_factors = 1; -} 
- -message MultiFactor { - MultiFactorType multi_factor = 1; -} - -enum MultiFactorType { - MULTIFACTORTYPE_UNSPECIFIED = 0; - MULTIFACTORTYPE_U2F_WITH_PIN = 1; -} - -message DefaultPasswordComplexityPolicy { - uint64 min_length = 1; - bool has_uppercase = 2; - bool has_lowercase = 3; - bool has_number = 4; - bool has_symbol = 5; - google.protobuf.Timestamp change_date = 6; -} - -message DefaultPasswordComplexityPolicyRequest { - uint64 min_length = 1; - bool has_uppercase = 2; - bool has_lowercase = 3; - bool has_number = 4; - bool has_symbol = 5; -} - -message DefaultPasswordComplexityPolicyView { - uint64 min_length = 1; - bool has_uppercase = 2; - bool has_lowercase = 3; - bool has_number = 4; - bool has_symbol = 5; - google.protobuf.Timestamp creation_date = 6; - google.protobuf.Timestamp change_date = 7; -} - -message DefaultPasswordAgePolicy { - uint64 max_age_days = 1; - uint64 expire_warn_days = 2; - google.protobuf.Timestamp change_date = 3; -} - -message DefaultPasswordAgePolicyRequest { - uint64 max_age_days = 1; - uint64 expire_warn_days = 2; -} - -message DefaultPasswordAgePolicyView { - uint64 max_age_days = 1; - uint64 expire_warn_days = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; -} - -message DefaultPasswordLockoutPolicy { - uint64 max_attempts = 1; - bool show_lockout_failure = 2; - google.protobuf.Timestamp change_date = 3; -} - -message DefaultPasswordLockoutPolicyRequest { - uint64 max_attempts = 1; - bool show_lockout_failure = 2; -} - -message DefaultPasswordLockoutPolicyView { - uint64 max_attempts = 1; - bool show_lockout_failure = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; -} \ No newline at end of file diff --git a/pkg/grpc/admin/proto/generate.go b/pkg/grpc/admin/proto/generate.go deleted file mode 100644 index 48a0259c55..0000000000 --- a/pkg/grpc/admin/proto/generate.go +++ /dev/null 
@@ -1,4 +0,0 @@ -package proto - -//go:generate protoc -I$GOPATH/src -I../proto -I$GOPATH/src/github.com/grpc-ecosystem/grpc-gateway -I$GOPATH/src/github.com/grpc-ecosystem/grpc-gateway/third_party/googleapis -I$GOPATH/src/github.com/envoyproxy/protoc-gen-validate -I$GOPATH/src/github.com/caos/zitadel/internal/protoc/protoc-gen-authoption --go_out=plugins=grpc:$GOPATH/src --grpc-gateway_out=logtostderr=true:$GOPATH/src --swagger_out=logtostderr=true:.. --authoption_out=.. --validate_out=lang=go:${GOPATH}/src admin.proto -//go:generate mockgen -package api -destination ../mock/admin.proto.mock.go github.com/caos/zitadel/pkg/grpc/admin AdminServiceClient diff --git a/pkg/grpc/management/application.go b/pkg/grpc/app/application.go similarity index 71% rename from pkg/grpc/management/application.go rename to pkg/grpc/app/application.go index c727711978..7d35bddafb 100644 --- a/pkg/grpc/management/application.go +++ b/pkg/grpc/app/application.go @@ -1,16 +1,16 @@ -package management +package app import ( "github.com/caos/zitadel/internal/api/grpc/server/middleware" ) -func (a *ApplicationView) Localizers() []middleware.Localizer { +func (a *App) Localizers() []middleware.Localizer { if a == nil { return nil } - switch configType := a.AppConfig.(type) { - case *ApplicationView_OidcConfig: + switch configType := a.Config.(type) { + case *App_OidcConfig: if !configType.OidcConfig.NoneCompliant { return nil } @@ -22,3 +22,5 @@ func (a *ApplicationView) Localizers() []middleware.Localizer { } return nil } + +type AppConfig = isApp_Config diff --git a/pkg/grpc/auth/changes.go b/pkg/grpc/auth/changes.go index 30a71b5cc6..884c044fb0 100644 --- a/pkg/grpc/auth/changes.go +++ b/pkg/grpc/auth/changes.go 
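Review bot: In `(*App).Localizers`, `configType.OidcConfig.NoneCompliant` reads a field through the nested message pointer without checking it, so an `App_OidcConfig` wrapper whose `OidcConfig` is nil would panic; only the receiver `a` is nil-checked. The method returns `[]middleware.Localizer`, so it presumably runs on messages passing through the gRPC middleware. A guard such as `if configType.OidcConfig == nil || !configType.OidcConfig.NoneCompliant { return nil }` would keep a partially populated message from crashing the handler. The pkg/grpc/auth/changes.go hunk has the same pattern: `change.EventType` is read from each element of `c.Result` with no nil check on `change`, assuming the elements are pointers, which the hunk does not show. The body of `Localizers` continues outside this hunk.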
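Review bot: The new exported alias `type AppConfig = isApp_Config` at the end of pkg/grpc/app/application.go has no doc comment. A line such as `// AppConfig is an alias of the generated isApp_Config oneof interface, exported so other packages can name it.` would state why the alias exists, as the comment in pkg/grpc/admin/oneof.go did for `IdpConfig`.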
@@ -2,12 +2,12 @@ package auth import "github.com/caos/zitadel/internal/api/grpc/server/middleware" -func (c *Changes) Localizers() []middleware.Localizer { +func (c *ListMyUserChangesResponse) Localizers() []middleware.Localizer { if c == nil { return nil } - localizers := make([]middleware.Localizer, len(c.Changes)) - for i, change := range c.Changes { + localizers := make([]middleware.Localizer, len(c.Result)) + for i, change := range c.Result { localizers[i] = change.EventType } return localizers diff --git a/pkg/grpc/auth/proto/auth.proto b/pkg/grpc/auth/proto/auth.proto deleted file mode 100644 index bb5ca291ae..0000000000 --- a/pkg/grpc/auth/proto/auth.proto +++ /dev/null 
@@ -1,918 +0,0 @@ -syntax = "proto3"; - -import "google/api/annotations.proto"; -import "google/protobuf/empty.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/timestamp.proto"; -import "validate/validate.proto"; -import "protoc-gen-swagger/options/annotations.proto"; -import "authoption/options.proto"; -import "proto/message.proto"; - -package caos.zitadel.auth.api.v1; - -option go_package = "github.com/caos/zitadel/pkg/grpc/auth"; - -option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = { - info: { - title: "Auth API"; - version: "0.1"; - contact:{ - url: "https://github.com/caos/zitadel/pkg/auth" - }; - }; - - schemes: HTTPS; - - consumes: "application/json"; - consumes: "application/grpc"; - - produces: "application/json"; - produces: "application/grpc"; -}; - -service AuthService { - // Readiness - rpc Healthz(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - get: "/healthz" - }; - } - - // Authorization - rpc GetMyUserSessions(google.protobuf.Empty) returns (UserSessionViews) { - option (google.api.http) = { - get: "/users/me/sessions" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - //User - rpc GetMyUser(google.protobuf.Empty) returns (UserView) { - option (google.api.http) = { - get: "/users/me" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc GetMyUserProfile(google.protobuf.Empty) returns (UserProfileView) { - option (google.api.http) = { - get: "/users/me/profile" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc UpdateMyUserProfile(UpdateUserProfileRequest) returns (UserProfile) { - option (google.api.http) = { - put: "/users/me/profile" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc ChangeMyUserName(ChangeUserNameRequest) returns (google.protobuf.Empty) 
{ - option (google.api.http) = { - put: "/users/me/username" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc GetMyUserEmail(google.protobuf.Empty) returns (UserEmailView) { - option (google.api.http) = { - get: "/users/me/email" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc ChangeMyUserEmail(UpdateUserEmailRequest) returns (UserEmail) { - option (google.api.http) = { - put: "/users/me/email" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc VerifyMyUserEmail(VerifyMyUserEmailRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/users/me/email/_verify" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc ResendMyEmailVerificationMail(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/users/me/email/_resendverification" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc GetMyUserPhone(google.protobuf.Empty) returns (UserPhoneView) { - option (google.api.http) = { - get: "/users/me/phone" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc ChangeMyUserPhone(UpdateUserPhoneRequest) returns (UserPhone) { - option (google.api.http) = { - put: "/users/me/phone" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc RemoveMyUserPhone(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/me/phone" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc VerifyMyUserPhone(VerifyUserPhoneRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: 
"/users/me/phone/_verify" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc ResendMyPhoneVerificationCode(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/users/me/phone/_resendverification" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc GetMyUserAddress(google.protobuf.Empty) returns (UserAddressView) { - option (google.api.http) = { - get: "/users/me/address" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc GetMyUserChanges(ChangesRequest) returns (Changes) { - option (google.api.http) = { - get: "/users/me/changes" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc UpdateMyUserAddress(UpdateUserAddressRequest) returns (UserAddress) { - option (google.api.http) = { - put: "/users/me/address" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc GetMyMfas(google.protobuf.Empty) returns (MultiFactors) { - option (google.api.http) = { - get: "/users/me/mfas" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - //Password - rpc ChangeMyPassword(PasswordChange) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/users/me/passwords/_change" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc GetMyPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicy) { - option (google.api.http) = { - get: "/policies/passwords/complexity" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - //ExternalIDP - rpc SearchMyExternalIDPs(ExternalIDPSearchRequest) returns (ExternalIDPSearchResponse) { - option (google.api.http) = { - post: 
"/users/me/externalidps/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc RemoveMyExternalIDP(ExternalIDPRemoveRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/me/externalidps/{idp_config_id}/{external_user_id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - // MFA - rpc AddMfaOTP(google.protobuf.Empty) returns (MfaOtpResponse) { - option (google.api.http) = { - post: "/users/me/mfas/otp" - body: "*" - }; - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc VerifyMfaOTP(VerifyMfaOtp) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/users/me/mfas/otp/_verify" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc RemoveMfaOTP(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/me/mfas/otp" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc AddMyMfaU2F(google.protobuf.Empty) returns (WebAuthNResponse) { - option (google.api.http) = { - post: "/users/me/mfas/u2f" - body: "*" - }; - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc VerifyMyMfaU2F(VerifyWebAuthN) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/users/me/mfas/u2f/_verify" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc RemoveMyMfaU2F(WebAuthNTokenID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/me/mfas/u2f/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc GetMyPasswordless(google.protobuf.Empty) returns (WebAuthNTokens) { - option (google.api.http) = { - get: 
"/users/me/passwordless" - }; - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc AddMyPasswordless(google.protobuf.Empty) returns (WebAuthNResponse) { - option (google.api.http) = { - post: "/users/me/passwordless" - body: "*" - }; - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc VerifyMyPasswordless(VerifyWebAuthN) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/users/me/passwordless/_verify" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc RemoveMyPasswordless(WebAuthNTokenID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/me/passwordless/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc SearchMyUserGrant(UserGrantSearchRequest) returns (UserGrantSearchResponse) { - option (google.api.http) = { - post: "/usergrants/me/_search" - body: "*" - }; - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc SearchMyProjectOrgs(MyProjectOrgSearchRequest) returns (MyProjectOrgSearchResponse) { - option (google.api.http) = { - post: "/global/projectorgs/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - //Permission - rpc GetMyZitadelPermissions(google.protobuf.Empty) returns (MyPermissions) { - option (google.api.http) = { - get: "/permissions/zitadel/me" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc GetMyProjectPermissions(google.protobuf.Empty) returns (MyPermissions) { - option (google.api.http) = { - get: "/permissions/me" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc SearchMyUserMemberships(UserMembershipSearchRequest) returns (UserMembershipSearchResponse) { - option 
(google.api.http) = { - post: "/users/me/memberships/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } -} - -message UserSessionViews { - repeated UserSessionView user_sessions = 1; -} - -message UserSessionView { - string id = 1; - string agent_id = 2; - UserSessionState auth_state = 3; - string user_id = 4; - string user_name = 5; - uint64 sequence = 6; - string login_name = 7; - string display_name = 8; -} - -enum UserSessionState { - USERSESSIONSTATE_UNSPECIFIED = 0; - USERSESSIONSTATE_ACTIVE = 1; - USERSESSIONSTATE_TERMINATED = 2; -} - -message UserView { - string id = 1; - UserState state = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; - uint64 sequence = 5; - repeated string login_names = 6; - string preferred_login_name = 7; - google.protobuf.Timestamp last_login = 8; - string resource_owner = 9; - string user_name = 10; - - oneof user { - option (validate.required) = true; - - HumanView human = 11; - MachineView machine = 12; - } -} - -message MachineView { - google.protobuf.Timestamp last_key_added = 1; - - string name = 2; - string description = 3; -} - -message MachineKeyView { - string id = 1; - MachineKeyType type = 2; - uint64 sequence = 3; - - google.protobuf.Timestamp creation_date = 4; - google.protobuf.Timestamp expiration_date = 5; -} - -enum MachineKeyType { - MACHINEKEY_UNSPECIFIED = 0; - MACHINEKEY_JSON = 1; -} - -message HumanView { - google.protobuf.Timestamp password_changed = 1; - string first_name = 2; - string last_name = 3; - string display_name = 4; - string nick_name = 5; - string preferred_language = 6; - Gender gender = 7; - string email = 8; - bool is_email_verified = 9; - string phone = 10; - bool is_phone_verified = 11; - string country = 12; - string locality = 13; - string postal_code = 14; - string region = 15; - string street_address = 16; -} - -enum UserState { - USERSTATE_UNSPECIFIED = 0; - USERSTATE_ACTIVE = 
1; - USERSTATE_INACTIVE = 2; - USERSTATE_DELETED = 3; - USERSTATE_LOCKED = 4; - USERSTATE_SUSPEND = 5; - USERSTATE_INITIAL = 6; -} - -enum Gender { - GENDER_UNSPECIFIED = 0; - GENDER_FEMALE = 1; - GENDER_MALE = 2; - GENDER_DIVERSE = 3; -} - -message UserProfile { - string id = 1; - string first_name = 2; - string last_name = 3; - string nick_name = 4; - string display_name = 5; - string preferred_language = 6; - Gender gender = 7; - uint64 sequence = 8; - google.protobuf.Timestamp creation_date = 9; - google.protobuf.Timestamp change_date = 10; -} - -message UserProfileView { - string id = 1; - string first_name = 2; - string last_name = 3; - string nick_name = 4; - string display_name = 5; - string preferred_language = 6; - Gender gender = 7; - uint64 sequence = 8; - google.protobuf.Timestamp creation_date = 9; - google.protobuf.Timestamp change_date = 10; - repeated string login_names = 11; - string preferred_login_name = 12; -} - -message UpdateUserProfileRequest { - string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string nick_name = 3 [(validate.rules).string.max_len = 200]; - string preferred_language = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - Gender gender = 5; -} - -message ChangeUserNameRequest { - string user_name = 1 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"]; -} - -message UserEmail { - string id = 1; - string email = 2; - bool isEmailVerified = 3; - uint64 sequence = 4; - google.protobuf.Timestamp creation_date = 5; - google.protobuf.Timestamp change_date = 6; -} - -message UserEmailView { - string id = 1; - string email = 2; - bool isEmailVerified = 3; - uint64 sequence = 4; - google.protobuf.Timestamp creation_date = 5; - google.protobuf.Timestamp change_date = 6; -} - -message VerifyMyUserEmailRequest { - string code = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; -} - -message 
UpdateUserEmailRequest { - string email = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; -} - -message UserPhone { - string id = 1; - string phone = 2; - bool is_phone_verified = 3; - uint64 sequence = 4; - google.protobuf.Timestamp creation_date = 5; - google.protobuf.Timestamp change_date = 6; -} - -message UserPhoneView { - string id = 1; - string phone = 2; - bool is_phone_verified = 3; - uint64 sequence = 4; - google.protobuf.Timestamp creation_date = 5; - google.protobuf.Timestamp change_date = 6; -} - -message UpdateUserPhoneRequest { - string phone = 1 [(validate.rules).string = {min_len: 1, max_len: 20}]; -} - -message VerifyUserPhoneRequest { - string code = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; -} - -message UserAddress { - string id = 1; - string country = 2; - string locality = 3; - string postal_code = 4; - string region = 5; - string street_address = 6; - uint64 sequence = 7; - google.protobuf.Timestamp creation_date = 8; - google.protobuf.Timestamp change_date = 9; -} - -message UserAddressView { - string id = 1; - string country = 2; - string locality = 3; - string postal_code = 4; - string region = 5; - string street_address = 6; - uint64 sequence = 7; - google.protobuf.Timestamp creation_date = 8; - google.protobuf.Timestamp change_date = 9; -} - -message UpdateUserAddressRequest { - string country = 1 [(validate.rules).string = {max_len: 200}]; - string locality = 2 [(validate.rules).string = {max_len: 200}]; - string postal_code = 3 [(validate.rules).string = {max_len: 200}]; - string region = 4 [(validate.rules).string = {max_len: 200}]; - string street_address = 5 [(validate.rules).string = {max_len: 200}]; -} - -message PasswordChange { - string old_password = 1 [(validate.rules).string = {min_len: 1, max_len: 72}]; - string new_password = 2 [(validate.rules).string = {min_len: 1, max_len: 72}]; -} - -enum MfaType { - MFATYPE_UNSPECIFIED = 0; - MFATYPE_OTP = 1; - MFATYPE_U2F = 2; -} - -message VerifyMfaOtp { - 
string code = 1 [(validate.rules).string = {min_len: 1}]; -} - -message MultiFactors { - repeated MultiFactor mfas = 1; -} - -message MultiFactor { - MfaType type = 1; - MFAState state = 2; - string attribute = 3; - string id = 4; -} - -message MfaOtpResponse { - string user_id = 1; - string url = 2; - string secret = 3; - MFAState state = 4; -} - -message WebAuthNTokens { - repeated WebAuthNToken tokens = 1; -} - -message WebAuthNToken { - string id = 1; - string name = 2; - MFAState state = 3; -} - -message WebAuthNResponse { - string id = 1; - bytes public_key = 2; - MFAState state = 3; -} - -message VerifyWebAuthN { - bytes public_key_credential = 1; - string token_name = 2; -} - -message WebAuthNTokenID { - string id = 1; -} - -enum MFAState { - MFASTATE_UNSPECIFIED = 0; - MFASTATE_NOT_READY = 1; - MFASTATE_READY = 2; - MFASTATE_REMOVED = 3; -} - -message UserGrantSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - UserGrantSearchKey sorting_column = 3 [(validate.rules).enum = {not_in: [0]}];; - bool asc = 4; - repeated UserGrantSearchQuery queries = 5; -} - -message UserGrantSearchQuery { - UserGrantSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];; - SearchMethod method = 2; - string value = 3; -} - -enum UserGrantSearchKey { - UserGrantSearchKey_UNKNOWN = 0; - UserGrantSearchKey_ORG_ID = 1; - UserGrantSearchKey_PROJECT_ID = 2; -} - -message UserGrantSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated UserGrantView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message UserGrantView { - string OrgId = 1; - string ProjectId = 2; - string UserId = 3; - repeated string Roles = 4; - string OrgName = 5; - string GrantId = 6; -} - -message MyProjectOrgSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - bool asc = 4; - repeated MyProjectOrgSearchQuery queries = 5; -} - -message MyProjectOrgSearchQuery { - MyProjectOrgSearchKey key = 1 
[(validate.rules).enum = {not_in: [0]}];; - SearchMethod method = 2; - string value = 3; -} - -enum MyProjectOrgSearchKey { - MYPROJECTORGSEARCHKEY_UNSPECIFIED = 0; - MYPROJECTORGSEARCHKEY_ORG_NAME = 1; -} - -message MyProjectOrgSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated Org result = 4; -} - -message Org { - string id = 1; - string name = 2; -} - -message MyPermissions { - repeated string permissions = 1; -} - -enum SearchMethod { - SEARCHMETHOD_EQUALS = 0; - SEARCHMETHOD_STARTS_WITH = 1; - SEARCHMETHOD_CONTAINS = 2; - SEARCHMETHOD_EQUALS_IGNORE_CASE = 3; - SEARCHMETHOD_STARTS_WITH_IGNORE_CASE = 4; - SEARCHMETHOD_CONTAINS_IGNORE_CASE = 5; -} - -message ChangesRequest { - uint64 limit = 1; - uint64 sequence_offset = 2; - bool asc = 3; -} - -message Changes { - repeated Change changes = 1; - uint64 offset = 2; - uint64 limit = 3; -} - -message Change { - google.protobuf.Timestamp change_date = 1; - caos.zitadel.api.v1.LocalizedMessage event_type = 2; - uint64 sequence = 3; - string editor_id = 4; - string editor = 5; - google.protobuf.Struct data = 6; -} - -message PasswordComplexityPolicy { - string id = 1; - string description = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; - uint64 min_length = 5; - bool has_lowercase = 6; - bool has_uppercase = 7; - bool has_number = 8; - bool has_symbol = 9; - uint64 sequence = 10; - bool is_default = 11; -} - -message ExternalIDPResponse { - string idp_config_id = 1; - string user_id = 2; - string display_name = 3; -} - -message ExternalIDPRemoveRequest { - string idp_config_id = 1; - string external_user_id = 2; -} - -message ExternalIDPSearchRequest { - uint64 offset = 1; - uint64 limit = 2; -} - -message ExternalIDPSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated ExternalIDPView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - 
-message ExternalIDPView { - string user_id = 1; - string idp_config_id = 2; - string external_user_id = 3; - string idp_name = 4; - string external_user_display_name = 5; - google.protobuf.Timestamp creation_date = 6; - google.protobuf.Timestamp change_date = 7; -} - - -message UserMembershipSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated UserMembershipView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message UserMembershipSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - repeated UserMembershipSearchQuery queries = 3; -} - -message UserMembershipSearchQuery { - UserMembershipSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2 [(validate.rules).enum = {in: [0]}]; - string value = 3; -} - -enum UserMembershipSearchKey { - USERMEMBERSHIPSEARCHKEY_UNSPECIFIED = 0; - USERMEMBERSHIPSEARCHKEY_TYPE = 1; - USERMEMBERSHIPSEARCHKEY_OBJECT_ID = 2; -} - -message UserMembershipView { - string user_id = 1; - MemberType member_type = 2; - string aggregate_id = 3; - string object_id = 4; - repeated string roles = 5; - string display_name = 6; - google.protobuf.Timestamp creation_date = 7; - google.protobuf.Timestamp change_date = 8; - uint64 sequence = 9; - string resource_owner = 10; -} - -enum MemberType { - MEMBERTYPE_UNSPECIFIED = 0; - MEMBERTYPE_ORGANISATION = 1; - MEMBERTYPE_PROJECT = 2; - MEMBERTYPE_PROJECT_GRANT = 3; -} diff --git a/pkg/grpc/auth/proto/generate.go b/pkg/grpc/auth/proto/generate.go deleted file mode 100644 index f8d39cd2a9..0000000000 --- a/pkg/grpc/auth/proto/generate.go +++ /dev/null 
@@ -1,4 +0,0 @@ -package proto - -//go:generate protoc -I${GOPATH}/src -I../proto -I${GOPATH}/src/github.com/caos/zitadel/pkg/grpc/message -I${GOPATH}/src/github.com/grpc-ecosystem/grpc-gateway -I${GOPATH}/src/github.com/grpc-ecosystem/grpc-gateway/third_party/googleapis -I${GOPATH}/src/github.com/envoyproxy/protoc-gen-validate -I${GOPATH}/src/github.com/caos/zitadel/internal/protoc/protoc-gen-authoption --go_out=plugins=grpc:${GOPATH}/src --grpc-gateway_out=logtostderr=true:${GOPATH}/src --swagger_out=logtostderr=true:.. --authoption_out=:.. --validate_out=lang=go:${GOPATH}/src auth.proto -//go:generate mockgen -package api -destination ../mock/auth.proto.mock.go github.com/caos/zitadel/pkg/grpc/auth AuthServiceClient diff --git a/pkg/grpc/management/changes.go b/pkg/grpc/management/changes.go index 3120e82aaf..172d2de0d3 100644 --- a/pkg/grpc/management/changes.go +++ b/pkg/grpc/management/changes.go 
@@ -4,12 +4,45 @@ import ( "github.com/caos/zitadel/internal/api/grpc/server/middleware" ) -func (c *Changes) Localizers() []middleware.Localizer { +func (c *ListUserChangesResponse) Localizers() []middleware.Localizer { if c == nil { return nil } - localizers := make([]middleware.Localizer, len(c.Changes)) - for i, change := range c.Changes { + localizers := make([]middleware.Localizer, len(c.Result)) + for i, change := range c.Result { + localizers[i] = change.EventType + } + return localizers +} + +func (c *ListOrgChangesResponse) Localizers() []middleware.Localizer { + if c == nil { + return nil + } + localizers := make([]middleware.Localizer, len(c.Result)) + for i, change := range c.Result { + localizers[i] = change.EventType + } + return localizers +} + +func (c *ListProjectChangesResponse) Localizers() []middleware.Localizer { + if c == nil { + return nil + } + localizers := make([]middleware.Localizer, len(c.Result)) + for i, change := range c.Result { + localizers[i] = change.EventType + } + return localizers +} + +func (c *ListAppChangesResponse) Localizers() []middleware.Localizer { + if c == nil { + return nil + } + localizers := make([]middleware.Localizer, len(c.Result)) + for i, change := range c.Result { localizers[i] = change.EventType } return localizers diff --git a/pkg/grpc/management/mock/management.proto.mock.go b/pkg/grpc/management/mock/management.proto.mock.go deleted file mode 100644 index bd5202fad8..0000000000 --- a/pkg/grpc/management/mock/management.proto.mock.go +++ /dev/null 
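Review bot: The four Localizers methods in pkg/grpc/management/changes.go (on ListUserChangesResponse, ListOrgChangesResponse, ListProjectChangesResponse and ListAppChangesResponse) carry the same body line for line, so a later fix to one is easy to miss in the others. If all four `Result` fields share one element type, which the hunk does not show, a single unexported helper taking that slice could hold the loop, and each method would reduce to its nil guard plus `return changeLocalizers(c.Result)`. The exported methods also have no doc comments; something like `// Localizers returns the EventType of every change in the response.` on each would state the contract. The last method's closing brace lies outside the hunk.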
@@ -1,3177 +0,0 @@ -// Code generated by MockGen. DO NOT EDIT. -// Source: github.com/caos/zitadel/pkg/grpc/management (interfaces: ManagementServiceClient) - -// Package api is a generated GoMock package. -package api - -import ( - context "context" - management "github.com/caos/zitadel/pkg/grpc/management" - gomock "github.com/golang/mock/gomock" - grpc "google.golang.org/grpc" - emptypb "google.golang.org/protobuf/types/known/emptypb" - reflect "reflect" -) - -// MockManagementServiceClient is a mock of ManagementServiceClient interface -type MockManagementServiceClient struct { - ctrl *gomock.Controller - recorder *MockManagementServiceClientMockRecorder -} - -// MockManagementServiceClientMockRecorder is the mock recorder for MockManagementServiceClient -type MockManagementServiceClientMockRecorder struct { - mock *MockManagementServiceClient -} - -// NewMockManagementServiceClient creates a new mock instance -func NewMockManagementServiceClient(ctrl *gomock.Controller) *MockManagementServiceClient { - mock := &MockManagementServiceClient{ctrl: ctrl} - mock.recorder = &MockManagementServiceClientMockRecorder{mock} - return mock -} - -// EXPECT returns an object that allows the caller to indicate expected use -func (m *MockManagementServiceClient) EXPECT() *MockManagementServiceClientMockRecorder { - return m.recorder -} - -// AddIdpProviderToLoginPolicy mocks base method -func (m *MockManagementServiceClient) AddIdpProviderToLoginPolicy(arg0 context.Context, arg1 *management.IdpProviderAdd, arg2 ...grpc.CallOption) (*management.IdpProvider, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddIdpProviderToLoginPolicy", varargs...) 
- ret0, _ := ret[0].(*management.IdpProvider) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddIdpProviderToLoginPolicy indicates an expected call of AddIdpProviderToLoginPolicy -func (mr *MockManagementServiceClientMockRecorder) AddIdpProviderToLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddIdpProviderToLoginPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).AddIdpProviderToLoginPolicy), varargs...) -} - -// AddMachineKey mocks base method -func (m *MockManagementServiceClient) AddMachineKey(arg0 context.Context, arg1 *management.AddMachineKeyRequest, arg2 ...grpc.CallOption) (*management.AddMachineKeyResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddMachineKey", varargs...) - ret0, _ := ret[0].(*management.AddMachineKeyResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddMachineKey indicates an expected call of AddMachineKey -func (mr *MockManagementServiceClientMockRecorder) AddMachineKey(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMachineKey", reflect.TypeOf((*MockManagementServiceClient)(nil).AddMachineKey), varargs...) -} - -// AddMultiFactorToLoginPolicy mocks base method -func (m *MockManagementServiceClient) AddMultiFactorToLoginPolicy(arg0 context.Context, arg1 *management.MultiFactor, arg2 ...grpc.CallOption) (*management.MultiFactor, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddMultiFactorToLoginPolicy", varargs...) 
- ret0, _ := ret[0].(*management.MultiFactor) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddMultiFactorToLoginPolicy indicates an expected call of AddMultiFactorToLoginPolicy -func (mr *MockManagementServiceClientMockRecorder) AddMultiFactorToLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMultiFactorToLoginPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).AddMultiFactorToLoginPolicy), varargs...) -} - -// AddMyOrgDomain mocks base method -func (m *MockManagementServiceClient) AddMyOrgDomain(arg0 context.Context, arg1 *management.AddOrgDomainRequest, arg2 ...grpc.CallOption) (*management.OrgDomain, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddMyOrgDomain", varargs...) - ret0, _ := ret[0].(*management.OrgDomain) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddMyOrgDomain indicates an expected call of AddMyOrgDomain -func (mr *MockManagementServiceClientMockRecorder) AddMyOrgDomain(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMyOrgDomain", reflect.TypeOf((*MockManagementServiceClient)(nil).AddMyOrgDomain), varargs...) -} - -// AddMyOrgMember mocks base method -func (m *MockManagementServiceClient) AddMyOrgMember(arg0 context.Context, arg1 *management.AddOrgMemberRequest, arg2 ...grpc.CallOption) (*management.OrgMember, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddMyOrgMember", varargs...) 
- ret0, _ := ret[0].(*management.OrgMember) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddMyOrgMember indicates an expected call of AddMyOrgMember -func (mr *MockManagementServiceClientMockRecorder) AddMyOrgMember(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddMyOrgMember", reflect.TypeOf((*MockManagementServiceClient)(nil).AddMyOrgMember), varargs...) -} - -// AddProjectGrantMember mocks base method -func (m *MockManagementServiceClient) AddProjectGrantMember(arg0 context.Context, arg1 *management.ProjectGrantMemberAdd, arg2 ...grpc.CallOption) (*management.ProjectGrantMember, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddProjectGrantMember", varargs...) - ret0, _ := ret[0].(*management.ProjectGrantMember) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddProjectGrantMember indicates an expected call of AddProjectGrantMember -func (mr *MockManagementServiceClientMockRecorder) AddProjectGrantMember(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddProjectGrantMember", reflect.TypeOf((*MockManagementServiceClient)(nil).AddProjectGrantMember), varargs...) -} - -// AddProjectMember mocks base method -func (m *MockManagementServiceClient) AddProjectMember(arg0 context.Context, arg1 *management.ProjectMemberAdd, arg2 ...grpc.CallOption) (*management.ProjectMember, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddProjectMember", varargs...) 
- ret0, _ := ret[0].(*management.ProjectMember) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddProjectMember indicates an expected call of AddProjectMember -func (mr *MockManagementServiceClientMockRecorder) AddProjectMember(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddProjectMember", reflect.TypeOf((*MockManagementServiceClient)(nil).AddProjectMember), varargs...) -} - -// AddProjectRole mocks base method -func (m *MockManagementServiceClient) AddProjectRole(arg0 context.Context, arg1 *management.ProjectRoleAdd, arg2 ...grpc.CallOption) (*management.ProjectRole, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddProjectRole", varargs...) - ret0, _ := ret[0].(*management.ProjectRole) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddProjectRole indicates an expected call of AddProjectRole -func (mr *MockManagementServiceClientMockRecorder) AddProjectRole(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddProjectRole", reflect.TypeOf((*MockManagementServiceClient)(nil).AddProjectRole), varargs...) -} - -// AddSecondFactorToLoginPolicy mocks base method -func (m *MockManagementServiceClient) AddSecondFactorToLoginPolicy(arg0 context.Context, arg1 *management.SecondFactor, arg2 ...grpc.CallOption) (*management.SecondFactor, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "AddSecondFactorToLoginPolicy", varargs...) 
- ret0, _ := ret[0].(*management.SecondFactor) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// AddSecondFactorToLoginPolicy indicates an expected call of AddSecondFactorToLoginPolicy -func (mr *MockManagementServiceClientMockRecorder) AddSecondFactorToLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddSecondFactorToLoginPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).AddSecondFactorToLoginPolicy), varargs...) -} - -// ApplicationByID mocks base method -func (m *MockManagementServiceClient) ApplicationByID(arg0 context.Context, arg1 *management.ApplicationID, arg2 ...grpc.CallOption) (*management.ApplicationView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ApplicationByID", varargs...) - ret0, _ := ret[0].(*management.ApplicationView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ApplicationByID indicates an expected call of ApplicationByID -func (mr *MockManagementServiceClientMockRecorder) ApplicationByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ApplicationByID", reflect.TypeOf((*MockManagementServiceClient)(nil).ApplicationByID), varargs...) -} - -// ApplicationChanges mocks base method -func (m *MockManagementServiceClient) ApplicationChanges(arg0 context.Context, arg1 *management.ChangeRequest, arg2 ...grpc.CallOption) (*management.Changes, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ApplicationChanges", varargs...) 
- ret0, _ := ret[0].(*management.Changes) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ApplicationChanges indicates an expected call of ApplicationChanges -func (mr *MockManagementServiceClientMockRecorder) ApplicationChanges(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ApplicationChanges", reflect.TypeOf((*MockManagementServiceClient)(nil).ApplicationChanges), varargs...) -} - -// BulkAddProjectRole mocks base method -func (m *MockManagementServiceClient) BulkAddProjectRole(arg0 context.Context, arg1 *management.ProjectRoleAddBulk, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "BulkAddProjectRole", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// BulkAddProjectRole indicates an expected call of BulkAddProjectRole -func (mr *MockManagementServiceClientMockRecorder) BulkAddProjectRole(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BulkAddProjectRole", reflect.TypeOf((*MockManagementServiceClient)(nil).BulkAddProjectRole), varargs...) -} - -// BulkRemoveUserGrant mocks base method -func (m *MockManagementServiceClient) BulkRemoveUserGrant(arg0 context.Context, arg1 *management.UserGrantRemoveBulk, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "BulkRemoveUserGrant", varargs...) 
- ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// BulkRemoveUserGrant indicates an expected call of BulkRemoveUserGrant -func (mr *MockManagementServiceClientMockRecorder) BulkRemoveUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "BulkRemoveUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).BulkRemoveUserGrant), varargs...) -} - -// ChangeMyOrgMember mocks base method -func (m *MockManagementServiceClient) ChangeMyOrgMember(arg0 context.Context, arg1 *management.ChangeOrgMemberRequest, arg2 ...grpc.CallOption) (*management.OrgMember, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ChangeMyOrgMember", varargs...) - ret0, _ := ret[0].(*management.OrgMember) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ChangeMyOrgMember indicates an expected call of ChangeMyOrgMember -func (mr *MockManagementServiceClientMockRecorder) ChangeMyOrgMember(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ChangeMyOrgMember", reflect.TypeOf((*MockManagementServiceClient)(nil).ChangeMyOrgMember), varargs...) -} - -// ChangeProjectGrantMember mocks base method -func (m *MockManagementServiceClient) ChangeProjectGrantMember(arg0 context.Context, arg1 *management.ProjectGrantMemberChange, arg2 ...grpc.CallOption) (*management.ProjectGrantMember, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ChangeProjectGrantMember", varargs...) 
- ret0, _ := ret[0].(*management.ProjectGrantMember) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ChangeProjectGrantMember indicates an expected call of ChangeProjectGrantMember -func (mr *MockManagementServiceClientMockRecorder) ChangeProjectGrantMember(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ChangeProjectGrantMember", reflect.TypeOf((*MockManagementServiceClient)(nil).ChangeProjectGrantMember), varargs...) -} - -// ChangeProjectMember mocks base method -func (m *MockManagementServiceClient) ChangeProjectMember(arg0 context.Context, arg1 *management.ProjectMemberChange, arg2 ...grpc.CallOption) (*management.ProjectMember, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ChangeProjectMember", varargs...) - ret0, _ := ret[0].(*management.ProjectMember) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ChangeProjectMember indicates an expected call of ChangeProjectMember -func (mr *MockManagementServiceClientMockRecorder) ChangeProjectMember(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ChangeProjectMember", reflect.TypeOf((*MockManagementServiceClient)(nil).ChangeProjectMember), varargs...) -} - -// ChangeProjectRole mocks base method -func (m *MockManagementServiceClient) ChangeProjectRole(arg0 context.Context, arg1 *management.ProjectRoleChange, arg2 ...grpc.CallOption) (*management.ProjectRole, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ChangeProjectRole", varargs...) 
- ret0, _ := ret[0].(*management.ProjectRole) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ChangeProjectRole indicates an expected call of ChangeProjectRole -func (mr *MockManagementServiceClientMockRecorder) ChangeProjectRole(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ChangeProjectRole", reflect.TypeOf((*MockManagementServiceClient)(nil).ChangeProjectRole), varargs...) -} - -// ChangeUserEmail mocks base method -func (m *MockManagementServiceClient) ChangeUserEmail(arg0 context.Context, arg1 *management.UpdateUserEmailRequest, arg2 ...grpc.CallOption) (*management.UserEmail, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ChangeUserEmail", varargs...) - ret0, _ := ret[0].(*management.UserEmail) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ChangeUserEmail indicates an expected call of ChangeUserEmail -func (mr *MockManagementServiceClientMockRecorder) ChangeUserEmail(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ChangeUserEmail", reflect.TypeOf((*MockManagementServiceClient)(nil).ChangeUserEmail), varargs...) -} - -// ChangeUserPhone mocks base method -func (m *MockManagementServiceClient) ChangeUserPhone(arg0 context.Context, arg1 *management.UpdateUserPhoneRequest, arg2 ...grpc.CallOption) (*management.UserPhone, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ChangeUserPhone", varargs...) 
- ret0, _ := ret[0].(*management.UserPhone) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ChangeUserPhone indicates an expected call of ChangeUserPhone -func (mr *MockManagementServiceClientMockRecorder) ChangeUserPhone(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ChangeUserPhone", reflect.TypeOf((*MockManagementServiceClient)(nil).ChangeUserPhone), varargs...) -} - -// ChangeUserUserName mocks base method -func (m *MockManagementServiceClient) ChangeUserUserName(arg0 context.Context, arg1 *management.UpdateUserUserNameRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ChangeUserUserName", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ChangeUserUserName indicates an expected call of ChangeUserUserName -func (mr *MockManagementServiceClientMockRecorder) ChangeUserUserName(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ChangeUserUserName", reflect.TypeOf((*MockManagementServiceClient)(nil).ChangeUserUserName), varargs...) -} - -// CreateLoginPolicy mocks base method -func (m *MockManagementServiceClient) CreateLoginPolicy(arg0 context.Context, arg1 *management.LoginPolicyRequest, arg2 ...grpc.CallOption) (*management.LoginPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreateLoginPolicy", varargs...) 
- ret0, _ := ret[0].(*management.LoginPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreateLoginPolicy indicates an expected call of CreateLoginPolicy -func (mr *MockManagementServiceClientMockRecorder) CreateLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateLoginPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateLoginPolicy), varargs...) -} - -// CreateMailTemplate mocks base method -func (m *MockManagementServiceClient) CreateMailTemplate(arg0 context.Context, arg1 *management.MailTemplateUpdate, arg2 ...grpc.CallOption) (*management.MailTemplate, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreateMailTemplate", varargs...) - ret0, _ := ret[0].(*management.MailTemplate) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreateMailTemplate indicates an expected call of CreateMailTemplate -func (mr *MockManagementServiceClientMockRecorder) CreateMailTemplate(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateMailTemplate", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateMailTemplate), varargs...) -} - -// CreateMailText mocks base method -func (m *MockManagementServiceClient) CreateMailText(arg0 context.Context, arg1 *management.MailTextUpdate, arg2 ...grpc.CallOption) (*management.MailText, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreateMailText", varargs...) 
- ret0, _ := ret[0].(*management.MailText) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreateMailText indicates an expected call of CreateMailText -func (mr *MockManagementServiceClientMockRecorder) CreateMailText(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateMailText", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateMailText), varargs...) -} - -// CreateOIDCApplication mocks base method -func (m *MockManagementServiceClient) CreateOIDCApplication(arg0 context.Context, arg1 *management.OIDCApplicationCreate, arg2 ...grpc.CallOption) (*management.Application, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreateOIDCApplication", varargs...) - ret0, _ := ret[0].(*management.Application) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreateOIDCApplication indicates an expected call of CreateOIDCApplication -func (mr *MockManagementServiceClientMockRecorder) CreateOIDCApplication(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateOIDCApplication", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateOIDCApplication), varargs...) -} - -// CreateOidcIdp mocks base method -func (m *MockManagementServiceClient) CreateOidcIdp(arg0 context.Context, arg1 *management.OidcIdpConfigCreate, arg2 ...grpc.CallOption) (*management.Idp, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreateOidcIdp", varargs...) 
- ret0, _ := ret[0].(*management.Idp) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreateOidcIdp indicates an expected call of CreateOidcIdp -func (mr *MockManagementServiceClientMockRecorder) CreateOidcIdp(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateOidcIdp", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateOidcIdp), varargs...) -} - -// CreateOrg mocks base method -func (m *MockManagementServiceClient) CreateOrg(arg0 context.Context, arg1 *management.OrgCreateRequest, arg2 ...grpc.CallOption) (*management.Org, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreateOrg", varargs...) - ret0, _ := ret[0].(*management.Org) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreateOrg indicates an expected call of CreateOrg -func (mr *MockManagementServiceClientMockRecorder) CreateOrg(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateOrg", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateOrg), varargs...) -} - -// CreatePasswordAgePolicy mocks base method -func (m *MockManagementServiceClient) CreatePasswordAgePolicy(arg0 context.Context, arg1 *management.PasswordAgePolicyRequest, arg2 ...grpc.CallOption) (*management.PasswordAgePolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreatePasswordAgePolicy", varargs...) 
- ret0, _ := ret[0].(*management.PasswordAgePolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreatePasswordAgePolicy indicates an expected call of CreatePasswordAgePolicy -func (mr *MockManagementServiceClientMockRecorder) CreatePasswordAgePolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreatePasswordAgePolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).CreatePasswordAgePolicy), varargs...) -} - -// CreatePasswordComplexityPolicy mocks base method -func (m *MockManagementServiceClient) CreatePasswordComplexityPolicy(arg0 context.Context, arg1 *management.PasswordComplexityPolicyRequest, arg2 ...grpc.CallOption) (*management.PasswordComplexityPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreatePasswordComplexityPolicy", varargs...) - ret0, _ := ret[0].(*management.PasswordComplexityPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreatePasswordComplexityPolicy indicates an expected call of CreatePasswordComplexityPolicy -func (mr *MockManagementServiceClientMockRecorder) CreatePasswordComplexityPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreatePasswordComplexityPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).CreatePasswordComplexityPolicy), varargs...) 
-} - -// CreatePasswordLockoutPolicy mocks base method -func (m *MockManagementServiceClient) CreatePasswordLockoutPolicy(arg0 context.Context, arg1 *management.PasswordLockoutPolicyRequest, arg2 ...grpc.CallOption) (*management.PasswordLockoutPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreatePasswordLockoutPolicy", varargs...) - ret0, _ := ret[0].(*management.PasswordLockoutPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreatePasswordLockoutPolicy indicates an expected call of CreatePasswordLockoutPolicy -func (mr *MockManagementServiceClientMockRecorder) CreatePasswordLockoutPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreatePasswordLockoutPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).CreatePasswordLockoutPolicy), varargs...) -} - -// CreateProject mocks base method -func (m *MockManagementServiceClient) CreateProject(arg0 context.Context, arg1 *management.ProjectCreateRequest, arg2 ...grpc.CallOption) (*management.Project, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreateProject", varargs...) - ret0, _ := ret[0].(*management.Project) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreateProject indicates an expected call of CreateProject -func (mr *MockManagementServiceClientMockRecorder) CreateProject(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProject", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateProject), varargs...) 
-} - -// CreateProjectGrant mocks base method -func (m *MockManagementServiceClient) CreateProjectGrant(arg0 context.Context, arg1 *management.ProjectGrantCreate, arg2 ...grpc.CallOption) (*management.ProjectGrant, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreateProjectGrant", varargs...) - ret0, _ := ret[0].(*management.ProjectGrant) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreateProjectGrant indicates an expected call of CreateProjectGrant -func (mr *MockManagementServiceClientMockRecorder) CreateProjectGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateProjectGrant), varargs...) -} - -// CreateUser mocks base method -func (m *MockManagementServiceClient) CreateUser(arg0 context.Context, arg1 *management.CreateUserRequest, arg2 ...grpc.CallOption) (*management.UserResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreateUser", varargs...) - ret0, _ := ret[0].(*management.UserResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreateUser indicates an expected call of CreateUser -func (mr *MockManagementServiceClientMockRecorder) CreateUser(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateUser", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateUser), varargs...) 
-} - -// CreateUserGrant mocks base method -func (m *MockManagementServiceClient) CreateUserGrant(arg0 context.Context, arg1 *management.UserGrantCreate, arg2 ...grpc.CallOption) (*management.UserGrant, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "CreateUserGrant", varargs...) - ret0, _ := ret[0].(*management.UserGrant) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// CreateUserGrant indicates an expected call of CreateUserGrant -func (mr *MockManagementServiceClientMockRecorder) CreateUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateUserGrant), varargs...) -} - -// DeactivateApplication mocks base method -func (m *MockManagementServiceClient) DeactivateApplication(arg0 context.Context, arg1 *management.ApplicationID, arg2 ...grpc.CallOption) (*management.Application, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "DeactivateApplication", varargs...) - ret0, _ := ret[0].(*management.Application) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// DeactivateApplication indicates an expected call of DeactivateApplication -func (mr *MockManagementServiceClientMockRecorder) DeactivateApplication(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateApplication", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateApplication), varargs...) 
-} - -// DeactivateIdpConfig mocks base method -func (m *MockManagementServiceClient) DeactivateIdpConfig(arg0 context.Context, arg1 *management.IdpID, arg2 ...grpc.CallOption) (*management.Idp, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "DeactivateIdpConfig", varargs...) - ret0, _ := ret[0].(*management.Idp) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// DeactivateIdpConfig indicates an expected call of DeactivateIdpConfig -func (mr *MockManagementServiceClientMockRecorder) DeactivateIdpConfig(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateIdpConfig", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateIdpConfig), varargs...) -} - -// DeactivateMyOrg mocks base method -func (m *MockManagementServiceClient) DeactivateMyOrg(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.Org, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "DeactivateMyOrg", varargs...) - ret0, _ := ret[0].(*management.Org) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// DeactivateMyOrg indicates an expected call of DeactivateMyOrg -func (mr *MockManagementServiceClientMockRecorder) DeactivateMyOrg(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateMyOrg", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateMyOrg), varargs...) 
-} - -// DeactivateProject mocks base method -func (m *MockManagementServiceClient) DeactivateProject(arg0 context.Context, arg1 *management.ProjectID, arg2 ...grpc.CallOption) (*management.Project, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "DeactivateProject", varargs...) - ret0, _ := ret[0].(*management.Project) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// DeactivateProject indicates an expected call of DeactivateProject -func (mr *MockManagementServiceClientMockRecorder) DeactivateProject(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateProject", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateProject), varargs...) -} - -// DeactivateProjectGrant mocks base method -func (m *MockManagementServiceClient) DeactivateProjectGrant(arg0 context.Context, arg1 *management.ProjectGrantID, arg2 ...grpc.CallOption) (*management.ProjectGrant, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "DeactivateProjectGrant", varargs...) - ret0, _ := ret[0].(*management.ProjectGrant) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// DeactivateProjectGrant indicates an expected call of DeactivateProjectGrant -func (mr *MockManagementServiceClientMockRecorder) DeactivateProjectGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateProjectGrant), varargs...) 
-} - -// DeactivateUser mocks base method -func (m *MockManagementServiceClient) DeactivateUser(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.UserResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "DeactivateUser", varargs...) - ret0, _ := ret[0].(*management.UserResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// DeactivateUser indicates an expected call of DeactivateUser -func (mr *MockManagementServiceClientMockRecorder) DeactivateUser(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateUser", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateUser), varargs...) -} - -// DeactivateUserGrant mocks base method -func (m *MockManagementServiceClient) DeactivateUserGrant(arg0 context.Context, arg1 *management.UserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "DeactivateUserGrant", varargs...) - ret0, _ := ret[0].(*management.UserGrant) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// DeactivateUserGrant indicates an expected call of DeactivateUserGrant -func (mr *MockManagementServiceClientMockRecorder) DeactivateUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateUserGrant), varargs...) 
-} - -// DeleteMachineKey mocks base method -func (m *MockManagementServiceClient) DeleteMachineKey(arg0 context.Context, arg1 *management.MachineKeyIDRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "DeleteMachineKey", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// DeleteMachineKey indicates an expected call of DeleteMachineKey -func (mr *MockManagementServiceClientMockRecorder) DeleteMachineKey(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteMachineKey", reflect.TypeOf((*MockManagementServiceClient)(nil).DeleteMachineKey), varargs...) -} - -// DeleteUser mocks base method -func (m *MockManagementServiceClient) DeleteUser(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "DeleteUser", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// DeleteUser indicates an expected call of DeleteUser -func (mr *MockManagementServiceClientMockRecorder) DeleteUser(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeleteUser", reflect.TypeOf((*MockManagementServiceClient)(nil).DeleteUser), varargs...) 
-} - -// GenerateMyOrgDomainValidation mocks base method -func (m *MockManagementServiceClient) GenerateMyOrgDomainValidation(arg0 context.Context, arg1 *management.OrgDomainValidationRequest, arg2 ...grpc.CallOption) (*management.OrgDomainValidationResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GenerateMyOrgDomainValidation", varargs...) - ret0, _ := ret[0].(*management.OrgDomainValidationResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GenerateMyOrgDomainValidation indicates an expected call of GenerateMyOrgDomainValidation -func (mr *MockManagementServiceClientMockRecorder) GenerateMyOrgDomainValidation(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GenerateMyOrgDomainValidation", reflect.TypeOf((*MockManagementServiceClient)(nil).GenerateMyOrgDomainValidation), varargs...) -} - -// GetDefaultLoginPolicy mocks base method -func (m *MockManagementServiceClient) GetDefaultLoginPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.LoginPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultLoginPolicy", varargs...) - ret0, _ := ret[0].(*management.LoginPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultLoginPolicy indicates an expected call of GetDefaultLoginPolicy -func (mr *MockManagementServiceClientMockRecorder) GetDefaultLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultLoginPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).GetDefaultLoginPolicy), varargs...) -} - -// GetDefaultMailTemplate mocks base method -func (m *MockManagementServiceClient) GetDefaultMailTemplate(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.MailTemplateView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultMailTemplate", varargs...) - ret0, _ := ret[0].(*management.MailTemplateView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultMailTemplate indicates an expected call of GetDefaultMailTemplate -func (mr *MockManagementServiceClientMockRecorder) GetDefaultMailTemplate(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultMailTemplate", reflect.TypeOf((*MockManagementServiceClient)(nil).GetDefaultMailTemplate), varargs...) -} - -// GetDefaultMailTexts mocks base method -func (m *MockManagementServiceClient) GetDefaultMailTexts(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.MailTextsView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultMailTexts", varargs...) - ret0, _ := ret[0].(*management.MailTextsView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultMailTexts indicates an expected call of GetDefaultMailTexts -func (mr *MockManagementServiceClientMockRecorder) GetDefaultMailTexts(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultMailTexts", reflect.TypeOf((*MockManagementServiceClient)(nil).GetDefaultMailTexts), varargs...) -} - -// GetDefaultPasswordAgePolicy mocks base method -func (m *MockManagementServiceClient) GetDefaultPasswordAgePolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.PasswordAgePolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultPasswordAgePolicy", varargs...) - ret0, _ := ret[0].(*management.PasswordAgePolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultPasswordAgePolicy indicates an expected call of GetDefaultPasswordAgePolicy -func (mr *MockManagementServiceClientMockRecorder) GetDefaultPasswordAgePolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultPasswordAgePolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).GetDefaultPasswordAgePolicy), varargs...) -} - -// GetDefaultPasswordComplexityPolicy mocks base method -func (m *MockManagementServiceClient) GetDefaultPasswordComplexityPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.PasswordComplexityPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultPasswordComplexityPolicy", varargs...) 
- ret0, _ := ret[0].(*management.PasswordComplexityPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultPasswordComplexityPolicy indicates an expected call of GetDefaultPasswordComplexityPolicy -func (mr *MockManagementServiceClientMockRecorder) GetDefaultPasswordComplexityPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultPasswordComplexityPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).GetDefaultPasswordComplexityPolicy), varargs...) -} - -// GetDefaultPasswordLockoutPolicy mocks base method -func (m *MockManagementServiceClient) GetDefaultPasswordLockoutPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.PasswordLockoutPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetDefaultPasswordLockoutPolicy", varargs...) - ret0, _ := ret[0].(*management.PasswordLockoutPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetDefaultPasswordLockoutPolicy indicates an expected call of GetDefaultPasswordLockoutPolicy -func (mr *MockManagementServiceClientMockRecorder) GetDefaultPasswordLockoutPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultPasswordLockoutPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).GetDefaultPasswordLockoutPolicy), varargs...) 
-} - -// GetGrantedProjectByID mocks base method -func (m *MockManagementServiceClient) GetGrantedProjectByID(arg0 context.Context, arg1 *management.ProjectGrantID, arg2 ...grpc.CallOption) (*management.ProjectGrantView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetGrantedProjectByID", varargs...) - ret0, _ := ret[0].(*management.ProjectGrantView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetGrantedProjectByID indicates an expected call of GetGrantedProjectByID -func (mr *MockManagementServiceClientMockRecorder) GetGrantedProjectByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetGrantedProjectByID", reflect.TypeOf((*MockManagementServiceClient)(nil).GetGrantedProjectByID), varargs...) -} - -// GetIam mocks base method -func (m *MockManagementServiceClient) GetIam(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.Iam, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetIam", varargs...) - ret0, _ := ret[0].(*management.Iam) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetIam indicates an expected call of GetIam -func (mr *MockManagementServiceClientMockRecorder) GetIam(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetIam", reflect.TypeOf((*MockManagementServiceClient)(nil).GetIam), varargs...) 
-} - -// GetLoginPolicy mocks base method -func (m *MockManagementServiceClient) GetLoginPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.LoginPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetLoginPolicy", varargs...) - ret0, _ := ret[0].(*management.LoginPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetLoginPolicy indicates an expected call of GetLoginPolicy -func (mr *MockManagementServiceClientMockRecorder) GetLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLoginPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).GetLoginPolicy), varargs...) -} - -// GetLoginPolicyIdpProviders mocks base method -func (m *MockManagementServiceClient) GetLoginPolicyIdpProviders(arg0 context.Context, arg1 *management.IdpProviderSearchRequest, arg2 ...grpc.CallOption) (*management.IdpProviderSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetLoginPolicyIdpProviders", varargs...) - ret0, _ := ret[0].(*management.IdpProviderSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetLoginPolicyIdpProviders indicates an expected call of GetLoginPolicyIdpProviders -func (mr *MockManagementServiceClientMockRecorder) GetLoginPolicyIdpProviders(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLoginPolicyIdpProviders", reflect.TypeOf((*MockManagementServiceClient)(nil).GetLoginPolicyIdpProviders), varargs...) 
-} - -// GetLoginPolicyMultiFactors mocks base method -func (m *MockManagementServiceClient) GetLoginPolicyMultiFactors(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.MultiFactorsResult, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetLoginPolicyMultiFactors", varargs...) - ret0, _ := ret[0].(*management.MultiFactorsResult) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetLoginPolicyMultiFactors indicates an expected call of GetLoginPolicyMultiFactors -func (mr *MockManagementServiceClientMockRecorder) GetLoginPolicyMultiFactors(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLoginPolicyMultiFactors", reflect.TypeOf((*MockManagementServiceClient)(nil).GetLoginPolicyMultiFactors), varargs...) -} - -// GetLoginPolicySecondFactors mocks base method -func (m *MockManagementServiceClient) GetLoginPolicySecondFactors(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.SecondFactorsResult, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetLoginPolicySecondFactors", varargs...) - ret0, _ := ret[0].(*management.SecondFactorsResult) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetLoginPolicySecondFactors indicates an expected call of GetLoginPolicySecondFactors -func (mr *MockManagementServiceClientMockRecorder) GetLoginPolicySecondFactors(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetLoginPolicySecondFactors", reflect.TypeOf((*MockManagementServiceClient)(nil).GetLoginPolicySecondFactors), varargs...) -} - -// GetMachineKey mocks base method -func (m *MockManagementServiceClient) GetMachineKey(arg0 context.Context, arg1 *management.MachineKeyIDRequest, arg2 ...grpc.CallOption) (*management.MachineKeyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetMachineKey", varargs...) - ret0, _ := ret[0].(*management.MachineKeyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetMachineKey indicates an expected call of GetMachineKey -func (mr *MockManagementServiceClientMockRecorder) GetMachineKey(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetMachineKey", reflect.TypeOf((*MockManagementServiceClient)(nil).GetMachineKey), varargs...) -} - -// GetMailTemplate mocks base method -func (m *MockManagementServiceClient) GetMailTemplate(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.MailTemplateView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetMailTemplate", varargs...) - ret0, _ := ret[0].(*management.MailTemplateView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetMailTemplate indicates an expected call of GetMailTemplate -func (mr *MockManagementServiceClientMockRecorder) GetMailTemplate(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetMailTemplate", reflect.TypeOf((*MockManagementServiceClient)(nil).GetMailTemplate), varargs...) -} - -// GetMailTexts mocks base method -func (m *MockManagementServiceClient) GetMailTexts(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.MailTextsView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetMailTexts", varargs...) - ret0, _ := ret[0].(*management.MailTextsView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetMailTexts indicates an expected call of GetMailTexts -func (mr *MockManagementServiceClientMockRecorder) GetMailTexts(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetMailTexts", reflect.TypeOf((*MockManagementServiceClient)(nil).GetMailTexts), varargs...) -} - -// GetMyOrg mocks base method -func (m *MockManagementServiceClient) GetMyOrg(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.OrgView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetMyOrg", varargs...) - ret0, _ := ret[0].(*management.OrgView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetMyOrg indicates an expected call of GetMyOrg -func (mr *MockManagementServiceClientMockRecorder) GetMyOrg(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetMyOrg", reflect.TypeOf((*MockManagementServiceClient)(nil).GetMyOrg), varargs...) 
-} - -// GetMyOrgIamPolicy mocks base method -func (m *MockManagementServiceClient) GetMyOrgIamPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.OrgIamPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetMyOrgIamPolicy", varargs...) - ret0, _ := ret[0].(*management.OrgIamPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetMyOrgIamPolicy indicates an expected call of GetMyOrgIamPolicy -func (mr *MockManagementServiceClientMockRecorder) GetMyOrgIamPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetMyOrgIamPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).GetMyOrgIamPolicy), varargs...) -} - -// GetOrgByDomainGlobal mocks base method -func (m *MockManagementServiceClient) GetOrgByDomainGlobal(arg0 context.Context, arg1 *management.Domain, arg2 ...grpc.CallOption) (*management.OrgView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetOrgByDomainGlobal", varargs...) - ret0, _ := ret[0].(*management.OrgView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetOrgByDomainGlobal indicates an expected call of GetOrgByDomainGlobal -func (mr *MockManagementServiceClientMockRecorder) GetOrgByDomainGlobal(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOrgByDomainGlobal", reflect.TypeOf((*MockManagementServiceClient)(nil).GetOrgByDomainGlobal), varargs...) 
-} - -// GetOrgMemberRoles mocks base method -func (m *MockManagementServiceClient) GetOrgMemberRoles(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.OrgMemberRoles, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetOrgMemberRoles", varargs...) - ret0, _ := ret[0].(*management.OrgMemberRoles) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetOrgMemberRoles indicates an expected call of GetOrgMemberRoles -func (mr *MockManagementServiceClientMockRecorder) GetOrgMemberRoles(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetOrgMemberRoles", reflect.TypeOf((*MockManagementServiceClient)(nil).GetOrgMemberRoles), varargs...) -} - -// GetPasswordAgePolicy mocks base method -func (m *MockManagementServiceClient) GetPasswordAgePolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.PasswordAgePolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetPasswordAgePolicy", varargs...) - ret0, _ := ret[0].(*management.PasswordAgePolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetPasswordAgePolicy indicates an expected call of GetPasswordAgePolicy -func (mr *MockManagementServiceClientMockRecorder) GetPasswordAgePolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPasswordAgePolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).GetPasswordAgePolicy), varargs...) 
-} - -// GetPasswordComplexityPolicy mocks base method -func (m *MockManagementServiceClient) GetPasswordComplexityPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.PasswordComplexityPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetPasswordComplexityPolicy", varargs...) - ret0, _ := ret[0].(*management.PasswordComplexityPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetPasswordComplexityPolicy indicates an expected call of GetPasswordComplexityPolicy -func (mr *MockManagementServiceClientMockRecorder) GetPasswordComplexityPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPasswordComplexityPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).GetPasswordComplexityPolicy), varargs...) -} - -// GetPasswordLockoutPolicy mocks base method -func (m *MockManagementServiceClient) GetPasswordLockoutPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.PasswordLockoutPolicyView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetPasswordLockoutPolicy", varargs...) - ret0, _ := ret[0].(*management.PasswordLockoutPolicyView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetPasswordLockoutPolicy indicates an expected call of GetPasswordLockoutPolicy -func (mr *MockManagementServiceClientMockRecorder) GetPasswordLockoutPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPasswordLockoutPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).GetPasswordLockoutPolicy), varargs...) -} - -// GetPasswordless mocks base method -func (m *MockManagementServiceClient) GetPasswordless(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.WebAuthNTokens, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetPasswordless", varargs...) - ret0, _ := ret[0].(*management.WebAuthNTokens) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetPasswordless indicates an expected call of GetPasswordless -func (mr *MockManagementServiceClientMockRecorder) GetPasswordless(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetPasswordless", reflect.TypeOf((*MockManagementServiceClient)(nil).GetPasswordless), varargs...) -} - -// GetProjectGrantMemberRoles mocks base method -func (m *MockManagementServiceClient) GetProjectGrantMemberRoles(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.ProjectGrantMemberRoles, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetProjectGrantMemberRoles", varargs...) - ret0, _ := ret[0].(*management.ProjectGrantMemberRoles) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetProjectGrantMemberRoles indicates an expected call of GetProjectGrantMemberRoles -func (mr *MockManagementServiceClientMockRecorder) GetProjectGrantMemberRoles(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetProjectGrantMemberRoles", reflect.TypeOf((*MockManagementServiceClient)(nil).GetProjectGrantMemberRoles), varargs...) -} - -// GetProjectMemberRoles mocks base method -func (m *MockManagementServiceClient) GetProjectMemberRoles(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.ProjectMemberRoles, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetProjectMemberRoles", varargs...) - ret0, _ := ret[0].(*management.ProjectMemberRoles) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetProjectMemberRoles indicates an expected call of GetProjectMemberRoles -func (mr *MockManagementServiceClientMockRecorder) GetProjectMemberRoles(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetProjectMemberRoles", reflect.TypeOf((*MockManagementServiceClient)(nil).GetProjectMemberRoles), varargs...) -} - -// GetUserAddress mocks base method -func (m *MockManagementServiceClient) GetUserAddress(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.UserAddressView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetUserAddress", varargs...) - ret0, _ := ret[0].(*management.UserAddressView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetUserAddress indicates an expected call of GetUserAddress -func (mr *MockManagementServiceClientMockRecorder) GetUserAddress(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserAddress", reflect.TypeOf((*MockManagementServiceClient)(nil).GetUserAddress), varargs...) -} - -// GetUserByID mocks base method -func (m *MockManagementServiceClient) GetUserByID(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.UserView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetUserByID", varargs...) - ret0, _ := ret[0].(*management.UserView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetUserByID indicates an expected call of GetUserByID -func (mr *MockManagementServiceClientMockRecorder) GetUserByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserByID", reflect.TypeOf((*MockManagementServiceClient)(nil).GetUserByID), varargs...) -} - -// GetUserByLoginNameGlobal mocks base method -func (m *MockManagementServiceClient) GetUserByLoginNameGlobal(arg0 context.Context, arg1 *management.LoginName, arg2 ...grpc.CallOption) (*management.UserView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetUserByLoginNameGlobal", varargs...) - ret0, _ := ret[0].(*management.UserView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetUserByLoginNameGlobal indicates an expected call of GetUserByLoginNameGlobal -func (mr *MockManagementServiceClientMockRecorder) GetUserByLoginNameGlobal(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserByLoginNameGlobal", reflect.TypeOf((*MockManagementServiceClient)(nil).GetUserByLoginNameGlobal), varargs...) -} - -// GetUserEmail mocks base method -func (m *MockManagementServiceClient) GetUserEmail(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.UserEmailView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetUserEmail", varargs...) - ret0, _ := ret[0].(*management.UserEmailView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetUserEmail indicates an expected call of GetUserEmail -func (mr *MockManagementServiceClientMockRecorder) GetUserEmail(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserEmail", reflect.TypeOf((*MockManagementServiceClient)(nil).GetUserEmail), varargs...) -} - -// GetUserMfas mocks base method -func (m *MockManagementServiceClient) GetUserMfas(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.UserMultiFactors, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetUserMfas", varargs...) - ret0, _ := ret[0].(*management.UserMultiFactors) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetUserMfas indicates an expected call of GetUserMfas -func (mr *MockManagementServiceClientMockRecorder) GetUserMfas(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserMfas", reflect.TypeOf((*MockManagementServiceClient)(nil).GetUserMfas), varargs...) 
-} - -// GetUserPhone mocks base method -func (m *MockManagementServiceClient) GetUserPhone(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.UserPhoneView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetUserPhone", varargs...) - ret0, _ := ret[0].(*management.UserPhoneView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetUserPhone indicates an expected call of GetUserPhone -func (mr *MockManagementServiceClientMockRecorder) GetUserPhone(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserPhone", reflect.TypeOf((*MockManagementServiceClient)(nil).GetUserPhone), varargs...) -} - -// GetUserProfile mocks base method -func (m *MockManagementServiceClient) GetUserProfile(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.UserProfileView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetUserProfile", varargs...) - ret0, _ := ret[0].(*management.UserProfileView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetUserProfile indicates an expected call of GetUserProfile -func (mr *MockManagementServiceClientMockRecorder) GetUserProfile(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetUserProfile", reflect.TypeOf((*MockManagementServiceClient)(nil).GetUserProfile), varargs...) 
-} - -// GetZitadelDocs mocks base method -func (m *MockManagementServiceClient) GetZitadelDocs(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.ZitadelDocs, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "GetZitadelDocs", varargs...) - ret0, _ := ret[0].(*management.ZitadelDocs) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// GetZitadelDocs indicates an expected call of GetZitadelDocs -func (mr *MockManagementServiceClientMockRecorder) GetZitadelDocs(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetZitadelDocs", reflect.TypeOf((*MockManagementServiceClient)(nil).GetZitadelDocs), varargs...) -} - -// Healthz mocks base method -func (m *MockManagementServiceClient) Healthz(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "Healthz", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// Healthz indicates an expected call of Healthz -func (mr *MockManagementServiceClientMockRecorder) Healthz(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Healthz", reflect.TypeOf((*MockManagementServiceClient)(nil).Healthz), varargs...) 
-} - -// IdpByID mocks base method -func (m *MockManagementServiceClient) IdpByID(arg0 context.Context, arg1 *management.IdpID, arg2 ...grpc.CallOption) (*management.IdpView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "IdpByID", varargs...) - ret0, _ := ret[0].(*management.IdpView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// IdpByID indicates an expected call of IdpByID -func (mr *MockManagementServiceClientMockRecorder) IdpByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IdpByID", reflect.TypeOf((*MockManagementServiceClient)(nil).IdpByID), varargs...) -} - -// IsUserUnique mocks base method -func (m *MockManagementServiceClient) IsUserUnique(arg0 context.Context, arg1 *management.UniqueUserRequest, arg2 ...grpc.CallOption) (*management.UniqueUserResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "IsUserUnique", varargs...) - ret0, _ := ret[0].(*management.UniqueUserResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// IsUserUnique indicates an expected call of IsUserUnique -func (mr *MockManagementServiceClientMockRecorder) IsUserUnique(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsUserUnique", reflect.TypeOf((*MockManagementServiceClient)(nil).IsUserUnique), varargs...) 
-} - -// LockUser mocks base method -func (m *MockManagementServiceClient) LockUser(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.UserResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "LockUser", varargs...) - ret0, _ := ret[0].(*management.UserResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// LockUser indicates an expected call of LockUser -func (mr *MockManagementServiceClientMockRecorder) LockUser(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LockUser", reflect.TypeOf((*MockManagementServiceClient)(nil).LockUser), varargs...) -} - -// OrgChanges mocks base method -func (m *MockManagementServiceClient) OrgChanges(arg0 context.Context, arg1 *management.ChangeRequest, arg2 ...grpc.CallOption) (*management.Changes, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "OrgChanges", varargs...) - ret0, _ := ret[0].(*management.Changes) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// OrgChanges indicates an expected call of OrgChanges -func (mr *MockManagementServiceClientMockRecorder) OrgChanges(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "OrgChanges", reflect.TypeOf((*MockManagementServiceClient)(nil).OrgChanges), varargs...) 
-} - -// ProjectByID mocks base method -func (m *MockManagementServiceClient) ProjectByID(arg0 context.Context, arg1 *management.ProjectID, arg2 ...grpc.CallOption) (*management.ProjectView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ProjectByID", varargs...) - ret0, _ := ret[0].(*management.ProjectView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ProjectByID indicates an expected call of ProjectByID -func (mr *MockManagementServiceClientMockRecorder) ProjectByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProjectByID", reflect.TypeOf((*MockManagementServiceClient)(nil).ProjectByID), varargs...) -} - -// ProjectChanges mocks base method -func (m *MockManagementServiceClient) ProjectChanges(arg0 context.Context, arg1 *management.ChangeRequest, arg2 ...grpc.CallOption) (*management.Changes, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ProjectChanges", varargs...) - ret0, _ := ret[0].(*management.Changes) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ProjectChanges indicates an expected call of ProjectChanges -func (mr *MockManagementServiceClientMockRecorder) ProjectChanges(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProjectChanges", reflect.TypeOf((*MockManagementServiceClient)(nil).ProjectChanges), varargs...) 
-} - -// ProjectGrantByID mocks base method -func (m *MockManagementServiceClient) ProjectGrantByID(arg0 context.Context, arg1 *management.ProjectGrantID, arg2 ...grpc.CallOption) (*management.ProjectGrantView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ProjectGrantByID", varargs...) - ret0, _ := ret[0].(*management.ProjectGrantView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ProjectGrantByID indicates an expected call of ProjectGrantByID -func (mr *MockManagementServiceClientMockRecorder) ProjectGrantByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProjectGrantByID", reflect.TypeOf((*MockManagementServiceClient)(nil).ProjectGrantByID), varargs...) -} - -// ReactivateApplication mocks base method -func (m *MockManagementServiceClient) ReactivateApplication(arg0 context.Context, arg1 *management.ApplicationID, arg2 ...grpc.CallOption) (*management.Application, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ReactivateApplication", varargs...) - ret0, _ := ret[0].(*management.Application) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ReactivateApplication indicates an expected call of ReactivateApplication -func (mr *MockManagementServiceClientMockRecorder) ReactivateApplication(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateApplication", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateApplication), varargs...) 
-} - -// ReactivateIdpConfig mocks base method -func (m *MockManagementServiceClient) ReactivateIdpConfig(arg0 context.Context, arg1 *management.IdpID, arg2 ...grpc.CallOption) (*management.Idp, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ReactivateIdpConfig", varargs...) - ret0, _ := ret[0].(*management.Idp) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ReactivateIdpConfig indicates an expected call of ReactivateIdpConfig -func (mr *MockManagementServiceClientMockRecorder) ReactivateIdpConfig(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateIdpConfig", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateIdpConfig), varargs...) -} - -// ReactivateMyOrg mocks base method -func (m *MockManagementServiceClient) ReactivateMyOrg(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*management.Org, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ReactivateMyOrg", varargs...) - ret0, _ := ret[0].(*management.Org) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ReactivateMyOrg indicates an expected call of ReactivateMyOrg -func (mr *MockManagementServiceClientMockRecorder) ReactivateMyOrg(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateMyOrg", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateMyOrg), varargs...) 
-} - -// ReactivateProject mocks base method -func (m *MockManagementServiceClient) ReactivateProject(arg0 context.Context, arg1 *management.ProjectID, arg2 ...grpc.CallOption) (*management.Project, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ReactivateProject", varargs...) - ret0, _ := ret[0].(*management.Project) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ReactivateProject indicates an expected call of ReactivateProject -func (mr *MockManagementServiceClientMockRecorder) ReactivateProject(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateProject", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateProject), varargs...) -} - -// ReactivateProjectGrant mocks base method -func (m *MockManagementServiceClient) ReactivateProjectGrant(arg0 context.Context, arg1 *management.ProjectGrantID, arg2 ...grpc.CallOption) (*management.ProjectGrant, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ReactivateProjectGrant", varargs...) - ret0, _ := ret[0].(*management.ProjectGrant) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ReactivateProjectGrant indicates an expected call of ReactivateProjectGrant -func (mr *MockManagementServiceClientMockRecorder) ReactivateProjectGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateProjectGrant), varargs...) 
-} - -// ReactivateUser mocks base method -func (m *MockManagementServiceClient) ReactivateUser(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.UserResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ReactivateUser", varargs...) - ret0, _ := ret[0].(*management.UserResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ReactivateUser indicates an expected call of ReactivateUser -func (mr *MockManagementServiceClientMockRecorder) ReactivateUser(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateUser", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateUser), varargs...) -} - -// ReactivateUserGrant mocks base method -func (m *MockManagementServiceClient) ReactivateUserGrant(arg0 context.Context, arg1 *management.UserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ReactivateUserGrant", varargs...) - ret0, _ := ret[0].(*management.UserGrant) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ReactivateUserGrant indicates an expected call of ReactivateUserGrant -func (mr *MockManagementServiceClientMockRecorder) ReactivateUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateUserGrant), varargs...) 
-} - -// RegenerateOIDCClientSecret mocks base method -func (m *MockManagementServiceClient) RegenerateOIDCClientSecret(arg0 context.Context, arg1 *management.ApplicationID, arg2 ...grpc.CallOption) (*management.ClientSecret, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RegenerateOIDCClientSecret", varargs...) - ret0, _ := ret[0].(*management.ClientSecret) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RegenerateOIDCClientSecret indicates an expected call of RegenerateOIDCClientSecret -func (mr *MockManagementServiceClientMockRecorder) RegenerateOIDCClientSecret(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RegenerateOIDCClientSecret", reflect.TypeOf((*MockManagementServiceClient)(nil).RegenerateOIDCClientSecret), varargs...) -} - -// RemoveApplication mocks base method -func (m *MockManagementServiceClient) RemoveApplication(arg0 context.Context, arg1 *management.ApplicationID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveApplication", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveApplication indicates an expected call of RemoveApplication -func (mr *MockManagementServiceClientMockRecorder) RemoveApplication(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveApplication", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveApplication), varargs...) 
-} - -// RemoveExternalIDP mocks base method -func (m *MockManagementServiceClient) RemoveExternalIDP(arg0 context.Context, arg1 *management.ExternalIDPRemoveRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveExternalIDP", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveExternalIDP indicates an expected call of RemoveExternalIDP -func (mr *MockManagementServiceClientMockRecorder) RemoveExternalIDP(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveExternalIDP", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveExternalIDP), varargs...) -} - -// RemoveIdpConfig mocks base method -func (m *MockManagementServiceClient) RemoveIdpConfig(arg0 context.Context, arg1 *management.IdpID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveIdpConfig", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveIdpConfig indicates an expected call of RemoveIdpConfig -func (mr *MockManagementServiceClientMockRecorder) RemoveIdpConfig(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveIdpConfig", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveIdpConfig), varargs...) 
-} - -// RemoveIdpProviderFromLoginPolicy mocks base method -func (m *MockManagementServiceClient) RemoveIdpProviderFromLoginPolicy(arg0 context.Context, arg1 *management.IdpProviderID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveIdpProviderFromLoginPolicy", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveIdpProviderFromLoginPolicy indicates an expected call of RemoveIdpProviderFromLoginPolicy -func (mr *MockManagementServiceClientMockRecorder) RemoveIdpProviderFromLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveIdpProviderFromLoginPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveIdpProviderFromLoginPolicy), varargs...) -} - -// RemoveLoginPolicy mocks base method -func (m *MockManagementServiceClient) RemoveLoginPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveLoginPolicy", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveLoginPolicy indicates an expected call of RemoveLoginPolicy -func (mr *MockManagementServiceClientMockRecorder) RemoveLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveLoginPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveLoginPolicy), varargs...) 
-} - -// RemoveMailTemplate mocks base method -func (m *MockManagementServiceClient) RemoveMailTemplate(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveMailTemplate", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveMailTemplate indicates an expected call of RemoveMailTemplate -func (mr *MockManagementServiceClientMockRecorder) RemoveMailTemplate(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMailTemplate", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveMailTemplate), varargs...) -} - -// RemoveMailText mocks base method -func (m *MockManagementServiceClient) RemoveMailText(arg0 context.Context, arg1 *management.MailTextRemove, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveMailText", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveMailText indicates an expected call of RemoveMailText -func (mr *MockManagementServiceClientMockRecorder) RemoveMailText(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMailText", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveMailText), varargs...) 
-} - -// RemoveMfaOTP mocks base method -func (m *MockManagementServiceClient) RemoveMfaOTP(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveMfaOTP", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveMfaOTP indicates an expected call of RemoveMfaOTP -func (mr *MockManagementServiceClientMockRecorder) RemoveMfaOTP(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMfaOTP", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveMfaOTP), varargs...) -} - -// RemoveMfaU2F mocks base method -func (m *MockManagementServiceClient) RemoveMfaU2F(arg0 context.Context, arg1 *management.WebAuthNTokenID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveMfaU2F", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveMfaU2F indicates an expected call of RemoveMfaU2F -func (mr *MockManagementServiceClientMockRecorder) RemoveMfaU2F(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMfaU2F", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveMfaU2F), varargs...) 
-} - -// RemoveMultiFactorFromLoginPolicy mocks base method -func (m *MockManagementServiceClient) RemoveMultiFactorFromLoginPolicy(arg0 context.Context, arg1 *management.MultiFactor, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveMultiFactorFromLoginPolicy", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveMultiFactorFromLoginPolicy indicates an expected call of RemoveMultiFactorFromLoginPolicy -func (mr *MockManagementServiceClientMockRecorder) RemoveMultiFactorFromLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMultiFactorFromLoginPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveMultiFactorFromLoginPolicy), varargs...) -} - -// RemoveMyOrgDomain mocks base method -func (m *MockManagementServiceClient) RemoveMyOrgDomain(arg0 context.Context, arg1 *management.RemoveOrgDomainRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveMyOrgDomain", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveMyOrgDomain indicates an expected call of RemoveMyOrgDomain -func (mr *MockManagementServiceClientMockRecorder) RemoveMyOrgDomain(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMyOrgDomain", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveMyOrgDomain), varargs...) 
-} - -// RemoveMyOrgMember mocks base method -func (m *MockManagementServiceClient) RemoveMyOrgMember(arg0 context.Context, arg1 *management.RemoveOrgMemberRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveMyOrgMember", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveMyOrgMember indicates an expected call of RemoveMyOrgMember -func (mr *MockManagementServiceClientMockRecorder) RemoveMyOrgMember(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveMyOrgMember", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveMyOrgMember), varargs...) -} - -// RemovePasswordAgePolicy mocks base method -func (m *MockManagementServiceClient) RemovePasswordAgePolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemovePasswordAgePolicy", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemovePasswordAgePolicy indicates an expected call of RemovePasswordAgePolicy -func (mr *MockManagementServiceClientMockRecorder) RemovePasswordAgePolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePasswordAgePolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).RemovePasswordAgePolicy), varargs...) 
-} - -// RemovePasswordComplexityPolicy mocks base method -func (m *MockManagementServiceClient) RemovePasswordComplexityPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemovePasswordComplexityPolicy", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemovePasswordComplexityPolicy indicates an expected call of RemovePasswordComplexityPolicy -func (mr *MockManagementServiceClientMockRecorder) RemovePasswordComplexityPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePasswordComplexityPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).RemovePasswordComplexityPolicy), varargs...) -} - -// RemovePasswordLockoutPolicy mocks base method -func (m *MockManagementServiceClient) RemovePasswordLockoutPolicy(arg0 context.Context, arg1 *emptypb.Empty, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemovePasswordLockoutPolicy", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemovePasswordLockoutPolicy indicates an expected call of RemovePasswordLockoutPolicy -func (mr *MockManagementServiceClientMockRecorder) RemovePasswordLockoutPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePasswordLockoutPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).RemovePasswordLockoutPolicy), varargs...) 
-} - -// RemovePasswordless mocks base method -func (m *MockManagementServiceClient) RemovePasswordless(arg0 context.Context, arg1 *management.WebAuthNTokenID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemovePasswordless", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemovePasswordless indicates an expected call of RemovePasswordless -func (mr *MockManagementServiceClientMockRecorder) RemovePasswordless(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePasswordless", reflect.TypeOf((*MockManagementServiceClient)(nil).RemovePasswordless), varargs...) -} - -// RemoveProject mocks base method -func (m *MockManagementServiceClient) RemoveProject(arg0 context.Context, arg1 *management.ProjectID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveProject", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveProject indicates an expected call of RemoveProject -func (mr *MockManagementServiceClientMockRecorder) RemoveProject(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveProject", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveProject), varargs...) 
-} - -// RemoveProjectGrant mocks base method -func (m *MockManagementServiceClient) RemoveProjectGrant(arg0 context.Context, arg1 *management.ProjectGrantID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveProjectGrant", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveProjectGrant indicates an expected call of RemoveProjectGrant -func (mr *MockManagementServiceClientMockRecorder) RemoveProjectGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveProjectGrant), varargs...) -} - -// RemoveProjectGrantMember mocks base method -func (m *MockManagementServiceClient) RemoveProjectGrantMember(arg0 context.Context, arg1 *management.ProjectGrantMemberRemove, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveProjectGrantMember", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveProjectGrantMember indicates an expected call of RemoveProjectGrantMember -func (mr *MockManagementServiceClientMockRecorder) RemoveProjectGrantMember(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveProjectGrantMember", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveProjectGrantMember), varargs...) 
-} - -// RemoveProjectMember mocks base method -func (m *MockManagementServiceClient) RemoveProjectMember(arg0 context.Context, arg1 *management.ProjectMemberRemove, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveProjectMember", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveProjectMember indicates an expected call of RemoveProjectMember -func (mr *MockManagementServiceClientMockRecorder) RemoveProjectMember(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveProjectMember", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveProjectMember), varargs...) -} - -// RemoveProjectRole mocks base method -func (m *MockManagementServiceClient) RemoveProjectRole(arg0 context.Context, arg1 *management.ProjectRoleRemove, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveProjectRole", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveProjectRole indicates an expected call of RemoveProjectRole -func (mr *MockManagementServiceClientMockRecorder) RemoveProjectRole(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveProjectRole", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveProjectRole), varargs...) 
-} - -// RemoveSecondFactorFromLoginPolicy mocks base method -func (m *MockManagementServiceClient) RemoveSecondFactorFromLoginPolicy(arg0 context.Context, arg1 *management.SecondFactor, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveSecondFactorFromLoginPolicy", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveSecondFactorFromLoginPolicy indicates an expected call of RemoveSecondFactorFromLoginPolicy -func (mr *MockManagementServiceClientMockRecorder) RemoveSecondFactorFromLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveSecondFactorFromLoginPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveSecondFactorFromLoginPolicy), varargs...) -} - -// RemoveUserGrant mocks base method -func (m *MockManagementServiceClient) RemoveUserGrant(arg0 context.Context, arg1 *management.UserGrantID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveUserGrant", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveUserGrant indicates an expected call of RemoveUserGrant -func (mr *MockManagementServiceClientMockRecorder) RemoveUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveUserGrant), varargs...) 
-} - -// RemoveUserPhone mocks base method -func (m *MockManagementServiceClient) RemoveUserPhone(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "RemoveUserPhone", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// RemoveUserPhone indicates an expected call of RemoveUserPhone -func (mr *MockManagementServiceClientMockRecorder) RemoveUserPhone(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemoveUserPhone", reflect.TypeOf((*MockManagementServiceClient)(nil).RemoveUserPhone), varargs...) -} - -// ResendEmailVerificationMail mocks base method -func (m *MockManagementServiceClient) ResendEmailVerificationMail(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ResendEmailVerificationMail", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ResendEmailVerificationMail indicates an expected call of ResendEmailVerificationMail -func (mr *MockManagementServiceClientMockRecorder) ResendEmailVerificationMail(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResendEmailVerificationMail", reflect.TypeOf((*MockManagementServiceClient)(nil).ResendEmailVerificationMail), varargs...) 
-} - -// ResendInitialMail mocks base method -func (m *MockManagementServiceClient) ResendInitialMail(arg0 context.Context, arg1 *management.InitialMailRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ResendInitialMail", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ResendInitialMail indicates an expected call of ResendInitialMail -func (mr *MockManagementServiceClientMockRecorder) ResendInitialMail(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResendInitialMail", reflect.TypeOf((*MockManagementServiceClient)(nil).ResendInitialMail), varargs...) -} - -// ResendPhoneVerificationCode mocks base method -func (m *MockManagementServiceClient) ResendPhoneVerificationCode(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ResendPhoneVerificationCode", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ResendPhoneVerificationCode indicates an expected call of ResendPhoneVerificationCode -func (mr *MockManagementServiceClientMockRecorder) ResendPhoneVerificationCode(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ResendPhoneVerificationCode", reflect.TypeOf((*MockManagementServiceClient)(nil).ResendPhoneVerificationCode), varargs...) 
-} - -// SearchApplications mocks base method -func (m *MockManagementServiceClient) SearchApplications(arg0 context.Context, arg1 *management.ApplicationSearchRequest, arg2 ...grpc.CallOption) (*management.ApplicationSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchApplications", varargs...) - ret0, _ := ret[0].(*management.ApplicationSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchApplications indicates an expected call of SearchApplications -func (mr *MockManagementServiceClientMockRecorder) SearchApplications(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchApplications", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchApplications), varargs...) -} - -// SearchGrantedProjects mocks base method -func (m *MockManagementServiceClient) SearchGrantedProjects(arg0 context.Context, arg1 *management.GrantedProjectSearchRequest, arg2 ...grpc.CallOption) (*management.ProjectGrantSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchGrantedProjects", varargs...) - ret0, _ := ret[0].(*management.ProjectGrantSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchGrantedProjects indicates an expected call of SearchGrantedProjects -func (mr *MockManagementServiceClientMockRecorder) SearchGrantedProjects(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchGrantedProjects", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchGrantedProjects), varargs...) 
-} - -// SearchIdps mocks base method -func (m *MockManagementServiceClient) SearchIdps(arg0 context.Context, arg1 *management.IdpSearchRequest, arg2 ...grpc.CallOption) (*management.IdpSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchIdps", varargs...) - ret0, _ := ret[0].(*management.IdpSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchIdps indicates an expected call of SearchIdps -func (mr *MockManagementServiceClientMockRecorder) SearchIdps(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchIdps", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchIdps), varargs...) -} - -// SearchMachineKeys mocks base method -func (m *MockManagementServiceClient) SearchMachineKeys(arg0 context.Context, arg1 *management.MachineKeySearchRequest, arg2 ...grpc.CallOption) (*management.MachineKeySearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchMachineKeys", varargs...) - ret0, _ := ret[0].(*management.MachineKeySearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchMachineKeys indicates an expected call of SearchMachineKeys -func (mr *MockManagementServiceClientMockRecorder) SearchMachineKeys(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchMachineKeys", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchMachineKeys), varargs...) 
-} - -// SearchMyOrgDomains mocks base method -func (m *MockManagementServiceClient) SearchMyOrgDomains(arg0 context.Context, arg1 *management.OrgDomainSearchRequest, arg2 ...grpc.CallOption) (*management.OrgDomainSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchMyOrgDomains", varargs...) - ret0, _ := ret[0].(*management.OrgDomainSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchMyOrgDomains indicates an expected call of SearchMyOrgDomains -func (mr *MockManagementServiceClientMockRecorder) SearchMyOrgDomains(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchMyOrgDomains", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchMyOrgDomains), varargs...) -} - -// SearchMyOrgMembers mocks base method -func (m *MockManagementServiceClient) SearchMyOrgMembers(arg0 context.Context, arg1 *management.OrgMemberSearchRequest, arg2 ...grpc.CallOption) (*management.OrgMemberSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchMyOrgMembers", varargs...) - ret0, _ := ret[0].(*management.OrgMemberSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchMyOrgMembers indicates an expected call of SearchMyOrgMembers -func (mr *MockManagementServiceClientMockRecorder) SearchMyOrgMembers(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchMyOrgMembers", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchMyOrgMembers), varargs...) 
-} - -// SearchProjectGrantMembers mocks base method -func (m *MockManagementServiceClient) SearchProjectGrantMembers(arg0 context.Context, arg1 *management.ProjectGrantMemberSearchRequest, arg2 ...grpc.CallOption) (*management.ProjectGrantMemberSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchProjectGrantMembers", varargs...) - ret0, _ := ret[0].(*management.ProjectGrantMemberSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchProjectGrantMembers indicates an expected call of SearchProjectGrantMembers -func (mr *MockManagementServiceClientMockRecorder) SearchProjectGrantMembers(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectGrantMembers", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectGrantMembers), varargs...) -} - -// SearchProjectGrants mocks base method -func (m *MockManagementServiceClient) SearchProjectGrants(arg0 context.Context, arg1 *management.ProjectGrantSearchRequest, arg2 ...grpc.CallOption) (*management.ProjectGrantSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchProjectGrants", varargs...) - ret0, _ := ret[0].(*management.ProjectGrantSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchProjectGrants indicates an expected call of SearchProjectGrants -func (mr *MockManagementServiceClientMockRecorder) SearchProjectGrants(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectGrants", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectGrants), varargs...) -} - -// SearchProjectMembers mocks base method -func (m *MockManagementServiceClient) SearchProjectMembers(arg0 context.Context, arg1 *management.ProjectMemberSearchRequest, arg2 ...grpc.CallOption) (*management.ProjectMemberSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchProjectMembers", varargs...) - ret0, _ := ret[0].(*management.ProjectMemberSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchProjectMembers indicates an expected call of SearchProjectMembers -func (mr *MockManagementServiceClientMockRecorder) SearchProjectMembers(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectMembers", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectMembers), varargs...) -} - -// SearchProjectRoles mocks base method -func (m *MockManagementServiceClient) SearchProjectRoles(arg0 context.Context, arg1 *management.ProjectRoleSearchRequest, arg2 ...grpc.CallOption) (*management.ProjectRoleSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchProjectRoles", varargs...) - ret0, _ := ret[0].(*management.ProjectRoleSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchProjectRoles indicates an expected call of SearchProjectRoles -func (mr *MockManagementServiceClientMockRecorder) SearchProjectRoles(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectRoles", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectRoles), varargs...) -} - -// SearchProjects mocks base method -func (m *MockManagementServiceClient) SearchProjects(arg0 context.Context, arg1 *management.ProjectSearchRequest, arg2 ...grpc.CallOption) (*management.ProjectSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchProjects", varargs...) - ret0, _ := ret[0].(*management.ProjectSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchProjects indicates an expected call of SearchProjects -func (mr *MockManagementServiceClientMockRecorder) SearchProjects(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjects", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjects), varargs...) -} - -// SearchUserExternalIDPs mocks base method -func (m *MockManagementServiceClient) SearchUserExternalIDPs(arg0 context.Context, arg1 *management.ExternalIDPSearchRequest, arg2 ...grpc.CallOption) (*management.ExternalIDPSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchUserExternalIDPs", varargs...) - ret0, _ := ret[0].(*management.ExternalIDPSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchUserExternalIDPs indicates an expected call of SearchUserExternalIDPs -func (mr *MockManagementServiceClientMockRecorder) SearchUserExternalIDPs(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchUserExternalIDPs", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchUserExternalIDPs), varargs...) -} - -// SearchUserGrants mocks base method -func (m *MockManagementServiceClient) SearchUserGrants(arg0 context.Context, arg1 *management.UserGrantSearchRequest, arg2 ...grpc.CallOption) (*management.UserGrantSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchUserGrants", varargs...) - ret0, _ := ret[0].(*management.UserGrantSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchUserGrants indicates an expected call of SearchUserGrants -func (mr *MockManagementServiceClientMockRecorder) SearchUserGrants(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchUserGrants", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchUserGrants), varargs...) -} - -// SearchUserMemberships mocks base method -func (m *MockManagementServiceClient) SearchUserMemberships(arg0 context.Context, arg1 *management.UserMembershipSearchRequest, arg2 ...grpc.CallOption) (*management.UserMembershipSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchUserMemberships", varargs...) - ret0, _ := ret[0].(*management.UserMembershipSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchUserMemberships indicates an expected call of SearchUserMemberships -func (mr *MockManagementServiceClientMockRecorder) SearchUserMemberships(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchUserMemberships", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchUserMemberships), varargs...) -} - -// SearchUsers mocks base method -func (m *MockManagementServiceClient) SearchUsers(arg0 context.Context, arg1 *management.UserSearchRequest, arg2 ...grpc.CallOption) (*management.UserSearchResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SearchUsers", varargs...) - ret0, _ := ret[0].(*management.UserSearchResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SearchUsers indicates an expected call of SearchUsers -func (mr *MockManagementServiceClientMockRecorder) SearchUsers(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchUsers", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchUsers), varargs...) -} - -// SendSetPasswordNotification mocks base method -func (m *MockManagementServiceClient) SendSetPasswordNotification(arg0 context.Context, arg1 *management.SetPasswordNotificationRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SendSetPasswordNotification", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SendSetPasswordNotification indicates an expected call of SendSetPasswordNotification -func (mr *MockManagementServiceClientMockRecorder) SendSetPasswordNotification(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SendSetPasswordNotification", reflect.TypeOf((*MockManagementServiceClient)(nil).SendSetPasswordNotification), varargs...) -} - -// SetInitialPassword mocks base method -func (m *MockManagementServiceClient) SetInitialPassword(arg0 context.Context, arg1 *management.PasswordRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SetInitialPassword", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SetInitialPassword indicates an expected call of SetInitialPassword -func (mr *MockManagementServiceClientMockRecorder) SetInitialPassword(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetInitialPassword", reflect.TypeOf((*MockManagementServiceClient)(nil).SetInitialPassword), varargs...) -} - -// SetMyPrimaryOrgDomain mocks base method -func (m *MockManagementServiceClient) SetMyPrimaryOrgDomain(arg0 context.Context, arg1 *management.PrimaryOrgDomainRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "SetMyPrimaryOrgDomain", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// SetMyPrimaryOrgDomain indicates an expected call of SetMyPrimaryOrgDomain -func (mr *MockManagementServiceClientMockRecorder) SetMyPrimaryOrgDomain(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetMyPrimaryOrgDomain", reflect.TypeOf((*MockManagementServiceClient)(nil).SetMyPrimaryOrgDomain), varargs...) -} - -// UnlockUser mocks base method -func (m *MockManagementServiceClient) UnlockUser(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.UserResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UnlockUser", varargs...) - ret0, _ := ret[0].(*management.UserResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UnlockUser indicates an expected call of UnlockUser -func (mr *MockManagementServiceClientMockRecorder) UnlockUser(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UnlockUser", reflect.TypeOf((*MockManagementServiceClient)(nil).UnlockUser), varargs...) -} - -// UpdateApplication mocks base method -func (m *MockManagementServiceClient) UpdateApplication(arg0 context.Context, arg1 *management.ApplicationUpdate, arg2 ...grpc.CallOption) (*management.Application, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateApplication", varargs...) - ret0, _ := ret[0].(*management.Application) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateApplication indicates an expected call of UpdateApplication -func (mr *MockManagementServiceClientMockRecorder) UpdateApplication(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateApplication", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateApplication), varargs...) 
-} - -// UpdateApplicationOIDCConfig mocks base method -func (m *MockManagementServiceClient) UpdateApplicationOIDCConfig(arg0 context.Context, arg1 *management.OIDCConfigUpdate, arg2 ...grpc.CallOption) (*management.OIDCConfig, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateApplicationOIDCConfig", varargs...) - ret0, _ := ret[0].(*management.OIDCConfig) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateApplicationOIDCConfig indicates an expected call of UpdateApplicationOIDCConfig -func (mr *MockManagementServiceClientMockRecorder) UpdateApplicationOIDCConfig(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateApplicationOIDCConfig", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateApplicationOIDCConfig), varargs...) -} - -// UpdateIdpConfig mocks base method -func (m *MockManagementServiceClient) UpdateIdpConfig(arg0 context.Context, arg1 *management.IdpUpdate, arg2 ...grpc.CallOption) (*management.Idp, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateIdpConfig", varargs...) - ret0, _ := ret[0].(*management.Idp) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateIdpConfig indicates an expected call of UpdateIdpConfig -func (mr *MockManagementServiceClientMockRecorder) UpdateIdpConfig(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateIdpConfig", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateIdpConfig), varargs...) 
-} - -// UpdateLoginPolicy mocks base method -func (m *MockManagementServiceClient) UpdateLoginPolicy(arg0 context.Context, arg1 *management.LoginPolicyRequest, arg2 ...grpc.CallOption) (*management.LoginPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateLoginPolicy", varargs...) - ret0, _ := ret[0].(*management.LoginPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateLoginPolicy indicates an expected call of UpdateLoginPolicy -func (mr *MockManagementServiceClientMockRecorder) UpdateLoginPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateLoginPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateLoginPolicy), varargs...) -} - -// UpdateMailTemplate mocks base method -func (m *MockManagementServiceClient) UpdateMailTemplate(arg0 context.Context, arg1 *management.MailTemplateUpdate, arg2 ...grpc.CallOption) (*management.MailTemplate, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateMailTemplate", varargs...) - ret0, _ := ret[0].(*management.MailTemplate) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateMailTemplate indicates an expected call of UpdateMailTemplate -func (mr *MockManagementServiceClientMockRecorder) UpdateMailTemplate(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateMailTemplate", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateMailTemplate), varargs...) 
-} - -// UpdateMailText mocks base method -func (m *MockManagementServiceClient) UpdateMailText(arg0 context.Context, arg1 *management.MailTextUpdate, arg2 ...grpc.CallOption) (*management.MailText, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateMailText", varargs...) - ret0, _ := ret[0].(*management.MailText) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateMailText indicates an expected call of UpdateMailText -func (mr *MockManagementServiceClientMockRecorder) UpdateMailText(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateMailText", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateMailText), varargs...) -} - -// UpdateOidcIdpConfig mocks base method -func (m *MockManagementServiceClient) UpdateOidcIdpConfig(arg0 context.Context, arg1 *management.OidcIdpConfigUpdate, arg2 ...grpc.CallOption) (*management.OidcIdpConfig, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateOidcIdpConfig", varargs...) - ret0, _ := ret[0].(*management.OidcIdpConfig) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateOidcIdpConfig indicates an expected call of UpdateOidcIdpConfig -func (mr *MockManagementServiceClientMockRecorder) UpdateOidcIdpConfig(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateOidcIdpConfig", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateOidcIdpConfig), varargs...) 
-} - -// UpdatePasswordAgePolicy mocks base method -func (m *MockManagementServiceClient) UpdatePasswordAgePolicy(arg0 context.Context, arg1 *management.PasswordAgePolicyRequest, arg2 ...grpc.CallOption) (*management.PasswordAgePolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdatePasswordAgePolicy", varargs...) - ret0, _ := ret[0].(*management.PasswordAgePolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdatePasswordAgePolicy indicates an expected call of UpdatePasswordAgePolicy -func (mr *MockManagementServiceClientMockRecorder) UpdatePasswordAgePolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdatePasswordAgePolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdatePasswordAgePolicy), varargs...) -} - -// UpdatePasswordComplexityPolicy mocks base method -func (m *MockManagementServiceClient) UpdatePasswordComplexityPolicy(arg0 context.Context, arg1 *management.PasswordComplexityPolicyRequest, arg2 ...grpc.CallOption) (*management.PasswordComplexityPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdatePasswordComplexityPolicy", varargs...) - ret0, _ := ret[0].(*management.PasswordComplexityPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdatePasswordComplexityPolicy indicates an expected call of UpdatePasswordComplexityPolicy -func (mr *MockManagementServiceClientMockRecorder) UpdatePasswordComplexityPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdatePasswordComplexityPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdatePasswordComplexityPolicy), varargs...) -} - -// UpdatePasswordLockoutPolicy mocks base method -func (m *MockManagementServiceClient) UpdatePasswordLockoutPolicy(arg0 context.Context, arg1 *management.PasswordLockoutPolicyRequest, arg2 ...grpc.CallOption) (*management.PasswordLockoutPolicy, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdatePasswordLockoutPolicy", varargs...) - ret0, _ := ret[0].(*management.PasswordLockoutPolicy) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdatePasswordLockoutPolicy indicates an expected call of UpdatePasswordLockoutPolicy -func (mr *MockManagementServiceClientMockRecorder) UpdatePasswordLockoutPolicy(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdatePasswordLockoutPolicy", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdatePasswordLockoutPolicy), varargs...) -} - -// UpdateProject mocks base method -func (m *MockManagementServiceClient) UpdateProject(arg0 context.Context, arg1 *management.ProjectUpdateRequest, arg2 ...grpc.CallOption) (*management.Project, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateProject", varargs...) - ret0, _ := ret[0].(*management.Project) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateProject indicates an expected call of UpdateProject -func (mr *MockManagementServiceClientMockRecorder) UpdateProject(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateProject", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateProject), varargs...) -} - -// UpdateProjectGrant mocks base method -func (m *MockManagementServiceClient) UpdateProjectGrant(arg0 context.Context, arg1 *management.ProjectGrantUpdate, arg2 ...grpc.CallOption) (*management.ProjectGrant, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateProjectGrant", varargs...) - ret0, _ := ret[0].(*management.ProjectGrant) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateProjectGrant indicates an expected call of UpdateProjectGrant -func (mr *MockManagementServiceClientMockRecorder) UpdateProjectGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateProjectGrant), varargs...) -} - -// UpdateUserAddress mocks base method -func (m *MockManagementServiceClient) UpdateUserAddress(arg0 context.Context, arg1 *management.UpdateUserAddressRequest, arg2 ...grpc.CallOption) (*management.UserAddress, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateUserAddress", varargs...) - ret0, _ := ret[0].(*management.UserAddress) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateUserAddress indicates an expected call of UpdateUserAddress -func (mr *MockManagementServiceClientMockRecorder) UpdateUserAddress(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserAddress", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateUserAddress), varargs...) -} - -// UpdateUserGrant mocks base method -func (m *MockManagementServiceClient) UpdateUserGrant(arg0 context.Context, arg1 *management.UserGrantUpdate, arg2 ...grpc.CallOption) (*management.UserGrant, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateUserGrant", varargs...) - ret0, _ := ret[0].(*management.UserGrant) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateUserGrant indicates an expected call of UpdateUserGrant -func (mr *MockManagementServiceClientMockRecorder) UpdateUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateUserGrant), varargs...) -} - -// UpdateUserMachine mocks base method -func (m *MockManagementServiceClient) UpdateUserMachine(arg0 context.Context, arg1 *management.UpdateMachineRequest, arg2 ...grpc.CallOption) (*management.MachineResponse, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateUserMachine", varargs...) - ret0, _ := ret[0].(*management.MachineResponse) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateUserMachine indicates an expected call of UpdateUserMachine -func (mr *MockManagementServiceClientMockRecorder) UpdateUserMachine(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) 
- return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserMachine", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateUserMachine), varargs...) -} - -// UpdateUserProfile mocks base method -func (m *MockManagementServiceClient) UpdateUserProfile(arg0 context.Context, arg1 *management.UpdateUserProfileRequest, arg2 ...grpc.CallOption) (*management.UserProfile, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UpdateUserProfile", varargs...) - ret0, _ := ret[0].(*management.UserProfile) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UpdateUserProfile indicates an expected call of UpdateUserProfile -func (mr *MockManagementServiceClientMockRecorder) UpdateUserProfile(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateUserProfile", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateUserProfile), varargs...) -} - -// UserChanges mocks base method -func (m *MockManagementServiceClient) UserChanges(arg0 context.Context, arg1 *management.ChangeRequest, arg2 ...grpc.CallOption) (*management.Changes, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UserChanges", varargs...) - ret0, _ := ret[0].(*management.Changes) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UserChanges indicates an expected call of UserChanges -func (mr *MockManagementServiceClientMockRecorder) UserChanges(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UserChanges", reflect.TypeOf((*MockManagementServiceClient)(nil).UserChanges), varargs...) 
-} - -// UserGrantByID mocks base method -func (m *MockManagementServiceClient) UserGrantByID(arg0 context.Context, arg1 *management.UserGrantID, arg2 ...grpc.CallOption) (*management.UserGrantView, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "UserGrantByID", varargs...) - ret0, _ := ret[0].(*management.UserGrantView) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// UserGrantByID indicates an expected call of UserGrantByID -func (mr *MockManagementServiceClientMockRecorder) UserGrantByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UserGrantByID", reflect.TypeOf((*MockManagementServiceClient)(nil).UserGrantByID), varargs...) -} - -// ValidateMyOrgDomain mocks base method -func (m *MockManagementServiceClient) ValidateMyOrgDomain(arg0 context.Context, arg1 *management.ValidateOrgDomainRequest, arg2 ...grpc.CallOption) (*emptypb.Empty, error) { - m.ctrl.T.Helper() - varargs := []interface{}{arg0, arg1} - for _, a := range arg2 { - varargs = append(varargs, a) - } - ret := m.ctrl.Call(m, "ValidateMyOrgDomain", varargs...) - ret0, _ := ret[0].(*emptypb.Empty) - ret1, _ := ret[1].(error) - return ret0, ret1 -} - -// ValidateMyOrgDomain indicates an expected call of ValidateMyOrgDomain -func (mr *MockManagementServiceClientMockRecorder) ValidateMyOrgDomain(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call { - mr.mock.ctrl.T.Helper() - varargs := append([]interface{}{arg0, arg1}, arg2...) - return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ValidateMyOrgDomain", reflect.TypeOf((*MockManagementServiceClient)(nil).ValidateMyOrgDomain), varargs...) -} diff --git a/pkg/grpc/management/oneof.go b/pkg/grpc/management/oneof.go index 21ca94cb67..3d6a65f0d2 100644 --- a/pkg/grpc/management/oneof.go 
+++ b/pkg/grpc/management/oneof.go @@ -2,4 +2,4 @@ package management //AppConfig is a type alias of the generated isApplication_AppConfig config //to make it public -type AppConfig = isApplication_AppConfig +// type AppConfig = isApplication_AppConfig diff --git a/pkg/grpc/management/proto/generate.go b/pkg/grpc/management/proto/generate.go deleted file mode 100644 index d64a5ddfda..0000000000 --- a/pkg/grpc/management/proto/generate.go +++ /dev/null @@ -1,4 +0,0 @@ -package proto - -//go:generate protoc -I${GOPATH}/src -I../proto -I${GOPATH}/src/github.com/caos/zitadel/pkg/grpc/message -I${GOPATH}/src/github.com/grpc-ecosystem/grpc-gateway -I${GOPATH}/src/github.com/grpc-ecosystem/grpc-gateway/third_party/googleapis -I${GOPATH}/src/github.com/envoyproxy/protoc-gen-validate -I${GOPATH}/src/github.com/caos/zitadel/internal/protoc/protoc-gen-authoption --go_out=plugins=grpc:${GOPATH}/src --grpc-gateway_out=logtostderr=true,allow_delete_body=true:${GOPATH}/src --swagger_out=logtostderr=true,allow_delete_body=true:.. --authoption_out=.. --validate_out=lang=go:${GOPATH}/src management.proto -//go:generate mockgen -package api -destination ../mock/management.proto.mock.go github.com/caos/zitadel/pkg/grpc/management ManagementServiceClient diff --git a/pkg/grpc/management/proto/management.proto b/pkg/grpc/management/proto/management.proto deleted file mode 100644 index 2e91f29266..0000000000 --- a/pkg/grpc/management/proto/management.proto +++ /dev/null 
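Review bot: In `pkg/grpc/management/oneof.go` the alias is commented out rather than removed, so the file now holds only `package management` and a doc comment describing a public `AppConfig` type that no longer exists. Any code that references `management.AppConfig` will stop compiling, and nothing in this hunk shows those callers being updated. If the alias is gone for good, delete the two comment lines and the dead `// type AppConfig = isApplication_AppConfig` line (or the whole file). If it is only disabled until the generated `isApplication_AppConfig` is available in this package again, which is a guess from the rest of the commit, replace the stale doc comment with something like `// TODO: restore the AppConfig alias once isApplication_AppConfig is generated into this package`.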
@@ -1,3649 +0,0 @@ -syntax = "proto3"; - -import "google/api/annotations.proto"; -import "google/protobuf/empty.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/timestamp.proto"; -import "google/protobuf/duration.proto"; -import "protoc-gen-swagger/options/annotations.proto"; -import "validate/validate.proto"; -import "authoption/options.proto"; -import "proto/message.proto"; - -package caos.zitadel.management.api.v1; - -option go_package = "github.com/caos/zitadel/pkg/grpc/management"; - -option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = { - info: { - title: "Management API"; - version: "0.1"; - contact:{ - url: "https://github.com/caos/zitadel/pkg/management" - }; - }; - - schemes: HTTPS; - - consumes: "application/json"; - consumes: "application/grpc"; - - produces: "application/json"; - produces: "application/grpc"; -}; - -// All requests are based on your context if nothing other is specified -// Requests which have /me in the url get the parameter from the context -service ManagementService { - - //READINESS - rpc Healthz(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - get: "/healthz" - }; - } - - rpc GetZitadelDocs(google.protobuf.Empty) returns (ZitadelDocs) { - option (google.api.http) = { - get: "/zitadel/docs" - }; - } - - // GetIam returns some needed settings of the iam (Global Organisation ID, Zitadel Project ID) - rpc GetIam(google.protobuf.Empty) returns (Iam) { - option (google.api.http) = { - get: "/iam" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc IsUserUnique(UniqueUserRequest) returns (UniqueUserResponse) { - option (google.api.http) = { - get: "/users/_isunique" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.read" - }; - } - - rpc GetUserByID(UserID) returns (UserView) { - option (google.api.http) = { - get: "/users/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = 
{ - permission: "user.read" - }; - } - - // GetUserByLoginNameGlobal returns User, global search is overall organisations - rpc GetUserByLoginNameGlobal(LoginName) returns (UserView) { - option (google.api.http) = { - get: "/global/users/_byloginname" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.global.read" - }; - } - - // Limit should always be set, there is a default limit set by the service - rpc SearchUsers(UserSearchRequest) returns (UserSearchResponse) { - option (google.api.http) = { - post: "/users/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.read" - }; - } - - rpc CreateUser(CreateUserRequest) returns (UserResponse) { - option (google.api.http) = { - post: "/users" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc DeactivateUser(UserID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/users/{id}/_deactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc ReactivateUser(UserID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/users/{id}/_reactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc LockUser(UserID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/users/{id}/_lock" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc UnlockUser(UserID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/users/{id}/_unlock" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc DeleteUser(UserID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.delete" - }; - } - - // 
UserChanges returns the event stream of the user object - rpc UserChanges(ChangeRequest) returns (Changes) { - option (google.api.http) = { - get: "/users/{id}/changes" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.read" - }; - } - - rpc AddMachineKey(AddMachineKeyRequest) returns (AddMachineKeyResponse) { - option (google.api.http) = { - post: "/users/{user_id}/keys" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc DeleteMachineKey(MachineKeyIDRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/{user_id}/keys/{key_id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc SearchMachineKeys(MachineKeySearchRequest) returns (MachineKeySearchResponse) { - option (google.api.http) = { - post: "/users/{user_id}/keys/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.read" - }; - } - - rpc GetMachineKey(MachineKeyIDRequest) returns (MachineKeyView) { - option (google.api.http) = { - get: "/users/{user_id}/keys/{key_id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.read" - }; - } - - rpc GetUserProfile(UserID) returns (UserProfileView) { - option (google.api.http) = { - get: "/users/{id}/profile" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.read" - }; - } - - rpc UpdateUserProfile(UpdateUserProfileRequest) returns (UserProfile) { - option (google.api.http) = { - put: "/users/{id}/profile" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc GetUserEmail(UserID) returns (UserEmailView) { - option (google.api.http) = { - get: "/users/{id}/email" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.read" - }; - } - - rpc ChangeUserUserName(UpdateUserUserNameRequest) returns (google.protobuf.Empty) { - option 
(google.api.http) = { - get: "/users/{id}/username" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc ChangeUserEmail(UpdateUserEmailRequest) returns (UserEmail) { - option (google.api.http) = { - put: "/users/{id}/email" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc ResendEmailVerificationMail(UserID) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/users/{id}/email/_resendverification" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc GetUserPhone(UserID) returns (UserPhoneView) { - option (google.api.http) = { - get: "/users/{id}/phone" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.read" - }; - } - - rpc ChangeUserPhone(UpdateUserPhoneRequest) returns (UserPhone) { - option (google.api.http) = { - put: "/users/{id}/phone" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc RemoveUserPhone(UserID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/{id}/phone" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc ResendPhoneVerificationCode(UserID) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/users/{id}/phone/_resendverification" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc GetUserAddress(UserID) returns (UserAddressView) { - option (google.api.http) = { - get: "/users/{id}/address" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.read" - }; - } - - rpc UpdateUserAddress(UpdateUserAddressRequest) returns (UserAddress) { - option (google.api.http) = { - put: "/users/{id}/address" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; 
- } - - rpc UpdateUserMachine(UpdateMachineRequest) returns (MachineResponse) { - option (google.api.http) = { - put: "/users/{id}/machine" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc SearchUserExternalIDPs(ExternalIDPSearchRequest) returns (ExternalIDPSearchResponse) { - option (google.api.http) = { - post: "/users/{user_id}/externalidps/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.read" - }; - } - - rpc RemoveExternalIDP(ExternalIDPRemoveRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/{user_id}/externalidps/{idp_config_id}/{external_user_id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc GetUserMfas(UserID) returns (UserMultiFactors) { - option (google.api.http) = { - get: "/users/{id}/mfas" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.read" - }; - } - - rpc RemoveMfaOTP(UserID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/{id}/mfas/otp" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc RemoveMfaU2F(WebAuthNTokenID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/{user_id}/mfas/u2f/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc GetPasswordless(UserID) returns (WebAuthNTokens) { - option (google.api.http) = { - get: "/users/{id}/passwordless" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.read" - }; - } - - rpc RemovePasswordless(WebAuthNTokenID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/{user_id}/passwordless" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - // Sends an Notification (Email/SMS) with a password reset Link - 
rpc SendSetPasswordNotification(SetPasswordNotificationRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/users/{id}/password/_sendsetnotification" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - // A Manager is only allowed to set an initial password, on the next login the user has to change his password - rpc SetInitialPassword(PasswordRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/users/{id}/password/_initialize" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc ResendInitialMail(InitialMailRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/users/{id}/_resendinitialisation" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.write" - }; - } - - rpc SearchUserMemberships(UserMembershipSearchRequest) returns (UserMembershipSearchResponse) { - option (google.api.http) = { - post: "/users/{user_id}/memberships/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.membership.read" - }; - } - - rpc CreateOrg(OrgCreateRequest) returns (Org) { - option (google.api.http) = { - post: "/orgs" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.create" - }; - } - - // OrgChanges returns the event stream of the org object - rpc OrgChanges(ChangeRequest) returns (Changes) { - option (google.api.http) = { - get: "/orgs/{id}/changes" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.read" - }; - } - - rpc GetMyOrg(google.protobuf.Empty) returns (OrgView) { - option (google.api.http) = { - get: "/orgs/me" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.read" - }; - } - - // search a organisation by its domain overall organisations - rpc GetOrgByDomainGlobal(Domain) returns (OrgView) { - option 
(google.api.http) = { - get: "/global/orgs/_bydomain" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.global.read" - }; - } - - rpc DeactivateMyOrg(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/orgs/me/_deactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.write" - }; - } - - rpc ReactivateMyOrg(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/orgs/me/_reactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.write" - }; - } - - rpc SearchMyOrgDomains(OrgDomainSearchRequest) returns (OrgDomainSearchResponse) { - option (google.api.http) = { - post: "/orgs/me/domains/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.read" - }; - } - - rpc AddMyOrgDomain(AddOrgDomainRequest) returns (OrgDomain) { - option (google.api.http) = { - post: "/orgs/me/domains" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.write" - }; - } - - rpc GenerateMyOrgDomainValidation(OrgDomainValidationRequest) returns (OrgDomainValidationResponse) { - option (google.api.http) = { - post: "/orgs/me/domains/{domain}/validation/create" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.write" - }; - } - - rpc ValidateMyOrgDomain(ValidateOrgDomainRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/orgs/me/domains/{domain}/validation/check" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.write" - }; - } - - rpc SetMyPrimaryOrgDomain(PrimaryOrgDomainRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/orgs/me/domains/{domain}/_primary" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.write" - }; - } - - rpc RemoveMyOrgDomain(RemoveOrgDomainRequest) 
returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/orgs/me/domains/{domain}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.write" - }; - } - - rpc GetMyOrgIamPolicy(google.protobuf.Empty) returns (OrgIamPolicyView) { - option (google.api.http) = { - get: "/orgs/me/iampolicy" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "authenticated" - }; - } - - rpc GetOrgMemberRoles(google.protobuf.Empty) returns (OrgMemberRoles) { - option (google.api.http) = { - get: "/orgs/members/roles" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.member.read" - }; - } - - rpc AddMyOrgMember(AddOrgMemberRequest) returns (OrgMember) { - option (google.api.http) = { - post: "/orgs/me/members" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.member.write" - }; - } - - rpc ChangeMyOrgMember(ChangeOrgMemberRequest) returns (OrgMember) { - option (google.api.http) = { - put: "/orgs/me/members/{user_id}" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.member.write" - }; - } - - rpc RemoveMyOrgMember(RemoveOrgMemberRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/orgs/me/members/{user_id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.member.delete" - }; - } - - rpc SearchMyOrgMembers(OrgMemberSearchRequest) returns (OrgMemberSearchResponse) { - option (google.api.http) = { - post: "/orgs/me/members/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.member.read" - }; - } - - // ProjectChanges returns the event stream of the project object - rpc ProjectChanges(ChangeRequest) returns (Changes) { - option (google.api.http) = { - get: "/projects/{id}/changes" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.read" - }; - } - - rpc SearchProjects(ProjectSearchRequest) returns 
(ProjectSearchResponse) { - option (google.api.http) = { - post: "/projects/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.read" - }; - } - - rpc ProjectByID(ProjectID) returns (ProjectView) { - option (google.api.http) = { - get: "/projects/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.read" - check_field_name: "Id" - }; - } - - rpc CreateProject(ProjectCreateRequest) returns (Project) { - option (google.api.http) = { - post: "/projects" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.create" - }; - } - - rpc UpdateProject(ProjectUpdateRequest) returns (Project) { - option (google.api.http) = { - put: "/projects/{id}" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.write" - check_field_name: "Id" - }; - } - - rpc DeactivateProject(ProjectID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/projects/{id}/_deactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.write" - check_field_name: "Id" - }; - } - - rpc ReactivateProject(ProjectID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/projects/{id}/_reactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.write" - check_field_name: "Id" - }; - } - - rpc RemoveProject(ProjectID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/projects/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.delete" - check_field_name: "Id" - }; - } - - // returns all projects my organisation got granted from another organisation - rpc SearchGrantedProjects(GrantedProjectSearchRequest) returns (ProjectGrantSearchResponse) { - option (google.api.http) = { - post: "/grantedprojects/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - 
permission: "project.read" - }; - } - - // returns a project my organisation got granted from another organisation - rpc GetGrantedProjectByID(ProjectGrantID) returns (ProjectGrantView) { - option (google.api.http) = { - get: "/grantedprojects/{project_id}/grants/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.read" - check_field_name: "Id" - }; - } - - rpc GetProjectMemberRoles(google.protobuf.Empty) returns (ProjectMemberRoles) { - option (google.api.http) = { - get: "/projects/members/roles" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.member.read" - }; - } - - rpc SearchProjectMembers(ProjectMemberSearchRequest) returns (ProjectMemberSearchResponse) { - option (google.api.http) = { - post: "/projects/{project_id}/members/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.member.read" - check_field_name: "ProjectId" - }; - } - - rpc AddProjectMember(ProjectMemberAdd) returns (ProjectMember) { - option (google.api.http) = { - post: "/projects/{id}/members" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.member.write" - check_field_name: "Id" - }; - } - - rpc ChangeProjectMember(ProjectMemberChange) returns (ProjectMember) { - option (google.api.http) = { - put: "/projects/{id}/members/{user_id}" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.member.write" - check_field_name: "Id" - }; - } - - rpc RemoveProjectMember(ProjectMemberRemove) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/projects/{id}/members/{user_id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.member.delete" - check_field_name: "Id" - }; - } - - rpc SearchProjectRoles(ProjectRoleSearchRequest) returns (ProjectRoleSearchResponse) { - option (google.api.http) = { - post: "/projects/{project_id}/roles/_search" - body: "*" - }; - - 
option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.role.read" - check_field_name: "ProjectId" - }; - } - - rpc AddProjectRole(ProjectRoleAdd) returns (ProjectRole) { - option (google.api.http) = { - post: "/projects/{id}/roles" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.role.write" - check_field_name: "Id" - }; - } - - // add a list of project roles in one request - rpc BulkAddProjectRole(ProjectRoleAddBulk) returns (google.protobuf.Empty) { - option (google.api.http) = { - post: "/projects/{id}/roles/_bulk" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.role.write" - check_field_name: "Id" - }; - } - - rpc ChangeProjectRole(ProjectRoleChange) returns (ProjectRole) { - option (google.api.http) = { - put: "/projects/{id}/roles/{key}" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.role.write" - check_field_name: "Id" - }; - } - - // RemoveProjectRole removes role from UserGrants, ProjectGrants and from Project - rpc RemoveProjectRole(ProjectRoleRemove) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/projects/{id}/roles/{key}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.role.delete" - check_field_name: "Id" - }; - } - - rpc SearchApplications(ApplicationSearchRequest) returns (ApplicationSearchResponse) { - option (google.api.http) = { - post: "/projects/{project_id}/applications/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.read" - check_field_name: "ProjectId" - }; - } - - rpc ApplicationByID(ApplicationID) returns (ApplicationView) { - option (google.api.http) = { - get: "/projects/{project_id}/applications/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.read" - check_field_name: "ProjectId" - }; - } - - // ApplicationChanges returns the event stream of 
the application object - rpc ApplicationChanges(ChangeRequest) returns (Changes) { - option (google.api.http) = { - get: "/projects/{id}/applications/{sec_id}/changes" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.read" - }; - } - - rpc CreateOIDCApplication(OIDCApplicationCreate) returns (Application) { - option (google.api.http) = { - post: "/projects/{project_id}/applications/oidc" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.write" - check_field_name: "ProjectId" - }; - } - - rpc CreateAPIApplication(APIApplicationCreate) returns (Application) { - option (google.api.http) = { - post: "/projects/{project_id}/applications/api" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.write" - check_field_name: "ProjectId" - }; - } - - rpc UpdateApplication(ApplicationUpdate) returns (Application) { - option (google.api.http) = { - put: "/projects/{project_id}/applications/{id}" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.write" - check_field_name: "ProjectId" - }; - } - - rpc DeactivateApplication(ApplicationID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/projects/{project_id}/applications/{id}/_deactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.write" - check_field_name: "ProjectId" - }; - } - - rpc ReactivateApplication(ApplicationID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/projects/{project_id}/applications/{id}/_reactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.write" - check_field_name: "ProjectId" - }; - } - - rpc RemoveApplication(ApplicationID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/projects/{project_id}/applications/{id}" - }; - - option 
(caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.delete" - check_field_name: "ProjectId" - }; - } - - rpc UpdateApplicationOIDCConfig(OIDCConfigUpdate) returns (OIDCConfig) { - option (google.api.http) = { - put: "/projects/{project_id}/applications/{application_id}/oidcconfig" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.write" - check_field_name: "ProjectId" - }; - } - - rpc RegenerateOIDCClientSecret(ApplicationID) returns (ClientSecret) { - option (google.api.http) = { - put: "/projects/{project_id}/applications/{id}/oidcconfig/_changeclientsecret" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.write" - check_field_name: "ProjectId" - }; - } - - rpc UpdateApplicationAPIConfig(APIConfigUpdate) returns (APIConfig) { - option (google.api.http) = { - put: "/projects/{project_id}/applications/{application_id}/apiconfig" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.write" - check_field_name: "ProjectId" - }; - } - - rpc RegenerateAPIClientSecret(ApplicationID) returns (ClientSecret) { - option (google.api.http) = { - put: "/projects/{project_id}/applications/{id}/apiconfig/_changeclientsecret" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.write" - check_field_name: "ProjectId" - }; - } - - rpc AddClientKey(AddClientKeyRequest) returns (AddClientKeyResponse){ - option (google.api.http) = { - post: "/projects/{project_id}/applications/{application_id}/keys" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.write" - check_field_name: "ProjectId" - }; - } - - rpc DeleteClientKey(ClientKeyIDRequest) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/projects/{project_id}/applications/{application_id}/keys/{key_id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: 
"project.app.write" - check_field_name: "ProjectId" - }; - } - - rpc SearchClientKeys(ClientKeySearchRequest) returns (ClientKeySearchResponse) { - option (google.api.http) = { - post: "/projects/{project_id}/applications/{application_id}/keys/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.read" - check_field_name: "ProjectId" - }; - } - - rpc GetClientKey(ClientKeyIDRequest) returns (ClientKeyView) { - option (google.api.http) = { - get: "/projects/{project_id}/applications/{application_id}/keys/{key_id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.app.read" - check_field_name: "ProjectId" - }; - } - - rpc SearchProjectGrants(ProjectGrantSearchRequest) returns (ProjectGrantSearchResponse) { - option (google.api.http) = { - post: "/projects/{project_id}/grants/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.grant.read" - check_field_name: "ProjectId" - }; - } - - rpc ProjectGrantByID(ProjectGrantID) returns (ProjectGrantView) { - option (google.api.http) = { - get: "/projects/{project_id}/grants/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.grant.read" - }; - } - - rpc CreateProjectGrant(ProjectGrantCreate) returns (ProjectGrant) { - option (google.api.http) = { - post: "/projects/{project_id}/grants" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.grant.write" - }; - } - - rpc UpdateProjectGrant(ProjectGrantUpdate) returns (ProjectGrant) { - option (google.api.http) = { - put: "/projects/{project_id}/grants/{id}" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.grant.write" - }; - } - - rpc DeactivateProjectGrant(ProjectGrantID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/projects/{project_id}/grants/{id}/_deactivate" - body: "*" - }; - - option 
(caos.zitadel.utils.v1.auth_option) = { - permission: "project.grant.write" - }; - } - - rpc ReactivateProjectGrant(ProjectGrantID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/projects/{project_id}/grants/{id}/_reactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.grant.write" - }; - } - - // RemoveProjectGrant removes project grant and all user grants for this project grant - rpc RemoveProjectGrant(ProjectGrantID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/projects/{project_id}/grants/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.grant.delete" - }; - } - - rpc GetProjectGrantMemberRoles(google.protobuf.Empty) returns (ProjectGrantMemberRoles) { - option (google.api.http) = { - get: "/projects/grants/members/roles" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.grant.member.read" - }; - } - - rpc SearchProjectGrantMembers(ProjectGrantMemberSearchRequest) returns (ProjectGrantMemberSearchResponse) { - option (google.api.http) = { - post: "/projects/{project_id}/grants/{grant_id}/members/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.grant.member.read" - }; - } - - rpc AddProjectGrantMember(ProjectGrantMemberAdd) returns (ProjectGrantMember) { - option (google.api.http) = { - post: "/projects/{project_id}/grants/{grant_id}/members" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.grant.member.write" - }; - } - - rpc ChangeProjectGrantMember(ProjectGrantMemberChange) returns (ProjectGrantMember) { - option (google.api.http) = { - put: "/projects/{project_id}/grants/{grant_id}/members/{user_id}" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.grant.member.write" - }; - } - - rpc RemoveProjectGrantMember(ProjectGrantMemberRemove) returns 
(google.protobuf.Empty) { - option (google.api.http) = { - delete: "/projects/{project_id}/grants/{grant_id}/members/{user_id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "project.grant.member.delete" - }; - } - - rpc SearchUserGrants(UserGrantSearchRequest) returns (UserGrantSearchResponse) { - option (google.api.http) = { - post: "/users/grants/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.grant.read" - }; - } - - rpc UserGrantByID(UserGrantID) returns (UserGrantView) { - option (google.api.http) = { - get: "/users/{user_id}/grants/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.grant.read" - }; - } - - rpc CreateUserGrant(UserGrantCreate) returns (UserGrant) { - option (google.api.http) = { - post: "/users/{user_id}/grants" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.grant.write" - }; - } - - rpc UpdateUserGrant(UserGrantUpdate) returns (UserGrant) { - option (google.api.http) = { - put: "/users/{user_id}/grants/{id}" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.grant.write" - }; - } - - rpc DeactivateUserGrant(UserGrantID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/users/{user_id}/grants/{id}/_deactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.grant.write" - }; - } - - rpc ReactivateUserGrant(UserGrantID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/users/{user_id}/grants/{id}/_reactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.grant.write" - }; - } - - rpc RemoveUserGrant(UserGrantID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/users/{user_id}/grants/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.grant.delete" - }; - } - - // remove a list of 
user grants in one request - rpc BulkRemoveUserGrant(UserGrantRemoveBulk) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/usersgrants/_bulk" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "user.grant.delete" - }; - } - - rpc IdpByID(IdpID) returns (IdpView) { - option (google.api.http) = { - get: "/orgs/me/idps/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.read" - }; - } - - rpc CreateOidcIdp(OidcIdpConfigCreate) returns (Idp) { - option (google.api.http) = { - post: "/orgs/me/idps/oidc" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.write" - }; - } - - rpc UpdateIdpConfig(IdpUpdate) returns (Idp) { - option (google.api.http) = { - put: "/orgs/me/idps/{id}" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.write" - }; - } - - rpc DeactivateIdpConfig(IdpID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/orgs/me/idps/{id}/_deactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.write" - }; - } - - rpc ReactivateIdpConfig(IdpID) returns (google.protobuf.Empty) { - option (google.api.http) = { - put: "/orgs/me/idps/{id}/_reactivate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.write" - }; - } - - rpc RemoveIdpConfig(IdpID) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/orgs/me/idps/{id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.write" - }; - } - - rpc UpdateOidcIdpConfig(OidcIdpConfigUpdate) returns (OidcIdpConfig) { - option (google.api.http) = { - put: "/orgs/me/idps/{idp_id}/oidcconfig" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.write" - }; - } - - rpc SearchIdps(IdpSearchRequest) returns (IdpSearchResponse) { - option (google.api.http) = { - post: 
"/orgs/me/idps/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "org.idp.read" - }; - } - - rpc GetLoginPolicy(google.protobuf.Empty) returns (LoginPolicyView) { - option (google.api.http) = { - get: "/orgs/me/policies/login" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc GetDefaultLoginPolicy(google.protobuf.Empty) returns (LoginPolicyView) { - option (google.api.http) = { - get: "/orgs/default/policies/login" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc CreateLoginPolicy(LoginPolicyRequest) returns (LoginPolicy) { - option (google.api.http) = { - post: "/orgs/me/policies/login" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc UpdateLoginPolicy(LoginPolicyRequest) returns (LoginPolicy) { - option (google.api.http) = { - put: "/orgs/me/policies/login" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc RemoveLoginPolicy(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/orgs/me/policies/login" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.delete" - }; - } - - rpc GetLoginPolicyIdpProviders(IdpProviderSearchRequest) returns (IdpProviderSearchResponse) { - option (google.api.http) = { - post: "/orgs/me/policies/login/idpproviders/_search" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc AddIdpProviderToLoginPolicy(IdpProviderAdd) returns (IdpProvider) { - option (google.api.http) = { - post: "/orgs/me/policies/login/idpproviders" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc RemoveIdpProviderFromLoginPolicy(IdpProviderID) returns (google.protobuf.Empty) { - option (google.api.http) = 
{ - delete: "/orgs/me/policies/login/idpproviders/{idp_config_id}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc GetLoginPolicySecondFactors(google.protobuf.Empty) returns (SecondFactorsResult) { - option (google.api.http) = { - get: "/orgs/me/policies/login/secondfactors/_search" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc AddSecondFactorToLoginPolicy(SecondFactor) returns (SecondFactor) { - option (google.api.http) = { - post: "/orgs/me/policies/login/secondfactors" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc RemoveSecondFactorFromLoginPolicy(SecondFactor) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/orgs/me/policies/login/secondfactors/{second_factor}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc GetLoginPolicyMultiFactors(google.protobuf.Empty) returns (MultiFactorsResult) { - option (google.api.http) = { - get: "/orgs/me/policies/login/multifactors/_search" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc AddMultiFactorToLoginPolicy(MultiFactor) returns (MultiFactor) { - option (google.api.http) = { - post: "/orgs/me/policies/login/multifactors" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc RemoveMultiFactorFromLoginPolicy(MultiFactor) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/orgs/me/policies/login/multifactors/{multi_factor}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc GetPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicyView) { - option (google.api.http) = { - get: "/orgs/me/policies/password/complexity" - }; - - option 
(caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc GetDefaultPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicyView) { - option (google.api.http) = { - get: "/orgs/default/policies/password/complexity" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc CreatePasswordComplexityPolicy(PasswordComplexityPolicyRequest) returns (PasswordComplexityPolicy) { - option (google.api.http) = { - post: "/orgs/me/policies/password/complexity" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc UpdatePasswordComplexityPolicy(PasswordComplexityPolicyRequest) returns (PasswordComplexityPolicy) { - option (google.api.http) = { - put: "/orgs/me/policies/password/complexity" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc RemovePasswordComplexityPolicy(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/orgs/me/policies/password/complexity" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.delete" - }; - } - - rpc GetPasswordAgePolicy(google.protobuf.Empty) returns (PasswordAgePolicyView) { - option (google.api.http) = { - get: "/orgs/me/policies/password/age" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc GetDefaultPasswordAgePolicy(google.protobuf.Empty) returns (PasswordAgePolicyView) { - option (google.api.http) = { - get: "/orgs/default/policies/password/age" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc CreatePasswordAgePolicy(PasswordAgePolicyRequest) returns (PasswordAgePolicy) { - option (google.api.http) = { - post: "/orgs/me/policies/password/age" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - 
- rpc UpdatePasswordAgePolicy(PasswordAgePolicyRequest) returns (PasswordAgePolicy) { - option (google.api.http) = { - put: "/orgs/me/policies/password/age" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc RemovePasswordAgePolicy(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/orgs/me/policies/password/age" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.delete" - }; - } - - rpc GetPasswordLockoutPolicy(google.protobuf.Empty) returns (PasswordLockoutPolicyView) { - option (google.api.http) = { - get: "/orgs/me/policies/password/lockout" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc GetDefaultPasswordLockoutPolicy(google.protobuf.Empty) returns (PasswordLockoutPolicyView) { - option (google.api.http) = { - get: "/orgs/default/policies/password/lockout" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc CreatePasswordLockoutPolicy(PasswordLockoutPolicyRequest) returns (PasswordLockoutPolicy) { - option (google.api.http) = { - post: "/orgs/me/policies/password/lockout" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc UpdatePasswordLockoutPolicy(PasswordLockoutPolicyRequest) returns (PasswordLockoutPolicy) { - option (google.api.http) = { - put: "/orgs/me/policies/password/lockout" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc RemovePasswordLockoutPolicy(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/orgs/me/policies/password/lockout" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.delete" - }; - } - - rpc GetMailTemplate(google.protobuf.Empty) returns (MailTemplateView) { - option (google.api.http) = { - get: 
"/orgs/me/policies/mailtemplate" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc GetDefaultMailTemplate(google.protobuf.Empty) returns (MailTemplateView) { - option (google.api.http) = { - get: "/orgs/default/policies/mailtemplate" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc CreateMailTemplate(MailTemplateUpdate) returns (MailTemplate) { - option (google.api.http) = { - post: "/orgs/me/policies/mailtemplate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc UpdateMailTemplate(MailTemplateUpdate) returns (MailTemplate) { - option (google.api.http) = { - put: "/orgs/me/policies/mailtemplate" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc RemoveMailTemplate(google.protobuf.Empty) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/orgs/me/policies/mailtemplate" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.delete" - }; - } - - - rpc GetMailTexts(google.protobuf.Empty) returns (MailTextsView) { - option (google.api.http) = { - get: "/orgs/me/policies/mailtexts" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc GetDefaultMailTexts(google.protobuf.Empty) returns (MailTextsView) { - option (google.api.http) = { - get: "/orgs/default/policies/mailtexts" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.read" - }; - } - - rpc CreateMailText(MailTextUpdate) returns (MailText) { - option (google.api.http) = { - post: "/orgs/me/policies/mailtext" - body: "*" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc UpdateMailText(MailTextUpdate) returns (MailText) { - option (google.api.http) = { - put: "/orgs/me/policies/mailtext" - body: "*" - }; - - option 
(caos.zitadel.utils.v1.auth_option) = { - permission: "policy.write" - }; - } - - rpc RemoveMailText(MailTextRemove) returns (google.protobuf.Empty) { - option (google.api.http) = { - delete: "/orgs/me/policies/mailtext/type/{mail_text_type}/language/{language}" - }; - - option (caos.zitadel.utils.v1.auth_option) = { - permission: "policy.delete" - }; - } - -} - -message ZitadelDocs { - string issuer = 1; - string discovery_endpoint = 2; -} - -message Iam { - string global_org_id = 1; - string iam_project_id = 2; - IamSetupStep set_up_done = 3; - IamSetupStep set_up_started = 4; -} - -enum IamSetupStep { - iam_setup_step_UNDEFINED = 0; - iam_setup_step_1 = 1; - iam_setup_step_2 = 2; -} - -message ChangeRequest { - string id = 1; - string sec_id = 2; - uint64 limit = 3; - uint64 sequence_offset = 4; - bool asc = 5; -} - -message Changes { - repeated Change changes = 1; - uint64 offset = 2; - uint64 limit = 3; -} - -message Change { - google.protobuf.Timestamp change_date = 1; - caos.zitadel.api.v1.LocalizedMessage event_type = 2; - uint64 sequence = 3; - string editor_id = 4; - string editor = 5; - google.protobuf.Struct data = 6; -} - -message ApplicationID { - string id = 1 [(validate.rules).string.min_len = 1]; - string project_id = 2 [(validate.rules).string.min_len = 1]; -} - -message ProjectID { - string id = 1 [(validate.rules).string.min_len = 1]; -} - -message UserID { - string id = 1 [(validate.rules).string.min_len = 1]; -} - -message WebAuthNTokens { - repeated WebAuthNToken tokens = 1; -} - -message WebAuthNToken { - string id = 1; - string name = 2; - MFAState state = 3; -} - -message WebAuthNTokenID { - string user_id = 1 [(validate.rules).string.min_len = 1]; - string id = 2 [(validate.rules).string.min_len = 1]; -} - -message LoginName { - string login_name = 1 [(validate.rules).string.min_len = 1]; -} - -message UniqueUserRequest { - string user_name = 1 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"]; - string email = 2 
[(validate.rules).string = {min_len: 1, max_len: 200}]; -} - -message UniqueUserResponse { - bool is_unique = 1; -} - -message CreateUserRequest { - string user_name = 1 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"]; - - oneof user { - option (validate.required) = true; - - CreateHumanRequest human = 2; - CreateMachineRequest machine = 3; - } -} - -message CreateHumanRequest { - string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string nick_name = 3 [(validate.rules).string = {max_len: 200}]; - string preferred_language = 4 [(validate.rules).string = {max_len: 200}]; - Gender gender = 5; - string email = 6 [(validate.rules).string = {min_len: 1, max_len: 200, email: true}]; - bool is_email_verified = 7; - string phone = 8 [(validate.rules).string = {max_len: 20}]; - bool is_phone_verified = 9; - string country = 10 [(validate.rules).string = {max_len: 200}]; - string locality = 11 [(validate.rules).string = {max_len: 200}]; - string postal_code = 12 [(validate.rules).string = {max_len: 200}]; - string region = 13 [(validate.rules).string = {max_len: 200}]; - string street_address = 14 [(validate.rules).string = {max_len: 200}]; - string password = 15 [(validate.rules).string = {max_len: 72}]; -} - -message CreateMachineRequest { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string description = 2 [(validate.rules).string.max_len = 500]; -} - -message UserResponse { - string id = 1; - UserState state = 2; - google.protobuf.Timestamp change_date = 3; - uint64 sequence = 4; - string user_name = 5; - - oneof user { - option (validate.required) = true; - - HumanResponse human = 6; - MachineResponse machine = 7; - } -} - -enum UserState { - USERSTATE_UNSPECIFIED = 0; - USERSTATE_ACTIVE = 1; - USERSTATE_INACTIVE = 2; - USERSTATE_DELETED = 3; - USERSTATE_LOCKED = 4; - USERSTATE_SUSPEND = 5; - USERSTATE_INITIAL = 6; -} - 
-enum Gender { - GENDER_UNSPECIFIED = 0; - GENDER_FEMALE = 1; - GENDER_MALE = 2; - GENDER_DIVERSE = 3; -} - -message UserView { - string id = 1; - UserState state = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; - uint64 sequence = 5; - repeated string login_names = 6; - string preferred_login_name = 7; - google.protobuf.Timestamp last_login = 8; - string resource_owner = 9; - string user_name = 10; - - oneof user { - option (validate.required) = true; - - HumanView human = 11; - MachineView machine = 12; - } -} - -message HumanResponse { - string first_name = 1; - string last_name = 2; - string display_name = 3; - string nick_name = 4; - string preferred_language = 5; - Gender gender = 6; - string email = 7; - bool is_email_verified = 8; - string phone = 9; - bool is_phone_verified = 10; - string country = 11; - string locality = 12; - string postal_code = 13; - string region = 14; - string street_address = 15; -} - -message HumanView { - google.protobuf.Timestamp password_changed = 1; - string first_name = 2; - string last_name = 3; - string display_name = 4; - string nick_name = 5; - string preferred_language = 6; - Gender gender = 7; - string email = 8; - bool is_email_verified = 9; - string phone = 10; - bool is_phone_verified = 11; - string country = 12; - string locality = 13; - string postal_code = 14; - string region = 15; - string street_address = 16; -} - -message MachineResponse { - string name = 1; - string description = 2; -} - -message MachineView { - google.protobuf.Timestamp last_key_added = 1; - string name = 2; - string description = 3; -} - -message UpdateMachineRequest { - string id = 1 [(validate.rules).string.min_len = 1]; - string description = 2 [(validate.rules).string.max_len = 500]; - string name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; -} - -message AddMachineKeyRequest { - string user_id = 1 [(validate.rules).string.min_len = 1]; - MachineKeyType type = 2 
[(validate.rules).enum = {not_in: [0]}]; - google.protobuf.Timestamp expiration_date = 3; -} - -message AddMachineKeyResponse { - string id = 1; - google.protobuf.Timestamp creation_date = 2; - uint64 sequence = 3; - - MachineKeyType type = 4; - google.protobuf.Timestamp expiration_date = 5; - bytes key_details = 6; -} - -message MachineKeyIDRequest { - string user_id = 1 [(validate.rules).string.min_len = 1]; - string key_id = 2 [(validate.rules).string.min_len = 1]; -} - -message MachineKeyView { - string id = 1; - MachineKeyType type = 2; - uint64 sequence = 3; - - google.protobuf.Timestamp creation_date = 4; - google.protobuf.Timestamp expiration_date = 5; -} - -enum MachineKeyType { - MACHINEKEY_UNSPECIFIED = 0; - MACHINEKEY_JSON = 1; -} - -message MachineKeySearchRequest { - uint64 offset = 1; - uint64 limit = 2; - bool asc = 3; - string user_id = 4 [(validate.rules).string.min_len = 1]; -} - -message MachineKeySearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated MachineKeyView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message UserSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - UserSearchKey sorting_column = 3; - bool asc = 4; - repeated UserSearchQuery queries = 5; -} - -message UserSearchQuery { - UserSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; -} - -enum UserSearchKey { - USERSEARCHKEY_UNSPECIFIED = 0; - USERSEARCHKEY_USER_NAME = 1; - USERSEARCHKEY_FIRST_NAME = 2; - USERSEARCHKEY_LAST_NAME = 3; - USERSEARCHKEY_NICK_NAME = 4; - USERSEARCHKEY_DISPLAY_NAME = 5; - USERSEARCHKEY_EMAIL = 6; - USERSEARCHKEY_STATE = 7; - USERSEARCHKEY_TYPE = 8; -} - -message UserSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated UserView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -enum SearchMethod { - 
SEARCHMETHOD_EQUALS = 0; - SEARCHMETHOD_STARTS_WITH = 1; - SEARCHMETHOD_CONTAINS = 2; - SEARCHMETHOD_EQUALS_IGNORE_CASE = 3; - SEARCHMETHOD_STARTS_WITH_IGNORE_CASE = 4; - SEARCHMETHOD_CONTAINS_IGNORE_CASE = 5; - SEARCHMETHOD_NOT_EQUALS = 6; - SEARCHMETHOD_GREATER_THAN = 7; - SEARCHMETHOD_LESS_THAN = 8; - SEARCHMETHOD_IS_ONE_OF = 9; - SEARCHMETHOD_LIST_CONTAINS = 10; -} - -message UserProfile { - string id = 1; - string first_name = 2; - string last_name = 3; - string nick_name = 4; - string display_name = 5; - string preferred_language = 6; - Gender gender = 7; - uint64 sequence = 8; - google.protobuf.Timestamp change_date = 9; -} - -message UserProfileView { - string id = 1; - string first_name = 2; - string last_name = 3; - string nick_name = 4; - string display_name = 5; - string preferred_language = 6; - Gender gender = 7; - uint64 sequence = 8; - google.protobuf.Timestamp creation_date = 9; - google.protobuf.Timestamp change_date = 10; - repeated string login_names = 11; - string preferred_login_name = 12; -} - -message UpdateUserProfileRequest { - string id = 1; - string first_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string last_name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string nick_name = 4 [(validate.rules).string = {max_len: 200}]; - string preferred_language = 5 [(validate.rules).string = {max_len: 200}]; - Gender gender = 6; -} - -message UpdateUserUserNameRequest { - string id = 1; - string user_name = 2 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"]; -} - -message UserEmail { - string id = 1; - string email = 2; - bool is_email_verified = 3; - uint64 sequence = 4; - google.protobuf.Timestamp change_date = 5; -} - -message UserEmailView { - string id = 1; - string email = 2; - bool is_email_verified = 3; - uint64 sequence = 4; - google.protobuf.Timestamp creation_date = 5; - google.protobuf.Timestamp change_date = 6; -} - -message UpdateUserEmailRequest { - string id = 1; - string email = 2 
[(validate.rules).string = {min_len: 1, max_len: 200}]; - bool is_email_verified = 3; -} - -message UserPhone { - string id = 1; - string phone = 2; - bool is_phone_verified = 3; - uint64 sequence = 5; - google.protobuf.Timestamp change_date = 6; -} - -message UserPhoneView { - string id = 1; - string phone = 2; - bool is_phone_verified = 3; - uint64 sequence = 5; - google.protobuf.Timestamp creation_date = 6; - google.protobuf.Timestamp change_date = 7; -} - -message UpdateUserPhoneRequest { - string id = 1 [(validate.rules).string.min_len = 1]; - string phone = 2 [(validate.rules).string = {min_len: 1, max_len: 20}]; - bool is_phone_verified = 3; -} - -message UserAddress { - string id = 1; - string country = 2; - string locality = 3; - string postal_code = 4; - string region = 5; - string street_address = 6; - uint64 sequence = 7; - google.protobuf.Timestamp change_date = 8; -} - -message UserAddressView { - string id = 1; - string country = 2; - string locality = 3; - string postal_code = 4; - string region = 5; - string street_address = 6; - uint64 sequence = 7; - google.protobuf.Timestamp creation_date = 8; - google.protobuf.Timestamp change_date = 9; -} - -message UpdateUserAddressRequest { - string id = 1 [(validate.rules).string.min_len = 1]; - string country = 2 [(validate.rules).string = {max_len: 200}]; - string locality = 3 [(validate.rules).string = {max_len: 200}]; - string postal_code = 4 [(validate.rules).string = {max_len: 200}]; - string region = 5 [(validate.rules).string = {max_len: 200}]; - string street_address = 6 [(validate.rules).string = {max_len: 200}]; -} - -message UserMultiFactors { - repeated UserMultiFactor mfas = 1; -} - -message UserMultiFactor { - MfaType type = 1; - MFAState state = 2; - string attribute = 3; - string id = 4; -} - -enum MfaType { - MFATYPE_UNSPECIFIED = 0; - MFATYPE_OTP = 1; - MFATYPE_U2F = 2; -} - -enum MFAState { - MFASTATE_UNSPECIFIED = 0; - MFASTATE_NOT_READY = 1; - MFASTATE_READY = 2; - MFASTATE_REMOVED = 
3; -} - -message PasswordRequest { - string id = 1 [(validate.rules).string.min_len = 1]; - string password = 2 [(validate.rules).string = {min_len: 1, max_len: 72}]; -} - -message SetPasswordNotificationRequest { - string id = 1 [(validate.rules).string.min_len = 1]; - NotificationType type = 2; -} - -enum NotificationType { - NOTIFICATIONTYPE_EMAIL = 0; - NOTIFICATIONTYPE_SMS = 1; -} - -message InitialMailRequest { - string id = 1 [(validate.rules).string.min_len = 1]; - string email = 2; -} - -enum PolicyState { - POLICYSTATE_UNSPECIFIED = 0; - POLICYSTATE_ACTIVE = 1; - POLICYSTATE_INACTIVE = 2; - POLICYSTATE_DELETED = 3; -} - -message OrgIamPolicyView { - bool user_login_must_be_domain = 1; - bool default = 2; -} - -message OrgCreateRequest { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; -} - -message Org { - string id = 1; - OrgState state = 2; - google.protobuf.Timestamp change_date = 3; - string name = 4; - uint64 sequence = 5; -} - -message OrgView { - string id = 1; - OrgState state = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; - string name = 5; - uint64 sequence = 6; -} - -enum OrgState { - ORGSTATE_UNSPECIFIED = 0; - ORGSTATE_ACTIVE = 1; - ORGSTATE_INACTIVE = 2; -} - -message Domain { - string domain = 1 [(validate.rules).string = {min_len: 1}]; -} - -message OrgDomain { - string org_id = 1; - google.protobuf.Timestamp change_date = 2; - string domain = 3; - bool verified = 4; - bool primary = 5; - uint64 sequence = 6; -} - -message OrgDomainView { - string org_id = 1; - google.protobuf.Timestamp creation_date = 2; - google.protobuf.Timestamp change_date = 3; - string domain = 4; - bool verified = 5; - bool primary = 6; - uint64 sequence = 7; - OrgDomainValidationType validation_type = 8; -} - -message AddOrgDomainRequest { - string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; -} - -message OrgDomainValidationRequest { - string domain = 1 
[(validate.rules).string = {min_len: 1, max_len: 200}]; - OrgDomainValidationType type = 2 [(validate.rules).enum = {not_in: [0]}]; -} - -enum OrgDomainValidationType { - ORGDOMAINVALIDATIONTYPE_UNSPECIFIED = 0; - ORGDOMAINVALIDATIONTYPE_HTTP = 1; - ORGDOMAINVALIDATIONTYPE_DNS = 2; -} - -message OrgDomainValidationResponse { - string token = 1; - string url = 2; -} - -message ValidateOrgDomainRequest { - string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; -} - -message PrimaryOrgDomainRequest { - string domain = 1 [(validate.rules).string = {min_len: 1}]; -} - -message RemoveOrgDomainRequest { - string domain = 1 [(validate.rules).string = {min_len: 1}]; -} - -message OrgDomainSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated OrgDomainView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message OrgDomainSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - repeated OrgDomainSearchQuery queries = 3; -} - -message OrgDomainSearchQuery { - OrgDomainSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; -} - -enum OrgDomainSearchKey { - ORGDOMAINSEARCHKEY_UNSPECIFIED = 0; - ORGDOMAINSEARCHKEY_DOMAIN = 1; -} - -message OrgMemberRoles { - repeated string roles = 1; -} - -message OrgMember { - string user_id = 1; - repeated string roles = 2; - google.protobuf.Timestamp change_date = 3; - uint64 sequence = 4; -} - -message AddOrgMemberRequest { - string user_id = 1 [(validate.rules).string = {min_len: 1}]; - repeated string roles = 2; -} - -message ChangeOrgMemberRequest { - string user_id = 1 [(validate.rules).string = {min_len: 1}]; - repeated string roles = 2; -} - -message RemoveOrgMemberRequest { - string user_id = 1 [(validate.rules).string = {min_len: 1}]; -} - -message OrgMemberSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated OrgMemberView result 
= 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message OrgMemberView { - string user_id = 1; - repeated string roles = 2; - google.protobuf.Timestamp change_date = 3; - google.protobuf.Timestamp creation_date = 4; - uint64 sequence = 5; - string user_name = 6; - string email = 7; - string first_name = 8; - string last_name = 9; - string display_name = 10; -} - -message OrgMemberSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - repeated OrgMemberSearchQuery queries = 3; -} - -message OrgMemberSearchQuery { - OrgMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; -} - -enum OrgMemberSearchKey { - ORGMEMBERSEARCHKEY_UNSPECIFIED = 0; - ORGMEMBERSEARCHKEY_FIRST_NAME = 1; - ORGMEMBERSEARCHKEY_LAST_NAME = 2; - ORGMEMBERSEARCHKEY_EMAIL = 3; - ORGMEMBERSEARCHKEY_USER_ID = 4; -} - -message ProjectCreateRequest { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - bool project_role_assertion = 2; - bool project_role_check = 3; -} - -message ProjectUpdateRequest { - string id = 1 [(validate.rules).string = {min_len: 1}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - bool project_role_assertion = 3; - bool project_role_check = 4; -} - -message ProjectSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated ProjectView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message ProjectView { - string project_id = 1; - string name = 2; - ProjectState state = 3; - google.protobuf.Timestamp change_date = 4; - google.protobuf.Timestamp creation_date = 5; - string resource_owner = 6; - uint64 sequence = 7; - bool project_role_assertion = 8; - bool project_role_check = 9; -} - -message ProjectSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - repeated ProjectSearchQuery queries = 3; -} - -message ProjectSearchQuery { - 
ProjectSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; -} - -enum ProjectSearchKey { - PROJECTSEARCHKEY_UNSPECIFIED = 0; - PROJECTSEARCHKEY_PROJECT_NAME = 1; -} - -message Projects { - repeated Project projects = 1; -} - -message Project { - string id = 1; - string name = 2; - ProjectState state = 3; - google.protobuf.Timestamp change_date = 4; - uint64 sequence = 5; - bool project_role_assertion = 6; - bool project_role_check = 7; -} - -enum ProjectState { - PROJECTSTATE_UNSPECIFIED = 0; - PROJECTSTATE_ACTIVE = 1; - PROJECTSTATE_INACTIVE = 2; -} - -message ProjectMemberRoles { - repeated string roles = 1; -} - -message ProjectMember { - string user_id = 1; - repeated string roles = 2; - google.protobuf.Timestamp change_date = 3; - google.protobuf.Timestamp creation_date = 4; - uint64 sequence = 5; -} - -message ProjectMemberAdd { - string id = 1 [(validate.rules).string = {min_len: 1}]; - string user_id = 2 [(validate.rules).string = {min_len: 1}]; - repeated string roles = 3; -} - -message ProjectMemberChange { - string id = 1 [(validate.rules).string = {min_len: 1}]; - string user_id = 2 [(validate.rules).string = {min_len: 1}]; - repeated string roles = 3; -} - -message ProjectMemberRemove { - string id = 1 [(validate.rules).string = {min_len: 1}]; - string user_id = 2 [(validate.rules).string = {min_len: 1}]; -} - -message ProjectRoleAdd { - string id = 1 [(validate.rules).string = {min_len: 1}]; - string key = 2 [(validate.rules).string = {min_len: 1}]; - string display_name = 3; - string group = 4; -} - -message ProjectRoleAddBulk { - string id = 1 [(validate.rules).string = {min_len: 1}]; - repeated ProjectRoleBulkAdd project_roles = 2; -} - -message ProjectRoleBulkAdd { - string key = 1 [(validate.rules).string = {min_len: 1}]; - string display_name = 2; - string group = 3; -} - -message ProjectRoleChange { - string id = 1 [(validate.rules).string = {min_len: 1}]; - string key = 2 
[(validate.rules).string = {min_len: 1}]; - string display_name = 3; - string group = 4; -} - -message ProjectRole { - string project_id = 1; - string key = 2; - string display_name = 3; - google.protobuf.Timestamp change_date = 4; - string group = 5; - uint64 sequence = 6; -} - -message ProjectRoleView { - string project_id = 1; - string key = 2; - string display_name = 3; - google.protobuf.Timestamp creation_date = 4; - google.protobuf.Timestamp change_date = 5; - string group = 6; - uint64 sequence = 7; -} - -message ProjectRoleRemove { - string id = 1 [(validate.rules).string = {min_len: 1}]; - string key = 2 [(validate.rules).string = {min_len: 1}]; -} - -message ProjectRoleSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated ProjectRoleView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message ProjectRoleSearchRequest { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - uint64 offset = 2; - uint64 limit = 3; - repeated ProjectRoleSearchQuery queries = 4; -} - -message ProjectRoleSearchQuery { - ProjectRoleSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; -} - -enum ProjectRoleSearchKey { - PROJECTROLESEARCHKEY_UNSPECIFIED = 0; - PROJECTROLESEARCHKEY_KEY = 1; - PROJECTROLESEARCHKEY_DISPLAY_NAME = 2; -} - -message ProjectMemberView { - string user_id = 1; - string user_name = 2; - string email = 3; - string first_name = 4; - string last_name = 5; - repeated string roles = 6; - google.protobuf.Timestamp change_date = 7; - google.protobuf.Timestamp creation_date = 8; - uint64 sequence = 10; - string display_name = 11; -} - -message ProjectMemberSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated ProjectMemberView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message ProjectMemberSearchRequest { - 
string project_id = 1 [(validate.rules).string = {min_len: 1}]; - uint64 offset = 2; - uint64 limit = 3; - repeated ProjectMemberSearchQuery queries = 4; -} - -message ProjectMemberSearchQuery { - ProjectMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; -} - -enum ProjectMemberSearchKey { - PROJECTMEMBERSEARCHKEY_UNSPECIFIED = 0; - PROJECTMEMBERSEARCHKEY_FIRST_NAME = 1; - PROJECTMEMBERSEARCHKEY_LAST_NAME = 2; - PROJECTMEMBERSEARCHKEY_EMAIL = 3; - PROJECTMEMBERSEARCHKEY_USER_ID = 4; - PROJECTMEMBERSEARCHKEY_USER_NAME = 5; -} - -enum AppState { - APPSTATE_UNSPECIFIED = 0; - APPSTATE_ACTIVE = 1; - APPSTATE_INACTIVE = 2; -} - -message Application { - string id = 1; - AppState state = 2; - google.protobuf.Timestamp change_date = 4; - string name = 5; - oneof app_config { - OIDCConfig oidc_config = 8; - APIConfig api_config = 10; - } - uint64 sequence = 9; -} - -message ApplicationUpdate { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - string id = 2 [(validate.rules).string = {min_len: 1}]; - string name = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; -} - -message OIDCConfig { - repeated string redirect_uris = 1; - repeated OIDCResponseType response_types = 2; - repeated OIDCGrantType grant_types = 3; - OIDCApplicationType application_type = 4; - string client_id = 5; - string client_secret = 6; - OIDCAuthMethodType auth_method_type = 7; - repeated string post_logout_redirect_uris = 8; - OIDCVersion version = 9; - bool none_compliant = 10; - repeated caos.zitadel.api.v1.LocalizedMessage compliance_problems = 11; - bool dev_mode = 12; - OIDCTokenType access_token_type = 13; - bool access_token_role_assertion = 14; - bool id_token_role_assertion = 15; - bool id_token_userinfo_assertion = 16; - google.protobuf.Duration clock_skew = 17; -} - -message OIDCApplicationCreate { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - string name = 2 [(validate.rules).string 
= {min_len: 1, max_len: 200}]; - repeated string redirect_uris = 3; - repeated OIDCResponseType response_types = 4; - repeated OIDCGrantType grant_types = 5; - OIDCApplicationType application_type = 6; - OIDCAuthMethodType auth_method_type = 7; - repeated string post_logout_redirect_uris = 8; - OIDCVersion version = 9; - bool dev_mode = 10; - OIDCTokenType access_token_type = 11; - bool access_token_role_assertion = 12; - bool id_token_role_assertion = 13; - bool id_token_userinfo_assertion = 14; - google.protobuf.Duration clock_skew = 15 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}]; -} - -message APIApplicationCreate { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - APIAuthMethodType auth_method_type = 3; -} - -message APIConfig { - string client_id = 1; - string client_secret = 2; - APIAuthMethodType auth_method_type = 3; -} - -enum OIDCVersion { - OIDCV1_0 = 0; -} - -enum OIDCTokenType { - OIDCTokenType_Bearer = 0; - OIDCTokenType_JWT = 1; -} - -message OIDCConfigUpdate { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - string application_id = 2 [(validate.rules).string = {min_len: 1}]; - repeated string redirect_uris = 3; - repeated OIDCResponseType response_types = 4; - repeated OIDCGrantType grant_types = 5; - OIDCApplicationType application_type = 6; - OIDCAuthMethodType auth_method_type = 7; - repeated string post_logout_redirect_uris = 8; - bool dev_mode = 9; - OIDCTokenType access_token_type = 10; - bool access_token_role_assertion = 11; - bool id_token_role_assertion = 12; - bool id_token_userinfo_assertion = 13; - google.protobuf.Duration clock_skew = 14 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}]; -} - -message APIConfigUpdate { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - string application_id = 2 [(validate.rules).string = {min_len: 1}]; - APIAuthMethodType auth_method_type = 7; -} - 
-enum OIDCResponseType { - OIDCRESPONSETYPE_CODE = 0; - OIDCRESPONSETYPE_ID_TOKEN = 1; - OIDCRESPONSETYPE_ID_TOKEN_TOKEN = 2; -} - -enum OIDCGrantType { - OIDCGRANTTYPE_AUTHORIZATION_CODE = 0; - OIDCGRANTTYPE_IMPLICIT = 1; - OIDCGRANTTYPE_REFRESH_TOKEN = 2; -} - -enum OIDCApplicationType { - OIDCAPPLICATIONTYPE_WEB = 0; - OIDCAPPLICATIONTYPE_USER_AGENT = 1; - OIDCAPPLICATIONTYPE_NATIVE = 2; -} - -enum OIDCAuthMethodType { - OIDCAUTHMETHODTYPE_BASIC = 0; - OIDCAUTHMETHODTYPE_POST = 1; - OIDCAUTHMETHODTYPE_NONE = 2; - OIDCAUTHMETHODTYPE_PRIVATE_KEY_JWT = 3; -} - -enum APIAuthMethodType { - APIAUTHMETHODTYPE_BASIC = 0; - APIAUTHMETHODTYPE_PRIVATE_KEY_JWT = 1; -} - -message ClientSecret { - string client_secret = 1; -} - -message ApplicationView { - string id = 1; - AppState state = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; - string name = 5; - oneof app_config { - OIDCConfig oidc_config = 8; - APIConfig api_config = 10; - } - - uint64 sequence = 9; -} - -message ApplicationSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated ApplicationView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message ApplicationSearchRequest { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - uint64 offset = 2; - uint64 limit = 3; - repeated ApplicationSearchQuery queries = 4; -} - -message ApplicationSearchQuery { - ApplicationSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; -} - -enum ApplicationSearchKey { - APPLICATIONSERACHKEY_UNSPECIFIED = 0; - APPLICATIONSEARCHKEY_APP_NAME = 1; -} - -message AddClientKeyRequest { - string project_id = 1 [(validate.rules).string.min_len = 1]; - string application_id = 2 [(validate.rules).string.min_len = 1]; - AuthNKeyType type = 3 [(validate.rules).enum = {not_in: [0]}]; - google.protobuf.Timestamp expiration_date = 4; -} - 
-message AddClientKeyResponse { - string id = 1; - google.protobuf.Timestamp creation_date = 2; - uint64 sequence = 3; - - AuthNKeyType type = 4; - google.protobuf.Timestamp expiration_date = 5; - bytes key_details = 6; -} - -message ClientKeyIDRequest { - string project_id = 1 [(validate.rules).string.min_len = 1]; - string application_id = 2 [(validate.rules).string.min_len = 1]; - string key_id = 3 [(validate.rules).string.min_len = 1]; -} - -message ClientKeyView { - string id = 1; - AuthNKeyType type = 2; - uint64 sequence = 3; - - google.protobuf.Timestamp creation_date = 4; - google.protobuf.Timestamp expiration_date = 5; -} - -enum AuthNKeyType { - AUTHNKEY_UNSPECIFIED = 0; - AUTHNKEY_JSON = 1; -} - -message ClientKeySearchRequest { - uint64 offset = 1; - uint64 limit = 2; - bool asc = 3; - string project_id = 4 [(validate.rules).string.min_len = 1]; - string application_id = 5 [(validate.rules).string.min_len = 1]; -} - -message ClientKeySearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated ClientKeyView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message ProjectGrant { - string id = 1; - string project_id = 2; - string granted_org_id = 3; - repeated string role_keys = 4; - ProjectGrantState state = 5; - google.protobuf.Timestamp creation_date = 6; - google.protobuf.Timestamp change_date = 7; - uint64 sequence = 9; -} - -message ProjectGrantCreate { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - string granted_org_id = 2 [(validate.rules).string = {min_len: 1}]; - repeated string role_keys = 3; -} - -message ProjectGrantUpdate { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - string id = 2 [(validate.rules).string = {min_len: 1}]; - repeated string role_keys = 3; -} - -message ProjectGrantID { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - string id = 2 [(validate.rules).string = {min_len: 1}]; -} - 
-enum ProjectGrantState { - PROJECTGRANTSTATE_UNSPECIFIED = 0; - PROJECTGRANTSTATE_ACTIVE = 1; - PROJECTGRANTSTATE_INACTIVE = 2; -} - -message ProjectGrantView { - string id = 1; - string project_id = 2; - string granted_org_id = 3; - string granted_org_name = 4; - repeated string role_keys = 5; - ProjectGrantState state = 6; - google.protobuf.Timestamp creation_date = 7; - google.protobuf.Timestamp change_date = 8; - string project_name = 9; - uint64 sequence = 10; - string resource_owner = 11; - string resource_owner_name = 12; -} - -message ProjectGrantSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated ProjectGrantView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message GrantedProjectSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - repeated ProjectSearchQuery queries = 3; -} - -message ProjectGrantSearchRequest { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - uint64 offset = 2; - uint64 limit = 3; - repeated ProjectGrantSearchQuery queries = 4; -} - -message ProjectGrantSearchQuery { - ProjectGrantSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; -} - -enum ProjectGrantSearchKey { - PROJECTGRANTSEARCHKEY_UNSPECIFIED = 0; - PROJECTGRANTSEARCHKEY_PROJECT_NAME = 1; - PROJECTGRANTSEARCHKEY_ROLE_KEY = 2; -} - -message ProjectGrantMemberRoles { - repeated string roles = 1; -} - -message ProjectGrantMember { - string user_id = 1; - repeated string roles = 2; - google.protobuf.Timestamp change_date = 3; - google.protobuf.Timestamp creation_date = 4; - uint64 sequence = 5; -} - -message ProjectGrantMemberAdd { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - string grant_id = 2 [(validate.rules).string = {min_len: 1}]; - string user_id = 3 [(validate.rules).string = {min_len: 1}]; - repeated string roles = 4; -} - -message ProjectGrantMemberChange { - string project_id 
= 1 [(validate.rules).string = {min_len: 1}]; - string grant_id = 2 [(validate.rules).string = {min_len: 1}]; - string user_id = 3 [(validate.rules).string = {min_len: 1}]; - repeated string roles = 4; -} - -message ProjectGrantMemberRemove { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - string grant_id = 2 [(validate.rules).string = {min_len: 1}]; - string user_id = 3 [(validate.rules).string = {min_len: 1}]; -} - -message ProjectGrantMemberView { - string user_id = 1; - string user_name = 2; - string email = 3; - string first_name = 4; - string last_name = 5; - repeated string roles = 6; - google.protobuf.Timestamp change_date = 7; - google.protobuf.Timestamp creation_date = 8; - uint64 sequence = 9; - string display_name = 10; -} - -message ProjectGrantMemberSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated ProjectGrantMemberView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message ProjectGrantMemberSearchRequest { - string project_id = 1 [(validate.rules).string = {min_len: 1}]; - string grant_id = 2 [(validate.rules).string = {min_len: 1}]; - uint64 offset = 3; - uint64 limit = 4; - repeated ProjectGrantMemberSearchQuery queries = 5; -} - -message ProjectGrantMemberSearchQuery { - ProjectGrantMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; -} - -enum ProjectGrantMemberSearchKey { - PROJECTGRANTMEMBERSEARCHKEY_UNSPECIFIED = 0; - PROJECTGRANTMEMBERSEARCHKEY_FIRST_NAME = 1; - PROJECTGRANTMEMBERSEARCHKEY_LAST_NAME = 2; - PROJECTGRANTMEMBERSEARCHKEY_EMAIL = 3; - PROJECTGRANTMEMBERSEARCHKEY_USER_ID = 4; - PROJECTGRANTMEMBERSEARCHKEY_USER_NAME = 5; -} - -message UserGrant { - string id = 1; - string user_id = 2; - string org_id = 3; - string project_id = 4; - repeated string role_keys = 5; - UserGrantState state = 6; - google.protobuf.Timestamp change_date = 7; - uint64 sequence = 8; 
- string grant_id = 9; -} - -message UserGrantCreate { - string user_id = 1 [(validate.rules).string = {min_len: 1}]; - string project_id = 2 [(validate.rules).string = {min_len: 1}]; - repeated string role_keys = 3; - string grant_id = 4; -} - -message UserGrantUpdate { - string user_id = 1 [(validate.rules).string = {min_len: 1}]; - string id = 2 [(validate.rules).string = {min_len: 1}]; - repeated string role_keys = 3; -} - -message UserGrantRemoveBulk { - repeated string ids = 1 [(validate.rules).repeated.min_items = 1]; -} - -message UserGrantID { - string user_id = 1 [(validate.rules).string = {min_len: 1}]; - string id = 2 [(validate.rules).string = {min_len: 1}]; -} - -enum UserGrantState { - USERGRANTSTATE_UNSPECIFIED = 0; - USERGRANTSTATE_ACTIVE = 1; - USERGRANTSTATE_INACTIVE = 2; -} - -message UserGrantView { - string id = 1; - string user_id = 2; - string org_id = 3; - string project_id = 4; - repeated string role_keys = 5; - UserGrantState state = 6; - google.protobuf.Timestamp creation_date = 7; - google.protobuf.Timestamp change_date = 8; - string user_name = 9; - string first_name = 10; - string last_name = 11; - string email = 12; - string org_name = 13; - string org_domain = 14; - string project_name = 15; - uint64 sequence = 16; - string resource_owner = 17; - string display_name = 18; - string grant_id = 19; -} - - -message UserGrantSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated UserGrantView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message UserGrantSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - repeated UserGrantSearchQuery queries = 3; -} - -message UserGrantSearchQuery { - UserGrantSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2 [(validate.rules).enum.defined_only = true]; - string value = 3; -} - -enum UserGrantSearchKey { - USERGRANTSEARCHKEY_UNSPECIFIED = 0; - 
USERGRANTSEARCHKEY_PROJECT_ID = 1; - USERGRANTSEARCHKEY_USER_ID = 2; - USERGRANTSEARCHKEY_WITH_GRANTED = 3; - USERGRANTSEARCHKEY_ROLE_KEY = 4; - USERGRANTSEARCHKEY_GRANT_ID = 5; - USERGRANTSEARCHKEY_USER_NAME = 6; - USERGRANTSEARCHKEY_FIRST_NAME = 7; - USERGRANTSEARCHKEY_LAST_NAME = 8; - USERGRANTSEARCHKEY_EMAIL = 9; - USERGRANTSEARCHKEY_ORG_NAME = 10; - USERGRANTSEARCHKEY_ORG_DOMAIN = 11; - USERGRANTSEARCHKEY_PROJECT_NAME = 12; - USERGRANTSEARCHKEY_DISPLAY_NAME = 13; -} - -message UserMembershipSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated UserMembershipView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message UserMembershipSearchRequest { - string user_id = 1 [(validate.rules).string = {min_len: 1}]; - uint64 offset = 2; - uint64 limit = 3; - repeated UserMembershipSearchQuery queries = 4; -} - -message UserMembershipSearchQuery { - UserMembershipSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2 [(validate.rules).enum = {in: [0]}]; - string value = 3; -} - -enum UserMembershipSearchKey { - USERMEMBERSHIPSEARCHKEY_UNSPECIFIED = 0; - USERMEMBERSHIPSEARCHKEY_TYPE = 1; - USERMEMBERSHIPSEARCHKEY_OBJECT_ID = 2; -} - -message UserMembershipView { - string user_id = 1; - MemberType member_type = 2; - string aggregate_id = 3; - string object_id = 4; - repeated string roles = 5; - string display_name = 6; - google.protobuf.Timestamp creation_date = 7; - google.protobuf.Timestamp change_date = 8; - uint64 sequence = 9; - string resource_owner = 10; -} - -enum MemberType { - MEMBERTYPE_UNSPECIFIED = 0; - MEMBERTYPE_ORGANISATION = 1; - MEMBERTYPE_PROJECT = 2; - MEMBERTYPE_PROJECT_GRANT = 3; -} - -message IdpID { - string id = 1 [(validate.rules).string = {min_len: 1}]; -} - -message Idp { - string id = 1; - IdpState state = 2; - google.protobuf.Timestamp change_date = 3; - string name = 4; - IdpStylingType styling_type = 5; - oneof 
idp_config { - OidcIdpConfig oidc_config = 6; - } - uint64 sequence = 7; -} - -message IdpUpdate { - string id = 1 [(validate.rules).string = {min_len: 1}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - IdpStylingType styling_type = 3; -} - -message OidcIdpConfig { - string client_id = 1; - string client_secret = 2; - string issuer = 3; - repeated string scopes = 4; - OIDCMappingField idp_display_name_mapping = 5; - OIDCMappingField username_mapping = 6; -} - -enum IdpStylingType { - IDPSTYLINGTYPE_UNSPECIFIED = 0; - IDPSTYLINGTYPE_GOOGLE = 1; -} - -enum IdpState { - IDPCONFIGSTATE_UNSPECIFIED = 0; - IDPCONFIGSTATE_ACTIVE = 1; - IDPCONFIGSTATE_INACTIVE = 2; -} - -enum OIDCMappingField { - OIDCMAPPINGFIELD_UNSPECIFIED = 0; - OIDCMAPPINGFIELD_PREFERRED_USERNAME = 1; - OIDCMAPPINGFIELD_EMAIL = 2; -} - -message OidcIdpConfigCreate { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - IdpStylingType styling_type = 2; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 6; - OIDCMappingField idp_display_name_mapping = 7; - OIDCMappingField username_mapping = 8; -} - -message OidcIdpConfigUpdate { - string idp_id = 1 [(validate.rules).string = {min_len: 1}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3; - string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 5; - OIDCMappingField idp_display_name_mapping = 6; - OIDCMappingField username_mapping = 7; -} - -message IdpSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated IdpView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message IdpView { - string id = 1; - 
IdpState state = 2; - google.protobuf.Timestamp creation_date = 3; - google.protobuf.Timestamp change_date = 4; - string name = 5; - IdpStylingType styling_type = 6; - IdpProviderType provider_type = 7; - oneof idp_config_view { - OidcIdpConfigView oidc_config = 8; - } - uint64 sequence = 9; -} - -message OidcIdpConfigView { - string client_id = 1; - string issuer = 2; - repeated string scopes = 3; - OIDCMappingField idp_display_name_mapping = 4; - OIDCMappingField username_mapping = 5; -} - -message IdpSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - repeated IdpSearchQuery queries = 3; -} - -message IdpSearchQuery { - IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; - SearchMethod method = 2; - string value = 3; -} - -enum IdpSearchKey { - IDPSEARCHKEY_UNSPECIFIED = 0; - IDPSEARCHKEY_IDP_CONFIG_ID = 1; - IDPSEARCHKEY_NAME = 2; - IDPSEARCHKEY_PROVIDER_TYPE = 3; -} - -message LoginPolicy { - bool allow_username_password = 1; - bool allow_register = 2; - bool allow_external_idp = 3; - google.protobuf.Timestamp change_date = 4; - bool force_mfa = 5; - PasswordlessType passwordless_type = 6; -} - -message LoginPolicyRequest { - bool allow_username_password = 1; - bool allow_register = 2; - bool allow_external_idp = 3; - bool force_mfa = 4; - PasswordlessType passwordless_type = 5; -} - -enum PasswordlessType { - PASSWORDLESSTYPE_NOT_ALLOWED = 0; - PASSWORDLESSTYPE_ALLOWED = 1; -} - - -message IdpProviderID { - string idp_config_id = 1 [(validate.rules).string = {min_len: 1}]; -} - -message IdpProviderAdd { - string idp_config_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - IdpProviderType idp_provider_type = 2 [(validate.rules).enum = {not_in: [0]}]; -} - -message IdpProvider { - string idp_config_id = 1; - IdpProviderType idp_provider_Type = 2; -} - -message LoginPolicyView { - bool default = 1; - bool allow_username_password = 2; - bool allow_register = 3; - bool allow_external_idp = 4; - google.protobuf.Timestamp 
creation_date = 5; - google.protobuf.Timestamp change_date = 6; - bool force_mfa = 7; - PasswordlessType passwordless_type = 8; -} - -message IdpProviderView { - string idp_config_id = 1; - string name = 2; - IdpProviderType type = 3; -} - -enum IdpType { - IDPTYPE_UNSPECIFIED = 0; - IDPTYPE_OIDC = 1; - IDPTYPE_SAML = 2; -} - -enum IdpProviderType { - IDPPROVIDERTYPE_UNSPECIFIED = 0; - IDPPROVIDERTYPE_SYSTEM = 1; - IDPPROVIDERTYPE_ORG = 2; -} - -message IdpProviderSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated IdpProviderView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message IdpProviderSearchRequest { - uint64 offset = 1; - uint64 limit = 2; -} - -//ProjectType is deprecated, remove as soon as console is ready -enum ProjectType { - PROJECTTYPE_UNSPECIFIED = 0; - PROJECTTYPE_OWNED = 1; - PROJECTTYPE_GRANTED = 2; -} - -message ExternalIDPSearchRequest { - uint64 offset = 1; - uint64 limit = 2; - string user_id = 3; -} - -message ExternalIDPSearchResponse { - uint64 offset = 1; - uint64 limit = 2; - uint64 total_result = 3; - repeated ExternalIDPView result = 4; - uint64 processed_sequence = 5; - google.protobuf.Timestamp view_timestamp = 6; -} - -message ExternalIDPView { - string user_id = 1; - string idp_config_id = 2; - string external_user_id = 3; - string idp_name = 4; - string external_user_display_name = 5; - google.protobuf.Timestamp creation_date = 6; - google.protobuf.Timestamp change_date = 7; -} - -message ExternalIDPRemoveRequest { - string user_id = 1; - string idp_config_id = 2; - string external_user_id = 3; -} - -message SecondFactorsResult { - repeated SecondFactorType second_factors = 1; -} - -message SecondFactor { - SecondFactorType second_factor = 1; -} - -enum SecondFactorType { - SECONDFACTORTYPE_UNSPECIFIED = 0; - SECONDFACTORTYPE_OTP = 1; - SECONDFACTORTYPE_U2F = 2; -} - -message MultiFactorsResult { - repeated MultiFactorType 
multi_factors = 1; -} - -message MultiFactor { - MultiFactorType multi_factor = 1; -} - -enum MultiFactorType { - MULTIFACTORTYPE_UNSPECIFIED = 0; - MULTIFACTORTYPE_U2F_WITH_PIN = 1; -} - -message PasswordComplexityPolicy { - uint64 min_length = 1; - bool has_lowercase = 2; - bool has_uppercase = 3; - bool has_number = 4; - bool has_symbol = 5; - uint64 sequence = 6; - google.protobuf.Timestamp change_date = 7; -} - -message PasswordComplexityPolicyRequest { - uint64 min_length = 1; - bool has_lowercase = 2; - bool has_uppercase = 3; - bool has_number = 4; - bool has_symbol = 5; -} - -message PasswordComplexityPolicyView { - bool default = 1; - uint64 min_length = 2; - bool has_lowercase = 3; - bool has_uppercase = 4; - bool has_number = 5; - bool has_symbol = 6; - uint64 sequence = 7; - google.protobuf.Timestamp creation_date = 8; - google.protobuf.Timestamp change_date = 9; -} - -message PasswordAgePolicy { - uint64 max_age_days = 1; - uint64 expire_warn_days = 2; - uint64 sequence = 3; - google.protobuf.Timestamp change_date = 4; -} - -message PasswordAgePolicyRequest { - uint64 max_age_days = 1; - uint64 expire_warn_days = 2; -} - -message PasswordAgePolicyView { - bool default = 1; - uint64 max_age_days = 2; - uint64 expire_warn_days = 3; - uint64 sequence = 4; - google.protobuf.Timestamp creation_date = 5; - google.protobuf.Timestamp change_date = 6; -} - -message PasswordLockoutPolicy { - uint64 max_attempts = 1; - bool show_lockout_failure = 2; - uint64 sequence = 3; - google.protobuf.Timestamp change_date = 4; -} - -message PasswordLockoutPolicyRequest { - uint64 max_attempts = 1; - bool show_lockout_failure = 2; -} - -message PasswordLockoutPolicyView { - bool default = 1; - uint64 max_attempts = 2; - bool show_lockout_failure = 3; - uint64 sequence = 4; - google.protobuf.Timestamp creation_date = 5; - google.protobuf.Timestamp change_date = 6; -} -message MailTemplate { - bytes template = 1; - google.protobuf.Timestamp creation_date = 2; - 
google.protobuf.Timestamp change_date = 3;
-}
-
-message MailTemplateUpdate {
- bytes template = 1;
-}
-
-message MailTemplateView {
- bool default = 1;
- bytes template = 2;
- google.protobuf.Timestamp creation_date = 3;
- google.protobuf.Timestamp change_date = 4;
-}
-
-message MailText {
- string mail_text_type = 1;
- string language = 2;
- string title = 3;
- string pre_header = 4;
- string subject = 5;
- string greeting = 6;
- string text = 7;
- string button_text = 8;
- google.protobuf.Timestamp creation_date = 9;
- google.protobuf.Timestamp change_date = 10;
-}
-
-message MailTextUpdate {
- string mail_text_type = 1;
- string language = 2;
- string title = 3;
- string pre_header = 4;
- string subject = 5;
- string greeting = 6;
- string text = 7;
- string button_text = 8;
-}
-
-message MailTextRemove {
- string mail_text_type = 1;
- string language = 2;
-}
-
-message MailTextsView{
- repeated MailTextView texts = 1;
-}
-
-message MailTextView {
- bool default = 1;
- string mail_text_type = 2;
- string language = 3;
- string title = 4;
- string pre_header = 5;
- string subject = 6;
- string greeting = 7;
- string text = 8;
- string button_text = 9;
- google.protobuf.Timestamp creation_date = 10;
- google.protobuf.Timestamp change_date = 11;
-}
diff --git a/pkg/grpc/message/proto/generate.go b/pkg/grpc/message/proto/generate.go
deleted file mode 100644
index b83492fb90..0000000000
--- a/pkg/grpc/message/proto/generate.go
+++ /dev/null
@@ -1,3 +0,0 @@
-package proto
-
-//go:generate protoc -I$GOPATH/src -I. --go_out=plugins=grpc:$GOPATH/src ./message.proto
diff --git a/pkg/grpc/user/user.go b/pkg/grpc/user/user.go
new file mode 100644
index 0000000000..2cb9aaa8df
--- /dev/null
+++ b/pkg/grpc/user/user.go
@@ -0,0 +1,13 @@
+package user
+
+type SearchQuery_ResourceOwner struct {
+ ResourceOwner *ResourceOwnerQuery
+}
+
+func (SearchQuery_ResourceOwner) isSearchQuery_Query() {}
+
+type ResourceOwnerQuery struct {
+ OrgID string
+}
+
+type MembershipType = isMembership_Type
diff --git a/proto/zitadel/admin.proto b/proto/zitadel/admin.proto
new file mode 100644
index 0000000000..4dae768a4a
--- /dev/null
+++ b/proto/zitadel/admin.proto
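Review bot: In pkg/grpc/user/user.go, `SearchQuery_ResourceOwner`, `ResourceOwnerQuery` and `MembershipType` are hand-written additions to a package that otherwise appears to hold generated stubs, and nothing in the file says so or explains why they exist. The marker method `isSearchQuery_Query()` makes the struct assignable to the generated oneof, but the type carries no protobuf metadata, so it presumably never travels over the wire and is meant to be set by server code only. If it is what restricts a search to the caller's organisation, that deserves to be written down, because the value must then never be taken from a request. I would add a doc comment such as `// SearchQuery_ResourceOwner is a server-side-only query that limits a search to one organisation; it is not part of the proto API and must not be populated from client input.` and one line on `MembershipType` saying which generated interface it re-exports.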
@@ -0,0 +1,987 @@ +syntax = "proto3"; + +import "zitadel/idp.proto"; +import "zitadel/user.proto"; +import "zitadel/object.proto"; +import "zitadel/options.proto"; +import "zitadel/org.proto"; +import "zitadel/policy.proto"; +import "zitadel/member.proto"; + +import "google/api/annotations.proto"; +import "google/protobuf/timestamp.proto"; + +import "protoc-gen-openapiv2/options/annotations.proto"; + +import "validate/validate.proto"; + +package zitadel.admin.v1; + +option go_package ="github.com/caos/zitadel/pkg/grpc/admin"; + +option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = { + info: { + title: "admin service"; + version: "1.0"; + contact:{ + url: "https://github.com/caos/zitadel/api/admin" //TODO: should be swagger path + }; + }; + + schemes: HTTPS; + + consumes: "application/json"; + consumes: "application/grpc"; + + produces: "application/json"; + produces: "application/grpc"; +}; + + +service AdminService { + rpc Healthz(HealthzRequest) returns (HealthzResponse) { + option (google.api.http) = { + get: "/healthz" + }; + } + + rpc IsOrgUnique(IsOrgUniqueRequest) returns (IsOrgUniqueResponse) { + option (google.api.http) = { + get: "/orgs/_is_unique" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.read" + }; + } + + rpc GetOrgByID(GetOrgByIDRequest) returns (GetOrgByIDResponse) { + option (google.api.http) = { + get: "/orgs/{id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.read" + }; + } + + rpc ListOrgs(ListOrgsRequest) returns (ListOrgsResponse) { + option (google.api.http) = { + post: "/orgs/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.read" + }; + } + + rpc SetUpOrg(SetUpOrgRequest) returns (SetUpOrgResponse) { + option (google.api.http) = { + post: "/orgs/_setup" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.write" + }; + } + + rpc GetIDPByID(GetIDPByIDRequest) returns (GetIDPByIDResponse) { + option (google.api.http) = { + get: 
"/idps/{id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.idp.read" + }; + } + + rpc ListIDPs(ListIDPsRequest) returns (ListIDPsResponse) { + option (google.api.http) = { + post: "/idps/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.idp.read" + }; + } + + rpc AddOIDCIDP(AddOIDCIDPRequest) returns (AddOIDCIDPResponse) { + option (google.api.http) = { + post: "/idps/oidc" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.idp.write" + }; + } + + rpc UpdateIDP(UpdateIDPRequest) returns (UpdateIDPResponse) { + option (google.api.http) = { + put: "/idps/{idp_id}" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.idp.write" + }; + } + + rpc DeactivateIDP(DeactivateIDPRequest) returns (DeactivateIDPResponse) { + option (google.api.http) = { + post: "/idps/{idp_id}/_deactivate" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.idp.write" + }; + } + + rpc ReactivateIDP(ReactivateIDPRequest) returns (ReactivateIDPResponse) { + option (google.api.http) = { + post: "/idps/{idp_id}/_reactivate" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.idp.write" + }; + } + + rpc RemoveIDP(RemoveIDPRequest) returns (RemoveIDPResponse) { + option (google.api.http) = { + delete: "/idps/{idp_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.idp.write" + }; + } + + rpc UpdateIDPOIDCConfig(UpdateIDPOIDCConfigRequest) returns (UpdateIDPOIDCConfigResponse) { + option (google.api.http) = { + put: "/idps/{idp_id}/oidc_config" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.idp.write" + }; + } + + rpc GetOrgIAMPolicy(GetOrgIAMPolicyRequest) returns (GetOrgIAMPolicyResponse) { + option (google.api.http) = { + get: "/policies/orgiam" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.read" + }; + } + + rpc UpdateOrgIAMPolicy(UpdateOrgIAMPolicyRequest) returns (UpdateOrgIAMPolicyResponse) { + option 
(google.api.http) = { + put: "/policies/orgiam" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc GetCustomOrgIAMPolicy(GetCustomOrgIAMPolicyRequest) returns (GetCustomOrgIAMPolicyResponse) { + option (google.api.http) = { + get: "/orgs/{org_id}/policies/orgiam" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.read" + }; + } + + rpc AddCustomOrgIAMPolicy(AddCustomOrgIAMPolicyRequest) returns (AddCustomOrgIAMPolicyResponse) { + option (google.api.http) = { + post: "/orgs/{org_id}/policies/orgiam" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc UpdateCustomOrgIAMPolicy(UpdateCustomOrgIAMPolicyRequest) returns (UpdateCustomOrgIAMPolicyResponse) { + option (google.api.http) = { + put: "/orgs/{org_id}/policies/orgiam" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc ResetCustomOrgIAMPolicyToDefault(ResetCustomOrgIAMPolicyToDefaultRequest) returns (ResetCustomOrgIAMPolicyToDefaultResponse) { + option (google.api.http) = { + delete: "/orgs/{org_id}/policies/orgiam" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.delete" + }; + } + + rpc GetLabelPolicy(GetLabelPolicyRequest) returns (GetLabelPolicyResponse) { + option (google.api.http) = { + get: "/policies/label" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.read" + }; + } + + rpc UpdateLabelPolicy(UpdateLabelPolicyRequest) returns (UpdateLabelPolicyResponse) { + option (google.api.http) = { + put: "/policies/label" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc GetLoginPolicy(GetLoginPolicyRequest) returns (GetLoginPolicyResponse) { + option (google.api.http) = { + get: "/policies/login" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.read" + }; + } + + rpc UpdateLoginPolicy(UpdateLoginPolicyRequest) 
returns (UpdateLoginPolicyResponse) { + option (google.api.http) = { + put: "/policies/login" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc ListLoginPolicyIDPs(ListLoginPolicyIDPsRequest) returns (ListLoginPolicyIDPsResponse) { + option (google.api.http) = { + post: "/policies/login/idps/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.read" + }; + } + + rpc AddIDPToLoginPolicy(AddIDPToLoginPolicyRequest) returns (AddIDPToLoginPolicyResponse) { + option (google.api.http) = { + post: "/policies/login/idps" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc RemoveIDPFromLoginPolicy(RemoveIDPFromLoginPolicyRequest) returns (RemoveIDPFromLoginPolicyResponse) { + option (google.api.http) = { + delete: "/policies/login/idps/{idp_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc ListLoginPolicySecondFactors(ListLoginPolicySecondFactorsRequest) returns (ListLoginPolicySecondFactorsResponse) { + option (google.api.http) = { + post: "/policies/login/second_factors/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.read" + }; + } + + rpc AddSecondFactorToLoginPolicy(AddSecondFactorToLoginPolicyRequest) returns (AddSecondFactorToLoginPolicyResponse) { + option (google.api.http) = { + post: "/policies/login/second_factors" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc RemoveSecondFactorFromLoginPolicy(RemoveSecondFactorFromLoginPolicyRequest) returns (RemoveSecondFactorFromLoginPolicyResponse) { + option (google.api.http) = { + delete: "/policies/login/second_factors/{type}" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc ListLoginPolicyMultiFactors(ListLoginPolicyMultiFactorsRequest) returns (ListLoginPolicyMultiFactorsResponse) { + 
option (google.api.http) = { + post: "/policies/login/multi_factors/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.read" + }; + } + + rpc AddMultiFactorToLoginPolicy(AddMultiFactorToLoginPolicyRequest) returns (AddMultiFactorToLoginPolicyResponse) { + option (google.api.http) = { + post: "/policies/login/multi_factors" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc RemoveMultiFactorFromLoginPolicy(RemoveMultiFactorFromLoginPolicyRequest) returns (RemoveMultiFactorFromLoginPolicyResponse) { + option (google.api.http) = { + delete: "/policies/login/multi_factors/{type}" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc GetPasswordComplexityPolicy(GetPasswordComplexityPolicyRequest) returns (GetPasswordComplexityPolicyResponse) { + option (google.api.http) = { + get: "/policies/password/complexity" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.read" + }; + } + + rpc UpdatePasswordComplexityPolicy(UpdatePasswordComplexityPolicyRequest) returns (UpdatePasswordComplexityPolicyResponse) { + option (google.api.http) = { + put: "/policies/password/complexity" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc GetPasswordAgePolicy(GetPasswordAgePolicyRequest) returns (GetPasswordAgePolicyResponse) { + option (google.api.http) = { + get: "/policies/password/age" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.read" + }; + } + + rpc UpdatePasswordAgePolicy(UpdatePasswordAgePolicyRequest) returns (UpdatePasswordAgePolicyResponse) { + option (google.api.http) = { + put: "/policies/password/age" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc GetPasswordLockoutPolicy(GetPasswordLockoutPolicyRequest) returns (GetPasswordLockoutPolicyResponse) { + option (google.api.http) = { + get: 
"/policies/password/lockout" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.read" + }; + } + + rpc UpdatePasswordLockoutPolicy(UpdatePasswordLockoutPolicyRequest) returns (UpdatePasswordLockoutPolicyResponse) { + option (google.api.http) = { + put: "/policies/password/lockout" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.policy.write" + }; + } + + rpc ListIAMMemberRoles(ListIAMMemberRolesRequest) returns (ListIAMMemberRolesResponse) { + option (google.api.http) = { + post: "/members/roles/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.member.read" + }; + } + + rpc ListIAMMembers(ListIAMMembersRequest) returns (ListIAMMembersResponse) { + option (google.api.http) = { + post: "/members/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.member.read" + }; + } + + rpc AddIAMMember(AddIAMMemberRequest) returns (AddIAMMemberResponse) { + option (google.api.http) = { + post: "/members" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.member.write" + }; + } + + rpc UpdateIAMMember(UpdateIAMMemberRequest) returns (UpdateIAMMemberResponse) { + option (google.api.http) = { + put: "/members/{user_id}" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.member.write" + }; + } + + rpc RemoveIAMMember(RemoveIAMMemberRequest) returns (RemoveIAMMemberResponse) { + option (google.api.http) = { + delete: "/members/{user_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.member.delete" + }; + } + + rpc ListViews(ListViewsRequest) returns (ListViewsResponse) { + option (google.api.http) = { + post: "/views/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.read" + }; + } + + rpc ClearView(ClearViewRequest) returns (ClearViewResponse) { + option (google.api.http) = { + post: "/views/{database}/{view_name}" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.write" + }; + } 
+ + rpc ListFailedEvents(ListFailedEventsRequest) returns (ListFailedEventsResponse) { + option (google.api.http) = { + post: "/failedevents/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.read" + }; + } + + rpc RemoveFailedEvent(RemoveFailedEventRequest) returns (RemoveFailedEventResponse) { + option (google.api.http) = { + delete: "/failedevents/{database}/{view_name}/{failed_sequence}" + }; + + option (zitadel.v1.auth_option) = { + permission: "iam.write" + }; + } +} + +message HealthzRequest {} + +message HealthzResponse {} + +message IsOrgUniqueRequest { + string name = 1 [(validate.rules).string.min_len = 1]; + string domain = 2 [(validate.rules).string.min_len = 1]; +} + +message IsOrgUniqueResponse { + bool is_unique = 1; +} + +message GetOrgByIDRequest { + string id = 1 [(validate.rules).string.min_len = 1]; +} + +message GetOrgByIDResponse { + zitadel.org.v1.Org org = 1; +} + +message ListOrgsRequest { + zitadel.v1.ListQuery query = 1; + zitadel.org.v1.OrgFieldName sorting_column = 2; + repeated zitadel.org.v1.OrgQuery queries = 3; +} + +message ListOrgsResponse { + zitadel.v1.ListDetails details = 1; + zitadel.org.v1.OrgFieldName sorting_column = 2; + repeated zitadel.org.v1.Org result = 3; +} + +message SetUpOrgRequest { + message Org { + string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string domain = 2; + } + message Human { + message Profile { + string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string nick_name = 3 [(validate.rules).string = {max_len: 200}]; + string display_name = 4 [(validate.rules).string = {max_len: 200}]; + string preferred_language = 5 [(validate.rules).string = {max_len: 10}]; + zitadel.user.v1.Gender gender = 6; + } + message Email { + string email = 1 [(validate.rules).string.email = true]; //TODO: check if no value is allowed + bool is_email_verified = 2; + } + 
message Phone { + // has to be a global number + string phone = 1 [(validate.rules).string = {min_len: 1, max_len: 50, prefix: "+"}]; + bool is_phone_verified = 2; + } + + string user_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + + Profile profile = 2 [(validate.rules).message.required = true]; + Email email = 3 [(validate.rules).message.required = true]; + Phone phone = 4; + string password = 5 [(validate.rules).string = {min_len: 1, max_len: 72}]; + } + Org org = 1 [(validate.rules).message.required = true]; + oneof user { + option (validate.required) = true; + + Human human = 2; + } +} + +message SetUpOrgResponse { + zitadel.v1.ObjectDetails details = 1; + string org_id = 2; + string user_id = 3; +} + +message GetIDPByIDRequest { + string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message GetIDPByIDResponse { + zitadel.idp.v1.IDP idp = 1; +} + +message ListIDPsRequest { + zitadel.v1.ListQuery query = 1; + zitadel.idp.v1.IDPFieldName sorting_column = 2; + repeated IDPQuery queries = 3; +} + +message IDPQuery { + oneof query { + zitadel.idp.v1.IDPIDQuery idp_id_query = 1; + zitadel.idp.v1.IDPNameQuery idp_name_query = 2; + } +} + +message ListIDPsResponse { + zitadel.v1.ListDetails details = 1; + zitadel.idp.v1.IDPFieldName sorting_column = 2; + repeated zitadel.idp.v1.IDP result = 3; +} + +message AddOIDCIDPRequest { + string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + zitadel.idp.v1.IDPStylingType styling_type = 2 [(validate.rules).enum = {defined_only: true}]; + + string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; + repeated string scopes = 6; + zitadel.idp.v1.OIDCMappingField display_name_mapping = 7 [(validate.rules).enum = {defined_only: true}]; + zitadel.idp.v1.OIDCMappingField username_mapping = 8 
[(validate.rules).enum = {defined_only: true}]; +} + +message AddOIDCIDPResponse { + zitadel.v1.ObjectDetails details = 1; + string idp_id = 2; +} + +message UpdateIDPRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + zitadel.idp.v1.IDPStylingType styling_type = 3 [(validate.rules).enum = {defined_only: true}]; +} + +message UpdateIDPResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message DeactivateIDPRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message DeactivateIDPResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ReactivateIDPRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message ReactivateIDPResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message RemoveIDPRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message RemoveIDPResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message UpdateIDPOIDCConfigRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string issuer = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string client_secret = 4 [(validate.rules).string = {max_len: 200}]; + repeated string scopes = 5; + zitadel.idp.v1.OIDCMappingField display_name_mapping = 6 [(validate.rules).enum = {defined_only: true}]; + zitadel.idp.v1.OIDCMappingField username_mapping = 7 [(validate.rules).enum = {defined_only: true}]; +} + +message UpdateIDPOIDCConfigResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetOrgIAMPolicyRequest {} + +message GetOrgIAMPolicyResponse { + zitadel.policy.v1.OrgIAMPolicy policy = 1; +} + +message UpdateOrgIAMPolicyRequest { + bool user_login_must_be_domain = 1; +} + +message UpdateOrgIAMPolicyResponse { + 
zitadel.v1.ObjectDetails details = 1; +} + +message GetCustomOrgIAMPolicyRequest { + string org_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message GetCustomOrgIAMPolicyResponse { + zitadel.policy.v1.OrgIAMPolicy policy = 1; + bool is_default = 2; +} + +message AddCustomOrgIAMPolicyRequest { + string org_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + bool user_login_must_be_domain = 2; +} + +message AddCustomOrgIAMPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message UpdateCustomOrgIAMPolicyRequest { + string org_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + bool user_login_must_be_domain = 2; +} + +message UpdateCustomOrgIAMPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ResetCustomOrgIAMPolicyToDefaultRequest { + string org_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message ResetCustomOrgIAMPolicyToDefaultResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetLabelPolicyRequest {} + +message GetLabelPolicyResponse { + zitadel.policy.v1.LabelPolicy policy = 1; +} + +message UpdateLabelPolicyRequest { + string primary_color = 1 [(validate.rules).string = {min_len: 1, max_len: 50}]; + string secondary_color = 2 [(validate.rules).string = {min_len: 1, max_len: 50}]; +} + +message UpdateLabelPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetLoginPolicyRequest {} + +message GetLoginPolicyResponse { + zitadel.policy.v1.LoginPolicy policy = 1; +} + +message UpdateLoginPolicyRequest { + bool allow_username_password = 1; + bool allow_register = 2; + bool allow_external_idp = 3; + bool force_mfa = 4; + zitadel.policy.v1.PasswordlessType passwordless_type = 5 [(validate.rules).enum = {defined_only: true}]; +} + +message UpdateLoginPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ListLoginPolicyIDPsRequest { + zitadel.v1.ListQuery query = 1; +} + +message ListLoginPolicyIDPsResponse { + 
zitadel.v1.ListDetails details = 1; + repeated zitadel.idp.v1.IDPLoginPolicyLink result = 2; +} + +message AddIDPToLoginPolicyRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message AddIDPToLoginPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message RemoveIDPFromLoginPolicyRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message RemoveIDPFromLoginPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ListLoginPolicySecondFactorsRequest {} + +message ListLoginPolicySecondFactorsResponse { + zitadel.v1.ListDetails details = 1; + repeated zitadel.policy.v1.SecondFactorType result = 2; +} + +message AddSecondFactorToLoginPolicyRequest { + zitadel.policy.v1.SecondFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}]; +} + +message AddSecondFactorToLoginPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message RemoveSecondFactorFromLoginPolicyRequest { + zitadel.policy.v1.SecondFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}]; +} + +message RemoveSecondFactorFromLoginPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ListLoginPolicyMultiFactorsRequest {} + +message ListLoginPolicyMultiFactorsResponse { + zitadel.v1.ListDetails details = 1; + repeated zitadel.policy.v1.MultiFactorType result = 2; +} + +message AddMultiFactorToLoginPolicyRequest { + zitadel.policy.v1.MultiFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}]; +} + +message AddMultiFactorToLoginPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message RemoveMultiFactorFromLoginPolicyRequest { + zitadel.policy.v1.MultiFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}]; +} + +message RemoveMultiFactorFromLoginPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetPasswordComplexityPolicyRequest {} + +message 
GetPasswordComplexityPolicyResponse { + zitadel.policy.v1.PasswordComplexityPolicy policy = 1; +} + +message UpdatePasswordComplexityPolicyRequest { + uint32 min_length = 1; + bool has_uppercase = 2; + bool has_lowercase = 3; + bool has_number = 4; + bool has_symbol = 5; +} + +message UpdatePasswordComplexityPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetPasswordAgePolicyRequest {} + +message GetPasswordAgePolicyResponse { + zitadel.policy.v1.PasswordAgePolicy policy = 1; +} + +message UpdatePasswordAgePolicyRequest { + uint32 max_age_days = 1; + uint32 expire_warn_days = 2; +} + +message UpdatePasswordAgePolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetPasswordLockoutPolicyRequest {} + +message GetPasswordLockoutPolicyResponse { + zitadel.policy.v1.PasswordLockoutPolicy policy = 1; +} + +message UpdatePasswordLockoutPolicyRequest { + uint32 max_attempts = 1; + bool show_lockout_failure = 2; +} + +message UpdatePasswordLockoutPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message AddIAMMemberRequest { + string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + repeated string roles = 2; +} + +message AddIAMMemberResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message UpdateIAMMemberRequest { + string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + repeated string roles = 2; +} + +message UpdateIAMMemberResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message RemoveIAMMemberRequest { + string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message RemoveIAMMemberResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ListIAMMemberRolesRequest {} + +message ListIAMMemberRolesResponse { + zitadel.v1.ListDetails details = 1; + repeated string roles = 2; +} + +message ListIAMMembersRequest { + zitadel.v1.ListQuery query = 1; + repeated zitadel.member.v1.SearchQuery queries = 2; +} + +message 
ListIAMMembersResponse { + zitadel.v1.ListDetails details = 1; + repeated zitadel.member.v1.Member result = 2; +} + +message ListViewsRequest {} + +message ListViewsResponse { + //TODO: search + repeated View result = 1; +} + +message ClearViewRequest { + string database = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string view_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message ClearViewResponse {} + +message ListFailedEventsRequest {} + +message ListFailedEventsResponse { + //TODO: search + repeated FailedEvent result = 1; +} + +message RemoveFailedEventRequest { + string database = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string view_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + uint64 failed_sequence = 3; +} + +message RemoveFailedEventResponse {} + +message View { + string database = 1; + string view_name = 2; + uint64 processed_sequence = 3; + google.protobuf.Timestamp event_timestamp = 4; + google.protobuf.Timestamp last_successful_spooler_run = 5; +} + +message FailedEvent { + string database = 1; + string view_name = 2; + uint64 failed_sequence = 3; + uint64 failure_count = 4; + string error_message = 5; +} \ No newline at end of file diff --git a/proto/zitadel/app.proto b/proto/zitadel/app.proto new file mode 100644 index 0000000000..808985e84b --- /dev/null +++ b/proto/zitadel/app.proto 
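Review bot: In proto/zitadel/admin.proto, `SetUpOrgRequest.Human.password` is validated with `max_len: 72`, and in protoc-gen-validate `max_len` counts characters, not bytes. If 72 is there because of bcrypt's 72-byte input limit (an inference, the hashing code is not in this hunk), a password containing multi-byte characters passes validation and is still longer than the hash accepts; `string password = 5 [(validate.rules).string = {min_len: 1, max_bytes: 72}];` states the byte limit directly. `min_len: 1` also means the password complexity policy has to be enforced in the handler for this path. In the same file, `ClearViewRequest` and `RemoveFailedEventRequest` take `database` and `view_name` from the URL path with only a length check; a `pattern` rule limiting them to identifier characters would keep them safe if the handler uses them to name a table.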
@@ -0,0 +1,105 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+import "zitadel/message.proto";
+import "google/protobuf/duration.proto";
+import "validate/validate.proto";
+
+package zitadel.app.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/app";
+
+message App {
+ string id = 1;
+ zitadel.v1.ObjectDetails details = 2;
+ AppState state = 3;
+ string name = 4;
+ oneof config {
+ OIDCConfig oidc_config = 5;
+ APIConfig api_config = 6;
+ }
+}
+
+enum AppState {
+ APP_STATE_UNSPECIFIED = 0;
+ APP_STATE_ACTIVE = 1;
+ APP_STATE_INACTIVE = 2;
+}
+
+message AppQuery {
+ oneof query {
+ option (validate.required) = true;
+
+ AppNameQuery name_query = 1;
+ }
+}
+
+message AppNameQuery {
+ string name = 1 [(validate.rules).string = {max_len: 200}];
+ zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message OIDCConfig {
+ repeated string redirect_uris = 1;
+ repeated OIDCResponseType response_types = 2;
+ repeated OIDCGrantType grant_types = 3;
+ OIDCAppType app_type = 4;
+ string client_id = 5;
+ string client_secret = 6;
+ OIDCAuthMethodType auth_method_type = 7;
+ repeated string post_logout_redirect_uris = 8;
+ OIDCVersion version = 9;
+ bool none_compliant = 10;
+ repeated zitadel.v1.LocalizedMessage compliance_problems = 11;
+ bool dev_mode = 12;
+ OIDCTokenType access_token_type = 13;
+ bool access_token_role_assertion = 14;
+ bool id_token_role_assertion = 15;
+ bool id_token_userinfo_assertion = 16;
+ google.protobuf.Duration clock_skew = 17;
+}
+
+enum OIDCResponseType {
+ OIDC_RESPONSE_TYPE_CODE = 0;
+ OIDC_RESPONSE_TYPE_ID_TOKEN = 1;
+ OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN = 2;
+}
+
+enum OIDCGrantType{
+ OIDC_GRANT_TYPE_AUTHORIZATION_CODE = 0;
+ OIDC_GRANT_TYPE_IMPLICIT = 1;
+ OIDC_GRANT_TYPE_REFRESH_TOKEN = 2;
+}
+
+enum OIDCAppType {
+ OIDC_APP_TYPE_WEB = 0;
+ OIDC_APP_TYPE_USER_AGENT = 1;
+ OIDC_APP_TYPE_NATIVE = 2;
+}
+
+enum OIDCAuthMethodType {
+ OIDC_AUTH_METHOD_TYPE_BASIC = 0;
+ OIDC_AUTH_METHOD_TYPE_POST = 1;
+ OIDC_AUTH_METHOD_TYPE_NONE = 2;
+ OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT = 3;
+}
+
+enum OIDCVersion {
+ OIDC_VERSION_1_0 = 0;
+}
+
+enum OIDCTokenType {
+ OIDC_TOKEN_TYPE_BEARER = 0;
+ OIDC_TOKEN_TYPE_JWT = 1;
+}
+
+enum APIAuthMethodType {
+ API_AUTH_METHOD_TYPE_BASIC = 0;
+ API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT = 1;
+}
+
+message APIConfig {
+ string client_id = 1;
+ string client_secret = 2;
+ APIAuthMethodType auth_method_type = 3;
+}
diff --git a/proto/zitadel/auth.proto b/proto/zitadel/auth.proto
new file mode 100644
index 0000000000..98395c00d4
--- /dev/null
+++ b/proto/zitadel/auth.proto
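Review bot: In proto/zitadel/app.proto, `client_secret` is a field of both `OIDCConfig` and `APIConfig`, and both sit inside `App` through the `config` oneof, so every RPC that returns an `App` has a slot for the secret. Whether the field is ever filled on reads is not visible from this hunk, but the schema does not say either way, and a reader of the API cannot tell that the secret is meant to be shown once. At minimum I would document it on both fields, e.g. `// client_secret is only set in the response that creates or regenerates it; it is empty on every read.`, and consider moving it out of the read model into the create/regenerate responses. Separately, the OIDC and API enums use a real value as zero (`OIDC_AUTH_METHOD_TYPE_BASIC = 0`, `OIDC_TOKEN_TYPE_BEARER = 0`, `API_AUTH_METHOD_TYPE_BASIC = 0`) where `AppState` has `APP_STATE_UNSPECIFIED = 0`, so an omitted field silently selects a concrete authentication method.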
@@ -0,0 +1,669 @@ +syntax = "proto3"; + +import "zitadel/user.proto"; +import "zitadel/org.proto"; +import "zitadel/change.proto"; +import "zitadel/object.proto"; +import "zitadel/options.proto"; +import "zitadel/policy.proto"; +import "zitadel/idp.proto"; +import "validate/validate.proto"; +import "google/api/annotations.proto"; +import "google/protobuf/timestamp.proto"; +import "protoc-gen-openapiv2/options/annotations.proto"; + +package zitadel.auth.v1; + +option go_package ="github.com/caos/zitadel/pkg/grpc/auth"; + +option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = { + info: { + title: "auth service"; + version: "1.0"; + contact:{ + url: "https://github.com/caos/zitadel/api/auth" //TODO: should be swagger path + }; + }; + + schemes: HTTPS; + + consumes: "application/json"; + consumes: "application/grpc"; + + produces: "application/json"; + produces: "application/grpc"; +}; + + +service AuthService { + rpc Healthz(HealthzRequest) returns (HealthzResponse) { + option (google.api.http) = { + get: "/healthz" + }; + } + + rpc GetMyUser(GetMyUserRequest) returns (GetMyUserResponse) { + option (google.api.http) = { + get: "/users/me" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc ListMyUserChanges(ListMyUserChangesRequest) returns (ListMyUserChangesResponse) { + option (google.api.http) = { + post: "/users/me/changes/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc ListMyUserSessions(ListMyUserSessionsRequest) returns (ListMyUserSessionsResponse) { + option (google.api.http) = { + post: "/users/me/sessions/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc UpdateMyUserName(UpdateMyUserNameRequest) returns (UpdateMyUserNameResponse) { + option (google.api.http) = { + put: "/users/me/username" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc 
GetMyPasswordComplexityPolicy(GetMyPasswordComplexityPolicyRequest) returns (GetMyPasswordComplexityPolicyResponse) { + option (google.api.http) = { + get: "/policies/passwords/complexity" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc UpdateMyPassword(UpdateMyPasswordRequest) returns (UpdateMyPasswordResponse) { + option (google.api.http) = { + put: "/users/me/password" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc GetMyProfile(GetMyProfileRequest) returns (GetMyProfileResponse) { + option (google.api.http) = { + get: "/users/me/profile" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc UpdateMyProfile(UpdateMyProfileRequest) returns (UpdateMyProfileResponse) { + option (google.api.http) = { + put: "/users/me/profile" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc GetMyEmail(GetMyEmailRequest) returns (GetMyEmailResponse) { + option (google.api.http) = { + get: "/users/me/email" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc SetMyEmail(SetMyEmailRequest) returns (SetMyEmailResponse) { + option (google.api.http) = { + put: "/users/me/email" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc VerifyMyEmail(VerifyMyEmailRequest) returns (VerifyMyEmailResponse) { + option (google.api.http) = { + post: "/users/me/email/_verify" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc ResendMyEmailVerification(ResendMyEmailVerificationRequest) returns (ResendMyEmailVerificationResponse) { + option (google.api.http) = { + post: "/users/me/email/_resend_verification" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc GetMyPhone(GetMyPhoneRequest) returns (GetMyPhoneResponse) { + 
option (google.api.http) = { + get: "/users/me/phone" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc SetMyPhone(SetMyPhoneRequest) returns (SetMyPhoneResponse) { + option (google.api.http) = { + put: "/users/me/phone" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc VerifyMyPhone(VerifyMyPhoneRequest) returns (VerifyMyPhoneResponse) { + option (google.api.http) = { + post: "/users/me/phone/_verify" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc ResendMyPhoneVerification(ResendMyPhoneVerificationRequest) returns (ResendMyPhoneVerificationResponse) { + option (google.api.http) = { + post: "/users/me/phone/_resend_verification" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc RemoveMyPhone(RemoveMyPhoneRequest) returns (RemoveMyPhoneResponse) { + option (google.api.http) = { + delete: "/users/me/phone" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc ListMyLinkedIDPs(ListMyLinkedIDPsRequest) returns (ListMyLinkedIDPsResponse) { + option (google.api.http) = { + post: "/users/me/idps/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc RemoveMyLinkedIDP(RemoveMyLinkedIDPRequest) returns (RemoveMyLinkedIDPResponse) { + option (google.api.http) = { + delete: "/users/me/idps/{idp_id}/{linked_user_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc ListMyAuthFactors(ListMyAuthFactorsRequest) returns (ListMyAuthFactorsResponse) { + option (google.api.http) = { + post: "/users/me/auth_factors/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc AddMyAuthFactorOTP(AddMyAuthFactorOTPRequest) returns (AddMyAuthFactorOTPResponse) { + option (google.api.http) = { + post: 
"/users/me/auth_factors/otp" + body: "*" + }; + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc VerifyMyAuthFactorOTP(VerifyMyAuthFactorOTPRequest) returns (VerifyMyAuthFactorOTPResponse) { + option (google.api.http) = { + post: "/users/me/auth_factors/otp/_verify" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc RemoveMyAuthFactorOTP(RemoveMyAuthFactorOTPRequest) returns (RemoveMyAuthFactorOTPResponse) { + option (google.api.http) = { + delete: "/users/me/auth_factors/otp" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc AddMyAuthFactorU2F(AddMyAuthFactorU2FRequest) returns (AddMyAuthFactorU2FResponse) { + option (google.api.http) = { + post: "/users/me/auth_factors/u2f" + body: "*" + }; + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc VerifyMyAuthFactorU2F(VerifyMyAuthFactorU2FRequest) returns (VerifyMyAuthFactorU2FResponse) { + option (google.api.http) = { + post: "/users/me/auth_factors/u2f/_verify" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc RemoveMyAuthFactorU2F(RemoveMyAuthFactorU2FRequest) returns (RemoveMyAuthFactorU2FResponse) { + option (google.api.http) = { + delete: "/users/me/auth_factors/u2f/{token_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc ListMyPasswordless(ListMyPasswordlessRequest) returns (ListMyPasswordlessResponse) { + option (google.api.http) = { + post: "/users/me/passwordless/_search" + }; + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc AddMyPasswordless(AddMyPasswordlessRequest) returns (AddMyPasswordlessResponse) { + option (google.api.http) = { + post: "/users/me/passwordless" + body: "*" + }; + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc 
VerifyMyPasswordless(VerifyMyPasswordlessRequest) returns (VerifyMyPasswordlessResponse) { + option (google.api.http) = { + post: "/users/me/passwordless/_verify" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc RemoveMyPasswordless(RemoveMyPasswordlessRequest) returns (RemoveMyPasswordlessResponse) { + option (google.api.http) = { + delete: "/users/me/passwordless/{token_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc ListMyUserGrants(ListMyUserGrantsRequest) returns (ListMyUserGrantsResponse) { + option (google.api.http) = { + post: "/usergrants/me/_search" + body: "*" + }; + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc ListMyProjectOrgs(ListMyProjectOrgsRequest) returns (ListMyProjectOrgsResponse) { + option (google.api.http) = { + post: "/global/projectorgs/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc ListMyZitadelPermissions(ListMyZitadelPermissionsRequest) returns (ListMyZitadelPermissionsResponse) { + option (google.api.http) = { + post: "/permissions/zitadel/me/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc ListMyProjectPermissions(ListMyProjectPermissionsRequest) returns (ListMyProjectPermissionsResponse) { + option (google.api.http) = { + post: "/permissions/me/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } +} + +message HealthzRequest {} + +message HealthzResponse {} + +//GetMyUserRequest is an empty request +// the request parameters are read from the token-header +message GetMyUserRequest {} + +message GetMyUserResponse { + zitadel.user.v1.User user = 1; + google.protobuf.Timestamp last_login = 2; +} + +message ListMyUserChangesRequest { + zitadel.v1.ListQuery query = 1; +} + +message ListMyUserChangesResponse { + zitadel.v1.ListDetails details = 
1; + repeated zitadel.change.v1.Change result = 2; +} + +message ListMyUserSessionsRequest {} + +message ListMyUserSessionsResponse { + repeated zitadel.user.v1.Session result = 1; +} + +message UpdateMyUserNameRequest { + string user_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message UpdateMyUserNameResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetMyPasswordComplexityPolicyRequest {} + +message GetMyPasswordComplexityPolicyResponse { + zitadel.policy.v1.PasswordComplexityPolicy policy = 1; +} + +message UpdateMyPasswordRequest { + string old_password = 1 [(validate.rules).string = {min_len: 1, max_bytes: 70}]; + string new_password = 2 [(validate.rules).string = {min_len: 1, max_bytes: 70}]; +} + +message UpdateMyPasswordResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetMyProfileRequest {} + +message GetMyProfileResponse { + zitadel.v1.ObjectDetails details = 1; + zitadel.user.v1.Profile profile = 2; +} + +message UpdateMyProfileRequest { + string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string nick_name = 3 [(validate.rules).string = {max_len: 200}]; + string display_name = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string preferred_language = 5 [(validate.rules).string = {max_len: 10}]; + zitadel.user.v1.Gender gender = 6; +} + +message UpdateMyProfileResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetMyEmailRequest {} + +message GetMyEmailResponse { + zitadel.v1.ObjectDetails details = 1; + zitadel.user.v1.Email email = 2; +} + +message SetMyEmailRequest { + string email = 1 [(validate.rules).string.email = true]; //TODO: check if no value is allowed +} + +message SetMyEmailResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message VerifyMyEmailRequest { + string code = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message 
VerifyMyEmailResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ResendMyEmailVerificationRequest {} + +message ResendMyEmailVerificationResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetMyPhoneRequest {} + +message GetMyPhoneResponse { + zitadel.v1.ObjectDetails details = 1; + zitadel.user.v1.Phone phone = 2; +} + +message SetMyPhoneRequest { + string phone = 1 [(validate.rules).string = {min_len: 1, max_len: 50, prefix: "+"}]; +} + +message SetMyPhoneResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message VerifyMyPhoneRequest { + string code = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message VerifyMyPhoneResponse {} + +message ResendMyPhoneVerificationRequest {} + +message ResendMyPhoneVerificationResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message RemoveMyPhoneRequest {} + +message RemoveMyPhoneResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ListMyLinkedIDPsRequest { + zitadel.v1.ListQuery query = 1; + //PLANNED: queries for idp name and login name +} + +message ListMyLinkedIDPsResponse { + zitadel.v1.ListDetails details = 1; + repeated zitadel.idp.v1.IDPUserLink result = 2; +} + +message RemoveMyLinkedIDPRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string linked_user_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message RemoveMyLinkedIDPResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ListMyAuthFactorsRequest {} + +message ListMyAuthFactorsResponse { + repeated zitadel.user.v1.AuthFactor result = 1; +} + +message AddMyAuthFactorU2FRequest {} + +message AddMyAuthFactorU2FResponse { + zitadel.user.v1.WebAuthNKey key = 1; + zitadel.v1.ObjectDetails details = 2; +} + +message AddMyAuthFactorOTPRequest {} + +message AddMyAuthFactorOTPResponse { + string url = 1; + string secret = 2; + zitadel.v1.ObjectDetails details = 3; +} + +message VerifyMyAuthFactorOTPRequest { + string code = 1 
[(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message VerifyMyAuthFactorOTPResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message VerifyMyAuthFactorU2FRequest { + zitadel.user.v1.WebAuthNVerification verification = 1 [(validate.rules).message.required = true]; +} + +message VerifyMyAuthFactorU2FResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message RemoveMyAuthFactorOTPRequest {} + +message RemoveMyAuthFactorOTPResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message RemoveMyAuthFactorU2FRequest { + string token_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message RemoveMyAuthFactorU2FResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ListMyPasswordlessRequest {} + +message ListMyPasswordlessResponse { + repeated zitadel.user.v1.WebAuthNToken result = 1; +} + +message AddMyPasswordlessRequest {} + +message AddMyPasswordlessResponse { + zitadel.user.v1.WebAuthNKey key = 1; + zitadel.v1.ObjectDetails details = 2; +} + +message VerifyMyPasswordlessRequest { + zitadel.user.v1.WebAuthNVerification verification = 1 [(validate.rules).message.required = true]; +} + +message VerifyMyPasswordlessResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message RemoveMyPasswordlessRequest { + string token_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message RemoveMyPasswordlessResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ListMyUserGrantsRequest { + zitadel.v1.ListQuery query = 1; +} + +message ListMyUserGrantsResponse { + zitadel.v1.ListDetails details = 1; + repeated UserGrant result = 2; +} + +message UserGrant { + string org_id = 1; + string project_id = 2; + string user_id = 3; + repeated string roles = 4; + string org_name = 5; + string grant_id = 6; +} + +message ListMyProjectOrgsRequest { + zitadel.v1.ListQuery query = 1; + repeated zitadel.org.v1.OrgQuery queries = 2; +} + +message ListMyProjectOrgsResponse { + zitadel.v1.ListDetails details = 
1; + repeated zitadel.org.v1.Org result = 2; +} + +message ListMyZitadelPermissionsRequest {} + +message ListMyZitadelPermissionsResponse { + repeated string result = 1; +} + +message ListMyProjectPermissionsRequest {} + +message ListMyProjectPermissionsResponse { + repeated string result = 1; +} \ No newline at end of file diff --git a/proto/zitadel/auth_n_key.proto b/proto/zitadel/auth_n_key.proto new file mode 100644 index 0000000000..15f6f7f9da --- /dev/null +++ b/proto/zitadel/auth_n_key.proto @@ -0,0 +1,20 @@ +syntax = "proto3"; + +import "zitadel/object.proto"; +import "google/protobuf/timestamp.proto"; + +package zitadel.authn.v1; + +option go_package ="github.com/caos/zitadel/pkg/grpc/authn"; + +message Key { + string id = 1; + zitadel.v1.ObjectDetails details = 2; + KeyType type = 3; + google.protobuf.Timestamp expiration_date = 4; +} + +enum KeyType { + KEY_TYPE_UNSPECIFIED = 0; + KEY_TYPE_JSON = 1; +} \ No newline at end of file diff --git a/proto/zitadel/change.proto b/proto/zitadel/change.proto new file mode 100644 index 0000000000..98d5915142 --- /dev/null +++ b/proto/zitadel/change.proto @@ -0,0 +1,17 @@ +syntax = "proto3"; + +import "google/protobuf/timestamp.proto"; +import "zitadel/message.proto"; + +package zitadel.change.v1; + +option go_package ="github.com/caos/zitadel/pkg/grpc/change"; + +message Change { + google.protobuf.Timestamp change_date = 1; + zitadel.v1.LocalizedMessage event_type = 2; + uint64 sequence = 3; + string editor_id = 4; + string editor_display_name = 5; + string resource_owner_id = 6; +} \ No newline at end of file diff --git a/proto/zitadel/idp.proto b/proto/zitadel/idp.proto new file mode 100644 index 0000000000..d14eb8e94d --- /dev/null +++ b/proto/zitadel/idp.proto 
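Review bot: In auth.proto the rpcs that weaken an account's authentication (`RemoveMyAuthFactorOTP`, `RemoveMyAuthFactorU2F`, `RemoveMyPasswordless`, `SetMyEmail`, `SetMyPhone`) require only `permission: "authenticated"`. Their request messages are empty or carry just a `token_id` or the new value, so the API has no field through which the caller can prove identity again. `UpdateMyPasswordRequest` in the same file does ask for `old_password`. Whether the handlers check session age or a recently verified factor cannot be seen from the proto. If they do, say so in a comment on each rpc (for example `// requires a recently verified session, enforced in the handler`); otherwise consider a step-up requirement so that possession of an access token alone is not enough to drop a second factor.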
@@ -0,0 +1,90 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+import "validate/validate.proto";
+
+package zitadel.idp.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/idp";
+
+message IDP {
+ string id = 1;
+ zitadel.v1.ObjectDetails details = 2;
+ IDPState state = 3;
+ string name = 4;
+ IDPStylingType styling_type = 5;
+ IDPOwnerType owner = 6;
+ oneof config {
+ OIDCConfig oidc_config = 7;
+ }
+}
+
+message IDPUserLink {
+ string user_id = 1;
+ string idp_id = 2;
+ string idp_name = 3;
+ string provided_user_id = 4;
+ string provided_user_name = 5;
+ IDPType idp_type = 6;
+}
+
+message IDPLoginPolicyLink {
+ string idp_id = 1;
+ string idp_name = 2;
+ IDPType idp_type = 3;
+}
+
+enum IDPState {
+ IDP_STATE_UNSPECIFIED = 0;
+ IDP_STATE_ACTIVE = 1;
+ IDP_STATE_INACTIVE = 2;
+}
+
+enum IDPStylingType {
+ STYLING_TYPE_UNSPECIFIED = 0;
+ STYLING_TYPE_GOOGLE = 1;
+}
+
+enum IDPType {
+ IDP_TYPE_UNSPECIFIED = 0;
+ IDP_TYPE_OIDC = 1;
+ //PLANNED: IDP_TYPE_SAML
+}
+
+enum IDPOwnerType {
+ IDP_OWNER_TYPE_UNSPECIFIED = 0;
+ IDP_OWNER_TYPE_SYSTEM = 1;
+ IDP_OWNER_TYPE_ORG = 2;
+}
+
+message OIDCConfig {
+ string client_id = 1;
+ string issuer = 2;
+ repeated string scopes = 3;
+ OIDCMappingField display_name_mapping = 4;
+ OIDCMappingField username_mapping = 5;
+}
+
+enum OIDCMappingField {
+ OIDC_MAPPING_FIELD_UNSPECIFIED = 0;
+ OIDC_MAPPING_FIELD_PREFERRED_USERNAME = 1;
+ OIDC_MAPPING_FIELD_EMAIL = 2;
+}
+
+message IDPIDQuery {
+ string id = 1 [(validate.rules).string = {max_len: 200}];
+}
+
+message IDPNameQuery {
+ string name = 1 [(validate.rules).string = {max_len: 200}];
+ zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message IDPOwnerTypeQuery {
+ IDPOwnerType owner_type = 1 [(validate.rules).enum = {defined_only: true}];
+}
+
+enum IDPFieldName {
+ IDP_FIELD_NAME_UNSPECIFIED = 0;
+ IDP_FIELD_NAME_NAME = 1;
+}
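Review bot: The values of `IDPStylingType` are named `STYLING_TYPE_UNSPECIFIED` and `STYLING_TYPE_GOOGLE`, while every other enum in idp.proto prefixes its values with the enum name (`IDP_STATE_…`, `IDP_TYPE_…`, `IDP_OWNER_TYPE_…`). Enum value names live in the enclosing package scope in protobuf, so the unprefixed names can clash with a later styling enum in `zitadel.idp.v1` and read inconsistently in generated code. I would rename them before the API is published: `IDP_STYLING_TYPE_UNSPECIFIED = 0;` and `IDP_STYLING_TYPE_GOOGLE = 1;`.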
diff --git a/proto/zitadel/management.proto b/proto/zitadel/management.proto
new file mode 100644
index 0000000000..77e48b1059
--- /dev/null
+++ b/proto/zitadel/management.proto
@@ -0,0 +1,3200 @@ +syntax = "proto3"; + +import "zitadel/app.proto"; +import "zitadel/idp.proto"; +import "zitadel/user.proto"; +import "zitadel/object.proto"; +import "zitadel/options.proto"; +import "zitadel/org.proto"; +import "zitadel/member.proto"; +import "zitadel/project.proto"; +import "zitadel/policy.proto"; +import "zitadel/message.proto"; +import "zitadel/change.proto"; +import "zitadel/auth_n_key.proto"; + +import "google/api/annotations.proto"; +import "google/protobuf/timestamp.proto"; +import "google/protobuf/duration.proto"; +import "protoc-gen-openapiv2/options/annotations.proto"; +import "validate/validate.proto"; + + +package zitadel.management.v1; + +option go_package ="github.com/caos/zitadel/pkg/grpc/management"; + +option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = { + swagger: "2.0", + info: { + title: "management api of ZITADEL"; + version: "1.0"; + description: "it's for managing organisation internal and extnernal objects."; + contact:{ + name: "CAOS developers of ZITADEL" + url: "https://zitadel.ch" + email: "hi@caos.ch" //TODO: is there a zitadel@caos.ch? 
+ } + license: { + name: "Apache License 2.0", + url: "https://github.com/caos/zitadel/blob/master/LICENSE" + }; + }; + + schemes: HTTPS; + consumes: "application/json"; + produces: "application/json"; + + consumes: "application/grpc"; + produces: "application/grpc"; + + consumes: "application/grpc-web+proto"; + produces: "application/grpc-web+proto"; + + + external_docs: { + description: "Detailed information about ZITADEL", + url: "https://docs.zitadel.ch" + } +}; + + +service ManagementService { + rpc Healthz(HealthzRequest) returns (HealthzResponse) { + option (google.api.http) = { + get: "/healthz" + }; + } + + rpc GetOIDCInformation(GetOIDCInformationRequest) returns (GetOIDCInformationResponse) { + option (google.api.http) = { + get: "/zitadel/docs" + }; + } + + // GetIam returns some needed settings of the iam (Global Organisation ID, Zitadel Project ID) + rpc GetIAM(GetIAMRequest) returns (GetIAMResponse) { + option (google.api.http) = { + get: "/iam" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc GetUserByID(GetUserByIDRequest) returns (GetUserByIDResponse) { + option (google.api.http) = { + get: "/users/{id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.read" + }; + } + + // GetUserByLoginNameGlobal searches a user over all organisations + // the login name has to match exactly + rpc GetUserByLoginNameGlobal(GetUserByLoginNameGlobalRequest) returns (GetUserByLoginNameGlobalResponse) { + option (google.api.http) = { + get: "/global/users/_by_login_name" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.global.read" + }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + summary: "Search a user within all organisations by it's loginname"; + description: "The request only returns data if the login name matches exactly." 
+ tags: "user"; + tags: "global"; + responses: { + key: "200" + value: { + description: "OK"; + } + //TODO: errors + }; + }; + } + + // Limit should always be set, there is a default limit set by the service + rpc ListUsers(ListUsersRequest) returns (ListUsersResponse) { + option (google.api.http) = { + post: "/users/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.read" + }; + } + + rpc ListUserChanges(ListUserChangesRequest) returns (ListUserChangesResponse) { + option (google.api.http) = { + post: "/users/{user_id}/changes/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.read" + }; + } + + rpc IsUserUnique(IsUserUniqueRequest) returns (IsUserUniqueResponse) { + option (google.api.http) = { + get: "/users/_is_unique" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.read" + }; + } + + rpc AddHumanUser(AddHumanUserRequest) returns (AddHumanUserResponse) { + option (google.api.http) = { + post: "/users/human" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc AddMachineUser(AddMachineUserRequest) returns (AddMachineUserResponse) { + option (google.api.http) = { + post: "/users/machine" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc DeactivateUser(DeactivateUserRequest) returns (DeactivateUserResponse) { + option (google.api.http) = { + post: "/users/{id}/_deactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc ReactivateUser(ReactivateUserRequest) returns (ReactivateUserResponse) { + option (google.api.http) = { + post: "/users/{id}/_reactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc LockUser(LockUserRequest) returns (LockUserResponse) { + option (google.api.http) = { + post: "/users/{id}/_lock" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: 
"user.write" + }; + } + + rpc UnlockUser(UnlockUserRequest) returns (UnlockUserResponse) { + option (google.api.http) = { + post: "/users/{id}/_unlock" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc RemoveUser(RemoveUserRequest) returns (RemoveUserResponse) { + option (google.api.http) = { + delete: "/users/{id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.delete" + }; + } + + rpc UpdateUserName(UpdateUserNameRequest) returns (UpdateUserNameResponse) { + option (google.api.http) = { + get: "/users/{user_id}/username" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc GetHumanProfile(GetHumanProfileRequest) returns (GetHumanProfileResponse) { + option (google.api.http) = { + get: "/users/{user_id}/profile" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.read" + }; + } + + rpc UpdateHumanProfile(UpdateHumanProfileRequest) returns (UpdateHumanProfileResponse) { + option (google.api.http) = { + put: "/users/{user_id}/profile" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc GetHumanEmail(GetHumanEmailRequest) returns (GetHumanEmailResponse) { + option (google.api.http) = { + get: "/users/{user_id}/email" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.read" + }; + } + + rpc UpdateHumanEmail(UpdateHumanEmailRequest) returns (UpdateHumanEmailResponse) { + option (google.api.http) = { + put: "/users/{user_id}/email" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc ResendHumanInitialization(ResendHumanInitializationRequest) returns (ResendHumanInitializationResponse) { + option (google.api.http) = { + post: "/users/{user_id}/_resend_initialization" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc ResendHumanEmailVerification(ResendHumanEmailVerificationRequest) returns 
(ResendHumanEmailVerificationResponse) { + option (google.api.http) = { + post: "/users/{user_id}/email/_resend_verification" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc GetHumanPhone(GetHumanPhoneRequest) returns (GetHumanPhoneResponse) { + option (google.api.http) = { + get: "/users/{user_id}/phone" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.read" + }; + } + + rpc UpdateHumanPhone(UpdateHumanPhoneRequest) returns (UpdateHumanPhoneResponse) { + option (google.api.http) = { + put: "/users/{user_id}/phone" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc RemoveHumanPhone(RemoveHumanPhoneRequest) returns (RemoveHumanPhoneResponse) { + option (google.api.http) = { + delete: "/users/{user_id}/phone" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc ResendHumanPhoneVerification(ResendHumanPhoneVerificationRequest) returns (ResendHumanPhoneVerificationResponse) { + option (google.api.http) = { + post: "/users/{user_id}/phone/_resend_verification" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + // A Manager is only allowed to set an initial password, on the next login the user has to change his password + rpc SetHumanInitialPassword(SetHumanInitialPasswordRequest) returns (SetHumanInitialPasswordResponse) { + option (google.api.http) = { + post: "/users/{user_id}/password/_initialize" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc SendHumanResetPasswordNotification(SendHumanResetPasswordNotificationRequest) returns (SendHumanResetPasswordNotificationResponse) { + option (google.api.http) = { + post: "/users/{user_id}/password/_reset" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc ListHumanAuthFactors(ListHumanAuthFactorsRequest) returns 
(ListHumanAuthFactorsResponse) { + option (google.api.http) = { + post: "/users/{user_id}/auth_factors/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.read" + }; + } + + rpc RemoveHumanAuthFactorOTP(RemoveHumanAuthFactorOTPRequest) returns (RemoveHumanAuthFactorOTPResponse) { + option (google.api.http) = { + delete: "/users/{user_id}/auth_factors/otp" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc RemoveHumanAuthFactorU2F(RemoveHumanAuthFactorU2FRequest) returns (RemoveHumanAuthFactorU2FResponse) { + option (google.api.http) = { + delete: "/users/{user_id}/auth_factors/u2f" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc ListHumanPasswordless(ListHumanPasswordlessRequest) returns (ListHumanPasswordlessResponse) { + option (google.api.http) = { + post: "/users/{user_id}/passwordless/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.read" + }; + } + + rpc RemoveHumanPasswordless(RemoveHumanPasswordlessRequest) returns (RemoveHumanPasswordlessResponse) { + option (google.api.http) = { + delete: "/users/{user_id}/passwordless" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc UpdateMachine(UpdateMachineRequest) returns (UpdateMachineResponse) { + option (google.api.http) = { + put: "/users/{user_id}/machine" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc GetMachineKeyByIDs(GetMachineKeyByIDsRequest) returns (GetMachineKeyByIDsResponse) { + option (google.api.http) = { + post: "/users/{user_id}/keys/{key_id}" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.read" + }; + } + + rpc ListMachineKeys(ListMachineKeysRequest) returns (ListMachineKeysResponse) { + option (google.api.http) = { + post: "/users/{user_id}/keys/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.read" + }; + } + + 
rpc AddMachineKey(AddMachineKeyRequest) returns (AddMachineKeyResponse) { + option (google.api.http) = { + post: "/users/{user_id}/keys" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc RemoveMachineKey(RemoveMachineKeyRequest) returns (RemoveMachineKeyResponse) { + option (google.api.http) = { + delete: "/users/{user_id}/keys/{key_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc ListHumanLinkedIDPs(ListHumanLinkedIDPsRequest) returns (ListHumanLinkedIDPsResponse) { + option (google.api.http) = { + post: "/users/{user_id}/idps/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.read" + }; + } + + rpc RemoveHumanLinkedIDP(RemoveHumanLinkedIDPRequest) returns (RemoveHumanLinkedIDPResponse) { + option (google.api.http) = { + delete: "/users/{user_id}/idps/{idp_id}/{linked_user_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.write" + }; + } + + rpc ListUserMemberships(ListUserMembershipsRequest) returns (ListUserMembershipsResponse) { + option (google.api.http) = { + post: "/users/{user_id}/memberships/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.membership.read" + }; + } + + rpc GetMyOrg(GetMyOrgRequest) returns (GetMyOrgResponse) { + option (google.api.http) = { + get: "/orgs/me" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.read" + }; + } + + rpc GetOrgByDomainGlobal(GetOrgByDomainGlobalRequest) returns (GetOrgByDomainGlobalResponse) { + option (google.api.http) = { + get: "/global/orgs/_by_domain" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.global.read" + }; + } + + rpc ListOrgChanges(ListOrgChangesRequest) returns (ListOrgChangesResponse) { + option (google.api.http) = { + post: "/orgs/me/changes/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.read" + }; + } + + rpc AddOrg(AddOrgRequest) returns (AddOrgResponse) 
{ + option (google.api.http) = { + post: "/orgs" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.create" + }; + } + + rpc DeactivateOrg(DeactivateOrgRequest) returns (DeactivateOrgResponse) { + option (google.api.http) = { + post: "/orgs/me/_deactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.write" + }; + } + + rpc ReactivateOrg(ReactivateOrgRequest) returns (ReactivateOrgResponse) { + option (google.api.http) = { + post: "/orgs/me/_reactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.write" + }; + } + + rpc ListOrgDomains(ListOrgDomainsRequest) returns (ListOrgDomainsResponse) { + option (google.api.http) = { + post: "/orgs/me/domains/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.read" + }; + } + + rpc AddOrgDomain(AddOrgDomainRequest) returns (AddOrgDomainResponse) { + option (google.api.http) = { + post: "/orgs/me/domains" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.write" + }; + } + + rpc RemoveOrgDomain(RemoveOrgDomainRequest) returns (RemoveOrgDomainResponse) { + option (google.api.http) = { + delete: "/orgs/me/domains/{domain}" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.write" + }; + } + + rpc GenerateOrgDomainValidation(GenerateOrgDomainValidationRequest) returns (GenerateOrgDomainValidationResponse) { + option (google.api.http) = { + post: "/orgs/me/domains/{domain}/validation/_generate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.write" + }; + } + + rpc ValidateOrgDomain(ValidateOrgDomainRequest) returns (ValidateOrgDomainResponse) { + option (google.api.http) = { + post: "/orgs/me/domains/{domain}/validation/_validate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.write" + }; + } + + rpc SetPrimaryOrgDomain(SetPrimaryOrgDomainRequest) returns (SetPrimaryOrgDomainResponse) { + option (google.api.http) = { 
+ post: "/orgs/me/domains/{domain}/_set_primary" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.write" + }; + } + + rpc ListOrgMemberRoles(ListOrgMemberRolesRequest) returns (ListOrgMemberRolesResponse) { + option (google.api.http) = { + post: "/orgs/members/roles/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.member.read" + }; + } + + rpc ListOrgMembers(ListOrgMembersRequest) returns (ListOrgMembersResponse) { + option (google.api.http) = { + post: "/orgs/me/members/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.member.read" + }; + } + + rpc AddOrgMember(AddOrgMemberRequest) returns (AddOrgMemberResponse) { + option (google.api.http) = { + post: "/orgs/me/members" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.member.write" + }; + } + + rpc UpdateOrgMember(UpdateOrgMemberRequest) returns (UpdateOrgMemberResponse) { + option (google.api.http) = { + put: "/orgs/me/members/{user_id}" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.member.write" + }; + } + + rpc RemoveOrgMember(RemoveOrgMemberRequest) returns (RemoveOrgMemberResponse) { + option (google.api.http) = { + delete: "/orgs/me/members/{user_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.member.delete" + }; + } + + rpc GetProjectByID(GetProjectByIDRequest) returns (GetProjectByIDResponse) { + option (google.api.http) = { + get: "/projects/{id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.read" + check_field_name: "Id" + }; + } + + // returns a project my organisation got granted from another organisation + rpc GetGrantedProjectByID(GetGrantedProjectByIDRequest) returns (GetGrantedProjectByIDResponse) { + option (google.api.http) = { + get: "/granted_projects/{project_id}/grants/{grant_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.read" + check_field_name: "Id" + }; + } + + rpc 
ListProjects(ListProjectsRequest) returns (ListProjectsResponse) { + option (google.api.http) = { + post: "/projects/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.read" + }; + } + + // returns all projects my organisation got granted from another organisation + rpc ListGrantedProjects(ListGrantedProjectsRequest) returns (ListGrantedProjectsResponse) { + option (google.api.http) = { + post: "/granted_projects/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.read" + }; + } + + rpc ListProjectChanges(ListProjectChangesRequest) returns (ListProjectChangesResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/changes/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.read" + }; + } + + rpc AddProject(AddProjectRequest) returns (AddProjectResponse) { + option (google.api.http) = { + post: "/projects" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.create" + }; + } + + rpc UpdateProject(UpdateProjectRequest) returns (UpdateProjectResponse) { + option (google.api.http) = { + put: "/projects/{id}" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.write" + check_field_name: "Id" + }; + } + + rpc DeactivateProject(DeactivateProjectRequest) returns (DeactivateProjectResponse) { + option (google.api.http) = { + post: "/projects/{id}/_deactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.write" + check_field_name: "Id" + }; + } + + rpc ReactivateProject(ReactivateProjectRequest) returns (ReactivateProjectResponse) { + option (google.api.http) = { + post: "/projects/{id}/_reactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.write" + check_field_name: "Id" + }; + } + + rpc RemoveProject(RemoveProjectRequest) returns (RemoveProjectResponse) { + option (google.api.http) = { + delete: "/projects/{id}" + }; + + option 
(zitadel.v1.auth_option) = { + permission: "project.delete" + check_field_name: "Id" + }; + } + + rpc ListProjectRoles(ListProjectRolesRequest) returns (ListProjectRolesResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/roles/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.role.read" + check_field_name: "ProjectId" + }; + } + + rpc AddProjectRole(AddProjectRoleRequest) returns (AddProjectRoleResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/roles" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.role.write" + check_field_name: "Id" + }; + } + + // add a list of project roles in one request + rpc BulkAddProjectRoles(BulkAddProjectRolesRequest) returns (BulkAddProjectRolesResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/roles/_bulk" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.role.write" + check_field_name: "Id" + }; + } + + rpc UpdateProjectRole(UpdateProjectRoleRequest) returns (UpdateProjectRoleResponse) { + option (google.api.http) = { + put: "/projects/{project_id}/roles/{role_key}" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.role.write" + check_field_name: "Id" + }; + } + + // RemoveProjectRole removes role from UserGrants, ProjectGrants and from Project + rpc RemoveProjectRole(RemoveProjectRoleRequest) returns (RemoveProjectRoleResponse) { + option (google.api.http) = { + delete: "/projects/{project_id}/roles/{role_key}" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.role.delete" + check_field_name: "Id" + }; + } + + rpc ListProjectMemberRoles(ListProjectMemberRolesRequest) returns (ListProjectMemberRolesResponse) { + option (google.api.http) = { + post: "/projects/members/roles/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.member.read" + }; + } + + rpc 
ListProjectMembers(ListProjectMembersRequest) returns (ListProjectMembersResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/members/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.member.read" + check_field_name: "ProjectId" + }; + } + + rpc AddProjectMember(AddProjectMemberRequest) returns (AddProjectMemberResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/members" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.member.write" + check_field_name: "Id" + }; + } + + rpc UpdateProjectMember(UpdateProjectMemberRequest) returns (UpdateProjectMemberResponse) { + option (google.api.http) = { + put: "/projects/{project_id}/members/{user_id}" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.member.write" + check_field_name: "Id" + }; + } + + rpc RemoveProjectMember(RemoveProjectMemberRequest) returns (RemoveProjectMemberResponse) { + option (google.api.http) = { + delete: "/projects/{project_id}/members/{user_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.member.delete" + check_field_name: "Id" + }; + } + + rpc GetAppByID(GetAppByIDRequest) returns (GetAppByIDResponse) { + option (google.api.http) = { + get: "/projects/{project_id}/apps/{app_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.read" + check_field_name: "ProjectId" + }; + } + + rpc ListApps(ListAppsRequest) returns (ListAppsResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/apps/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.read" + check_field_name: "ProjectId" + }; + } + + rpc ListAppChanges(ListAppChangesRequest) returns (ListAppChangesResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/apps/{app_id}/changes/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.read" + check_field_name: 
"ProjectId" + }; + } + + rpc AddOIDCApp(AddOIDCAppRequest) returns (AddOIDCAppResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/apps/oidc" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.write" + check_field_name: "ProjectId" + }; + } + + rpc AddAPIApp(AddAPIAppRequest) returns (AddAPIAppResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/apps/api" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.write" + check_field_name: "ProjectId" + }; + } + + rpc UpdateApp(UpdateAppRequest) returns (UpdateAppResponse) { + option (google.api.http) = { + put: "/projects/{project_id}/apps/{app_id}" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.write" + check_field_name: "ProjectId" + }; + } + + rpc UpdateOIDCAppConfig(UpdateOIDCAppConfigRequest) returns (UpdateOIDCAppConfigResponse) { + option (google.api.http) = { + put: "/projects/{project_id}/apps/{app_id}/oidc_config" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.write" + check_field_name: "ProjectId" + }; + } + + rpc UpdateAPIAppConfig(UpdateAPIAppConfigRequest) returns (UpdateAPIAppConfigResponse) { + option (google.api.http) = { + put: "/projects/{project_id}/apps/{app_id}/api_config" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.write" + check_field_name: "ProjectId" + }; + } + + rpc DeactivateApp(DeactivateAppRequest) returns (DeactivateAppResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/apps/{app_id}/_deactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.write" + check_field_name: "ProjectId" + }; + } + + rpc ReactivateApp(ReactivateAppRequest) returns (ReactivateAppResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/apps/{app_id}/_reactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + 
permission: "project.app.write" + check_field_name: "ProjectId" + }; + } + + rpc RemoveApp(RemoveAppRequest) returns (RemoveAppResponse) { + option (google.api.http) = { + delete: "/projects/{project_id}/apps/{app_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.delete" + check_field_name: "ProjectId" + }; + } + + rpc RegenerateOIDCClientSecret(RegenerateOIDCClientSecretRequest) returns (RegenerateOIDCClientSecretResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/apps/{app_id}/oidc_config/_generate_client_secret" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.write" + check_field_name: "ProjectId" + }; + } + + rpc RegenerateAPIClientSecret(RegenerateAPIClientSecretRequest) returns (RegenerateAPIClientSecretResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/apps/{app_id}/api_config/_generate_client_secret" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.write" + check_field_name: "ProjectId" + }; + } + + rpc GetAppKey(GetAppKeyRequest) returns (GetAppKeyResponse) { + option (google.api.http) = { + get: "/projects/{project_id}/apps/{app_id}/keys/{key_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.read" + check_field_name: "ProjectId" + }; + } + + rpc ListAppKeys(ListAppKeysRequest) returns (ListAppKeysResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/apps/{app_id}/keys/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.read" + check_field_name: "ProjectId" + }; + } + + rpc AddAppKey(AddAppKeyRequest) returns (AddAppKeyResponse){ + option (google.api.http) = { + post: "/projects/{project_id}/apps/{app_id}/keys" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.write" + check_field_name: "ProjectId" + }; + } + + rpc RemoveAppKey(RemoveAppKeyRequest) returns (RemoveAppKeyResponse) { + option 
(google.api.http) = { + delete: "/projects/{project_id}/apps/{app_id}/keys/{key_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.app.write" + check_field_name: "ProjectId" + }; + } + + rpc GetProjectGrantByID(GetProjectGrantByIDRequest) returns (GetProjectGrantByIDResponse) { + option (google.api.http) = { + get: "/projects/{project_id}/grants/{grant_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.grant.read" + }; + } + + rpc ListProjectGrants(ListProjectGrantsRequest) returns (ListProjectGrantsResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/grants/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.grant.read" + check_field_name: "ProjectId" + }; + } + + rpc AddProjectGrant(AddProjectGrantRequest) returns (AddProjectGrantResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/grants" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.grant.write" + }; + } + + rpc UpdateProjectGrant(UpdateProjectGrantRequest) returns (UpdateProjectGrantResponse) { + option (google.api.http) = { + put: "/projects/{project_id}/grants/{grant_id}" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.grant.write" + }; + } + + rpc DeactivateProjectGrant(DeactivateProjectGrantRequest) returns (DeactivateProjectGrantResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/grants/{grant_id}/_deactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.grant.write" + }; + } + + rpc ReactivateProjectGrant(ReactivateProjectGrantRequest) returns (ReactivateProjectGrantResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/grants/{grant_id}/_reactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.grant.write" + }; + } + + // RemoveProjectGrant removes project grant and all user grants for this project grant 
+ rpc RemoveProjectGrant(RemoveProjectGrantRequest) returns (RemoveProjectGrantResponse) { + option (google.api.http) = { + delete: "/projects/{project_id}/grants/{grant_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.grant.delete" + }; + } + + rpc ListProjectGrantMemberRoles(ListProjectGrantMemberRolesRequest) returns (ListProjectGrantMemberRolesResponse) { + option (google.api.http) = { + post: "/projects/grants/members/roles/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.grant.member.read" + }; + } + + rpc ListProjectGrantMembers(ListProjectGrantMembersRequest) returns (ListProjectGrantMembersResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/grants/{grant_id}/members/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.grant.member.read" + }; + } + + rpc AddProjectGrantMember(AddProjectGrantMemberRequest) returns (AddProjectGrantMemberResponse) { + option (google.api.http) = { + post: "/projects/{project_id}/grants/{grant_id}/members" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.grant.member.write" + }; + } + + rpc UpdateProjectGrantMember(UpdateProjectGrantMemberRequest) returns (UpdateProjectGrantMemberResponse) { + option (google.api.http) = { + put: "/projects/{project_id}/grants/{grant_id}/members/{user_id}" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.grant.member.write" + }; + } + + rpc RemoveProjectGrantMember(RemoveProjectGrantMemberRequest) returns (RemoveProjectGrantMemberResponse) { + option (google.api.http) = { + delete: "/projects/{project_id}/grants/{grant_id}/members/{user_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "project.grant.member.delete" + }; + } + + rpc GetUserGrantByID(GetUserGrantByIDRequest) returns (GetUserGrantByIDResponse) { + option (google.api.http) = { + get: "/users/{user_id}/grants/{grant_id}" + }; + + option 
(zitadel.v1.auth_option) = { + permission: "user.grant.read" + }; + } + + rpc ListUserGrants(ListUserGrantRequest) returns (ListUserGrantResponse) { + option (google.api.http) = { + post: "/users/grants/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.grant.read" + }; + } + + rpc AddUserGrant(AddUserGrantRequest) returns (AddUserGrantResponse) { + option (google.api.http) = { + post: "/users/{user_id}/grants" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.grant.write" + }; + } + + rpc UpdateUserGrant(UpdateUserGrantRequest) returns (UpdateUserGrantResponse) { + option (google.api.http) = { + put: "/users/{user_id}/grants/{grant_id}" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.grant.write" + }; + } + + rpc DeactivateUserGrant(DeactivateUserGrantRequest) returns (DeactivateUserGrantResponse) { + option (google.api.http) = { + post: "/users/{user_id}/grants/{grant_id}/_deactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.grant.write" + }; + } + + rpc ReactivateUserGrant(ReactivateUserGrantRequest) returns (ReactivateUserGrantResponse) { + option (google.api.http) = { + post: "/users/{user_id}/grants/{grant_id}/_reactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.grant.write" + }; + } + + rpc RemoveUserGrant(RemoveUserGrantRequest) returns (RemoveUserGrantResponse) { + option (google.api.http) = { + delete: "/users/{user_id}/grants/{grant_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.grant.delete" + }; + } + + // remove a list of user grants in one request + rpc BulkRemoveUserGrant(BulkRemoveUserGrantRequest) returns (BulkRemoveUserGrantResponse) { + option (google.api.http) = { + delete: "/user_grants/_bulk" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "user.grant.delete" + }; + } + + rpc GetOrgIAMPolicy(GetOrgIAMPolicyRequest) returns 
(GetOrgIAMPolicyResponse) { + option (google.api.http) = { + get: "/policies/orgiam" + }; + + option (zitadel.v1.auth_option) = { + permission: "authenticated" + }; + } + + rpc GetLoginPolicy(GetLoginPolicyRequest) returns (GetLoginPolicyResponse) { + option (google.api.http) = { + get: "/policies/login" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" + }; + } + + rpc GetDefaultLoginPolicy(GetDefaultLoginPolicyRequest) returns (GetDefaultLoginPolicyResponse) { + option (google.api.http) = { + get: "/policies/default/login" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" + }; + } + + rpc AddCustomLoginPolicy(AddCustomLoginPolicyRequest) returns (AddCustomLoginPolicyResponse) { + option (google.api.http) = { + post: "/policies/login" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc UpdateCustomLoginPolicy(UpdateCustomLoginPolicyRequest) returns (UpdateCustomLoginPolicyResponse) { + option (google.api.http) = { + put: "/policies/login" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc ResetLoginPolicyToDefault(ResetLoginPolicyToDefaultRequest) returns (ResetLoginPolicyToDefaultResponse) { + option (google.api.http) = { + delete: "/policies/login" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.delete" + }; + } + + rpc ListLoginPolicyIDPs(ListLoginPolicyIDPsRequest) returns (ListLoginPolicyIDPsResponse) { + option (google.api.http) = { + post: "/policies/login/idps/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" + }; + } + + rpc AddIDPToLoginPolicy(AddIDPToLoginPolicyRequest) returns (AddIDPToLoginPolicyResponse) { + option (google.api.http) = { + post: "/policies/login/idps" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc RemoveIDPFromLoginPolicy(RemoveIDPFromLoginPolicyRequest) returns 
(RemoveIDPFromLoginPolicyResponse) { + option (google.api.http) = { + delete: "/policies/login/idps/{idp_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc ListLoginPolicySecondFactors(ListLoginPolicySecondFactorsRequest) returns (ListLoginPolicySecondFactorsResponse) { + option (google.api.http) = { + post: "/policies/login/second_factors/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" + }; + } + + rpc AddSecondFactorToLoginPolicy(AddSecondFactorToLoginPolicyRequest) returns (AddSecondFactorToLoginPolicyResponse) { + option (google.api.http) = { + post: "/policies/login/second_factors" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc RemoveSecondFactorFromLoginPolicy(RemoveSecondFactorFromLoginPolicyRequest) returns (RemoveSecondFactorFromLoginPolicyResponse) { + option (google.api.http) = { + delete: "/policies/login/second_factors/{type}" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc ListLoginPolicyMultiFactors(ListLoginPolicyMultiFactorsRequest) returns (ListLoginPolicyMultiFactorsResponse) { + option (google.api.http) = { + post: "/policies/login/auth_factors/_search" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" + }; + } + + rpc AddMultiFactorToLoginPolicy(AddMultiFactorToLoginPolicyRequest) returns (AddMultiFactorToLoginPolicyResponse) { + option (google.api.http) = { + post: "/policies/login/multi_factors" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc RemoveMultiFactorFromLoginPolicy(RemoveMultiFactorFromLoginPolicyRequest) returns (RemoveMultiFactorFromLoginPolicyResponse) { + option (google.api.http) = { + delete: "/policies/login/multi_factors/{type}" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc 
GetPasswordComplexityPolicy(GetPasswordComplexityPolicyRequest) returns (GetPasswordComplexityPolicyResponse) { + option (google.api.http) = { + get: "/policies/password/complexity" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" + }; + } + + rpc GetDefaultPasswordComplexityPolicy(GetDefaultPasswordComplexityPolicyRequest) returns (GetDefaultPasswordComplexityPolicyResponse) { + option (google.api.http) = { + get: "/policies/default/password/complexity" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" + }; + } + + rpc AddCustomPasswordComplexityPolicy(AddCustomPasswordComplexityPolicyRequest) returns (AddCustomPasswordComplexityPolicyResponse) { + option (google.api.http) = { + post: "/policies/password/complexity" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc UpdateCustomPasswordComplexityPolicy(UpdateCustomPasswordComplexityPolicyRequest) returns (UpdateCustomPasswordComplexityPolicyResponse) { + option (google.api.http) = { + put: "/policies/password/complexity" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc ResetPasswordComplexityPolicyToDefault(ResetPasswordComplexityPolicyToDefaultRequest) returns (ResetPasswordComplexityPolicyToDefaultResponse) { + option (google.api.http) = { + delete: "/policies/password/complexity" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.delete" + }; + } + + rpc GetPasswordAgePolicy(GetPasswordAgePolicyRequest) returns (GetPasswordAgePolicyResponse) { + option (google.api.http) = { + get: "/policies/password/age" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" + }; + } + + rpc GetDefaultPasswordAgePolicy(GetDefaultPasswordAgePolicyRequest) returns (GetDefaultPasswordAgePolicyResponse) { + option (google.api.http) = { + get: "/policies/default/password/age" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" 
+ }; + } + + rpc AddCustomPasswordAgePolicy(AddCustomPasswordAgePolicyRequest) returns (AddCustomPasswordAgePolicyResponse) { + option (google.api.http) = { + post: "/policies/password/age" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc UpdateCustomPasswordAgePolicy(UpdateCustomPasswordAgePolicyRequest) returns (UpdateCustomPasswordAgePolicyResponse) { + option (google.api.http) = { + put: "/policies/password/age" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc ResetPasswordAgePolicyToDefault(ResetPasswordAgePolicyToDefaultRequest) returns (ResetPasswordAgePolicyToDefaultResponse) { + option (google.api.http) = { + delete: "/policies/password/age" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.delete" + }; + } + + rpc GetPasswordLockoutPolicy(GetPasswordLockoutPolicyRequest) returns (GetPasswordLockoutPolicyResponse) { + option (google.api.http) = { + get: "/policies/password/lockout" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" + }; + } + + rpc GetDefaultPasswordLockoutPolicy(GetDefaultPasswordLockoutPolicyRequest) returns (GetDefaultPasswordLockoutPolicyResponse) { + option (google.api.http) = { + get: "/policies/default/password/lockout" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.read" + }; + } + + rpc AddCustomPasswordLockoutPolicy(AddCustomPasswordLockoutPolicyRequest) returns (AddCustomPasswordLockoutPolicyResponse) { + option (google.api.http) = { + post: "/policies/password/lockout" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc UpdateCustomPasswordLockoutPolicy(UpdateCustomPasswordLockoutPolicyRequest) returns (UpdateCustomPasswordLockoutPolicyResponse) { + option (google.api.http) = { + put: "/policies/password/lockout" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.write" + }; + } + + rpc 
ResetPasswordLockoutPolicyToDefault(ResetPasswordLockoutPolicyToDefaultRequest) returns (ResetPasswordLockoutPolicyToDefaultResponse) { + option (google.api.http) = { + delete: "/policies/password/lockout" + }; + + option (zitadel.v1.auth_option) = { + permission: "policy.delete" + }; + } + + rpc GetOrgIDPByID(GetOrgIDPByIDRequest) returns (GetOrgIDPByIDResponse) { + option (google.api.http) = { + get: "/idps/{id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.idp.read" + }; + } + + rpc ListOrgIDPs(ListOrgIDPsRequest) returns (ListOrgIDPsResponse) { + option (google.api.http) = { + post: "/idps/_search" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.idp.read" + }; + } + + rpc AddOrgOIDCIDP(AddOrgOIDCIDPRequest) returns (AddOrgOIDCIDPResponse) { + option (google.api.http) = { + post: "/idps/oidc" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.idp.write" + }; + } + + rpc DeactivateOrgIDP(DeactivateOrgIDPRequest) returns (DeactivateOrgIDPResponse) { + option (google.api.http) = { + post: "/idps/{idp_id}/_deactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.idp.write" + }; + } + + rpc ReactivateOrgIDP(ReactivateOrgIDPRequest) returns (ReactivateOrgIDPResponse) { + option (google.api.http) = { + post: "/idps/{idp_id}/_reactivate" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.idp.write" + }; + } + + rpc RemoveOrgIDP(RemoveOrgIDPRequest) returns (RemoveOrgIDPResponse) { + option (google.api.http) = { + delete: "/idps/{idp_id}" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.idp.write" + }; + } + + rpc UpdateOrgIDP(UpdateOrgIDPRequest) returns (UpdateOrgIDPResponse) { + option (google.api.http) = { + put: "/idps/{idp_id}" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.idp.write" + }; + } + + rpc UpdateOrgIDPOIDCConfig(UpdateOrgIDPOIDCConfigRequest) returns (UpdateOrgIDPOIDCConfigResponse) { 
+ option (google.api.http) = { + put: "/idps/{idp_id}/oidc_config" + body: "*" + }; + + option (zitadel.v1.auth_option) = { + permission: "org.idp.write" + }; + } +} + +message HealthzRequest {} + +message HealthzResponse {} + +message GetOIDCInformationRequest {} + +message GetOIDCInformationResponse { + string issuer = 1; + string discovery_endpoint = 2; +} + +message GetIAMRequest {} + +message GetIAMResponse { + string global_org_id = 1; + string iam_project_id = 2; +} + +message GetUserByIDRequest { + string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message GetUserByIDResponse { + zitadel.user.v1.User user = 1; +} + +message GetUserByLoginNameGlobalRequest{ + string login_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message GetUserByLoginNameGlobalResponse { + zitadel.user.v1.User user = 1; +} + +message ListUsersRequest { + zitadel.v1.ListQuery query = 1; + zitadel.user.v1.UserFieldName sorting_column = 2; + repeated zitadel.user.v1.SearchQuery queries = 3; +} + +message ListUsersResponse { + zitadel.v1.ListDetails details = 1; + zitadel.user.v1.UserFieldName sorting_column = 2; + repeated zitadel.user.v1.User result = 3; +} + +message ListUserChangesRequest { + zitadel.v1.ListQuery query = 1; + string user_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message ListUserChangesResponse { + zitadel.v1.ListDetails details = 1; + repeated zitadel.change.v1.Change result = 2; +} + +message IsUserUniqueRequest { + string user_name = 1 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"]; + string email = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message IsUserUniqueResponse { + bool is_unique = 1; +} + +message AddHumanUserRequest { + message Profile { + string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string nick_name = 3 [(validate.rules).string = 
{max_len: 200}]; + string display_name = 4 [(validate.rules).string = {max_len: 200}]; + string preferred_language = 5 [(validate.rules).string = {max_len: 10}]; + zitadel.user.v1.Gender gender = 6; + } + message Email { + string email = 1 [(validate.rules).string.email = true]; //TODO: check if no value is allowed + bool is_email_verified = 2; + } + message Phone { + // has to be a global number + string phone = 1 [(validate.rules).string = {min_len: 1, max_len: 50, prefix: "+"}]; + bool is_phone_verified = 2; + } + + string user_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + + Profile profile = 2 [(validate.rules).message.required = true]; + Email email = 3 [(validate.rules).message.required = true]; + Phone phone = 4; + string initial_password = 5; +} + +message AddHumanUserResponse { + string user_id = 1; + zitadel.v1.ObjectDetails details = 2; +} + +message AddMachineUserRequest { + string user_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + + string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string description = 3 [(validate.rules).string = {max_len: 500}]; +} + +message AddMachineUserResponse { + string user_id = 1; + zitadel.v1.ObjectDetails details = 2; +} + +message DeactivateUserRequest { + string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message DeactivateUserResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ReactivateUserRequest { + string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message ReactivateUserResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message LockUserRequest { + string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message LockUserResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message UnlockUserRequest { + string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message UnlockUserResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message 
RemoveUserRequest {
+ string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveUserResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateUserNameRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string user_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message UpdateUserNameResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetHumanProfileRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetHumanProfileResponse {
+ zitadel.v1.ObjectDetails details = 1;
+ zitadel.user.v1.Profile profile = 2;
+}
+
+message UpdateHumanProfileRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+
+ string first_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string last_name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string nick_name = 4 [(validate.rules).string = {max_len: 200}];
+ string display_name = 5 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string preferred_language = 6 [(validate.rules).string = {max_len: 10}];
+ zitadel.user.v1.Gender gender = 7;
+}
+
+message UpdateHumanProfileResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetHumanEmailRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetHumanEmailResponse {
+ zitadel.v1.ObjectDetails details = 1;
+ zitadel.user.v1.Email email = 2;
+}
+
+message UpdateHumanEmailRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+
+ string email = 2 [(validate.rules).string.email = true];
+ bool is_email_verified = 3;
+}
+
+message UpdateHumanEmailResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ResendHumanInitializationRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string email = 2 [(validate.rules).string.email = true];
+}
+
+message ResendHumanInitializationResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ResendHumanEmailVerificationRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ResendHumanEmailVerificationResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetHumanPhoneRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetHumanPhoneResponse {
+ zitadel.v1.ObjectDetails details = 1;
+ zitadel.user.v1.Phone phone = 2;
+}
+
+message UpdateHumanPhoneRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+
+
+ string phone = 2 [(validate.rules).string = {min_len: 1, max_len: 50, prefix: "+"}];
+ bool is_phone_verified = 3;
+}
+
+message UpdateHumanPhoneResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveHumanPhoneRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveHumanPhoneResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ResendHumanPhoneVerificationRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ResendHumanPhoneVerificationResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message SetHumanInitialPasswordRequest {
+ string user_id = 1 [(validate.rules).string.min_len = 1];
+ string password = 2 [(validate.rules).string = {min_len: 1, max_len: 72}];
+}
+
+message SetHumanInitialPasswordResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message SendHumanResetPasswordNotificationRequest {
+ enum Type {
+ TYPE_EMAIL = 0;
+ TYPE_SMS = 1;
+ }
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ Type type = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message SendHumanResetPasswordNotificationResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListHumanAuthFactorsRequest {
+ string user_id = 1 [(validate.rules).string = {min_len:
1, max_len: 200}];
+}
+
+message ListHumanAuthFactorsResponse {
+ repeated zitadel.user.v1.AuthFactor result = 1;
+}
+
+message RemoveHumanAuthFactorOTPRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveHumanAuthFactorOTPResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveHumanAuthFactorU2FRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string token_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveHumanAuthFactorU2FResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListHumanPasswordlessRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ListHumanPasswordlessResponse {
+ repeated zitadel.user.v1.WebAuthNToken result = 1;
+}
+
+message RemoveHumanPasswordlessRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string token_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveHumanPasswordlessResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateMachineRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string description = 2 [(validate.rules).string.max_len = 500];
+ string name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message UpdateMachineResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetMachineKeyByIDsRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string key_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetMachineKeyByIDsResponse {
+ zitadel.authn.v1.Key key = 1;
+}
+
+message ListMachineKeysRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.v1.ListQuery query = 2;
+}
+
+message ListMachineKeysResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.authn.v1.Key result
= 2;
+}
+
+message AddMachineKeyRequest {
+ string user_id = 1 [(validate.rules).string.min_len = 1];
+ zitadel.authn.v1.KeyType type = 2 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
+ google.protobuf.Timestamp expiration_date = 3;
+}
+
+message AddMachineKeyResponse {
+ string key_id = 1;
+ bytes key_details = 2;
+ zitadel.v1.ObjectDetails details = 3;
+}
+
+message RemoveMachineKeyRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string key_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveMachineKeyResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListHumanLinkedIDPsRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.v1.ListQuery query = 2;
+}
+
+message ListHumanLinkedIDPsResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.idp.v1.IDPUserLink result = 2;
+}
+
+message RemoveHumanLinkedIDPRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string idp_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string linked_user_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveHumanLinkedIDPResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListUserMembershipsRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.v1.ListQuery query = 2;
+ repeated zitadel.user.v1.MembershipQuery queries = 3;
+}
+
+message ListUserMembershipsResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.user.v1.Membership result = 2;
+}
+
+message GetMyOrgRequest {}
+
+message GetMyOrgResponse {
+ zitadel.org.v1.Org org = 1;
+}
+
+message GetOrgByDomainGlobalRequest {
+ string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ListOrgChangesRequest {
+ zitadel.v1.ListQuery query = 1;
+}
+
+message ListOrgChangesResponse {
+ zitadel.v1.ListDetails details =
1;
+ repeated zitadel.change.v1.Change result = 2;
+}
+
+message GetOrgByDomainGlobalResponse {
+ zitadel.org.v1.Org org = 1;
+}
+
+message AddOrgRequest {
+ string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message AddOrgResponse {
+ string id = 1;
+ zitadel.v1.ObjectDetails details = 2;
+}
+
+message DeactivateOrgRequest {}
+
+message DeactivateOrgResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ReactivateOrgRequest {}
+
+message ReactivateOrgResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListOrgDomainsRequest {
+ zitadel.v1.ListQuery query = 1;
+ repeated zitadel.org.v1.DomainSearchQuery queries = 2;
+}
+
+message ListOrgDomainsResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.org.v1.Domain result = 2;
+}
+
+message AddOrgDomainRequest {
+ string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message AddOrgDomainResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveOrgDomainRequest {
+ string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveOrgDomainResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message GenerateOrgDomainValidationRequest {
+ string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.org.v1.DomainValidationType type = 2 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
+}
+
+message GenerateOrgDomainValidationResponse {
+ zitadel.v1.ObjectDetails details = 1;
+ string token = 2;
+ string url = 3;
+}
+
+message ValidateOrgDomainRequest {
+ string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ValidateOrgDomainResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message SetPrimaryOrgDomainRequest {
+ string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message SetPrimaryOrgDomainResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListOrgMemberRolesRequest {}
+
+message
ListOrgMemberRolesResponse {
+ repeated string result = 1;
+}
+
+message ListOrgMembersRequest {
+ zitadel.v1.ListQuery query = 1;
+ repeated zitadel.member.v1.SearchQuery queries = 2;
+}
+
+message ListOrgMembersResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.member.v1.Member result = 2;
+}
+
+message AddOrgMemberRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ repeated string roles = 2;
+}
+message AddOrgMemberResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateOrgMemberRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ repeated string roles = 2;
+}
+
+message UpdateOrgMemberResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveOrgMemberRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveOrgMemberResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetProjectByIDRequest {
+ string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetProjectByIDResponse {
+ zitadel.project.v1.Project project = 1;
+}
+
+message GetGrantedProjectByIDRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetGrantedProjectByIDResponse {
+ zitadel.project.v1.GrantedProject granted_project = 1;
+}
+
+message ListProjectsRequest {
+ zitadel.v1.ListQuery query = 1;
+ repeated zitadel.project.v1.ProjectQuery queries = 2;
+}
+
+message ListProjectsResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.project.v1.Project result = 2;
+}
+
+message ListGrantedProjectsRequest {
+ zitadel.v1.ListQuery query = 1;
+ repeated zitadel.project.v1.ProjectQuery queries = 2;
+}
+
+message ListGrantedProjectsResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.project.v1.GrantedProject result = 2;
+}
+
+message
ListProjectChangesRequest {
+ zitadel.v1.ListQuery query = 1;
+ string project_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ListProjectChangesResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.change.v1.Change result = 2;
+}
+
+message AddProjectRequest {
+ string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ bool project_role_assertion = 2;
+ bool project_role_check = 3;
+}
+
+message AddProjectResponse {
+ string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.v1.ObjectDetails details = 2;
+}
+
+message UpdateProjectRequest {
+ string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ bool project_role_assertion = 3;
+ bool project_role_check = 4;
+}
+
+message UpdateProjectResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message DeactivateProjectRequest {
+ string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message DeactivateProjectResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ReactivateProjectRequest {
+ string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ReactivateProjectResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveProjectRequest {
+ string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveProjectResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListProjectMemberRolesRequest {}
+
+message ListProjectMemberRolesResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated string result = 2;
+}
+
+message AddProjectRoleRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string role_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string display_name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string group = 4 [(validate.rules).string = {max_len: 200}];
+}
+
+message AddProjectRoleResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message BulkAddProjectRolesRequest {
+ message Role {
+ string key = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string display_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string group = 3 [(validate.rules).string = {max_len: 200}];
+ }
+
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ repeated Role roles = 2;
+}
+
+message BulkAddProjectRolesResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateProjectRoleRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string role_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string display_name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string group = 4 [(validate.rules).string = {max_len: 200}];
+}
+
+message UpdateProjectRoleResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveProjectRoleRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string role_key = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveProjectRoleResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListProjectRolesRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.v1.ListQuery query = 2;
+ repeated zitadel.project.v1.RoleQuery queries = 3;
+}
+
+message ListProjectRolesResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.project.v1.Role result = 2;
+}
+
+message ListProjectMembersRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.v1.ListQuery query = 2;
+ repeated zitadel.member.v1.SearchQuery queries = 3;
+}
+
+message ListProjectMembersResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.member.v1.Member result = 2;
+}
+
+message AddProjectMemberRequest {
+ string project_id = 1
[(validate.rules).string = {min_len: 1, max_len: 200}];
+ string user_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ repeated string roles = 3;
+}
+
+message AddProjectMemberResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateProjectMemberRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string user_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ repeated string roles = 3;
+}
+
+message UpdateProjectMemberResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveProjectMemberRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string user_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveProjectMemberResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetAppByIDRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetAppByIDResponse {
+ zitadel.app.v1.App app = 1;
+}
+
+message ListAppsRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.v1.ListQuery query = 2;
+ repeated zitadel.app.v1.AppQuery queries = 3;
+}
+
+message ListAppsResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.app.v1.App result = 2;
+}
+
+message ListAppChangesRequest {
+ zitadel.v1.ListQuery query = 1;
+ string project_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ListAppChangesResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.change.v1.Change result = 2;
+}
+
+message AddOIDCAppRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ repeated string redirect_uris = 3;
+ repeated
zitadel.app.v1.OIDCResponseType response_types = 4;
+ repeated zitadel.app.v1.OIDCGrantType grant_types = 5;
+ zitadel.app.v1.OIDCAppType app_type = 6 [(validate.rules).enum = {defined_only: true}];
+ zitadel.app.v1.OIDCAuthMethodType auth_method_type = 7 [(validate.rules).enum = {defined_only: true}];
+ repeated string post_logout_redirect_uris = 8;
+ zitadel.app.v1.OIDCVersion version = 9 [(validate.rules).enum = {defined_only: true}];
+ bool dev_mode = 10;
+ zitadel.app.v1.OIDCTokenType access_token_type = 11 [(validate.rules).enum = {defined_only: true}];
+ bool access_token_role_assertion = 12;
+ bool id_token_role_assertion = 13;
+ bool id_token_userinfo_assertion = 14;
+ google.protobuf.Duration clock_skew = 15 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}];
+}
+
+message AddOIDCAppResponse {
+ string app_id = 1;
+ zitadel.v1.ObjectDetails details = 2;
+ string client_id = 3;
+ string client_secret = 4;
+ bool none_compliant = 5;
+ repeated zitadel.v1.LocalizedMessage compliance_problems = 6;
+}
+
+message AddAPIAppRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.app.v1.APIAuthMethodType auth_method_type = 3 [(validate.rules).enum = {defined_only: true}];
+}
+
+message AddAPIAppResponse {
+ string app_id = 1;
+ zitadel.v1.ObjectDetails details = 2;
+ string client_id = 3;
+ string client_secret = 4;
+}
+
+message UpdateAppRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string name = 5 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message UpdateAppResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateOIDCAppConfigRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len:
200}];
+
+ repeated string redirect_uris = 3;
+ repeated zitadel.app.v1.OIDCResponseType response_types = 4;
+ repeated zitadel.app.v1.OIDCGrantType grant_types = 5;
+ zitadel.app.v1.OIDCAppType app_type = 6 [(validate.rules).enum = {defined_only: true}];
+ zitadel.app.v1.OIDCAuthMethodType auth_method_type = 7 [(validate.rules).enum = {defined_only: true}];
+ repeated string post_logout_redirect_uris = 8;
+ bool dev_mode = 9;
+ zitadel.app.v1.OIDCTokenType access_token_type = 10 [(validate.rules).enum = {defined_only: true}];
+ bool access_token_role_assertion = 11;
+ bool id_token_role_assertion = 12;
+ bool id_token_userinfo_assertion = 13;
+ google.protobuf.Duration clock_skew = 14 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}];
+}
+
+message UpdateOIDCAppConfigResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateAPIAppConfigRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.app.v1.APIAuthMethodType auth_method_type = 7 [(validate.rules).enum = {defined_only: true}];
+}
+
+message UpdateAPIAppConfigResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message DeactivateAppRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message DeactivateAppResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ReactivateAppRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ReactivateAppResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveAppRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveAppResponse {
+
zitadel.v1.ObjectDetails details = 1;
+}
+
+message RegenerateOIDCClientSecretRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RegenerateOIDCClientSecretResponse {
+ string client_secret = 1;
+ zitadel.v1.ObjectDetails details = 2;
+}
+
+message RegenerateAPIClientSecretRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RegenerateAPIClientSecretResponse {
+ string client_secret = 1;
+ zitadel.v1.ObjectDetails details = 2;
+}
+
+message GetAppKeyRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string key_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetAppKeyResponse {
+ zitadel.authn.v1.Key key = 1;
+}
+
+message ListAppKeysRequest {
+ zitadel.v1.ListQuery query = 1;
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string project_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+message ListAppKeysResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.authn.v1.Key result = 2;
+}
+
+message AddAppKeyRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.authn.v1.KeyType type = 3 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
+ google.protobuf.Timestamp expiration_date = 4;
+}
+
+message AddAppKeyResponse {
+ string id = 1;
+ zitadel.v1.ObjectDetails details = 2;
+ bytes key_details = 3;
+}
+
+message RemoveAppKeyRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string app_id = 2 [(validate.rules).string = {min_len: 1, max_len:
200}];
+ string key_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveAppKeyResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetProjectGrantByIDRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetProjectGrantByIDResponse {
+ zitadel.project.v1.GrantedProject project_grant = 1;
+}
+
+message ListProjectGrantsRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.v1.ListQuery query = 2;
+ repeated zitadel.project.v1.ProjectGrantQuery queries = 3;
+}
+
+message ListProjectGrantsResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.project.v1.GrantedProject result = 2;
+}
+
+message AddProjectGrantRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string granted_org_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ repeated string role_keys = 3;
+}
+
+message AddProjectGrantResponse {
+ string grant_id = 1;
+ zitadel.v1.ObjectDetails details = 2;
+}
+
+message UpdateProjectGrantRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ repeated string role_keys = 3;
+}
+
+message UpdateProjectGrantResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message DeactivateProjectGrantRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message DeactivateProjectGrantResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ReactivateProjectGrantRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+message
ReactivateProjectGrantResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveProjectGrantRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+message RemoveProjectGrantResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListProjectGrantMemberRolesRequest {
+ zitadel.v1.ListQuery query = 1;
+ repeated string result = 2;
+}
+
+message ListProjectGrantMemberRolesResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated string result = 2;
+}
+
+message ListProjectGrantMembersRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ zitadel.v1.ListQuery query = 3;
+ repeated zitadel.member.v1.SearchQuery queries = 4;
+}
+
+message ListProjectGrantMembersResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.member.v1.Member result = 2;
+}
+
+message AddProjectGrantMemberRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string user_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ repeated string roles = 4;
+}
+
+message AddProjectGrantMemberResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateProjectGrantMemberRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string user_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ repeated string roles = 4;
+}
+
+message UpdateProjectGrantMemberResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveProjectGrantMemberRequest {
+ string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len:
1, max_len: 200}];
+ string user_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveProjectGrantMemberResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetUserGrantByIDRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetUserGrantByIDResponse {
+ zitadel.user.v1.UserGrant user_grant = 1;
+}
+
+message ListUserGrantRequest {
+ zitadel.v1.ListQuery query = 1;
+ repeated zitadel.user.v1.UserGrantQuery queries = 2;
+}
+
+message ListUserGrantResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.user.v1.UserGrant result = 2;
+}
+
+message AddUserGrantRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string project_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string project_grant_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ repeated string role_keys = 4;
+}
+
+message AddUserGrantResponse {
+ string user_grant_id = 1;
+ zitadel.v1.ObjectDetails details = 2;
+}
+
+message UpdateUserGrantRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ repeated string role_keys = 3;
+}
+
+message UpdateUserGrantResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message DeactivateUserGrantRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message DeactivateUserGrantResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ReactivateUserGrantRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ReactivateUserGrantResponse {
+ zitadel.v1.ObjectDetails details
= 1;
+}
+
+message RemoveUserGrantRequest {
+ string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+ string grant_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveUserGrantResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message BulkRemoveUserGrantRequest {
+ repeated string grant_id = 1;
+}
+
+message BulkRemoveUserGrantResponse {
+ message RemovedUserGrant {
+ zitadel.v1.ObjectDetails details = 1;
+ string grant_id = 2;
+ }
+
+ repeated RemovedUserGrant result = 1;
+}
+
+message GetOrgIAMPolicyRequest {}
+
+message GetOrgIAMPolicyResponse {
+ zitadel.policy.v1.OrgIAMPolicy policy = 1;
+}
+
+message GetLoginPolicyRequest {}
+
+message GetLoginPolicyResponse {
+ zitadel.policy.v1.LoginPolicy policy = 1;
+ bool is_default = 2;
+}
+
+message GetDefaultLoginPolicyRequest {}
+
+message GetDefaultLoginPolicyResponse {
+ zitadel.policy.v1.LoginPolicy policy = 1;
+}
+
+message AddCustomLoginPolicyRequest {
+ bool allow_username_password = 1;
+ bool allow_register = 2;
+ bool allow_external_idp = 3;
+ bool force_mfa = 4;
+ zitadel.policy.v1.PasswordlessType passwordless_type = 5 [(validate.rules).enum = {defined_only: true}];
+}
+
+message AddCustomLoginPolicyResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateCustomLoginPolicyRequest {
+ bool allow_username_password = 1;
+ bool allow_register = 2;
+ bool allow_external_idp = 3;
+ bool force_mfa = 4;
+ zitadel.policy.v1.PasswordlessType passwordless_type = 5 [(validate.rules).enum = {defined_only: true}];
+}
+
+message UpdateCustomLoginPolicyResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ResetLoginPolicyToDefaultRequest {}
+
+message ResetLoginPolicyToDefaultResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListLoginPolicyIDPsRequest {
+ zitadel.v1.ListQuery query = 1;
+}
+
+message ListLoginPolicyIDPsResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.idp.v1.IDPLoginPolicyLink result = 2;
+}
+
+message AddIDPToLoginPolicyRequest {
+ string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message AddIDPToLoginPolicyResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveIDPFromLoginPolicyRequest {
+ string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveIDPFromLoginPolicyResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListLoginPolicySecondFactorsRequest {}
+
+message ListLoginPolicySecondFactorsResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.policy.v1.SecondFactorType result = 2;
+}
+
+message AddSecondFactorToLoginPolicyRequest {
+ zitadel.policy.v1.SecondFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
+}
+message AddSecondFactorToLoginPolicyResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveSecondFactorFromLoginPolicyRequest {
+ zitadel.policy.v1.SecondFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
+}
+
+message RemoveSecondFactorFromLoginPolicyResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListLoginPolicyMultiFactorsRequest {}
+
+message ListLoginPolicyMultiFactorsResponse {
+ zitadel.v1.ListDetails details = 1;
+ repeated zitadel.policy.v1.MultiFactorType result = 2;
+}
+
+message AddMultiFactorToLoginPolicyRequest {
+ zitadel.policy.v1.MultiFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
+}
+
+message AddMultiFactorToLoginPolicyResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveMultiFactorFromLoginPolicyRequest {
+ zitadel.policy.v1.MultiFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
+}
+
+message RemoveMultiFactorFromLoginPolicyResponse {
+ zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetPasswordComplexityPolicyRequest {}
+
+message GetPasswordComplexityPolicyResponse {
+ zitadel.policy.v1.PasswordComplexityPolicy policy = 1;
+ bool
is_default = 2; +} + +message GetDefaultPasswordComplexityPolicyRequest {} + +message GetDefaultPasswordComplexityPolicyResponse { + zitadel.policy.v1.PasswordComplexityPolicy policy = 1; +} + +message AddCustomPasswordComplexityPolicyRequest { + uint64 min_length = 1; + bool has_uppercase = 2; + bool has_lowercase = 3; + bool has_number = 4; + bool has_symbol = 5; +} + +message AddCustomPasswordComplexityPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message UpdateCustomPasswordComplexityPolicyRequest { + uint64 min_length = 1; + bool has_uppercase = 2; + bool has_lowercase = 3; + bool has_number = 4; + bool has_symbol = 5; +} + +message UpdateCustomPasswordComplexityPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ResetPasswordComplexityPolicyToDefaultRequest {} + +message ResetPasswordComplexityPolicyToDefaultResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetPasswordAgePolicyRequest {} + +message GetPasswordAgePolicyResponse { + zitadel.policy.v1.PasswordAgePolicy policy = 1; + bool is_default = 2; +} + +message GetDefaultPasswordAgePolicyRequest {} + +message GetDefaultPasswordAgePolicyResponse { + zitadel.policy.v1.PasswordAgePolicy policy = 1; +} + +message AddCustomPasswordAgePolicyRequest { + uint32 max_age_days = 1; + uint32 expire_warn_days = 2; +} + +message AddCustomPasswordAgePolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message UpdateCustomPasswordAgePolicyRequest { + uint32 max_age_days = 1; + uint32 expire_warn_days = 2; +} + +message UpdateCustomPasswordAgePolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ResetPasswordAgePolicyToDefaultRequest {} + +message ResetPasswordAgePolicyToDefaultResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetPasswordLockoutPolicyRequest {} + +message GetPasswordLockoutPolicyResponse { + zitadel.policy.v1.PasswordLockoutPolicy policy = 1; + bool is_default = 2; +} + +message 
GetDefaultPasswordLockoutPolicyRequest {} + +message GetDefaultPasswordLockoutPolicyResponse { + zitadel.policy.v1.PasswordLockoutPolicy policy = 1; +} + +message AddCustomPasswordLockoutPolicyRequest { + uint32 max_attempts = 1; + bool show_lockout_failure = 2; +} + +message AddCustomPasswordLockoutPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message UpdateCustomPasswordLockoutPolicyRequest { + uint32 max_attempts = 1; + bool show_lockout_failure = 2; +} + +message UpdateCustomPasswordLockoutPolicyResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ResetPasswordLockoutPolicyToDefaultRequest {} + +message ResetPasswordLockoutPolicyToDefaultResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message GetOrgIDPByIDRequest { + string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message GetOrgIDPByIDResponse { + zitadel.idp.v1.IDP idp = 1; +} + +message ListOrgIDPsRequest { + zitadel.v1.ListQuery query = 1; + zitadel.idp.v1.IDPFieldName sorting_column = 2; + repeated IDPQuery queries = 3; +} + +message IDPQuery { + oneof query { + option (validate.required) = true; + + zitadel.idp.v1.IDPIDQuery idp_id_query = 1; + zitadel.idp.v1.IDPNameQuery idp_name_query = 2; + zitadel.idp.v1.IDPOwnerTypeQuery owner_type_query = 3; + } +} + +message ListOrgIDPsResponse { + zitadel.v1.ListDetails details = 1; + zitadel.idp.v1.IDPFieldName sorting_column = 2; + repeated zitadel.idp.v1.IDP result = 3; +} + +message AddOrgOIDCIDPRequest { + string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + zitadel.idp.v1.IDPStylingType styling_type = 2 [(validate.rules).enum = {defined_only: true}]; + + string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; + repeated string scopes = 6; + zitadel.idp.v1.OIDCMappingField display_name_mapping = 7 
[(validate.rules).enum = {defined_only: true}]; + zitadel.idp.v1.OIDCMappingField username_mapping = 8 [(validate.rules).enum = {defined_only: true}]; +} + +message AddOrgOIDCIDPResponse { + zitadel.v1.ObjectDetails details = 1; + string idp_id = 2; +} + +message DeactivateOrgIDPRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message DeactivateOrgIDPResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message ReactivateOrgIDPRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message ReactivateOrgIDPResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message RemoveOrgIDPRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message RemoveOrgIDPResponse {} + +message UpdateOrgIDPRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + zitadel.idp.v1.IDPStylingType styling_type = 3 [(validate.rules).enum = {defined_only: true}]; +} + +message UpdateOrgIDPResponse { + zitadel.v1.ObjectDetails details = 1; +} + +message UpdateOrgIDPOIDCConfigRequest { + string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + + string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string client_secret = 3 [(validate.rules).string = {max_len: 200}]; + string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; + repeated string scopes = 5; + zitadel.idp.v1.OIDCMappingField display_name_mapping = 6 [(validate.rules).enum = {defined_only: true}]; + zitadel.idp.v1.OIDCMappingField username_mapping = 7 [(validate.rules).enum = {defined_only: true}]; +} + +message UpdateOrgIDPOIDCConfigResponse { + zitadel.v1.ObjectDetails details = 1; +} diff --git a/proto/zitadel/member.proto b/proto/zitadel/member.proto new file mode 100644 index 0000000000..b59d26b7b5 --- /dev/null +++ b/proto/zitadel/member.proto 
@@ -0,0 +1,49 @@ +syntax = "proto3"; + +import "zitadel/object.proto"; +import "validate/validate.proto"; + +package zitadel.member.v1; + +option go_package ="github.com/caos/zitadel/pkg/grpc/member"; + +message Member { + string user_id = 1; + zitadel.v1.ObjectDetails details = 2; + repeated string roles = 3; + string preferred_login_name = 4; + string email = 5; + string first_name = 6; + string last_name = 7; + string display_name = 8; +} + +message SearchQuery { + oneof query { + option (validate.required) = true; + + FirstNameQuery first_name_query = 1; + LastNameQuery last_name_query = 2; + EmailQuery email_query = 3; + UserIDQuery user_id_query = 4; + } +} + +message FirstNameQuery { + string first_name = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message LastNameQuery { + string last_name = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message EmailQuery { + string email = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message UserIDQuery { + string user_id = 1 [(validate.rules).string = {max_len: 200}]; +} diff --git a/pkg/grpc/message/proto/message.proto b/proto/zitadel/message.proto similarity index 89% rename from pkg/grpc/message/proto/message.proto rename to proto/zitadel/message.proto index 535f1dee02..245ce8e1e7 100644 --- a/pkg/grpc/message/proto/message.proto +++ b/proto/zitadel/message.proto @@ -1,6 +1,6 @@ syntax = "proto3"; -package caos.zitadel.api.v1; +package zitadel.v1; option go_package = "github.com/caos/zitadel/pkg/grpc/message"; diff --git a/proto/zitadel/object.proto b/proto/zitadel/object.proto new file mode 100644 index 0000000000..c007a39cba --- /dev/null +++ b/proto/zitadel/object.proto 
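Review bot: `EmailQuery` in proto/zitadel/member.proto names its filter field `email`, while the same-named message in proto/zitadel/user.proto (later in this diff) uses `email_address`. Both files are new, so one spelling can still be chosen before the API is published, for example `string email_address = 1 [(validate.rules).string = {max_len: 200}];` here. Separately, `UserIDQuery.user_id` only sets `max_len`, so an empty ID passes validation, whereas the ID fields of the management request messages in this diff use `{min_len: 1, max_len: 200}`. If an empty ID filter has no defined meaning, the same rule fits here.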
@@ -0,0 +1,53 @@
+syntax = "proto3";
+
+import "google/protobuf/timestamp.proto";
+
+package zitadel.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/object";
+
+message ObjectDetails {
+ //sequence represents the order of events. It's always upcounting
+ //
+ // on read: the sequence of the last event reduced by the projection
+ //
+ // on manipulation: the timestamp of the event(s) added by the manipulation
+ uint64 sequence = 1;
+ //creation_date is the timestamp where the first operation on the object was made
+ //
+ // on read: the timestamp of the first event of the object
+ //
+ // on create: the timestamp of the event(s) added by the manipulation
+ google.protobuf.Timestamp creation_date = 2;
+ //change_date is the timestamp when the object was changed
+ //
+ // on read: the timestamp of the last event reduced by the projection
+ //
+ // on manipulation: the
+ google.protobuf.Timestamp change_date = 3;
+ //resource_owner is the organisation an object belongs to
+ string resource_owner = 4;
+}
+
+message ListQuery {
+ uint64 offset = 1;
+ uint32 limit = 2;
+ bool asc = 3;
+}
+
+message ListDetails {
+ uint64 total_result = 1;
+ uint64 processed_sequence = 2;
+ google.protobuf.Timestamp view_timestamp = 3;
+}
+
+enum TextQueryMethod {
+ TEXT_QUERY_METHOD_EQUALS = 0;
+ TEXT_QUERY_METHOD_EQUALS_IGNORE_CASE = 1;
+ TEXT_QUERY_METHOD_STARTS_WITH = 2;
+ TEXT_QUERY_METHOD_STARTS_WITH_IGNORE_CASE = 3;
+ TEXT_QUERY_METHOD_CONTAINS = 4;
+ TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE = 5;
+ TEXT_QUERY_METHOD_ENDS_WITH = 6;
+ TEXT_QUERY_METHOD_ENDS_WITH_IGNORE_CASE = 7;
+}
diff --git a/proto/zitadel/options.proto b/proto/zitadel/options.proto
new file mode 100644
index 0000000000..5ca89b2f24
--- /dev/null
+++ b/proto/zitadel/options.proto
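Review bot: `ListQuery.limit` in proto/zitadel/object.proto carries no validation rule, so the page size a client may request is unbounded at the API boundary. Unless the server caps it elsewhere (not visible in this hunk), consider an upper bound such as `uint32 limit = 2 [(validate.rules).uint32 = {lte: MAX_PAGE_SIZE}];`, where `MAX_PAGE_SIZE` is a placeholder for the chosen limit. That also needs `import "validate/validate.proto";` in this file. On the documentation side, the comment on `change_date` stops mid-sentence at `on manipulation: the`, and the comment on `sequence` describes its manipulation case as a timestamp, which looks copied from the date fields. Both should be completed so clients know what the values mean.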
@@ -0,0 +1,17 @@
+syntax = "proto3";
+
+package zitadel.v1;
+
+import "google/protobuf/descriptor.proto";
+
+option go_package = "github.com/caos/zitadel/internal/protoc/protoc-gen-authoption/authoption";
+
+
+extend google.protobuf.MethodOptions {
+ AuthOption auth_option = 50000;
+}
+
+message AuthOption {
+ string permission = 1;
+ string check_field_name = 2;
+}
\ No newline at end of file
diff --git a/proto/zitadel/org.proto b/proto/zitadel/org.proto
new file mode 100644
index 0000000000..1d2f8c3ae9
--- /dev/null
+++ b/proto/zitadel/org.proto
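Review bot: Neither field of `AuthOption` in proto/zitadel/options.proto is documented, although the `go_package` path suggests this is the annotation the `protoc-gen-authoption` generator reads to build per-method authorization checks. A comment such as `// permission is the permission a caller needs for this method; an empty value means <behaviour to confirm>` should sit on `permission`. A matching one on `check_field_name` should say which request field it names and what is checked against it. The `extend` block should also state how a method that carries no `auth_option` is treated, because that decides whether a forgotten annotation leaves the method open or denied. The generator is not visible in this hunk, so the exact wording has to be confirmed against its implementation.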
@@ -0,0 +1,74 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+import "validate/validate.proto";
+
+package zitadel.org.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/org";
+
+message Org {
+ string id = 1;
+ zitadel.v1.ObjectDetails details = 2;
+ OrgState state = 3;
+ string name = 4;
+ string primary_domain = 5;
+}
+
+enum OrgState {
+ ORG_STATE_UNSPECIFIED = 0;
+ ORG_STATE_ACTIVE = 1;
+ ORG_STATE_INACTIVE = 2;
+}
+
+message Domain {
+ string org_id = 1;
+ zitadel.v1.ObjectDetails details = 2;
+ string domain_name = 3;
+ bool is_verified = 4;
+ bool is_primary = 5;
+ DomainValidationType validation_type = 6;
+}
+
+enum DomainValidationType {
+ DOMAIN_VALIDATION_TYPE_UNSPECIFIED = 0;
+ DOMAIN_VALIDATION_TYPE_HTTP = 1;
+ DOMAIN_VALIDATION_TYPE_DNS = 2;
+}
+
+message OrgQuery {
+ oneof query {
+ option (validate.required) = true;
+
+ OrgNameQuery name_query = 1;
+ OrgDomainQuery domain_query = 2;
+ }
+}
+
+message OrgNameQuery {
+ string name = 1 [(validate.rules).string = {max_len: 200}];
+ zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message OrgDomainQuery {
+ string domain = 1 [(validate.rules).string = {max_len: 200}];
+ zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+enum OrgFieldName {
+ ORG_FIELD_NAME_UNSPECIFIED = 0;
+ ORG_FIELD_NAME_NAME = 1;
+}
+
+message DomainSearchQuery {
+ oneof query {
+ option (validate.required) = true;
+
+ DomainNameQuery domain_name_query = 1;
+ }
+}
+
+message DomainNameQuery {
+ string name = 1 [(validate.rules).string = {max_len: 200}];
+ zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
diff --git a/proto/zitadel/policy.proto b/proto/zitadel/policy.proto
new file mode 100644
index 0000000000..c9e356cb04
--- /dev/null
+++ b/proto/zitadel/policy.proto
@@ -0,0 +1,71 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+
+package zitadel.policy.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/policy";
+
+message OrgIAMPolicy {
+ zitadel.v1.ObjectDetails details = 1;
+ bool user_login_must_be_domain = 2;
+ bool is_default = 3;
+}
+
+message LabelPolicy {
+ zitadel.v1.ObjectDetails details = 1;
+ string primary_color = 2;
+ string secondary_color = 3;
+ bool is_default = 4;
+}
+
+message LoginPolicy {
+ zitadel.v1.ObjectDetails details = 1;
+ bool allow_username_password = 2;
+ bool allow_register = 3;
+ bool allow_external_idp = 4;
+ bool force_mfa = 5;
+ PasswordlessType passwordless_type = 6;
+ bool is_default = 7;
+}
+
+enum SecondFactorType {
+ SECOND_FACTOR_TYPE_UNSPECIFIED = 0;
+ SECOND_FACTOR_TYPE_OTP = 1;
+ SECOND_FACTOR_TYPE_U2F = 2;
+}
+
+enum MultiFactorType {
+ MULTI_FACTOR_TYPE_UNSPECIFIED = 0;
+ MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION = 1; //TODO: what does livio think after the weekend? :D
+}
+
+enum PasswordlessType {
+ PASSWORDLESS_TYPE_NOT_ALLOWED = 0;
+ PASSWORDLESS_TYPE_ALLOWED = 1;
+ //PLANNED: PASSWORDLESS_TYPE_WITH_CERT
+}
+
+message PasswordComplexityPolicy {
+ zitadel.v1.ObjectDetails details = 1;
+ uint64 min_length = 2;
+ bool has_uppercase = 3;
+ bool has_lowercase = 4;
+ bool has_number = 5;
+ bool has_symbol = 6;
+ bool is_default = 7;
+}
+
+message PasswordAgePolicy {
+ zitadel.v1.ObjectDetails details = 1;
+ uint64 max_age_days = 2;
+ uint64 expire_warn_days = 3;
+ bool is_default = 4;
+}
+
+message PasswordLockoutPolicy {
+ zitadel.v1.ObjectDetails details = 1;
+ uint64 max_attempts = 2;
+ bool show_lockout_failure = 3;
+ bool is_default = 4;
+}
\ No newline at end of file
diff --git a/proto/zitadel/project.proto b/proto/zitadel/project.proto
new file mode 100644
index 0000000000..e018aa334e
--- /dev/null
+++ b/proto/zitadel/project.proto
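Review bot: `PasswordAgePolicy.max_age_days`, `PasswordAgePolicy.expire_warn_days` and `PasswordLockoutPolicy.max_attempts` are declared `uint64` in proto/zitadel/policy.proto, but the `AddCustom…`/`UpdateCustom…` request messages for the same policies earlier in this diff declare them `uint32`. Both sides are new, so the types can still be aligned, for example `uint32 max_attempts = 2;`. That avoids a read model holding values the write API cannot set, and a narrowing conversion in whatever code maps between the two. The comment `//TODO: what does livio think after the weekend? :D` on `MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION` should be resolved, or replaced by a description of the open question, before the enum name becomes part of the published API.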
@@ -0,0 +1,104 @@ +syntax = "proto3"; + +import "zitadel/object.proto"; +import "validate/validate.proto"; + +package zitadel.project.v1; + +option go_package ="github.com/caos/zitadel/pkg/grpc/project"; + +message Project { + string id = 1; + zitadel.v1.ObjectDetails details = 2; + string name = 3; + ProjectState state = 4; + // describes if roles of user should be added in token + bool project_role_assertion = 5; + // ZITADEL checks if the user has at least one on this project + bool project_role_check = 6; +} + +message GrantedProject { + string grant_id = 1; + string granted_org_id = 2; + string granted_org_name = 3; + repeated string granted_role_keys = 4; + ProjectGrantState state = 5; + + string project_id = 6; + string project_name = 7; + string project_owner_id = 8; + string project_owner_name = 9; + + zitadel.v1.ObjectDetails details = 10; +} + +enum ProjectState { + PROJECT_STATE_UNSPECIFIED = 0; + PROJECT_STATE_ACTIVE = 1; + PROJECT_STATE_INACTIVE = 2; +} + +enum ProjectGrantState { + PROJECT_GRANT_STATE_UNSPECIFIED = 0; + PROJECT_GRANT_STATE_ACTIVE = 1; + PROJECT_GRANT_STATE_INACTIVE = 2; +} + +message ProjectQuery { + oneof query { + option (validate.required) = true; + + ProjectNameQuery name_query = 1; + } +} + +message ProjectNameQuery { + string name = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message Role { + string key = 1; + zitadel.v1.ObjectDetails details = 2; + string display_name = 3; + string group = 4; +} + +message RoleQuery { + oneof query { + option (validate.required) = true; + + RoleKeyQuery key_query = 1; + RoleDisplayNameQuery display_name_query = 2; + } +} + +message RoleKeyQuery { + string key = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message RoleDisplayNameQuery { + string display_name = 1 [(validate.rules).string = {max_len: 200}]; + 
zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message ProjectGrantQuery { + oneof query { + option (validate.required) = true; + + GrantProjectNameQuery project_name_query = 1; + GrantRoleKeyQuery role_key_query = 2; + } +} + +message GrantProjectNameQuery { + string name = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message GrantRoleKeyQuery { + string role_key = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} \ No newline at end of file diff --git a/proto/zitadel/user.proto b/proto/zitadel/user.proto new file mode 100644 index 0000000000..398d744c1d --- /dev/null +++ b/proto/zitadel/user.proto 
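Review bot: The comment on `Project.project_role_check` in proto/zitadel/project.proto reads `ZITADEL checks if the user has at least one on this project`, which drops the noun. Presumably it should be `// ZITADEL checks if the user has at least one role on this project`. Because this flag gates access, the comment should also say when the check runs and what the caller sees when it fails; neither is stated here. The comment on `project_role_assertion` would likewise be clearer if it named which token the roles are added to.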
@@ -0,0 +1,356 @@ +syntax = "proto3"; + +import "zitadel/object.proto"; +import "validate/validate.proto"; + +package zitadel.user.v1; + +option go_package ="github.com/caos/zitadel/pkg/grpc/user"; + +message User { + string id = 1; + zitadel.v1.ObjectDetails details = 2; + UserState state = 3; + string user_name = 4; + repeated string login_names = 5; + string preferred_login_name = 6; + oneof type { + Human human = 7; + Machine machine = 8; + } +} + +enum UserState { + USER_STATE_UNSPECIFIED = 0; + USER_STATE_ACTIVE = 1; + USER_STATE_INACTIVE = 2; + USER_STATE_DELETED = 3; + USER_STATE_LOCKED = 4; + USER_STATE_SUSPEND = 5; + USER_STATE_INITIAL = 6; +} + +message Human { + Profile profile = 1; + Email email = 2; + Phone phone = 3; + Address address = 4; +} + +message Machine { + string name = 1; + string description = 2; +} + +message Profile { + string first_name = 1; + string last_name = 2; + string nick_name = 3; + string display_name = 4; + string preferred_language = 5; + Gender gender = 6; +} + +message Email { + string email = 1; + bool is_email_verified = 2; +} + +message Phone { + string phone = 1; + bool is_phone_verified = 2; +} + +message Address { + string country = 1; + string locality = 2; + string postal_code = 3; + string region = 4; + string street_address = 5; +} + +enum Gender { + GENDER_UNSPECIFIED = 0; + GENDER_FEMALE = 1; + GENDER_MALE = 2; + GENDER_DIVERSE = 3; +} + +message SearchQuery { + oneof query { + option (validate.required) = true; + + UserNameQuery user_name_query = 1; + FirstNameQuery first_name_query = 2; + LastNameQuery last_name_query = 3; + NickNameQuery nick_name_query = 4; + DisplayNameQuery display_name_query = 5; + EmailQuery email_query = 6; + StateQuery state_query = 7; + TypeQuery type_query = 8; + } +} + +message UserNameQuery { + string user_name = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message FirstNameQuery { + string 
first_name = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message LastNameQuery { + string last_name = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message NickNameQuery { + string nick_name = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message DisplayNameQuery { + string display_name = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message EmailQuery { + string email_address = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +//UserStateQuery is always equals +message StateQuery { + UserState state = 1 [(validate.rules).enum.defined_only = true]; +} + +//UserTypeQuery is always equals +message TypeQuery { + Type type = 1 [(validate.rules).enum.defined_only = true]; +} + +enum Type { + TYPE_UNSPECIFIED = 0; + TYPE_HUMAN = 1; + TYPE_MACHINE = 2; +} + +enum UserFieldName { + USER_FIELD_NAME_UNSPECIFIED = 0; + USER_FIELD_NAME_USER_NAME = 1; + USER_FIELD_NAME_FIRST_NAME = 2; + USER_FIELD_NAME_LAST_NAME = 3; + USER_FIELD_NAME_NICK_NAME = 4; + USER_FIELD_NAME_DISPLAY_NAME = 5; + USER_FIELD_NAME_EMAIL = 6; + USER_FIELD_NAME_STATE = 7; + USER_FIELD_NAME_TYPE = 8; +} + +message AuthFactor { + AuthFactorState state = 1; + oneof type { + AuthFactorOTP otp = 2; + AuthFactorU2F u2f = 3; + } +} + +enum AuthFactorState { + AUTH_FACTOR_STATE_UNSPECIFIED = 0; + AUTH_FACTOR_STATE_NOT_READY = 1; + AUTH_FACTOR_STATE_READY = 2; + AUTH_FACTOR_STATE_REMOVED = 3; +} + +message AuthFactorOTP {} + +message AuthFactorU2F { + string id = 1; + string name = 2; +} + +message WebAuthNKey { + string id = 1; + bytes public_key = 2; +} + +message 
WebAuthNVerification { + bytes public_key_credential = 1 [(validate.rules).bytes.min_len = 50]; //TODO: define correct min and max len + string token_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; +} + +message WebAuthNToken { + string id = 1; + AuthFactorState state = 2; + string name = 3; +} + +message Membership { + string user_id = 1; + zitadel.v1.ObjectDetails details = 2; + repeated string roles = 3; + string display_name = 4; + oneof type { + bool iam = 5; + string org_id = 6; + string project_id = 7; + string project_grant_id = 8; + } +} + +message MembershipQuery { + oneof query { + option (validate.required) = true; + + MembershipOrgQuery org_query = 1; + MembershipProjectQuery project_query = 2; + MembershipProjectGrantQuery project_grant_query = 3; + MembershipIAMQuery iam_query = 4; + } +} + +message MembershipOrgQuery { + string org_id = 1 [(validate.rules).string = {max_len: 200}]; +} + +message MembershipProjectQuery { + string project_id = 1 [(validate.rules).string = {max_len: 200}]; +} + +message MembershipProjectGrantQuery { + string project_grant_id = 1 [(validate.rules).string = {max_len: 200}]; +} + +message MembershipIAMQuery { + bool iam = 1; +} + +message Session { + string session_id = 1; + string agent_id = 2; + SessionState auth_state = 3; + string user_id = 4; + string user_name = 5; + string login_name = 7; + string display_name = 8; + zitadel.v1.ObjectDetails details = 9; +} + +enum SessionState { + SESSION_STATE_UNSPECIFIED = 0; + SESSION_STATE_ACTIVE = 1; + SESSION_STATE_TERMINATED = 2; +} + +message UserGrant { + string grant_id = 1; + zitadel.v1.ObjectDetails details = 2; + repeated string role_keys = 3; + UserGrantState state = 4; + + string user_id = 5; + string user_name = 6; + string first_name = 7; + string last_name = 8; + string email = 9; + string display_name = 10; + + string org_id = 11; + string org_name = 12; + string org_domain = 13; + + string project_id = 14; + string project_name = 15; +} + +enum 
UserGrantState { + USER_GRANT_STATE_UNSPECIFIED = 0; + USER_GRANT_STATE_ACTIVE = 1; + USER_GRANT_STATE_INACTIVE = 2; +} + +message UserGrantQuery { + oneof query { + option (validate.required) = true; + + UserGrantProjectIDQuery project_id_query = 1; + UserGrantUserIDQuery user_id_query = 2; + UserGrantWithGrantedQuery with_granted_query = 3; + UserGrantRoleKeyQuery role_key_query = 4; + UserGrantProjectGrantIDQuery project_grant_id_query = 5; + UserGrantUserNameQuery user_name_query = 6; + UserGrantFirstNameQuery first_name_query = 7; + UserGrantLastNameQuery last_name_query = 8; + UserGrantEmailQuery email_query = 9; + UserGrantOrgNameQuery org_name_query = 10; + UserGrantOrgDomainQuery org_domain_query = 11; + UserGrantProjectNameQuery project_name_query = 12; + UserGrantDisplayNameQuery display_name_query = 13; + } +} + +message UserGrantProjectIDQuery { + string project_id = 1 [(validate.rules).string = {max_len: 200}]; +} + +message UserGrantUserIDQuery { + string user_id = 1 [(validate.rules).string = {max_len: 200}]; +} + +message UserGrantWithGrantedQuery { + bool with_granted = 1; +} + +message UserGrantRoleKeyQuery { + string role_key = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message UserGrantProjectGrantIDQuery { + string project_grant_id = 1 [(validate.rules).string = {max_len: 200}]; +} + +message UserGrantUserNameQuery { + string user_name = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message UserGrantFirstNameQuery { + string first_name = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + +message UserGrantLastNameQuery { + string last_name = 1 [(validate.rules).string = {max_len: 200}]; + zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true]; +} + 
+message UserGrantEmailQuery {
+ string email = 1 [(validate.rules).string = {max_len: 200}];
+ zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message UserGrantOrgNameQuery {
+ string org_name = 1 [(validate.rules).string = {max_len: 200}];
+ zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message UserGrantOrgDomainQuery {
+ string org_domain = 1 [(validate.rules).string = {max_len: 200}];
+ zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message UserGrantProjectNameQuery {
+ string project_name = 1 [(validate.rules).string = {max_len: 200}];
+ zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+//TODO: needed as you can search first and last name?
+message UserGrantDisplayNameQuery {
+ string display_name = 1;
+ zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+//PLANNED: login name query
\ No newline at end of file
diff --git a/tools/go.mod b/tools/go.mod
new file mode 100644
index 0000000000..de329918b2
--- /dev/null
+++ b/tools/go.mod
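Review bot: `UserGrantDisplayNameQuery.display_name` is the only string filter in proto/zitadel/user.proto without a length rule. Every sibling query uses `[(validate.rules).string = {max_len: 200}]`, and the field should read `string display_name = 1 [(validate.rules).string = {max_len: 200}];`. `WebAuthNVerification.public_key_credential` sets `min_len = 50` with a TODO but no upper bound, so the accepted credential size is unlimited at the validation layer; a `max_len` should be settled before release. Two smaller points: the comments `//UserStateQuery is always equals` and `//UserTypeQuery is always equals` name messages that are actually called `StateQuery` and `TypeQuery`. `Session` also skips field number 6 without a `reserved 6;` statement.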
@@ -0,0 +1,25 @@
+module github.com/caos/zitadel/tools
+
+go 1.15
+
+require (
+ github.com/envoyproxy/protoc-gen-validate v0.4.1
+ github.com/go-bindata/go-bindata/v3 v3.1.3
+ github.com/golang/mock v1.4.4
+ github.com/golang/protobuf v1.4.3
+ github.com/grpc-ecosystem/grpc-gateway v1.16.0
+ github.com/iancoleman/strcase v0.1.3 // indirect
+ github.com/kisielk/errcheck v1.5.0 // indirect
+ github.com/lyft/protoc-gen-star v0.5.2 // indirect
+ github.com/rakyll/statik v0.1.7
+ github.com/spf13/afero v1.5.1 // indirect
+ golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 // indirect
+ golang.org/x/mod v0.4.1 // indirect
+ golang.org/x/net v0.0.0-20210119194325-5f4716e94777 // indirect
+ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c // indirect
+ golang.org/x/text v0.3.5 // indirect
+ golang.org/x/tools v0.1.0 // indirect
+ google.golang.org/genproto v0.0.0-20210212180131-e7f2df4ecc2d // indirect
+ google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0
+ gopkg.in/yaml.v2 v2.4.0 // indirect
+)
diff --git a/tools/go.sum b/tools/go.sum
new file mode 100644
index 0000000000..1b4bc0522b
--- /dev/null
+++ b/tools/go.sum
@@ -0,0 +1,189 @@ +cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= +github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= +github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= +github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= +github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= +github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= +github.com/envoyproxy/protoc-gen-validate v0.4.1 h1:7dLaJvASGRD7X49jSCSXXHwKPm0ZN9r9kJD+p+vS7dM= +github.com/envoyproxy/protoc-gen-validate v0.4.1/go.mod h1:E+IEazqdaWv3FrnGtZIu3b9fPFMK8AzeTTrk9SfVwWs= +github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= +github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/go-bindata/go-bindata v1.0.0 h1:DZ34txDXWn1DyWa+vQf7V9ANc2ILTtrEjtlsdJRF26M= +github.com/go-bindata/go-bindata v3.1.2+incompatible h1:5vjJMVhowQdPzjE1LdxyFF7YFTXg5IgGVW4gBr5IbvE= +github.com/go-bindata/go-bindata/v3 v3.1.3 h1:F0nVttLC3ws0ojc7p60veTurcOm//D4QBODNM7EGrCI= +github.com/go-bindata/go-bindata/v3 v3.1.3/go.mod h1:1/zrpXsLD8YDIbhZRqXzm1Ghc7NhEvIN9+Z6R5/xH4I= +github.com/golang/glog 
v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= +github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= +github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= +github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc= +github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= +github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= +github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw= +github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8= +github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA= +github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs= +github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w= +github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0= +github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8= +github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/golang/protobuf v1.4.3 h1:JjCZWpVbqXDqFVmTfYWEVTMIYrL/NPdPSCHPJ0T/raM= +github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= +github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= +github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU= +github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.0/go.mod 
h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo= +github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw= +github.com/iancoleman/strcase v0.0.0-20180726023541-3605ed457bf7 h1:ux/56T2xqZO/3cP1I2F86qpeoYPCOzk+KF/UH/Ar+lk= +github.com/iancoleman/strcase v0.0.0-20180726023541-3605ed457bf7/go.mod h1:SK73tn/9oHe+/Y0h39VT4UCxmurVJkR5NA7kMEAOgSE= +github.com/iancoleman/strcase v0.1.3 h1:dJBk1m2/qjL1twPLf68JND55vvivMupZ4wIzE8CTdBw= +github.com/iancoleman/strcase v0.1.3/go.mod h1:SK73tn/9oHe+/Y0h39VT4UCxmurVJkR5NA7kMEAOgSE= +github.com/kisielk/errcheck v1.2.0 h1:reN85Pxc5larApoH1keMBiu2GWtPqXQ1nc9gx+jOU+E= +github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= +github.com/kisielk/errcheck v1.5.0 h1:e8esj/e4R+SAOwFwN+n3zr0nYeCyeweozKfO23MvHzY= +github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= +github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg= +github.com/lyft/protoc-gen-star v0.5.1 h1:sImehRT+p7lW9n6R7MQc5hVgzWGEkDVZU4AsBQ4Isu8= +github.com/lyft/protoc-gen-star v0.5.1/go.mod h1:9toiA3cC7z5uVbODF7kEQ91Xn7XNFkVUl+SrEe+ZORU= +github.com/lyft/protoc-gen-star v0.5.2 h1:ICQPpOr4uO46eme1Y5Jj0fnJkc9/upQ9xxt0+2AmUDQ= +github.com/lyft/protoc-gen-star v0.5.2/go.mod h1:9toiA3cC7z5uVbODF7kEQ91Xn7XNFkVUl+SrEe+ZORU= +github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= +github.com/pkg/sftp v1.10.1/go.mod h1:lYOWFsE0bwd1+KfKJaKeuokY15vzFx25BLbzYYoAxZI= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= +github.com/rakyll/statik v0.1.7 
h1:OF3QCZUuyPxuGEP7B4ypUa7sB/iHtqOTDYZXGM8KOdQ= +github.com/rakyll/statik v0.1.7/go.mod h1:AlZONWzMtEnMs7W4e/1LURLiI49pIMmp6V9Unghqrcc= +github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= +github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= +github.com/spf13/afero v1.3.4 h1:8q6vk3hthlpb2SouZcnBVKboxWQWMDNF38bwholZrJc= +github.com/spf13/afero v1.3.4/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= +github.com/spf13/afero v1.5.1 h1:VHu76Lk0LSP1x254maIu2bplkWpfBWI+B+6fdoZprcg= +github.com/spf13/afero v1.5.1/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= +github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= +github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= +github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= +golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= +golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= +golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= +golang.org/x/lint 
v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k= +golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5 h1:2M3HP5CCK1Si9FQhwnzYhXdG6DXeebvUHFpre8QvbyI= +golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= +golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= +golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/mod v0.4.1 h1:Kvvh58BN8Y9/lBi7hTekvtMpm07eUZ0ck5pRHpsMWrY= +golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= +golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20200822124328-c89045814202 h1:VvcQYSHwXgi7W+TpUR6A9g6Up98WAHf3f/ulnJ62IyA= +golang.org/x/net 
v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777 h1:003p0dJM77cxMSyCPFphvZf/Y5/NXf5fzg6ufd1/Oew= +golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= +golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= +golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 
h1:myAQVi0cGEoqQVR5POX+8RR2mrocKqNN1hmeMqhX27k= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c h1:VwygUrnw9jn88c4u8GD3rZQbqrP/tgas88tPUbBxQrk= +golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.5 h1:i6eZZ+zk0SOf0xgBpEpPD18qWcJda6q1sxt3S0kzyUQ= +golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= +golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= +golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= +golang.org/x/tools 
v0.0.0-20200522201501-cb1345f3a375 h1:SjQ2+AKWgZLc1xej6WSzL+Dfs5Uyd5xcZH1mGC411IA= +golang.org/x/tools v0.0.0-20200522201501-cb1345f3a375/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= +golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY= +golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= +google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= +google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= +google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= +google.golang.org/genproto v0.0.0-20200513103714-09dca8ec2884/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 h1:+kGHl1aib/qcwaRi1CbqBZ1rk19r85MNUf8HaBghugY= +google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo= +google.golang.org/genproto v0.0.0-20210212180131-e7f2df4ecc2d h1:Edhcm0CKDPLQIecHCp5Iz57Lo7MfT6zUFBAlocmOjcY= +google.golang.org/genproto v0.0.0-20210212180131-e7f2df4ecc2d/go.mod 
h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= +google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= +google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= +google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= +google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk= +google.golang.org/grpc v1.33.1 h1:DGeFlSan2f+WEtCERJ4J9GJWk15TxUi8QGagfI87Xyc= +google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= +google.golang.org/grpc v1.35.0 h1:TwIQcH3es+MojMVojxxfQ3l3OF2KzlRxML2xZq0kRo8= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0 h1:M1YKkFIboKNieVO5DLUEVzQfGwJD30Nv2jfUgzb5UcE= +google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= +google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= +google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= +google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= +google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE= +google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo= +google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= +google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= +google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c= +google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c= 
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.2.3 h1:fvjTMHxHEw/mxHbtzPi3JCcKXQRAnQTBRo6YCJSVHKI= +gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= +gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
diff --git a/tools/install.sh b/tools/install.sh
new file mode 100755
index 0000000000..4f29afa130
--- /dev/null
+++ b/tools/install.sh
@@ -0,0 +1,10 @@
+#! /bin/sh
+
+set -eux
+
+cd $GOPATH/src/github.com/caos/zitadel/tools
+for imp in `cat tools.go | grep "_" | sed -E "s/_ \"(.*.+)\"/\1/g"`; do
+ echo "installing $imp"
+ go install $imp
+done
+cd -
\ No newline at end of file
diff --git a/tools/tools.go b/tools/tools.go
new file mode 100644
index 0000000000..0899916486
--- /dev/null
+++ b/tools/tools.go
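Review bot: The list of packages to install is scraped from tools.go with `grep "_" | sed`, so any line that merely contains an underscore (a comment, for instance) passes through the sed unchanged and is handed to `go install $imp` word-split and unquoted. Asking the toolchain for the imports is sturdier: `go install $(go list -tags tools -f '{{join .Imports " "}}' .)`. The `cd $GOPATH/src/github.com/caos/zitadel/tools` line is unquoted and, under `set -u`, aborts whenever GOPATH is not exported, although Go itself falls back to a default in that case. `cd "$(dirname "$0")"` runs from the script's own directory and keeps the install inside the tools/go.mod module regardless of where the checkout lives. Because this script fetches and builds the generators the build depends on, a short header comment saying that versions are taken from tools/go.mod would help the next reader.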
@@ -0,0 +1,24 @@
+// +build tools
+
+package tools
+
+import (
+ //proto
+ _ "github.com/envoyproxy/protoc-gen-validate"
+ //proto custom authoptions
+ _ "github.com/go-bindata/go-bindata/v3/go-bindata"
+ // gateway grpc to rest
+ _ "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway"
+ // openapi v2 descriptions
+ _ "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2"
+ // grpc generator
+ _ "google.golang.org/grpc/cmd/protoc-gen-go-grpc"
+ //protoc
+ _ "google.golang.org/protobuf/cmd/protoc-gen-go"
+ //generate static files
+ _ "github.com/rakyll/statik"
+ //proto
+ _ "google.golang.org/grpc/cmd/protoc-gen-go-grpc"
+ //mock
+ _ "github.com/golang/mock/mockgen"
+)
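Review bot: `google.golang.org/grpc/cmd/protoc-gen-go-grpc` is blank-imported twice in this block, once under `// grpc generator` and again under the second `//proto` comment, so the loop in tools/install.sh installs it twice; drop the second entry. The file also has no package comment saying why it exists. A line such as `// Package tools records the code generators the build installs so their versions are tracked in tools/go.mod; it is excluded from normal builds by the tools build tag.` placed directly above `package tools` would make the intent clear. The per-import comments would read better with consistent spacing (`// proto`, `// mock`).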