feat: protos refactoring

* start with user * user first try done in all services * user, org, idp for discussion * remove unused stuff * bla * dockerbuild * rename search, get multiple to list... * add annotation * update proto dependencies * update proto dependencies * change proto imports * replace all old imports * fix go out * remove unused lines * correct protoc flags * grpc and openapi flags * go out source path relative * -p * remove dead code * sourcepath relative * ls * is onenapi the problem? * hobla * authoption output * wrong field name * gopf * correct option, add correct flags * small improvments * SIMPLYFY * relative path * gopf bin ich en tubel * correct path * default policies in admin * grpc generation in one file * remove non ascii * metadata on manipulations * correct auth_option import * fixes * larry * idp provider to idp * fix generate * admin and auth nearly done * admin and auth nearly done * gen * healthz * imports * deleted too much imports * fix org * add import * imports * import * naming * auth_opt * gopf * management * imports * _TYPE_UNSPECIFIED * improts * auth opts * management policies * imports * passwordlessType to MFAType * auth_opt * add user grant calls * add missing messages * result * fix option * improvements * ids * fix http * imports * fixes * fields * body * add fields * remove wrong member query * fix request response * fixes * add copy files * variable versions * generate all files * improvements * add dependencies * factors * user session * oidc information, iam * remove unused file * changes * enums * dockerfile * fix build * remove unused folder * update readme for build * move old server impl * add event type to change * some changes * start admin * remove wrong field * admin only list calls missing * fix proto numbers * surprisingly it compiles * service ts changes * admin mgmt * mgmt * auth manipulation and gets done, lists missing * validations and some field changes * validations * enum validations * remove todo * move proto files to proto/zitadel * change proto path in dockerfile * it compiles! * add validate import * remove duplicate import * fix protos * fix import * tests * cleanup * remove unimplemented methods * iam member multiple queries * all auth and admin calls * add initial password on crate human * message names * management user server * machine done * fix: todos (#1346) * fix: pub sub in new eventstore * fix: todos * fix: todos * fix: todos * fix: todos * fix: todos * fix tests * fix: search method domain * admin service, user import type typescript * admin changes * admin changes * fix: search method domain * more user grpc and begin org, fix configs * fix: return object details * org grpc * remove creation date add details * app * fix: return object details * fix: return object details * mgmt service, project members * app * fix: convert policies * project, members, granted projects, searches * fix: convert usergrants * fix: convert usergrants * auth user detail, user detail, mfa, second factor, auth * fix: convert usergrants * mfa, memberships, password, owned proj detail * fix: convert usergrants * project grant * missing details * changes, userview * idp table, keys * org list and user table filter * unify rest paths (#1381) * unify rest paths * post for all searches, mfa to multi_factor, secondfactor to second_factor * remove v1 * fix tests * rename api client key to app key * machine keys, age policy * user list, machine keys, changes * fix: org states * add default flag to policy * second factor to type * idp id * app type * unify ListQuery, ListDetails, ObjectDetails field names * user grants, apps, memberships * fix type params * metadata to detail, linke idps * api create, membership, app detail, create * idp, app, policy * queries, multi -> auth factors and missing fields * update converters * provider to user, remove old mgmt refs * temp remove authfactor dialog, build finish Co-authored-by: Max Peintner <max@caos.ch> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Livio Amstutz <livio.a@gmail.com> Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
2025-08-11 18:07:31 +00:00 · 2021-03-09 10:30:11 +01:00
parent 9f417f3957
commit dabd5920dc
372 changed files with 17881 additions and 22036 deletions
--- a/proto/zitadel/admin.proto
+++ b/proto/zitadel/admin.proto
@@ -0,0 +1,987 @@
+syntax = "proto3";
+
+import "zitadel/idp.proto";
+import "zitadel/user.proto";
+import "zitadel/object.proto";
+import "zitadel/options.proto";
+import "zitadel/org.proto";
+import "zitadel/policy.proto";
+import "zitadel/member.proto";
+
+import "google/api/annotations.proto";
+import "google/protobuf/timestamp.proto";
+
+import "protoc-gen-openapiv2/options/annotations.proto";
+
+import "validate/validate.proto";
+
+package zitadel.admin.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/admin";
+
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
+    info: {
+        title: "admin service";
+        version: "1.0";
+        contact:{
+            url: "https://github.com/caos/zitadel/api/admin" //TODO: should be swagger path
+        };
+    };
+
+    schemes: HTTPS;
+
+    consumes: "application/json";
+    consumes: "application/grpc";
+
+    produces: "application/json";
+    produces: "application/grpc";
+};
+
+
+service AdminService {
+    rpc Healthz(HealthzRequest) returns (HealthzResponse) {
+        option (google.api.http) = {
+            get: "/healthz"
+        };
+    }
+    
+    rpc IsOrgUnique(IsOrgUniqueRequest) returns (IsOrgUniqueResponse) {
+        option (google.api.http) = {
+            get: "/orgs/_is_unique"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.read"
+        };
+    }
+
+    rpc GetOrgByID(GetOrgByIDRequest) returns (GetOrgByIDResponse) {
+        option (google.api.http) = {
+            get: "/orgs/{id}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.read"
+        };
+    }
+
+    rpc ListOrgs(ListOrgsRequest) returns (ListOrgsResponse) {
+        option (google.api.http) = {
+            post: "/orgs/_search"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.read"
+        };
+    }
+
+    rpc SetUpOrg(SetUpOrgRequest) returns (SetUpOrgResponse) {
+        option (google.api.http) = {
+            post: "/orgs/_setup"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.write"
+        };
+    }
+
+    rpc GetIDPByID(GetIDPByIDRequest) returns (GetIDPByIDResponse) {
+        option (google.api.http) = {
+            get: "/idps/{id}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.idp.read"
+        };
+    }
+
+    rpc ListIDPs(ListIDPsRequest) returns (ListIDPsResponse) {
+        option (google.api.http) = {
+            post: "/idps/_search"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.idp.read"
+        };
+    }
+
+    rpc AddOIDCIDP(AddOIDCIDPRequest) returns (AddOIDCIDPResponse) {
+        option (google.api.http) = {
+            post: "/idps/oidc"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    rpc UpdateIDP(UpdateIDPRequest) returns (UpdateIDPResponse) {
+        option (google.api.http) = {
+            put: "/idps/{idp_id}"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    rpc DeactivateIDP(DeactivateIDPRequest) returns (DeactivateIDPResponse) {
+        option (google.api.http) = {
+            post: "/idps/{idp_id}/_deactivate"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    rpc ReactivateIDP(ReactivateIDPRequest) returns (ReactivateIDPResponse) {
+        option (google.api.http) = {
+            post: "/idps/{idp_id}/_reactivate"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    rpc RemoveIDP(RemoveIDPRequest) returns (RemoveIDPResponse) {
+        option (google.api.http) = {
+            delete: "/idps/{idp_id}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    rpc UpdateIDPOIDCConfig(UpdateIDPOIDCConfigRequest) returns (UpdateIDPOIDCConfigResponse) {
+        option (google.api.http) = {
+            put: "/idps/{idp_id}/oidc_config"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.idp.write"
+        };
+    }
+
+    rpc GetOrgIAMPolicy(GetOrgIAMPolicyRequest) returns (GetOrgIAMPolicyResponse) {
+        option (google.api.http) = {
+            get: "/policies/orgiam"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+
+    rpc UpdateOrgIAMPolicy(UpdateOrgIAMPolicyRequest) returns (UpdateOrgIAMPolicyResponse) {
+        option (google.api.http) = {
+            put: "/policies/orgiam"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc GetCustomOrgIAMPolicy(GetCustomOrgIAMPolicyRequest) returns (GetCustomOrgIAMPolicyResponse) {
+        option (google.api.http) = {
+            get: "/orgs/{org_id}/policies/orgiam"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+
+    rpc AddCustomOrgIAMPolicy(AddCustomOrgIAMPolicyRequest) returns (AddCustomOrgIAMPolicyResponse) {
+        option (google.api.http) = {
+            post: "/orgs/{org_id}/policies/orgiam"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc UpdateCustomOrgIAMPolicy(UpdateCustomOrgIAMPolicyRequest) returns (UpdateCustomOrgIAMPolicyResponse) {
+        option (google.api.http) = {
+            put: "/orgs/{org_id}/policies/orgiam"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc ResetCustomOrgIAMPolicyToDefault(ResetCustomOrgIAMPolicyToDefaultRequest) returns (ResetCustomOrgIAMPolicyToDefaultResponse) {
+        option (google.api.http) = {
+            delete: "/orgs/{org_id}/policies/orgiam"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.delete"
+        };
+    }
+
+    rpc GetLabelPolicy(GetLabelPolicyRequest) returns (GetLabelPolicyResponse) {
+        option (google.api.http) = {
+            get: "/policies/label"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+
+    rpc UpdateLabelPolicy(UpdateLabelPolicyRequest) returns (UpdateLabelPolicyResponse) {
+        option (google.api.http) = {
+            put: "/policies/label"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc GetLoginPolicy(GetLoginPolicyRequest) returns (GetLoginPolicyResponse) {
+        option (google.api.http) = {
+            get: "/policies/login"
+        };
+    
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+    
+    rpc UpdateLoginPolicy(UpdateLoginPolicyRequest) returns (UpdateLoginPolicyResponse) {
+        option (google.api.http) = {
+            put: "/policies/login"
+            body: "*"
+        };
+    
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc ListLoginPolicyIDPs(ListLoginPolicyIDPsRequest) returns (ListLoginPolicyIDPsResponse) {
+        option (google.api.http) = {
+            post: "/policies/login/idps/_search"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+
+    rpc AddIDPToLoginPolicy(AddIDPToLoginPolicyRequest) returns (AddIDPToLoginPolicyResponse) {
+        option (google.api.http) = {
+            post: "/policies/login/idps"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc RemoveIDPFromLoginPolicy(RemoveIDPFromLoginPolicyRequest) returns (RemoveIDPFromLoginPolicyResponse) {
+        option (google.api.http) = {
+            delete: "/policies/login/idps/{idp_id}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc ListLoginPolicySecondFactors(ListLoginPolicySecondFactorsRequest) returns (ListLoginPolicySecondFactorsResponse) {
+        option (google.api.http) = {
+            post: "/policies/login/second_factors/_search"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+
+    rpc AddSecondFactorToLoginPolicy(AddSecondFactorToLoginPolicyRequest) returns (AddSecondFactorToLoginPolicyResponse) {
+        option (google.api.http) = {
+            post: "/policies/login/second_factors"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc RemoveSecondFactorFromLoginPolicy(RemoveSecondFactorFromLoginPolicyRequest) returns (RemoveSecondFactorFromLoginPolicyResponse) {
+        option (google.api.http) = {
+            delete: "/policies/login/second_factors/{type}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc ListLoginPolicyMultiFactors(ListLoginPolicyMultiFactorsRequest) returns (ListLoginPolicyMultiFactorsResponse) {
+        option (google.api.http) = {
+            post: "/policies/login/multi_factors/_search"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+
+    rpc AddMultiFactorToLoginPolicy(AddMultiFactorToLoginPolicyRequest) returns (AddMultiFactorToLoginPolicyResponse) {
+        option (google.api.http) = {
+            post: "/policies/login/multi_factors"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc RemoveMultiFactorFromLoginPolicy(RemoveMultiFactorFromLoginPolicyRequest) returns (RemoveMultiFactorFromLoginPolicyResponse) {
+        option (google.api.http) = {
+            delete: "/policies/login/multi_factors/{type}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc GetPasswordComplexityPolicy(GetPasswordComplexityPolicyRequest) returns (GetPasswordComplexityPolicyResponse) {
+        option (google.api.http) = {
+            get: "/policies/password/complexity"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+
+    rpc UpdatePasswordComplexityPolicy(UpdatePasswordComplexityPolicyRequest) returns (UpdatePasswordComplexityPolicyResponse) {
+        option (google.api.http) = {
+            put: "/policies/password/complexity"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc GetPasswordAgePolicy(GetPasswordAgePolicyRequest) returns (GetPasswordAgePolicyResponse) {
+        option (google.api.http) = {
+            get: "/policies/password/age"
+        };
+    
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+    
+    rpc UpdatePasswordAgePolicy(UpdatePasswordAgePolicyRequest) returns (UpdatePasswordAgePolicyResponse) {
+        option (google.api.http) = {
+            put: "/policies/password/age"
+            body: "*"
+        };
+    
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc GetPasswordLockoutPolicy(GetPasswordLockoutPolicyRequest) returns (GetPasswordLockoutPolicyResponse) {
+        option (google.api.http) = {
+            get: "/policies/password/lockout"
+        };
+    
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.read"
+        };
+    }
+    
+    rpc UpdatePasswordLockoutPolicy(UpdatePasswordLockoutPolicyRequest) returns (UpdatePasswordLockoutPolicyResponse) {
+        option (google.api.http) = {
+            put: "/policies/password/lockout"
+            body: "*"
+        };
+    
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.policy.write"
+        };
+    }
+
+    rpc ListIAMMemberRoles(ListIAMMemberRolesRequest) returns (ListIAMMemberRolesResponse) {
+        option (google.api.http) = {
+            post: "/members/roles/_search"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.member.read"
+        };
+    }
+
+    rpc ListIAMMembers(ListIAMMembersRequest) returns (ListIAMMembersResponse) {
+        option (google.api.http) = {
+            post: "/members/_search"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.member.read"
+        };
+    }
+
+    rpc AddIAMMember(AddIAMMemberRequest) returns (AddIAMMemberResponse) {
+        option (google.api.http) = {
+            post: "/members"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.member.write"
+        };
+    }
+
+    rpc UpdateIAMMember(UpdateIAMMemberRequest) returns (UpdateIAMMemberResponse) {
+        option (google.api.http) = {
+            put: "/members/{user_id}"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.member.write"
+        };
+    }
+
+    rpc RemoveIAMMember(RemoveIAMMemberRequest) returns (RemoveIAMMemberResponse) {
+        option (google.api.http) = {
+            delete: "/members/{user_id}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.member.delete"
+        };
+    }
+
+    rpc ListViews(ListViewsRequest) returns (ListViewsResponse) {
+        option (google.api.http) = {
+            post: "/views/_search"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.read"
+        };
+    }
+
+    rpc ClearView(ClearViewRequest) returns (ClearViewResponse) {
+        option (google.api.http) = {
+            post: "/views/{database}/{view_name}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.write"
+        };
+    }
+
+    rpc ListFailedEvents(ListFailedEventsRequest) returns (ListFailedEventsResponse) {
+        option (google.api.http) = {
+            post: "/failedevents/_search"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.read"
+        };
+    }
+
+    rpc RemoveFailedEvent(RemoveFailedEventRequest) returns (RemoveFailedEventResponse) {
+        option (google.api.http) = {
+            delete: "/failedevents/{database}/{view_name}/{failed_sequence}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "iam.write"
+        };
+    }
+}
+
+message HealthzRequest {}
+
+message HealthzResponse {}
+
+message IsOrgUniqueRequest {
+    string name = 1 [(validate.rules).string.min_len = 1];
+    string domain = 2 [(validate.rules).string.min_len = 1];
+}
+
+message IsOrgUniqueResponse {
+    bool is_unique = 1;
+}
+
+message GetOrgByIDRequest {
+    string id = 1 [(validate.rules).string.min_len = 1];
+}
+
+message GetOrgByIDResponse {
+    zitadel.org.v1.Org org = 1;
+}
+
+message ListOrgsRequest {
+    zitadel.v1.ListQuery query = 1;
+    zitadel.org.v1.OrgFieldName sorting_column = 2;
+    repeated zitadel.org.v1.OrgQuery queries = 3;
+}
+
+message ListOrgsResponse {
+    zitadel.v1.ListDetails details = 1;
+    zitadel.org.v1.OrgFieldName sorting_column = 2;
+    repeated zitadel.org.v1.Org result = 3;
+}
+
+message SetUpOrgRequest {
+    message Org {
+        string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+        string domain = 2;
+    }
+    message Human {
+        message Profile {
+            string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+            string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+            string nick_name = 3 [(validate.rules).string = {max_len: 200}];
+            string display_name = 4 [(validate.rules).string = {max_len: 200}];
+            string preferred_language = 5 [(validate.rules).string = {max_len: 10}];
+            zitadel.user.v1.Gender gender = 6;
+        }
+        message Email {
+            string email = 1 [(validate.rules).string.email = true];  //TODO: check if no value is allowed
+            bool is_email_verified = 2;
+        }
+        message Phone {
+            // has to be a global number
+            string phone = 1 [(validate.rules).string = {min_len: 1, max_len: 50, prefix: "+"}];
+            bool is_phone_verified = 2;
+        }
+    
+        string user_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+        
+        Profile profile = 2 [(validate.rules).message.required = true];
+        Email email = 3 [(validate.rules).message.required = true];
+        Phone phone = 4;
+        string password = 5 [(validate.rules).string = {min_len: 1, max_len: 72}];
+    }
+    Org org = 1 [(validate.rules).message.required = true];
+    oneof user {
+        option (validate.required) = true;
+
+        Human human = 2;
+    }
+}
+
+message SetUpOrgResponse {
+    zitadel.v1.ObjectDetails details = 1;
+    string org_id = 2;
+    string user_id = 3;
+}
+
+message GetIDPByIDRequest {
+    string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetIDPByIDResponse {
+    zitadel.idp.v1.IDP idp = 1;
+}
+
+message ListIDPsRequest {
+    zitadel.v1.ListQuery query = 1;
+    zitadel.idp.v1.IDPFieldName sorting_column = 2;
+    repeated IDPQuery queries = 3;
+}
+
+message IDPQuery {
+    oneof query {
+        zitadel.idp.v1.IDPIDQuery idp_id_query = 1;
+        zitadel.idp.v1.IDPNameQuery idp_name_query = 2;
+    }
+}
+
+message ListIDPsResponse {
+    zitadel.v1.ListDetails details = 1;
+    zitadel.idp.v1.IDPFieldName sorting_column = 2;
+    repeated zitadel.idp.v1.IDP result = 3;
+}
+
+message AddOIDCIDPRequest {
+    string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    zitadel.idp.v1.IDPStylingType styling_type = 2 [(validate.rules).enum = {defined_only: true}];
+
+    string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    repeated string scopes = 6;
+    zitadel.idp.v1.OIDCMappingField display_name_mapping = 7 [(validate.rules).enum = {defined_only: true}];
+    zitadel.idp.v1.OIDCMappingField username_mapping = 8 [(validate.rules).enum = {defined_only: true}];
+}
+
+message AddOIDCIDPResponse {
+    zitadel.v1.ObjectDetails details = 1;
+    string idp_id = 2;
+}
+
+message UpdateIDPRequest {
+    string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    zitadel.idp.v1.IDPStylingType styling_type = 3 [(validate.rules).enum = {defined_only: true}];
+}
+
+message UpdateIDPResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message DeactivateIDPRequest {
+    string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message DeactivateIDPResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message ReactivateIDPRequest {
+    string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ReactivateIDPResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveIDPRequest {
+    string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveIDPResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateIDPOIDCConfigRequest {
+    string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string issuer = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string client_secret = 4 [(validate.rules).string = {max_len: 200}];
+    repeated string scopes = 5;
+    zitadel.idp.v1.OIDCMappingField display_name_mapping = 6 [(validate.rules).enum = {defined_only: true}];
+    zitadel.idp.v1.OIDCMappingField username_mapping = 7 [(validate.rules).enum = {defined_only: true}];
+}
+
+message UpdateIDPOIDCConfigResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetOrgIAMPolicyRequest {}
+
+message GetOrgIAMPolicyResponse {
+    zitadel.policy.v1.OrgIAMPolicy policy = 1;
+}
+
+message UpdateOrgIAMPolicyRequest {
+    bool user_login_must_be_domain = 1;
+}
+
+message UpdateOrgIAMPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetCustomOrgIAMPolicyRequest {
+    string org_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetCustomOrgIAMPolicyResponse {
+    zitadel.policy.v1.OrgIAMPolicy policy = 1;
+    bool is_default = 2;
+}
+
+message AddCustomOrgIAMPolicyRequest {
+    string org_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    bool user_login_must_be_domain = 2;
+}
+
+message AddCustomOrgIAMPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateCustomOrgIAMPolicyRequest {
+    string org_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    bool user_login_must_be_domain = 2;
+}
+
+message UpdateCustomOrgIAMPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message ResetCustomOrgIAMPolicyToDefaultRequest {
+    string org_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ResetCustomOrgIAMPolicyToDefaultResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetLabelPolicyRequest {}
+
+message GetLabelPolicyResponse {
+    zitadel.policy.v1.LabelPolicy policy = 1;
+}
+
+message UpdateLabelPolicyRequest {
+    string primary_color = 1 [(validate.rules).string = {min_len: 1, max_len: 50}];
+    string secondary_color = 2 [(validate.rules).string = {min_len: 1, max_len: 50}];
+}
+
+message UpdateLabelPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetLoginPolicyRequest {}
+
+message GetLoginPolicyResponse {
+    zitadel.policy.v1.LoginPolicy policy = 1;
+}
+
+message UpdateLoginPolicyRequest {
+    bool allow_username_password = 1;
+    bool allow_register = 2;
+    bool allow_external_idp = 3;
+    bool force_mfa = 4;
+    zitadel.policy.v1.PasswordlessType passwordless_type = 5 [(validate.rules).enum = {defined_only: true}];
+}
+
+message UpdateLoginPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListLoginPolicyIDPsRequest {
+    zitadel.v1.ListQuery query = 1;
+}
+
+message ListLoginPolicyIDPsResponse {
+    zitadel.v1.ListDetails details = 1;
+    repeated zitadel.idp.v1.IDPLoginPolicyLink result = 2;
+}
+
+message AddIDPToLoginPolicyRequest {
+    string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message AddIDPToLoginPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveIDPFromLoginPolicyRequest {
+    string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveIDPFromLoginPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListLoginPolicySecondFactorsRequest {}
+
+message ListLoginPolicySecondFactorsResponse {
+    zitadel.v1.ListDetails details = 1;
+    repeated zitadel.policy.v1.SecondFactorType result = 2;
+}
+
+message AddSecondFactorToLoginPolicyRequest {
+    zitadel.policy.v1.SecondFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
+}
+
+message AddSecondFactorToLoginPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveSecondFactorFromLoginPolicyRequest {
+    zitadel.policy.v1.SecondFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
+}
+
+message RemoveSecondFactorFromLoginPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListLoginPolicyMultiFactorsRequest {}
+
+message ListLoginPolicyMultiFactorsResponse {
+    zitadel.v1.ListDetails details = 1;
+    repeated zitadel.policy.v1.MultiFactorType result = 2;
+}
+
+message AddMultiFactorToLoginPolicyRequest {
+    zitadel.policy.v1.MultiFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
+}
+
+message AddMultiFactorToLoginPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveMultiFactorFromLoginPolicyRequest {
+    zitadel.policy.v1.MultiFactorType type = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
+}
+
+message RemoveMultiFactorFromLoginPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetPasswordComplexityPolicyRequest {}
+
+message GetPasswordComplexityPolicyResponse {
+    zitadel.policy.v1.PasswordComplexityPolicy policy = 1;
+}
+
+message UpdatePasswordComplexityPolicyRequest {
+    uint32 min_length = 1;
+    bool has_uppercase = 2;
+    bool has_lowercase = 3;
+    bool has_number = 4;
+    bool has_symbol = 5;
+}
+
+message UpdatePasswordComplexityPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetPasswordAgePolicyRequest {}
+
+message GetPasswordAgePolicyResponse {
+    zitadel.policy.v1.PasswordAgePolicy policy = 1;
+}
+
+message UpdatePasswordAgePolicyRequest {
+    uint32 max_age_days = 1;
+    uint32 expire_warn_days = 2;
+}
+
+message UpdatePasswordAgePolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetPasswordLockoutPolicyRequest {}
+
+message GetPasswordLockoutPolicyResponse {
+    zitadel.policy.v1.PasswordLockoutPolicy policy = 1;
+}
+
+message UpdatePasswordLockoutPolicyRequest {
+    uint32 max_attempts = 1;
+    bool show_lockout_failure = 2;
+}
+
+message UpdatePasswordLockoutPolicyResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message AddIAMMemberRequest {
+    string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    repeated string roles = 2;
+}
+
+message AddIAMMemberResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message UpdateIAMMemberRequest {
+    string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    repeated string roles = 2;
+}
+
+message UpdateIAMMemberResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveIAMMemberRequest {
+    string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveIAMMemberResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListIAMMemberRolesRequest {}
+
+message ListIAMMemberRolesResponse {
+    zitadel.v1.ListDetails details = 1;
+    repeated string roles = 2;
+}
+
+message ListIAMMembersRequest {
+    zitadel.v1.ListQuery query = 1;
+    repeated zitadel.member.v1.SearchQuery queries = 2;
+}
+
+message ListIAMMembersResponse {
+    zitadel.v1.ListDetails details = 1;
+    repeated zitadel.member.v1.Member result = 2;
+}
+
+message ListViewsRequest {}
+
+message ListViewsResponse {
+    //TODO: search
+    repeated View result = 1;
+}
+
+message ClearViewRequest {
+    string database = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string view_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message ClearViewResponse {}
+
+message ListFailedEventsRequest {}
+
+message ListFailedEventsResponse {
+    //TODO: search
+    repeated FailedEvent result = 1;
+}
+
+message RemoveFailedEventRequest {
+    string database = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string view_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    uint64 failed_sequence = 3;
+}
+
+message RemoveFailedEventResponse {}
+
+message View {
+    string database = 1;
+    string view_name = 2;
+    uint64 processed_sequence = 3;
+    google.protobuf.Timestamp event_timestamp = 4;
+    google.protobuf.Timestamp last_successful_spooler_run = 5;
+}
+
+message FailedEvent {
+    string database = 1;
+    string view_name = 2;
+    uint64 failed_sequence = 3;
+    uint64 failure_count = 4;
+    string error_message = 5;
+}
--- a/proto/zitadel/app.proto
+++ b/proto/zitadel/app.proto
@@ -0,0 +1,105 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+import "zitadel/message.proto";
+import "google/protobuf/duration.proto";
+import "validate/validate.proto";
+
+package zitadel.app.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/app";
+
+message App {
+    string id = 1;
+    zitadel.v1.ObjectDetails details = 2;
+    AppState state = 3;
+    string name = 4;
+    oneof config {
+        OIDCConfig oidc_config = 5;
+        APIConfig api_config = 6;
+    }
+}
+
+enum AppState {
+    APP_STATE_UNSPECIFIED = 0;
+    APP_STATE_ACTIVE = 1;
+    APP_STATE_INACTIVE = 2;
+}
+
+message AppQuery {
+    oneof query {
+        option (validate.required) = true;
+
+        AppNameQuery name_query = 1;
+    }
+}
+
+message AppNameQuery {
+    string name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message OIDCConfig {
+    repeated string redirect_uris = 1;
+    repeated OIDCResponseType response_types = 2;
+    repeated OIDCGrantType grant_types = 3;
+    OIDCAppType app_type = 4;
+    string client_id = 5;
+    string client_secret = 6;
+    OIDCAuthMethodType auth_method_type = 7;
+    repeated string post_logout_redirect_uris = 8;
+    OIDCVersion version = 9;
+    bool none_compliant = 10;
+    repeated zitadel.v1.LocalizedMessage compliance_problems = 11;
+    bool dev_mode = 12;
+    OIDCTokenType access_token_type = 13;
+    bool access_token_role_assertion = 14;
+    bool id_token_role_assertion = 15;
+    bool id_token_userinfo_assertion = 16;
+    google.protobuf.Duration clock_skew = 17;
+}
+
+enum OIDCResponseType {
+    OIDC_RESPONSE_TYPE_CODE = 0;
+    OIDC_RESPONSE_TYPE_ID_TOKEN = 1;
+    OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN = 2;
+}
+
+enum OIDCGrantType{
+    OIDC_GRANT_TYPE_AUTHORIZATION_CODE = 0;
+    OIDC_GRANT_TYPE_IMPLICIT = 1;
+    OIDC_GRANT_TYPE_REFRESH_TOKEN = 2;
+}
+
+enum OIDCAppType {
+    OIDC_APP_TYPE_WEB = 0;
+    OIDC_APP_TYPE_USER_AGENT = 1;
+    OIDC_APP_TYPE_NATIVE = 2;
+}
+
+enum OIDCAuthMethodType {
+    OIDC_AUTH_METHOD_TYPE_BASIC = 0;
+    OIDC_AUTH_METHOD_TYPE_POST = 1;
+    OIDC_AUTH_METHOD_TYPE_NONE = 2;
+    OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT = 3;
+}
+
+enum OIDCVersion {
+    OIDC_VERSION_1_0 = 0;
+}
+
+enum OIDCTokenType {
+    OIDC_TOKEN_TYPE_BEARER = 0;
+    OIDC_TOKEN_TYPE_JWT = 1;
+}
+
+enum APIAuthMethodType {
+    API_AUTH_METHOD_TYPE_BASIC = 0;
+    API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT = 1;
+}
+
+message APIConfig {
+    string client_id = 1;
+    string client_secret = 2;
+    APIAuthMethodType auth_method_type = 3;
+}
--- a/proto/zitadel/auth.proto
+++ b/proto/zitadel/auth.proto
@@ -0,0 +1,669 @@
+syntax = "proto3";
+
+import "zitadel/user.proto";
+import "zitadel/org.proto";
+import "zitadel/change.proto";
+import "zitadel/object.proto";
+import "zitadel/options.proto";
+import "zitadel/policy.proto";
+import "zitadel/idp.proto";
+import "validate/validate.proto";
+import "google/api/annotations.proto";
+import "google/protobuf/timestamp.proto";
+import "protoc-gen-openapiv2/options/annotations.proto";
+
+package zitadel.auth.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/auth";
+
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
+    info: {
+        title: "auth service";
+        version: "1.0";
+        contact:{
+            url: "https://github.com/caos/zitadel/api/auth" //TODO: should be swagger path
+        };
+    };
+
+    schemes: HTTPS;
+
+    consumes: "application/json";
+    consumes: "application/grpc";
+
+    produces: "application/json";
+    produces: "application/grpc";
+};
+
+
+service AuthService {
+    rpc Healthz(HealthzRequest) returns (HealthzResponse) {
+        option (google.api.http) = {
+            get: "/healthz"
+        };
+    }
+    
+    rpc GetMyUser(GetMyUserRequest) returns (GetMyUserResponse) {
+        option (google.api.http) = {
+            get: "/users/me"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc ListMyUserChanges(ListMyUserChangesRequest) returns (ListMyUserChangesResponse) {
+        option (google.api.http) = {
+            post: "/users/me/changes/_search"
+        };
+    
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc ListMyUserSessions(ListMyUserSessionsRequest) returns (ListMyUserSessionsResponse) {
+        option (google.api.http) = {
+            post: "/users/me/sessions/_search"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc UpdateMyUserName(UpdateMyUserNameRequest) returns (UpdateMyUserNameResponse) {
+        option (google.api.http) = {
+            put: "/users/me/username"
+            body: "*"
+        };
+    
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc GetMyPasswordComplexityPolicy(GetMyPasswordComplexityPolicyRequest) returns (GetMyPasswordComplexityPolicyResponse) {
+        option (google.api.http) = {
+            get: "/policies/passwords/complexity"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc UpdateMyPassword(UpdateMyPasswordRequest) returns (UpdateMyPasswordResponse) {
+        option (google.api.http) = {
+            put: "/users/me/password"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc GetMyProfile(GetMyProfileRequest) returns (GetMyProfileResponse) {
+        option (google.api.http) = {
+            get: "/users/me/profile"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc UpdateMyProfile(UpdateMyProfileRequest) returns (UpdateMyProfileResponse) {
+        option (google.api.http) = {
+            put: "/users/me/profile"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc GetMyEmail(GetMyEmailRequest) returns (GetMyEmailResponse) {
+        option (google.api.http) = {
+            get: "/users/me/email"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc SetMyEmail(SetMyEmailRequest) returns (SetMyEmailResponse) {
+        option (google.api.http) = {
+            put: "/users/me/email"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc VerifyMyEmail(VerifyMyEmailRequest) returns (VerifyMyEmailResponse) {
+        option (google.api.http) = {
+            post: "/users/me/email/_verify"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc ResendMyEmailVerification(ResendMyEmailVerificationRequest) returns (ResendMyEmailVerificationResponse) {
+        option (google.api.http) = {
+            post: "/users/me/email/_resend_verification"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc GetMyPhone(GetMyPhoneRequest) returns (GetMyPhoneResponse) {
+        option (google.api.http) = {
+            get: "/users/me/phone"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc SetMyPhone(SetMyPhoneRequest) returns (SetMyPhoneResponse) {
+        option (google.api.http) = {
+            put: "/users/me/phone"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc VerifyMyPhone(VerifyMyPhoneRequest) returns (VerifyMyPhoneResponse) {
+        option (google.api.http) = {
+            post: "/users/me/phone/_verify"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc ResendMyPhoneVerification(ResendMyPhoneVerificationRequest) returns (ResendMyPhoneVerificationResponse) {
+        option (google.api.http) = {
+            post: "/users/me/phone/_resend_verification"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc RemoveMyPhone(RemoveMyPhoneRequest) returns (RemoveMyPhoneResponse) {
+        option (google.api.http) = {
+            delete: "/users/me/phone"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc ListMyLinkedIDPs(ListMyLinkedIDPsRequest) returns (ListMyLinkedIDPsResponse) {
+        option (google.api.http) = {
+            post: "/users/me/idps/_search"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc RemoveMyLinkedIDP(RemoveMyLinkedIDPRequest) returns (RemoveMyLinkedIDPResponse) {
+        option (google.api.http) = {
+            delete: "/users/me/idps/{idp_id}/{linked_user_id}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc ListMyAuthFactors(ListMyAuthFactorsRequest) returns (ListMyAuthFactorsResponse) {
+        option (google.api.http) = {
+            post: "/users/me/auth_factors/_search"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc AddMyAuthFactorOTP(AddMyAuthFactorOTPRequest) returns (AddMyAuthFactorOTPResponse) {
+        option (google.api.http) = {
+            post: "/users/me/auth_factors/otp"
+            body: "*"
+        };
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc VerifyMyAuthFactorOTP(VerifyMyAuthFactorOTPRequest) returns (VerifyMyAuthFactorOTPResponse) {
+        option (google.api.http) = {
+            post: "/users/me/auth_factors/otp/_verify"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc RemoveMyAuthFactorOTP(RemoveMyAuthFactorOTPRequest) returns (RemoveMyAuthFactorOTPResponse) {
+        option (google.api.http) = {
+            delete: "/users/me/auth_factors/otp"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc AddMyAuthFactorU2F(AddMyAuthFactorU2FRequest) returns (AddMyAuthFactorU2FResponse) {
+        option (google.api.http) = {
+            post: "/users/me/auth_factors/u2f"
+            body: "*"
+        };
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc VerifyMyAuthFactorU2F(VerifyMyAuthFactorU2FRequest) returns (VerifyMyAuthFactorU2FResponse) {
+        option (google.api.http) = {
+            post: "/users/me/auth_factors/u2f/_verify"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc RemoveMyAuthFactorU2F(RemoveMyAuthFactorU2FRequest) returns (RemoveMyAuthFactorU2FResponse) {
+        option (google.api.http) = {
+            delete: "/users/me/auth_factors/u2f/{token_id}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc ListMyPasswordless(ListMyPasswordlessRequest) returns (ListMyPasswordlessResponse) {
+        option (google.api.http) = {
+            post: "/users/me/passwordless/_search"
+        };
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc AddMyPasswordless(AddMyPasswordlessRequest) returns (AddMyPasswordlessResponse) {
+        option (google.api.http) = {
+            post: "/users/me/passwordless"
+            body: "*"
+        };
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc VerifyMyPasswordless(VerifyMyPasswordlessRequest) returns (VerifyMyPasswordlessResponse) {
+        option (google.api.http) = {
+            post: "/users/me/passwordless/_verify"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc RemoveMyPasswordless(RemoveMyPasswordlessRequest) returns (RemoveMyPasswordlessResponse) {
+        option (google.api.http) = {
+            delete: "/users/me/passwordless/{token_id}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc ListMyUserGrants(ListMyUserGrantsRequest) returns (ListMyUserGrantsResponse) {
+        option (google.api.http) = {
+            post: "/usergrants/me/_search"
+            body: "*"
+        };
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc ListMyProjectOrgs(ListMyProjectOrgsRequest) returns (ListMyProjectOrgsResponse) {
+        option (google.api.http) = {
+            post: "/global/projectorgs/_search"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc ListMyZitadelPermissions(ListMyZitadelPermissionsRequest) returns (ListMyZitadelPermissionsResponse) {
+        option (google.api.http) = {
+            post: "/permissions/zitadel/me/_search"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    rpc ListMyProjectPermissions(ListMyProjectPermissionsRequest) returns (ListMyProjectPermissionsResponse) {
+        option (google.api.http) = {
+            post: "/permissions/me/_search"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+}
+
+message HealthzRequest {}
+
+message HealthzResponse {}
+
+//GetMyUserRequest is an empty request
+// the request parameters are read from the token-header
+message GetMyUserRequest {}
+
+message GetMyUserResponse {
+    zitadel.user.v1.User user = 1;
+    google.protobuf.Timestamp last_login = 2;
+}
+
+message ListMyUserChangesRequest {
+    zitadel.v1.ListQuery query = 1;
+}
+
+message ListMyUserChangesResponse {
+    zitadel.v1.ListDetails details = 1;
+    repeated zitadel.change.v1.Change result = 2;
+}
+
+message ListMyUserSessionsRequest {}
+
+message ListMyUserSessionsResponse {
+    repeated zitadel.user.v1.Session result = 1;
+}
+
+message UpdateMyUserNameRequest {
+    string user_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message UpdateMyUserNameResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetMyPasswordComplexityPolicyRequest {}
+
+message GetMyPasswordComplexityPolicyResponse {
+    zitadel.policy.v1.PasswordComplexityPolicy policy = 1;
+}
+
+message UpdateMyPasswordRequest {
+    string old_password = 1 [(validate.rules).string = {min_len: 1, max_bytes: 70}];
+    string new_password = 2 [(validate.rules).string = {min_len: 1, max_bytes: 70}];
+}
+
+message UpdateMyPasswordResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetMyProfileRequest {}
+
+message GetMyProfileResponse {
+    zitadel.v1.ObjectDetails details = 1;
+    zitadel.user.v1.Profile profile = 2;
+}
+
+message UpdateMyProfileRequest {
+    string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string nick_name = 3 [(validate.rules).string = {max_len: 200}];
+    string display_name = 4 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string preferred_language = 5 [(validate.rules).string = {max_len: 10}];
+    zitadel.user.v1.Gender gender = 6;
+}
+
+message UpdateMyProfileResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetMyEmailRequest {}
+
+message GetMyEmailResponse {
+    zitadel.v1.ObjectDetails details = 1;
+    zitadel.user.v1.Email email = 2;
+}
+
+message SetMyEmailRequest {
+    string email = 1 [(validate.rules).string.email = true]; //TODO: check if no value is allowed
+}
+
+message SetMyEmailResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message VerifyMyEmailRequest {
+    string code = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message VerifyMyEmailResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message ResendMyEmailVerificationRequest {}
+
+message ResendMyEmailVerificationResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message GetMyPhoneRequest {}
+
+message GetMyPhoneResponse {
+    zitadel.v1.ObjectDetails details = 1;
+    zitadel.user.v1.Phone phone = 2;
+}
+
+message SetMyPhoneRequest {
+    string phone = 1 [(validate.rules).string = {min_len: 1, max_len: 50, prefix: "+"}];
+}
+
+message SetMyPhoneResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message VerifyMyPhoneRequest {
+    string code = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message VerifyMyPhoneResponse {}
+
+message ResendMyPhoneVerificationRequest {}
+
+message ResendMyPhoneVerificationResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveMyPhoneRequest {}
+
+message RemoveMyPhoneResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListMyLinkedIDPsRequest {
+    zitadel.v1.ListQuery query = 1;
+    //PLANNED: queries for idp name and login name
+}
+
+message ListMyLinkedIDPsResponse {
+    zitadel.v1.ListDetails details = 1;
+    repeated zitadel.idp.v1.IDPUserLink result = 2;
+}
+
+message RemoveMyLinkedIDPRequest {
+    string idp_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string linked_user_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveMyLinkedIDPResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListMyAuthFactorsRequest {}
+
+message ListMyAuthFactorsResponse {
+    repeated zitadel.user.v1.AuthFactor result = 1;
+}
+
+message AddMyAuthFactorU2FRequest {}
+
+message AddMyAuthFactorU2FResponse {
+    zitadel.user.v1.WebAuthNKey key = 1;
+    zitadel.v1.ObjectDetails details = 2;
+}
+
+message AddMyAuthFactorOTPRequest {}
+
+message AddMyAuthFactorOTPResponse {
+    string url = 1;
+    string secret = 2;
+    zitadel.v1.ObjectDetails details = 3;
+}
+
+message VerifyMyAuthFactorOTPRequest {
+    string code = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message VerifyMyAuthFactorOTPResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message VerifyMyAuthFactorU2FRequest {
+    zitadel.user.v1.WebAuthNVerification verification = 1 [(validate.rules).message.required = true];
+}
+
+message VerifyMyAuthFactorU2FResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveMyAuthFactorOTPRequest {}
+
+message RemoveMyAuthFactorOTPResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveMyAuthFactorU2FRequest {
+    string token_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveMyAuthFactorU2FResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListMyPasswordlessRequest {}
+
+message ListMyPasswordlessResponse {
+    repeated zitadel.user.v1.WebAuthNToken result = 1; 
+}
+
+message AddMyPasswordlessRequest {}
+
+message AddMyPasswordlessResponse {
+    zitadel.user.v1.WebAuthNKey key = 1;
+    zitadel.v1.ObjectDetails details = 2;
+}
+
+message VerifyMyPasswordlessRequest {
+    zitadel.user.v1.WebAuthNVerification verification = 1 [(validate.rules).message.required = true];
+}
+
+message VerifyMyPasswordlessResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message RemoveMyPasswordlessRequest {
+    string token_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveMyPasswordlessResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+message ListMyUserGrantsRequest {
+    zitadel.v1.ListQuery query = 1;
+}
+
+message ListMyUserGrantsResponse {
+    zitadel.v1.ListDetails details = 1;
+    repeated UserGrant result = 2;
+}
+
+message UserGrant {
+    string org_id = 1;
+    string project_id = 2;
+    string user_id = 3;
+    repeated string roles = 4;
+    string org_name = 5;
+    string grant_id = 6;
+}
+
+message ListMyProjectOrgsRequest {
+    zitadel.v1.ListQuery query = 1;
+    repeated zitadel.org.v1.OrgQuery queries = 2;
+}
+
+message ListMyProjectOrgsResponse {
+    zitadel.v1.ListDetails details = 1;
+    repeated zitadel.org.v1.Org result = 2;
+}
+
+message ListMyZitadelPermissionsRequest {}
+
+message ListMyZitadelPermissionsResponse {
+    repeated string result = 1;
+}
+
+message ListMyProjectPermissionsRequest {}
+
+message ListMyProjectPermissionsResponse {
+    repeated string result = 1;
+}
--- a/proto/zitadel/auth_n_key.proto
+++ b/proto/zitadel/auth_n_key.proto
@@ -0,0 +1,20 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+import "google/protobuf/timestamp.proto";
+
+package zitadel.authn.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/authn";
+
+message Key {
+    string id = 1;
+    zitadel.v1.ObjectDetails details = 2;
+    KeyType type = 3;
+    google.protobuf.Timestamp expiration_date = 4;
+}
+
+enum KeyType {
+    KEY_TYPE_UNSPECIFIED = 0;
+    KEY_TYPE_JSON = 1;
+}
--- a/proto/zitadel/change.proto
+++ b/proto/zitadel/change.proto
@@ -0,0 +1,17 @@
+syntax = "proto3";
+
+import "google/protobuf/timestamp.proto";
+import "zitadel/message.proto";
+
+package zitadel.change.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/change";
+
+message Change {
+    google.protobuf.Timestamp change_date = 1;
+    zitadel.v1.LocalizedMessage event_type = 2;
+    uint64 sequence = 3;
+    string editor_id = 4;
+    string editor_display_name = 5;
+    string resource_owner_id = 6;
+}
--- a/proto/zitadel/idp.proto
+++ b/proto/zitadel/idp.proto
@@ -0,0 +1,90 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+import "validate/validate.proto";
+
+package zitadel.idp.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/idp";
+
+message IDP {
+    string id = 1;
+    zitadel.v1.ObjectDetails details = 2;
+    IDPState state = 3;
+    string name = 4;
+    IDPStylingType styling_type = 5;
+    IDPOwnerType owner = 6;
+    oneof config {
+        OIDCConfig oidc_config = 7;
+    }
+}
+
+message IDPUserLink {
+    string user_id = 1;
+    string idp_id = 2;
+    string idp_name = 3;
+    string provided_user_id = 4;
+    string provided_user_name = 5;
+    IDPType idp_type = 6;
+}
+
+message IDPLoginPolicyLink {
+    string idp_id = 1;
+    string idp_name = 2;
+    IDPType idp_type = 3;
+}
+
+enum IDPState {
+    IDP_STATE_UNSPECIFIED = 0;
+    IDP_STATE_ACTIVE = 1;
+    IDP_STATE_INACTIVE = 2;
+}
+
+enum IDPStylingType {
+    STYLING_TYPE_UNSPECIFIED = 0;
+    STYLING_TYPE_GOOGLE = 1;
+}
+
+enum IDPType {
+    IDP_TYPE_UNSPECIFIED = 0;
+    IDP_TYPE_OIDC = 1;
+    //PLANNED: IDP_TYPE_SAML
+}
+
+enum IDPOwnerType {
+    IDP_OWNER_TYPE_UNSPECIFIED = 0;
+    IDP_OWNER_TYPE_SYSTEM = 1;
+    IDP_OWNER_TYPE_ORG = 2;
+}
+
+message OIDCConfig {
+    string client_id = 1;
+    string issuer = 2;
+    repeated string scopes = 3;
+    OIDCMappingField display_name_mapping = 4;
+    OIDCMappingField username_mapping = 5;
+}
+
+enum OIDCMappingField {
+    OIDC_MAPPING_FIELD_UNSPECIFIED = 0;
+    OIDC_MAPPING_FIELD_PREFERRED_USERNAME = 1;
+    OIDC_MAPPING_FIELD_EMAIL = 2;
+}
+
+message IDPIDQuery {
+    string id = 1 [(validate.rules).string = {max_len: 200}];
+}
+
+message IDPNameQuery {
+    string name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message IDPOwnerTypeQuery {
+    IDPOwnerType owner_type = 1 [(validate.rules).enum = {defined_only: true}];
+}
+
+enum IDPFieldName {
+    IDP_FIELD_NAME_UNSPECIFIED = 0;
+    IDP_FIELD_NAME_NAME = 1;
+}
--- a/proto/zitadel/management.proto
+++ b/proto/zitadel/management.proto
--- a/proto/zitadel/member.proto
+++ b/proto/zitadel/member.proto
@@ -0,0 +1,49 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+import "validate/validate.proto";
+
+package zitadel.member.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/member";
+
+message Member {
+    string user_id = 1;
+    zitadel.v1.ObjectDetails details = 2;
+    repeated string roles = 3;
+    string preferred_login_name = 4;
+    string email = 5;
+    string first_name = 6;
+    string last_name = 7;
+    string display_name = 8;
+}
+
+message SearchQuery {
+    oneof query {
+        option (validate.required) = true;
+
+        FirstNameQuery first_name_query = 1;
+        LastNameQuery last_name_query = 2;
+        EmailQuery email_query = 3;
+        UserIDQuery user_id_query = 4;
+    }
+}
+
+message FirstNameQuery {
+    string first_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message LastNameQuery {
+    string last_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message EmailQuery {
+    string email = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message UserIDQuery {
+    string user_id = 1 [(validate.rules).string = {max_len: 200}];
+}
--- a/proto/zitadel/message.proto
+++ b/proto/zitadel/message.proto
@@ -0,0 +1,15 @@
+syntax = "proto3";
+
+package zitadel.v1;
+
+option go_package = "github.com/caos/zitadel/pkg/grpc/message";
+
+message ErrorDetail {
+    string id = 1;
+    string message = 2;
+}
+
+message LocalizedMessage {
+    string key = 1;
+    string localized_message = 2;
+}
--- a/proto/zitadel/object.proto
+++ b/proto/zitadel/object.proto
@@ -0,0 +1,53 @@
+syntax = "proto3";
+
+import "google/protobuf/timestamp.proto";
+
+package zitadel.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/object";
+
+message ObjectDetails {
+    //sequence represents the order of events. It's always upcounting
+    //
+    // on read: the sequence of the last event reduced by the projection
+    //
+    // on manipulation: the timestamp of the event(s) added by the manipulation
+    uint64 sequence = 1;
+    //creation_date is the timestamp where the first operation on the object was made
+    //
+    // on read: the timestamp of the first event of the object
+    //
+    // on create: the timestamp of the event(s) added by the manipulation
+    google.protobuf.Timestamp creation_date = 2;
+    //change_date is the timestamp when the object was changed
+    //
+    // on read: the timestamp of the last event reduced by the projection
+    //
+    // on manipulation: the
+    google.protobuf.Timestamp change_date = 3;
+    //resource_owner is the organisation an object belongs to
+    string resource_owner = 4;
+}
+
+message ListQuery {
+    uint64 offset = 1;
+    uint32 limit = 2;
+    bool asc = 3;
+}
+
+message ListDetails {
+    uint64 total_result = 1;
+    uint64 processed_sequence = 2;
+    google.protobuf.Timestamp view_timestamp = 3;
+}
+
+enum TextQueryMethod {
+    TEXT_QUERY_METHOD_EQUALS = 0;
+    TEXT_QUERY_METHOD_EQUALS_IGNORE_CASE = 1;
+    TEXT_QUERY_METHOD_STARTS_WITH = 2;
+    TEXT_QUERY_METHOD_STARTS_WITH_IGNORE_CASE = 3;
+    TEXT_QUERY_METHOD_CONTAINS = 4;
+    TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE = 5;
+    TEXT_QUERY_METHOD_ENDS_WITH = 6;
+    TEXT_QUERY_METHOD_ENDS_WITH_IGNORE_CASE = 7;
+}
--- a/proto/zitadel/options.proto
+++ b/proto/zitadel/options.proto
@@ -0,0 +1,17 @@
+syntax = "proto3";
+
+package zitadel.v1;
+
+import "google/protobuf/descriptor.proto";
+
+option go_package = "github.com/caos/zitadel/internal/protoc/protoc-gen-authoption/authoption";
+
+
+extend google.protobuf.MethodOptions {
+    AuthOption auth_option = 50000;
+}
+
+message AuthOption {
+    string permission = 1;
+    string check_field_name = 2;
+}
--- a/proto/zitadel/org.proto
+++ b/proto/zitadel/org.proto
@@ -0,0 +1,74 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+import "validate/validate.proto";
+
+package zitadel.org.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/org";
+
+message Org {
+    string id = 1;
+    zitadel.v1.ObjectDetails details = 2;
+    OrgState state = 3;
+    string name = 4;
+    string primary_domain = 5;
+}
+
+enum OrgState {
+    ORG_STATE_UNSPECIFIED = 0;
+    ORG_STATE_ACTIVE = 1;
+    ORG_STATE_INACTIVE = 2;
+}
+
+message Domain {
+    string org_id = 1;
+    zitadel.v1.ObjectDetails details = 2;
+    string domain_name = 3;
+    bool is_verified = 4;
+    bool is_primary = 5;
+    DomainValidationType validation_type = 6;
+}
+
+enum DomainValidationType {
+    DOMAIN_VALIDATION_TYPE_UNSPECIFIED = 0;
+    DOMAIN_VALIDATION_TYPE_HTTP = 1;
+    DOMAIN_VALIDATION_TYPE_DNS = 2;
+}
+
+message OrgQuery {
+    oneof query {
+        option (validate.required) = true;
+
+        OrgNameQuery name_query = 1;
+        OrgDomainQuery domain_query = 2;
+    }
+}
+
+message OrgNameQuery {
+    string name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message OrgDomainQuery {
+    string domain = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+enum OrgFieldName {
+    ORG_FIELD_NAME_UNSPECIFIED = 0;
+    ORG_FIELD_NAME_NAME = 1;
+}
+
+message DomainSearchQuery {
+    oneof query {
+        option (validate.required) = true;
+
+        DomainNameQuery domain_name_query = 1;
+    }
+}
+
+message DomainNameQuery {
+    string name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
--- a/proto/zitadel/policy.proto
+++ b/proto/zitadel/policy.proto
@@ -0,0 +1,71 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+
+package zitadel.policy.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/policy";
+
+message OrgIAMPolicy {
+    zitadel.v1.ObjectDetails details = 1;
+    bool user_login_must_be_domain = 2;
+    bool is_default = 3;
+}
+
+message LabelPolicy {
+    zitadel.v1.ObjectDetails details = 1;
+    string primary_color = 2;
+    string secondary_color = 3;
+    bool is_default = 4;
+}
+
+message LoginPolicy {
+    zitadel.v1.ObjectDetails details = 1;
+    bool allow_username_password = 2;
+    bool allow_register = 3;
+    bool allow_external_idp = 4;
+    bool force_mfa = 5;
+    PasswordlessType passwordless_type = 6;
+    bool is_default = 7;
+}
+
+enum SecondFactorType {
+    SECOND_FACTOR_TYPE_UNSPECIFIED = 0;
+    SECOND_FACTOR_TYPE_OTP = 1;
+    SECOND_FACTOR_TYPE_U2F = 2;
+}
+
+enum MultiFactorType {
+    MULTI_FACTOR_TYPE_UNSPECIFIED = 0;
+    MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION = 1; //TODO: what does livio think after the weekend? :D
+}
+
+enum PasswordlessType {
+    PASSWORDLESS_TYPE_NOT_ALLOWED = 0;
+    PASSWORDLESS_TYPE_ALLOWED = 1;
+    //PLANNED: PASSWORDLESS_TYPE_WITH_CERT
+}
+
+message PasswordComplexityPolicy {
+    zitadel.v1.ObjectDetails details = 1;
+    uint64 min_length = 2;
+    bool has_uppercase = 3;
+    bool has_lowercase = 4;
+    bool has_number = 5;
+    bool has_symbol = 6;
+    bool is_default = 7;
+}
+
+message PasswordAgePolicy {
+    zitadel.v1.ObjectDetails details = 1;
+    uint64 max_age_days = 2;
+    uint64 expire_warn_days = 3;
+    bool is_default = 4;
+}
+
+message PasswordLockoutPolicy {
+    zitadel.v1.ObjectDetails details = 1;
+    uint64 max_attempts = 2;
+    bool show_lockout_failure = 3;
+    bool is_default = 4;
+}
--- a/proto/zitadel/project.proto
+++ b/proto/zitadel/project.proto
@@ -0,0 +1,104 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+import "validate/validate.proto";
+
+package zitadel.project.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/project";
+
+message Project {
+    string id = 1;
+    zitadel.v1.ObjectDetails details = 2;
+    string name = 3;
+    ProjectState state = 4;
+    // describes if roles of user should be added in token
+    bool project_role_assertion = 5;
+    // ZITADEL checks if the user has at least one on this project
+    bool project_role_check = 6;
+}
+
+message GrantedProject {
+    string grant_id = 1;
+    string granted_org_id = 2;
+    string granted_org_name = 3;
+    repeated string granted_role_keys = 4;
+    ProjectGrantState state = 5;
+    
+    string project_id = 6;
+    string project_name = 7;
+    string project_owner_id = 8;
+    string project_owner_name = 9;
+
+    zitadel.v1.ObjectDetails details = 10;
+}
+
+enum ProjectState {
+    PROJECT_STATE_UNSPECIFIED = 0;
+    PROJECT_STATE_ACTIVE = 1;
+    PROJECT_STATE_INACTIVE = 2;
+}
+
+enum ProjectGrantState {
+    PROJECT_GRANT_STATE_UNSPECIFIED = 0;
+    PROJECT_GRANT_STATE_ACTIVE = 1;
+    PROJECT_GRANT_STATE_INACTIVE = 2;
+}
+
+message ProjectQuery {
+    oneof query {
+        option (validate.required) = true;
+
+        ProjectNameQuery name_query = 1;
+    }
+}
+
+message ProjectNameQuery {
+    string name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message Role {
+    string key = 1;
+    zitadel.v1.ObjectDetails details = 2;
+    string display_name = 3;
+    string group = 4;
+}
+
+message RoleQuery {
+    oneof query {
+        option (validate.required) = true;
+
+        RoleKeyQuery key_query = 1;
+        RoleDisplayNameQuery display_name_query = 2;
+    }
+}
+
+message RoleKeyQuery {
+    string key = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message RoleDisplayNameQuery {
+    string display_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message ProjectGrantQuery {
+    oneof query {
+        option (validate.required) = true;
+
+        GrantProjectNameQuery project_name_query = 1;
+        GrantRoleKeyQuery role_key_query = 2;
+    }
+}
+
+message GrantProjectNameQuery {
+    string name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message GrantRoleKeyQuery {
+    string role_key = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
--- a/proto/zitadel/user.proto
+++ b/proto/zitadel/user.proto
@@ -0,0 +1,356 @@
+syntax = "proto3";
+
+import "zitadel/object.proto";
+import "validate/validate.proto";
+
+package zitadel.user.v1;
+
+option go_package ="github.com/caos/zitadel/pkg/grpc/user";
+
+message User {
+    string id = 1;
+    zitadel.v1.ObjectDetails details = 2;
+    UserState state = 3;
+    string user_name = 4;
+    repeated string login_names = 5;
+    string preferred_login_name = 6;
+    oneof type {
+        Human human = 7;
+        Machine machine = 8;
+    }
+}
+
+enum UserState {
+    USER_STATE_UNSPECIFIED = 0;
+    USER_STATE_ACTIVE = 1;
+    USER_STATE_INACTIVE = 2;
+    USER_STATE_DELETED = 3;
+    USER_STATE_LOCKED = 4;
+    USER_STATE_SUSPEND = 5;
+    USER_STATE_INITIAL = 6;
+}
+
+message Human {
+    Profile profile = 1;
+    Email email = 2;
+    Phone phone = 3;
+    Address address = 4;
+}
+
+message Machine {
+    string name = 1;
+    string description = 2;
+}
+
+message Profile {
+    string first_name = 1;
+    string last_name = 2;
+    string nick_name = 3;
+    string display_name = 4;
+    string preferred_language = 5;
+    Gender gender = 6;
+}
+
+message Email {
+    string email = 1;
+    bool is_email_verified = 2;
+}
+
+message Phone {
+    string phone = 1;
+    bool is_phone_verified = 2;
+}
+
+message Address {
+    string country = 1;
+    string locality = 2;
+    string postal_code = 3;
+    string region = 4;
+    string street_address = 5;
+}
+
+enum Gender {
+    GENDER_UNSPECIFIED = 0;
+    GENDER_FEMALE = 1;
+    GENDER_MALE = 2;
+    GENDER_DIVERSE = 3;
+}
+
+message SearchQuery {
+    oneof query {
+        option (validate.required) = true;
+
+        UserNameQuery user_name_query = 1;
+        FirstNameQuery first_name_query = 2;
+        LastNameQuery last_name_query = 3;
+        NickNameQuery nick_name_query = 4;
+        DisplayNameQuery display_name_query = 5;
+        EmailQuery email_query = 6;
+        StateQuery state_query = 7;
+        TypeQuery type_query = 8;
+    }
+}
+
+message UserNameQuery {
+    string user_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message FirstNameQuery {
+    string first_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message LastNameQuery {
+    string last_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message NickNameQuery {
+    string nick_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message DisplayNameQuery {
+    string display_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message EmailQuery {
+    string email_address = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+//UserStateQuery is always equals
+message StateQuery {
+    UserState state = 1 [(validate.rules).enum.defined_only = true];
+}
+
+//UserTypeQuery is always equals
+message TypeQuery {
+    Type type = 1 [(validate.rules).enum.defined_only = true];
+}
+
+enum Type {
+    TYPE_UNSPECIFIED = 0;
+    TYPE_HUMAN = 1;
+    TYPE_MACHINE = 2;
+}
+
+enum UserFieldName {
+    USER_FIELD_NAME_UNSPECIFIED = 0;
+    USER_FIELD_NAME_USER_NAME = 1;
+    USER_FIELD_NAME_FIRST_NAME = 2;
+    USER_FIELD_NAME_LAST_NAME = 3;
+    USER_FIELD_NAME_NICK_NAME = 4;
+    USER_FIELD_NAME_DISPLAY_NAME = 5;
+    USER_FIELD_NAME_EMAIL = 6;
+    USER_FIELD_NAME_STATE = 7;
+    USER_FIELD_NAME_TYPE = 8;
+}
+
+message AuthFactor {
+    AuthFactorState state = 1;
+    oneof type {
+        AuthFactorOTP otp = 2;
+        AuthFactorU2F u2f = 3;
+    }
+}
+
+enum AuthFactorState {
+    AUTH_FACTOR_STATE_UNSPECIFIED = 0;
+    AUTH_FACTOR_STATE_NOT_READY = 1;
+    AUTH_FACTOR_STATE_READY = 2;
+    AUTH_FACTOR_STATE_REMOVED = 3;
+}
+
+message AuthFactorOTP {}
+
+message AuthFactorU2F {
+    string id = 1;
+    string name = 2;
+}
+
+message WebAuthNKey {
+    string id = 1;
+    bytes public_key = 2;
+}
+
+message WebAuthNVerification {
+    bytes public_key_credential = 1 [(validate.rules).bytes.min_len = 50]; //TODO: define correct min and max len
+    string token_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message WebAuthNToken {
+    string id = 1;
+    AuthFactorState state = 2;
+    string name = 3;
+}
+
+message Membership {
+    string user_id = 1;
+    zitadel.v1.ObjectDetails details = 2;
+    repeated string roles = 3;
+    string display_name = 4;
+    oneof type {
+        bool iam = 5;
+        string org_id = 6;
+        string project_id = 7;
+        string project_grant_id = 8;
+    }
+}
+
+message MembershipQuery {
+    oneof query {
+        option (validate.required) = true;
+
+        MembershipOrgQuery org_query = 1;
+        MembershipProjectQuery project_query = 2;
+        MembershipProjectGrantQuery project_grant_query = 3;
+        MembershipIAMQuery iam_query = 4;
+    }
+}
+
+message MembershipOrgQuery {
+    string org_id = 1 [(validate.rules).string = {max_len: 200}];
+}
+
+message MembershipProjectQuery {
+    string project_id = 1 [(validate.rules).string = {max_len: 200}];
+}
+
+message MembershipProjectGrantQuery {
+    string project_grant_id = 1 [(validate.rules).string = {max_len: 200}];
+}
+
+message MembershipIAMQuery {
+    bool iam = 1;
+}
+
+message Session {
+    string session_id = 1;
+    string agent_id = 2;
+    SessionState auth_state = 3;
+    string user_id = 4;
+    string user_name = 5;
+    string login_name = 7;
+    string display_name = 8;
+    zitadel.v1.ObjectDetails details = 9;
+}
+
+enum SessionState {
+    SESSION_STATE_UNSPECIFIED = 0;
+    SESSION_STATE_ACTIVE = 1;
+    SESSION_STATE_TERMINATED = 2;
+}
+
+message UserGrant {
+    string grant_id = 1;
+    zitadel.v1.ObjectDetails details = 2;
+    repeated string role_keys = 3;
+    UserGrantState state = 4;
+    
+    string user_id = 5;
+    string user_name = 6;
+    string first_name = 7;
+    string last_name = 8;
+    string email = 9;
+    string display_name = 10;
+    
+    string org_id = 11;
+    string org_name = 12;
+    string org_domain = 13;
+    
+    string project_id = 14;
+    string project_name = 15;
+}
+
+enum UserGrantState {
+    USER_GRANT_STATE_UNSPECIFIED = 0;
+    USER_GRANT_STATE_ACTIVE = 1;
+    USER_GRANT_STATE_INACTIVE = 2;
+}
+
+message UserGrantQuery {
+    oneof query {
+        option (validate.required) = true;
+
+        UserGrantProjectIDQuery project_id_query = 1;
+        UserGrantUserIDQuery user_id_query = 2;
+        UserGrantWithGrantedQuery with_granted_query = 3;
+        UserGrantRoleKeyQuery role_key_query = 4;
+        UserGrantProjectGrantIDQuery project_grant_id_query = 5;
+        UserGrantUserNameQuery user_name_query = 6;
+        UserGrantFirstNameQuery first_name_query = 7;
+        UserGrantLastNameQuery last_name_query = 8;
+        UserGrantEmailQuery email_query = 9;
+        UserGrantOrgNameQuery org_name_query = 10;
+        UserGrantOrgDomainQuery org_domain_query = 11;
+        UserGrantProjectNameQuery project_name_query = 12;
+        UserGrantDisplayNameQuery display_name_query = 13;
+    }
+}
+
+message UserGrantProjectIDQuery {
+    string project_id = 1 [(validate.rules).string = {max_len: 200}];
+}
+
+message UserGrantUserIDQuery {
+    string user_id = 1 [(validate.rules).string = {max_len: 200}];
+}
+
+message UserGrantWithGrantedQuery {
+    bool with_granted = 1;
+}
+
+message UserGrantRoleKeyQuery {
+    string role_key = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message UserGrantProjectGrantIDQuery {
+    string project_grant_id = 1 [(validate.rules).string = {max_len: 200}];
+}
+
+message UserGrantUserNameQuery {
+    string user_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message UserGrantFirstNameQuery {
+    string first_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message UserGrantLastNameQuery {
+    string last_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message UserGrantEmailQuery {
+    string email = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message UserGrantOrgNameQuery {
+    string org_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message UserGrantOrgDomainQuery {
+    string org_domain = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+message UserGrantProjectNameQuery {
+    string project_name = 1 [(validate.rules).string = {max_len: 200}];
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+//TODO: needed as you can search first and last name?
+message UserGrantDisplayNameQuery {
+    string display_name = 1;
+    zitadel.v1.TextQueryMethod method = 2 [(validate.rules).enum.defined_only = true];
+}
+
+//PLANNED: login name query