perf(oidc): optimize client verification (#6999)

* fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2025-08-12 01:47:33 +00:00 · 2023-12-05 19:01:03 +02:00
parent 51cfb9564a
commit ec03340b67
46 changed files with 1666 additions and 781 deletions
--- a/internal/query/embed/oidc_client_by_id.sql
+++ b/internal/query/embed/oidc_client_by_id.sql
@@ -0,0 +1,46 @@
+--deallocate q;
+--prepare q(text, text, boolean) as
+
+with client as (
+	select c.instance_id,
+		c.app_id, c.client_id, c.client_secret, c.redirect_uris, c.response_types, c.grant_types,
+		c.application_type, c.auth_method_type, c.post_logout_redirect_uris, c.is_dev_mode,
+		c.access_token_type, c.access_token_role_assertion, c.id_token_role_assertion,
+		c.id_token_userinfo_assertion, c.clock_skew, c.additional_origins, a.project_id, a.state
+	from projections.apps6_oidc_configs c
+	join projections.apps6 a on a.id = c.app_id and a.instance_id = c.instance_id
+	where c.instance_id = $1
+		and c.client_id = $2
+),
+roles as (
+	select p.project_id, json_agg(p.role_key) as project_role_keys
+	from projections.project_roles4 p
+	join client c on c.project_id = p.project_id
+		and p.instance_id = c.instance_id
+	group by p.project_id
+),
+keys as (
+	select identifier as client_id, json_object_agg(id, encode(public_key, 'base64')) as public_keys
+	from projections.authn_keys2
+	where $3 = true -- when argument is false, don't waste time on trying to query for keys.
+		and instance_id = $1
+		and identifier = $2
+		and expiration > current_timestamp
+	group by identifier
+),
+settings as (
+	select instance_id, access_token_lifetime, id_token_lifetime
+	from projections.oidc_settings2
+	where aggregate_id = $1
+		and instance_id = $1
+)
+
+select row_to_json(r) as client from (
+	select c.*, r.project_role_keys, k.public_keys, s.access_token_lifetime, s.id_token_lifetime
+	from client c
+	left join roles r on r.project_id = c.project_id
+	left join keys k on k.client_id = c.client_id
+	join settings s on s.instance_id = s.instance_id
+) r;
+
+--execute q('230690539048009730', '236647088211951618@tests', true);
--- a/internal/query/embed/userinfo_by_id.sql
+++ b/internal/query/embed/userinfo_by_id.sql
@@ -1,6 +1,6 @@
 with usr as (
 	select u.id, u.creation_date, u.change_date, u.sequence, u.state, u.resource_owner, u.username, n.login_name as preferred_login_name
-	from projections.users9 u
+	from projections.users10 u
 	left join projections.login_names3 n on u.id = n.user_id and u.instance_id = n.instance_id
 	where u.id = $1
 	and u.instance_id = $2
@@ -9,7 +9,7 @@ with usr as (
 human as (
 	select $1 as user_id, row_to_json(r) as human from (
 		select first_name, last_name, nick_name, display_name, avatar_key, preferred_language, gender, email, is_email_verified, phone, is_phone_verified
-		from projections.users9_humans
+		from projections.users10_humans
 		where user_id = $1
 		and instance_id = $2
 	) r
@@ -17,7 +17,7 @@ human as (
 machine as (
 	select $1 as user_id, row_to_json(r) as machine from (
 		select name, description
-		from projections.users9_machines
+		from projections.users10_machines
 		where user_id = $1
 		and instance_id = $2
 	) r
--- a/internal/query/iam_member_test.go
+++ b/internal/query/iam_member_test.go
@@ -21,21 +21,21 @@ var (
 		", members.user_id" +
 		", members.roles" +
 		", projections.login_names3.login_name" +
-		", projections.users9_humans.email" +
-		", projections.users9_humans.first_name" +
-		", projections.users9_humans.last_name" +
-		", projections.users9_humans.display_name" +
-		", projections.users9_machines.name" +
-		", projections.users9_humans.avatar_key" +
-		", projections.users9.type" +
+		", projections.users10_humans.email" +
+		", projections.users10_humans.first_name" +
+		", projections.users10_humans.last_name" +
+		", projections.users10_humans.display_name" +
+		", projections.users10_machines.name" +
+		", projections.users10_humans.avatar_key" +
+		", projections.users10.type" +
 		", COUNT(*) OVER () " +
 		"FROM projections.instance_members4 AS members " +
-		"LEFT JOIN projections.users9_humans " +
-		"ON members.user_id = projections.users9_humans.user_id AND members.instance_id = projections.users9_humans.instance_id " +
-		"LEFT JOIN projections.users9_machines " +
-		"ON members.user_id = projections.users9_machines.user_id AND members.instance_id = projections.users9_machines.instance_id " +
-		"LEFT JOIN projections.users9 " +
-		"ON members.user_id = projections.users9.id AND members.instance_id = projections.users9.instance_id " +
+		"LEFT JOIN projections.users10_humans " +
+		"ON members.user_id = projections.users10_humans.user_id AND members.instance_id = projections.users10_humans.instance_id " +
+		"LEFT JOIN projections.users10_machines " +
+		"ON members.user_id = projections.users10_machines.user_id AND members.instance_id = projections.users10_machines.instance_id " +
+		"LEFT JOIN projections.users10 " +
+		"ON members.user_id = projections.users10.id AND members.instance_id = projections.users10.instance_id " +
 		"LEFT JOIN projections.login_names3 " +
 		"ON members.user_id = projections.login_names3.user_id AND members.instance_id = projections.login_names3.instance_id " +
 		"AS OF SYSTEM TIME '-1 ms' " +
--- a/internal/query/oidc_client.go
+++ b/internal/query/oidc_client.go
@@ -0,0 +1,61 @@
+package query
+
+import (
+	"context"
+	"database/sql"
+	_ "embed"
+	"errors"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
+	zerrors "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+)
+
+type OIDCClient struct {
+	InstanceID               string                     `json:"instance_id,omitempty"`
+	AppID                    string                     `json:"app_id,omitempty"`
+	State                    domain.AppState            `json:"state,omitempty"`
+	ClientID                 string                     `json:"client_id,omitempty"`
+	ClientSecret             *crypto.CryptoValue        `json:"client_secret,omitempty"`
+	RedirectURIs             []string                   `json:"redirect_uris,omitempty"`
+	ResponseTypes            []domain.OIDCResponseType  `json:"response_types,omitempty"`
+	GrantTypes               []domain.OIDCGrantType     `json:"grant_types,omitempty"`
+	ApplicationType          domain.OIDCApplicationType `json:"application_type,omitempty"`
+	AuthMethodType           domain.OIDCAuthMethodType  `json:"auth_method_type,omitempty"`
+	PostLogoutRedirectURIs   []string                   `json:"post_logout_redirect_uris,omitempty"`
+	IsDevMode                bool                       `json:"is_dev_mode,omitempty"`
+	AccessTokenType          domain.OIDCTokenType       `json:"access_token_type,omitempty"`
+	AccessTokenRoleAssertion bool                       `json:"access_token_role_assertion,omitempty"`
+	IDTokenRoleAssertion     bool                       `json:"id_token_role_assertion,omitempty"`
+	IDTokenUserinfoAssertion bool                       `json:"id_token_userinfo_assertion,omitempty"`
+	ClockSkew                time.Duration              `json:"clock_skew,omitempty"`
+	AdditionalOrigins        []string                   `json:"additional_origins,omitempty"`
+	PublicKeys               map[string][]byte          `json:"public_keys,omitempty"`
+	ProjectID                string                     `json:"project_id,omitempty"`
+	ProjectRoleKeys          []string                   `json:"project_role_keys,omitempty"`
+	AccessTokenLifetime      time.Duration              `json:"access_token_lifetime,omitempty"`
+	IDTokenLifetime          time.Duration              `json:"id_token_lifetime,omitempty"`
+}
+
+//go:embed embed/oidc_client_by_id.sql
+var oidcClientQuery string
+
+func (q *Queries) GetOIDCClientByID(ctx context.Context, clientID string, getKeys bool) (client *OIDCClient, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	client, err = database.QueryJSONObject[OIDCClient](ctx, q.client, oidcClientQuery,
+		authz.GetInstance(ctx).InstanceID(), clientID, getKeys,
+	)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, zerrors.ThrowNotFound(err, "QUERY-wu6Ee", "Errors.App.NotFound")
+	}
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "QUERY-ieR7R", "Errors.Internal")
+	}
+	return client, err
+}
--- a/internal/query/oidc_client_test.go
+++ b/internal/query/oidc_client_test.go
@@ -0,0 +1,167 @@
+package query
+
+import (
+	"database/sql"
+	"database/sql/driver"
+	_ "embed"
+	"regexp"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
+	zerrors "github.com/zitadel/zitadel/internal/errors"
+)
+
+var (
+	//go:embed testdata/oidc_client_jwt.json
+	testdataOidcClientJWT string
+	//go:embed testdata/oidc_client_public.json
+	testdataOidcClientPublic string
+	//go:embed testdata/oidc_client_secret.json
+	testdataOidcClientSecret string
+)
+
+func TestQueries_GetOIDCClientByID(t *testing.T) {
+	expQuery := regexp.QuoteMeta(oidcClientQuery)
+	cols := []string{"client"}
+	pubkey := `-----BEGIN RSA PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2ufAL1b72bIy1ar+Ws6b
+GohJJQFB7dfRapDqeqM8Ukp6CVdPzq/pOz1viAq50yzWZJryF+2wshFAKGF9A2/B
+2Yf9bJXPZ/KbkFrYT3NTvYDkvlaSTl9mMnzrU29s48F1PTWKfB+C3aMsOEG1BufV
+s63qF4nrEPjSbhljIco9FZq4XppIzhMQ0fDdA/+XygCJqvuaL0LibM1KrlUdnu71
+YekhSJjEPnvOisXIk4IXywoGIOwtjxkDvNItQvaMVldr4/kb6uvbgdWwq5EwBZXq
+low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
+6QIDAQAB
+-----END RSA PUBLIC KEY-----
+`
+
+	tests := []struct {
+		name    string
+		mock    sqlExpectation
+		want    *OIDCClient
+		wantErr error
+	}{
+		{
+			name:    "no rows",
+			mock:    mockQueryErr(expQuery, sql.ErrNoRows, "instanceID", "clientID", true),
+			wantErr: zerrors.ThrowNotFound(sql.ErrNoRows, "QUERY-wu6Ee", "Errors.App.NotFound"),
+		},
+		{
+			name:    "internal error",
+			mock:    mockQueryErr(expQuery, sql.ErrConnDone, "instanceID", "clientID", true),
+			wantErr: zerrors.ThrowInternal(sql.ErrConnDone, "QUERY-ieR7R", "Errors.Internal"),
+		},
+		{
+			name: "jwt client",
+			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientJWT}, "instanceID", "clientID", true),
+			want: &OIDCClient{
+				InstanceID:               "230690539048009730",
+				AppID:                    "236647088211886082",
+				State:                    domain.AppStateActive,
+				ClientID:                 "236647088211951618@tests",
+				ClientSecret:             nil,
+				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
+				ResponseTypes:            []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
+				GrantTypes:               []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode, domain.OIDCGrantTypeRefreshToken},
+				ApplicationType:          domain.OIDCApplicationTypeWeb,
+				AuthMethodType:           domain.OIDCAuthMethodTypePrivateKeyJWT,
+				PostLogoutRedirectURIs:   []string{"https://example.com/logout"},
+				IsDevMode:                true,
+				AccessTokenType:          domain.OIDCTokenTypeJWT,
+				AccessTokenRoleAssertion: true,
+				IDTokenRoleAssertion:     true,
+				IDTokenUserinfoAssertion: true,
+				ClockSkew:                1000000000,
+				AdditionalOrigins:        []string{"https://example.com"},
+				ProjectID:                "236645808328409090",
+				PublicKeys:               map[string][]byte{"236647201860747266": []byte(pubkey)},
+				ProjectRoleKeys:          []string{"role1", "role2"},
+				AccessTokenLifetime:      43200000000000,
+				IDTokenLifetime:          43200000000000,
+			},
+		},
+		{
+			name: "public client",
+			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientPublic}, "instanceID", "clientID", true),
+			want: &OIDCClient{
+				InstanceID:               "230690539048009730",
+				AppID:                    "236646457053020162",
+				State:                    domain.AppStateActive,
+				ClientID:                 "236646457053085698@tests",
+				ClientSecret:             nil,
+				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
+				ResponseTypes:            []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
+				GrantTypes:               []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode},
+				ApplicationType:          domain.OIDCApplicationTypeWeb,
+				AuthMethodType:           domain.OIDCAuthMethodTypeNone,
+				PostLogoutRedirectURIs:   nil,
+				IsDevMode:                true,
+				AccessTokenType:          domain.OIDCTokenTypeBearer,
+				AccessTokenRoleAssertion: false,
+				IDTokenRoleAssertion:     false,
+				IDTokenUserinfoAssertion: false,
+				ClockSkew:                0,
+				AdditionalOrigins:        nil,
+				PublicKeys:               nil,
+				ProjectID:                "236645808328409090",
+				ProjectRoleKeys:          []string{"role1", "role2"},
+				AccessTokenLifetime:      43200000000000,
+				IDTokenLifetime:          43200000000000,
+			},
+		},
+		{
+			name: "secret client",
+			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientSecret}, "instanceID", "clientID", true),
+			want: &OIDCClient{
+				InstanceID: "230690539048009730",
+				AppID:      "236646858984783874",
+				State:      domain.AppStateActive,
+				ClientID:   "236646858984849410@tests",
+				ClientSecret: &crypto.CryptoValue{
+					CryptoType: crypto.TypeHash,
+					Algorithm:  "bcrypt",
+					Crypted:    []byte(`$2a$14$OzZ0XEZZEtD13py/EPba2evsS6WcKZ5orVMj9pWHEGEHmLu2h3PFq`),
+				},
+				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
+				ResponseTypes:            []domain.OIDCResponseType{0},
+				GrantTypes:               []domain.OIDCGrantType{0},
+				ApplicationType:          domain.OIDCApplicationTypeWeb,
+				AuthMethodType:           domain.OIDCAuthMethodTypeBasic,
+				PostLogoutRedirectURIs:   nil,
+				IsDevMode:                true,
+				AccessTokenType:          domain.OIDCTokenTypeBearer,
+				AccessTokenRoleAssertion: false,
+				IDTokenRoleAssertion:     false,
+				IDTokenUserinfoAssertion: false,
+				ClockSkew:                0,
+				AdditionalOrigins:        nil,
+				PublicKeys:               nil,
+				ProjectID:                "236645808328409090",
+				ProjectRoleKeys:          []string{"role1", "role2"},
+				AccessTokenLifetime:      43200000000000,
+				IDTokenLifetime:          43200000000000,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			execMock(t, tt.mock, func(db *sql.DB) {
+				q := &Queries{
+					client: &database.DB{
+						DB:       db,
+						Database: &prepareDB{},
+					},
+				}
+				ctx := authz.NewMockContext("instanceID", "orgID", "loginClient")
+				got, err := q.GetOIDCClientByID(ctx, "clientID", true)
+				require.ErrorIs(t, err, tt.wantErr)
+				assert.Equal(t, tt.want, got)
+			})
+		})
+	}
+}
--- a/internal/query/org_member_test.go
+++ b/internal/query/org_member_test.go
@@ -21,24 +21,24 @@ var (
 		", members.user_id" +
 		", members.roles" +
 		", projections.login_names3.login_name" +
-		", projections.users9_humans.email" +
-		", projections.users9_humans.first_name" +
-		", projections.users9_humans.last_name" +
-		", projections.users9_humans.display_name" +
-		", projections.users9_machines.name" +
-		", projections.users9_humans.avatar_key" +
-		", projections.users9.type" +
+		", projections.users10_humans.email" +
+		", projections.users10_humans.first_name" +
+		", projections.users10_humans.last_name" +
+		", projections.users10_humans.display_name" +
+		", projections.users10_machines.name" +
+		", projections.users10_humans.avatar_key" +
+		", projections.users10.type" +
 		", COUNT(*) OVER () " +
 		"FROM projections.org_members4 AS members " +
-		"LEFT JOIN projections.users9_humans " +
-		"ON members.user_id = projections.users9_humans.user_id " +
-		"AND members.instance_id = projections.users9_humans.instance_id " +
-		"LEFT JOIN projections.users9_machines " +
-		"ON members.user_id = projections.users9_machines.user_id " +
-		"AND members.instance_id = projections.users9_machines.instance_id " +
-		"LEFT JOIN projections.users9 " +
-		"ON members.user_id = projections.users9.id " +
-		"AND members.instance_id = projections.users9.instance_id " +
+		"LEFT JOIN projections.users10_humans " +
+		"ON members.user_id = projections.users10_humans.user_id " +
+		"AND members.instance_id = projections.users10_humans.instance_id " +
+		"LEFT JOIN projections.users10_machines " +
+		"ON members.user_id = projections.users10_machines.user_id " +
+		"AND members.instance_id = projections.users10_machines.instance_id " +
+		"LEFT JOIN projections.users10 " +
+		"ON members.user_id = projections.users10.id " +
+		"AND members.instance_id = projections.users10.instance_id " +
 		"LEFT JOIN projections.login_names3 " +
 		"ON members.user_id = projections.login_names3.user_id " +
 		"AND members.instance_id = projections.login_names3.instance_id " +
--- a/internal/query/project_grant_member_test.go
+++ b/internal/query/project_grant_member_test.go
@@ -21,24 +21,24 @@ var (
 		", members.user_id" +
 		", members.roles" +
 		", projections.login_names3.login_name" +
-		", projections.users9_humans.email" +
-		", projections.users9_humans.first_name" +
-		", projections.users9_humans.last_name" +
-		", projections.users9_humans.display_name" +
-		", projections.users9_machines.name" +
-		", projections.users9_humans.avatar_key" +
-		", projections.users9.type" +
+		", projections.users10_humans.email" +
+		", projections.users10_humans.first_name" +
+		", projections.users10_humans.last_name" +
+		", projections.users10_humans.display_name" +
+		", projections.users10_machines.name" +
+		", projections.users10_humans.avatar_key" +
+		", projections.users10.type" +
 		", COUNT(*) OVER () " +
 		"FROM projections.project_grant_members4 AS members " +
-		"LEFT JOIN projections.users9_humans " +
-		"ON members.user_id = projections.users9_humans.user_id " +
-		"AND members.instance_id = projections.users9_humans.instance_id " +
-		"LEFT JOIN projections.users9_machines " +
-		"ON members.user_id = projections.users9_machines.user_id " +
-		"AND members.instance_id = projections.users9_machines.instance_id " +
-		"LEFT JOIN projections.users9 " +
-		"ON members.user_id = projections.users9.id " +
-		"AND members.instance_id = projections.users9.instance_id " +
+		"LEFT JOIN projections.users10_humans " +
+		"ON members.user_id = projections.users10_humans.user_id " +
+		"AND members.instance_id = projections.users10_humans.instance_id " +
+		"LEFT JOIN projections.users10_machines " +
+		"ON members.user_id = projections.users10_machines.user_id " +
+		"AND members.instance_id = projections.users10_machines.instance_id " +
+		"LEFT JOIN projections.users10 " +
+		"ON members.user_id = projections.users10.id " +
+		"AND members.instance_id = projections.users10.instance_id " +
 		"LEFT JOIN projections.login_names3 " +
 		"ON members.user_id = projections.login_names3.user_id " +
 		"AND members.instance_id = projections.login_names3.instance_id " +
--- a/internal/query/project_member_test.go
+++ b/internal/query/project_member_test.go
@@ -21,24 +21,24 @@ var (
 		", members.user_id" +
 		", members.roles" +
 		", projections.login_names3.login_name" +
-		", projections.users9_humans.email" +
-		", projections.users9_humans.first_name" +
-		", projections.users9_humans.last_name" +
-		", projections.users9_humans.display_name" +
-		", projections.users9_machines.name" +
-		", projections.users9_humans.avatar_key" +
-		", projections.users9.type" +
+		", projections.users10_humans.email" +
+		", projections.users10_humans.first_name" +
+		", projections.users10_humans.last_name" +
+		", projections.users10_humans.display_name" +
+		", projections.users10_machines.name" +
+		", projections.users10_humans.avatar_key" +
+		", projections.users10.type" +
 		", COUNT(*) OVER () " +
 		"FROM projections.project_members4 AS members " +
-		"LEFT JOIN projections.users9_humans " +
-		"ON members.user_id = projections.users9_humans.user_id " +
-		"AND members.instance_id = projections.users9_humans.instance_id " +
-		"LEFT JOIN projections.users9_machines " +
-		"ON members.user_id = projections.users9_machines.user_id " +
-		"AND members.instance_id = projections.users9_machines.instance_id " +
-		"LEFT JOIN projections.users9 " +
-		"ON members.user_id = projections.users9.id " +
-		"AND members.instance_id = projections.users9.instance_id " +
+		"LEFT JOIN projections.users10_humans " +
+		"ON members.user_id = projections.users10_humans.user_id " +
+		"AND members.instance_id = projections.users10_humans.instance_id " +
+		"LEFT JOIN projections.users10_machines " +
+		"ON members.user_id = projections.users10_machines.user_id " +
+		"AND members.instance_id = projections.users10_machines.instance_id " +
+		"LEFT JOIN projections.users10 " +
+		"ON members.user_id = projections.users10.id " +
+		"AND members.instance_id = projections.users10.instance_id " +
 		"LEFT JOIN projections.login_names3 " +
 		"ON members.user_id = projections.login_names3.user_id " +
 		"AND members.instance_id = projections.login_names3.instance_id " +
--- a/internal/query/projection/user.go
+++ b/internal/query/projection/user.go
@@ -15,7 +15,7 @@ import (
 )

 const (
-	UserTable        = "projections.users9"
+	UserTable        = "projections.users10"
 	UserHumanTable   = UserTable + "_" + UserHumanSuffix
 	UserMachineTable = UserTable + "_" + UserMachineSuffix
 	UserNotifyTable  = UserTable + "_" + UserNotifySuffix
@@ -57,7 +57,7 @@ const (
 	MachineUserInstanceIDCol  = "instance_id"
 	MachineNameCol            = "name"
 	MachineDescriptionCol     = "description"
-	MachineHasSecretCol       = "has_secret"
+	MachineSecretCol          = "secret"
 	MachineAccessTokenTypeCol = "access_token_type"

 	// notify
@@ -122,7 +122,7 @@ func (*userProjection) Init() *old_handler.Check {
 			handler.NewColumn(MachineUserInstanceIDCol, handler.ColumnTypeText),
 			handler.NewColumn(MachineNameCol, handler.ColumnTypeText),
 			handler.NewColumn(MachineDescriptionCol, handler.ColumnTypeText, handler.Nullable()),
-			handler.NewColumn(MachineHasSecretCol, handler.ColumnTypeBool, handler.Default(false)),
+			handler.NewColumn(MachineSecretCol, handler.ColumnTypeJSONB, handler.Nullable()),
 			handler.NewColumn(MachineAccessTokenTypeCol, handler.ColumnTypeEnum, handler.Default(0)),
 		},
 			handler.NewPrimaryKey(MachineUserInstanceIDCol, MachineUserIDCol),
@@ -936,7 +936,7 @@ func (p *userProjection) reduceMachineSecretSet(event eventstore.Event) (*handle
 		),
 		handler.AddUpdateStatement(
 			[]handler.Column{
-				handler.NewCol(MachineHasSecretCol, true),
+				handler.NewCol(MachineSecretCol, e.ClientSecret),
 			},
 			[]handler.Condition{
 				handler.NewCond(MachineUserIDCol, e.Aggregate().ID),
@@ -967,7 +967,7 @@ func (p *userProjection) reduceMachineSecretRemoved(event eventstore.Event) (*ha
 		),
 		handler.AddUpdateStatement(
 			[]handler.Column{
-				handler.NewCol(MachineHasSecretCol, false),
+				handler.NewCol(MachineSecretCol, nil),
 			},
 			[]handler.Condition{
 				handler.NewCond(MachineUserIDCol, e.Aggregate().ID),
--- a/internal/query/projection/user_test.go
+++ b/internal/query/projection/user_test.go
@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"testing"

+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
@@ -50,7 +51,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.users9 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+							expectedStmt: "INSERT INTO projections.users10 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@@ -64,7 +65,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_humans (user_id, instance_id, first_name, last_name, nick_name, display_name, preferred_language, gender, email, phone) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
+							expectedStmt: "INSERT INTO projections.users10_humans (user_id, instance_id, first_name, last_name, nick_name, display_name, preferred_language, gender, email, phone) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -79,7 +80,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_notifications (user_id, instance_id, last_email, last_phone, password_set) VALUES ($1, $2, $3, $4, $5)",
+							expectedStmt: "INSERT INTO projections.users10_notifications (user_id, instance_id, last_email, last_phone, password_set) VALUES ($1, $2, $3, $4, $5)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -119,7 +120,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.users9 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+							expectedStmt: "INSERT INTO projections.users10 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@@ -133,7 +134,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_humans (user_id, instance_id, first_name, last_name, nick_name, display_name, preferred_language, gender, email, phone) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
+							expectedStmt: "INSERT INTO projections.users10_humans (user_id, instance_id, first_name, last_name, nick_name, display_name, preferred_language, gender, email, phone) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -148,7 +149,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_notifications (user_id, instance_id, last_email, last_phone, password_set) VALUES ($1, $2, $3, $4, $5)",
+							expectedStmt: "INSERT INTO projections.users10_notifications (user_id, instance_id, last_email, last_phone, password_set) VALUES ($1, $2, $3, $4, $5)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -183,7 +184,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.users9 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+							expectedStmt: "INSERT INTO projections.users10 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@@ -197,7 +198,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_humans (user_id, instance_id, first_name, last_name, nick_name, display_name, preferred_language, gender, email, phone) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
+							expectedStmt: "INSERT INTO projections.users10_humans (user_id, instance_id, first_name, last_name, nick_name, display_name, preferred_language, gender, email, phone) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -212,7 +213,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_notifications (user_id, instance_id, last_email, last_phone, password_set) VALUES ($1, $2, $3, $4, $5)",
+							expectedStmt: "INSERT INTO projections.users10_notifications (user_id, instance_id, last_email, last_phone, password_set) VALUES ($1, $2, $3, $4, $5)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -252,7 +253,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.users9 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+							expectedStmt: "INSERT INTO projections.users10 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@@ -266,7 +267,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_humans (user_id, instance_id, first_name, last_name, nick_name, display_name, preferred_language, gender, email, phone) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
+							expectedStmt: "INSERT INTO projections.users10_humans (user_id, instance_id, first_name, last_name, nick_name, display_name, preferred_language, gender, email, phone) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -281,7 +282,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_notifications (user_id, instance_id, last_email, last_phone, password_set) VALUES ($1, $2, $3, $4, $5)",
+							expectedStmt: "INSERT INTO projections.users10_notifications (user_id, instance_id, last_email, last_phone, password_set) VALUES ($1, $2, $3, $4, $5)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -321,7 +322,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.users9 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+							expectedStmt: "INSERT INTO projections.users10 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@@ -335,7 +336,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_humans (user_id, instance_id, first_name, last_name, nick_name, display_name, preferred_language, gender, email, phone) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
+							expectedStmt: "INSERT INTO projections.users10_humans (user_id, instance_id, first_name, last_name, nick_name, display_name, preferred_language, gender, email, phone) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -350,7 +351,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_notifications (user_id, instance_id, last_email, last_phone, password_set) VALUES ($1, $2, $3, $4, $5)",
+							expectedStmt: "INSERT INTO projections.users10_notifications (user_id, instance_id, last_email, last_phone, password_set) VALUES ($1, $2, $3, $4, $5)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -385,7 +386,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.users9 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+							expectedStmt: "INSERT INTO projections.users10 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@@ -399,7 +400,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_humans (user_id, instance_id, first_name, last_name, nick_name, display_name, preferred_language, gender, email, phone) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
+							expectedStmt: "INSERT INTO projections.users10_humans (user_id, instance_id, first_name, last_name, nick_name, display_name, preferred_language, gender, email, phone) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -414,7 +415,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_notifications (user_id, instance_id, last_email, last_phone, password_set) VALUES ($1, $2, $3, $4, $5)",
+							expectedStmt: "INSERT INTO projections.users10_notifications (user_id, instance_id, last_email, last_phone, password_set) VALUES ($1, $2, $3, $4, $5)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -444,7 +445,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET state = $1 WHERE (id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10 SET state = $1 WHERE (id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								domain.UserStateInitial,
 								"agg-id",
@@ -472,7 +473,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET state = $1 WHERE (id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10 SET state = $1 WHERE (id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								domain.UserStateInitial,
 								"agg-id",
@@ -500,7 +501,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET state = $1 WHERE (id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10 SET state = $1 WHERE (id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								domain.UserStateActive,
 								"agg-id",
@@ -528,7 +529,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET state = $1 WHERE (id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10 SET state = $1 WHERE (id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								domain.UserStateActive,
 								"agg-id",
@@ -556,7 +557,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, state, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, state, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								domain.UserStateLocked,
@@ -586,7 +587,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, state, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, state, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								domain.UserStateActive,
@@ -616,7 +617,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, state, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, state, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								domain.UserStateInactive,
@@ -646,7 +647,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, state, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, state, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								domain.UserStateActive,
@@ -676,7 +677,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "DELETE FROM projections.users9 WHERE (id = $1) AND (instance_id = $2)",
+							expectedStmt: "DELETE FROM projections.users10 WHERE (id = $1) AND (instance_id = $2)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -705,7 +706,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, username, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, username, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								"username",
@@ -737,7 +738,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, username, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, username, sequence) = ($1, $2, $3) WHERE (id = $4) AND (instance_id = $5)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								"id@temporary.domain",
@@ -774,7 +775,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -783,7 +784,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET (first_name, last_name, nick_name, display_name, preferred_language, gender) = ($1, $2, $3, $4, $5, $6) WHERE (user_id = $7) AND (instance_id = $8)",
+							expectedStmt: "UPDATE projections.users10_humans SET (first_name, last_name, nick_name, display_name, preferred_language, gender) = ($1, $2, $3, $4, $5, $6) WHERE (user_id = $7) AND (instance_id = $8)",
 							expectedArgs: []interface{}{
 								"first-name",
 								"last-name",
@@ -823,7 +824,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -832,7 +833,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET (first_name, last_name, nick_name, display_name, preferred_language, gender) = ($1, $2, $3, $4, $5, $6) WHERE (user_id = $7) AND (instance_id = $8)",
+							expectedStmt: "UPDATE projections.users10_humans SET (first_name, last_name, nick_name, display_name, preferred_language, gender) = ($1, $2, $3, $4, $5, $6) WHERE (user_id = $7) AND (instance_id = $8)",
 							expectedArgs: []interface{}{
 								"first-name",
 								"last-name",
@@ -867,7 +868,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -876,7 +877,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET (phone, is_phone_verified) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10_humans SET (phone, is_phone_verified) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								domain.PhoneNumber("+41 00 000 00 00"),
 								false,
@@ -885,7 +886,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_notifications SET last_phone = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_notifications SET last_phone = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								&sql.NullString{String: "+41 00 000 00 00", Valid: true},
 								"agg-id",
@@ -915,7 +916,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -924,7 +925,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET (phone, is_phone_verified) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10_humans SET (phone, is_phone_verified) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								domain.PhoneNumber("+41 00 000 00 00"),
 								false,
@@ -933,7 +934,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_notifications SET last_phone = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_notifications SET last_phone = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								&sql.NullString{String: "+41 00 000 00 00", Valid: true},
 								"agg-id",
@@ -961,7 +962,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -970,7 +971,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET (phone, is_phone_verified) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10_humans SET (phone, is_phone_verified) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								nil,
 								nil,
@@ -979,7 +980,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_notifications SET (last_phone, verified_phone) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10_notifications SET (last_phone, verified_phone) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								nil,
 								nil,
@@ -1008,7 +1009,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1017,7 +1018,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET (phone, is_phone_verified) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10_humans SET (phone, is_phone_verified) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								nil,
 								nil,
@@ -1026,7 +1027,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_notifications SET (last_phone, verified_phone) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10_notifications SET (last_phone, verified_phone) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								nil,
 								nil,
@@ -1055,7 +1056,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1064,7 +1065,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET is_phone_verified = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_humans SET is_phone_verified = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								true,
 								"agg-id",
@@ -1072,7 +1073,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_notifications SET verified_phone = last_phone WHERE (user_id = $1) AND (instance_id = $2)",
+							expectedStmt: "UPDATE projections.users10_notifications SET verified_phone = last_phone WHERE (user_id = $1) AND (instance_id = $2)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -1099,7 +1100,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1108,7 +1109,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET is_phone_verified = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_humans SET is_phone_verified = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								true,
 								"agg-id",
@@ -1116,7 +1117,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_notifications SET verified_phone = last_phone WHERE (user_id = $1) AND (instance_id = $2)",
+							expectedStmt: "UPDATE projections.users10_notifications SET verified_phone = last_phone WHERE (user_id = $1) AND (instance_id = $2)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -1145,7 +1146,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1154,7 +1155,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET (email, is_email_verified) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10_humans SET (email, is_email_verified) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								domain.EmailAddress("email@zitadel.com"),
 								false,
@@ -1163,7 +1164,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_notifications SET last_email = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_notifications SET last_email = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								&sql.NullString{String: "email@zitadel.com", Valid: true},
 								"agg-id",
@@ -1193,7 +1194,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1202,7 +1203,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET (email, is_email_verified) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10_humans SET (email, is_email_verified) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								domain.EmailAddress("email@zitadel.com"),
 								false,
@@ -1211,7 +1212,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_notifications SET last_email = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_notifications SET last_email = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								&sql.NullString{String: "email@zitadel.com", Valid: true},
 								"agg-id",
@@ -1239,7 +1240,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1248,7 +1249,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET is_email_verified = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_humans SET is_email_verified = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								true,
 								"agg-id",
@@ -1256,7 +1257,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_notifications SET verified_email = last_email WHERE (user_id = $1) AND (instance_id = $2)",
+							expectedStmt: "UPDATE projections.users10_notifications SET verified_email = last_email WHERE (user_id = $1) AND (instance_id = $2)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -1283,7 +1284,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1292,7 +1293,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET is_email_verified = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_humans SET is_email_verified = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								true,
 								"agg-id",
@@ -1300,7 +1301,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_notifications SET verified_email = last_email WHERE (user_id = $1) AND (instance_id = $2)",
+							expectedStmt: "UPDATE projections.users10_notifications SET verified_email = last_email WHERE (user_id = $1) AND (instance_id = $2)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -1329,7 +1330,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1338,7 +1339,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET avatar_key = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_humans SET avatar_key = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								"users/agg-id/avatar",
 								"agg-id",
@@ -1366,7 +1367,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1375,7 +1376,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_humans SET avatar_key = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_humans SET avatar_key = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								nil,
 								"agg-id",
@@ -1406,7 +1407,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.users9 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+							expectedStmt: "INSERT INTO projections.users10 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@@ -1420,7 +1421,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_machines (user_id, instance_id, name, description, access_token_type) VALUES ($1, $2, $3, $4, $5)",
+							expectedStmt: "INSERT INTO projections.users10_machines (user_id, instance_id, name, description, access_token_type) VALUES ($1, $2, $3, $4, $5)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -1454,7 +1455,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.users9 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
+							expectedStmt: "INSERT INTO projections.users10 (id, creation_date, change_date, resource_owner, instance_id, state, sequence, username, type) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								anyArg{},
@@ -1468,7 +1469,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "INSERT INTO projections.users9_machines (user_id, instance_id, name, description, access_token_type) VALUES ($1, $2, $3, $4, $5)",
+							expectedStmt: "INSERT INTO projections.users10_machines (user_id, instance_id, name, description, access_token_type) VALUES ($1, $2, $3, $4, $5)",
 							expectedArgs: []interface{}{
 								"agg-id",
 								"instance-id",
@@ -1501,7 +1502,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1510,7 +1511,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_machines SET (name, description) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10_machines SET (name, description) = ($1, $2) WHERE (user_id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								"machine-name",
 								"description",
@@ -1541,7 +1542,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1550,7 +1551,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_machines SET name = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_machines SET name = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								"machine-name",
 								"agg-id",
@@ -1580,7 +1581,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1589,7 +1590,7 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_machines SET description = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_machines SET description = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
 								"description",
 								"agg-id",
@@ -1627,7 +1628,7 @@ func TestUserProjection_reduces(t *testing.T) {
 						user.MachineSecretSetType,
 						user.AggregateType,
 						[]byte(`{
-						"client_secret": {}
+							"clientSecret": {"CryptoType":1,"Algorithm":"bcrypt","Crypted":"deadbeef"}
 					}`),
 					), user.MachineSecretSetEventMapper),
 			},
@@ -1638,7 +1639,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1647,9 +1648,13 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_machines SET has_secret = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_machines SET secret = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
-								true,
+								&crypto.CryptoValue{
+									CryptoType: crypto.TypeHash,
+									Algorithm:  "bcrypt",
+									Crypted:    []byte{117, 230, 157, 109, 231, 159},
+								},
 								"agg-id",
 								"instance-id",
 							},
@@ -1659,7 +1664,7 @@ func TestUserProjection_reduces(t *testing.T) {
 			},
 		},
 		{
-			name: "reduceMachineSecretSet",
+			name: "reduceMachineSecretRemoved",
 			args: args{
 				event: getEvent(
 					testEvent(
@@ -1675,7 +1680,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "UPDATE projections.users9 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
+							expectedStmt: "UPDATE projections.users10 SET (change_date, sequence) = ($1, $2) WHERE (id = $3) AND (instance_id = $4)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								uint64(15),
@@ -1684,9 +1689,9 @@ func TestUserProjection_reduces(t *testing.T) {
 							},
 						},
 						{
-							expectedStmt: "UPDATE projections.users9_machines SET has_secret = $1 WHERE (user_id = $2) AND (instance_id = $3)",
+							expectedStmt: "UPDATE projections.users10_machines SET secret = $1 WHERE (user_id = $2) AND (instance_id = $3)",
 							expectedArgs: []interface{}{
-								false,
+								nil,
 								"agg-id",
 								"instance-id",
 							},
@@ -1712,7 +1717,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "DELETE FROM projections.users9 WHERE (instance_id = $1) AND (resource_owner = $2)",
+							expectedStmt: "DELETE FROM projections.users10 WHERE (instance_id = $1) AND (resource_owner = $2)",
 							expectedArgs: []interface{}{
 								"instance-id",
 								"agg-id",
@@ -1739,7 +1744,7 @@ func TestUserProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "DELETE FROM projections.users9 WHERE (instance_id = $1)",
+							expectedStmt: "DELETE FROM projections.users10 WHERE (instance_id = $1)",
 							expectedArgs: []interface{}{
 								"agg-id",
 							},
--- a/internal/query/quota_notifications.go
+++ b/internal/query/quota_notifications.go
@@ -3,12 +3,11 @@ package query
 import (
 	"context"
 	"database/sql"
-	errs "errors"
+	"errors"
 	"math"
 	"time"

 	sq "github.com/Masterminds/squirrel"
-	"github.com/pkg/errors"

 	"github.com/zitadel/zitadel/internal/api/call"
 	zitadel_errors "github.com/zitadel/zitadel/internal/errors"
@@ -166,7 +165,7 @@ func prepareQuotaNotificationsQuery(ctx context.Context, db prepareDatabase) (sq
 				var nextDueThreshold sql.NullInt16
 				err := rows.Scan(&cfg.ID, &cfg.CallURL, &cfg.Percent, &cfg.Repeat, &nextDueThreshold)
 				if err != nil {
-					if errs.Is(err, sql.ErrNoRows) {
+					if errors.Is(err, sql.ErrNoRows) {
 						return nil, zitadel_errors.ThrowNotFound(err, "QUERY-bbqWb", "Errors.QuotaNotification.NotExisting")
 					}
 					return nil, zitadel_errors.ThrowInternal(err, "QUERY-8copS", "Errors.Internal")
--- a/internal/query/sessions_test.go
+++ b/internal/query/sessions_test.go
@@ -31,7 +31,7 @@ var (
 		` projections.sessions8.user_resource_owner,` +
 		` projections.sessions8.user_checked_at,` +
 		` projections.login_names3.login_name,` +
-		` projections.users9_humans.display_name,` +
+		` projections.users10_humans.display_name,` +
 		` projections.sessions8.password_checked_at,` +
 		` projections.sessions8.intent_checked_at,` +
 		` projections.sessions8.webauthn_checked_at,` +
@@ -48,8 +48,8 @@ var (
 		` projections.sessions8.expiration` +
 		` FROM projections.sessions8` +
 		` LEFT JOIN projections.login_names3 ON projections.sessions8.user_id = projections.login_names3.user_id AND projections.sessions8.instance_id = projections.login_names3.instance_id` +
-		` LEFT JOIN projections.users9_humans ON projections.sessions8.user_id = projections.users9_humans.user_id AND projections.sessions8.instance_id = projections.users9_humans.instance_id` +
-		` LEFT JOIN projections.users9 ON projections.sessions8.user_id = projections.users9.id AND projections.sessions8.instance_id = projections.users9.instance_id` +
+		` LEFT JOIN projections.users10_humans ON projections.sessions8.user_id = projections.users10_humans.user_id AND projections.sessions8.instance_id = projections.users10_humans.instance_id` +
+		` LEFT JOIN projections.users10 ON projections.sessions8.user_id = projections.users10.id AND projections.sessions8.instance_id = projections.users10.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms'`)
 	expectedSessionsQuery = regexp.QuoteMeta(`SELECT projections.sessions8.id,` +
 		` projections.sessions8.creation_date,` +
@@ -62,7 +62,7 @@ var (
 		` projections.sessions8.user_resource_owner,` +
 		` projections.sessions8.user_checked_at,` +
 		` projections.login_names3.login_name,` +
-		` projections.users9_humans.display_name,` +
+		` projections.users10_humans.display_name,` +
 		` projections.sessions8.password_checked_at,` +
 		` projections.sessions8.intent_checked_at,` +
 		` projections.sessions8.webauthn_checked_at,` +
@@ -75,8 +75,8 @@ var (
 		` COUNT(*) OVER ()` +
 		` FROM projections.sessions8` +
 		` LEFT JOIN projections.login_names3 ON projections.sessions8.user_id = projections.login_names3.user_id AND projections.sessions8.instance_id = projections.login_names3.instance_id` +
-		` LEFT JOIN projections.users9_humans ON projections.sessions8.user_id = projections.users9_humans.user_id AND projections.sessions8.instance_id = projections.users9_humans.instance_id` +
-		` LEFT JOIN projections.users9 ON projections.sessions8.user_id = projections.users9.id AND projections.sessions8.instance_id = projections.users9.instance_id` +
+		` LEFT JOIN projections.users10_humans ON projections.sessions8.user_id = projections.users10_humans.user_id AND projections.sessions8.instance_id = projections.users10_humans.instance_id` +
+		` LEFT JOIN projections.users10 ON projections.sessions8.user_id = projections.users10.id AND projections.sessions8.instance_id = projections.users10.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms'`)

 	sessionCols = []string{
--- a/internal/query/testdata/oidc_client_jwt.json
+++ b/internal/query/testdata/oidc_client_jwt.json
@@ -0,0 +1,27 @@
+{
+  "instance_id": "230690539048009730",
+  "app_id": "236647088211886082",
+  "client_id": "236647088211951618@tests",
+  "client_secret": null,
+  "redirect_uris": ["http://localhost:9999/auth/callback"],
+  "response_types": [0],
+  "grant_types": [0, 2],
+  "application_type": 0,
+  "auth_method_type": 3,
+  "post_logout_redirect_uris": ["https://example.com/logout"],
+  "is_dev_mode": true,
+  "access_token_type": 1,
+  "access_token_role_assertion": true,
+  "id_token_role_assertion": true,
+  "id_token_userinfo_assertion": true,
+  "clock_skew": 1000000000,
+  "additional_origins": ["https://example.com"],
+  "project_id": "236645808328409090",
+  "state": 1,
+  "project_role_keys": ["role1", "role2"],
+  "public_keys": {
+    "236647201860747266": "LS0tLS1CRUdJTiBSU0EgUFVCTElDIEtFWS0tLS0tCk1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFB\nT0NBUThBTUlJQkNnS0NBUUVBMnVmQUwxYjcyYkl5MWFyK1dzNmIKR29oSkpRRkI3ZGZSYXBEcWVx\nTThVa3A2Q1ZkUHpxL3BPejF2aUFxNTB5eldaSnJ5Risyd3NoRkFLR0Y5QTIvQgoyWWY5YkpYUFov\nS2JrRnJZVDNOVHZZRGt2bGFTVGw5bU1uenJVMjlzNDhGMVBUV0tmQitDM2FNc09FRzFCdWZWCnM2\nM3FGNG5yRVBqU2JobGpJY285RlpxNFhwcEl6aE1RMGZEZEEvK1h5Z0NKcXZ1YUwwTGliTTFLcmxV\nZG51NzEKWWVraFNKakVQbnZPaXNYSWs0SVh5d29HSU93dGp4a0R2Tkl0UXZhTVZsZHI0L2tiNnV2\nYmdkV3dxNUV3QlpYcQpsb3cya3lKb3YzOFY0VWsySThrdVhwTGNucnB3NVRpbzJvb2lVRTI3YjB2\nSFpxQktPZWk5VW84OHFDcm4zRUt4CjZRSURBUUFCCi0tLS0tRU5EIFJTQSBQVUJMSUMgS0VZLS0t\nLS0K"
+  },
+  "access_token_lifetime": 43200000000000,
+  "id_token_lifetime": 43200000000000
+}
--- a/internal/query/testdata/oidc_client_public.json
+++ b/internal/query/testdata/oidc_client_public.json
@@ -0,0 +1,25 @@
+{
+  "instance_id": "230690539048009730",
+  "app_id": "236646457053020162",
+  "client_id": "236646457053085698@tests",
+  "client_secret": null,
+  "redirect_uris": ["http://localhost:9999/auth/callback"],
+  "response_types": [0],
+  "grant_types": [0],
+  "application_type": 0,
+  "auth_method_type": 2,
+  "post_logout_redirect_uris": null,
+  "is_dev_mode": true,
+  "access_token_type": 0,
+  "access_token_role_assertion": false,
+  "id_token_role_assertion": false,
+  "id_token_userinfo_assertion": false,
+  "clock_skew": 0,
+  "additional_origins": null,
+  "project_id": "236645808328409090",
+  "state": 1,
+  "project_role_keys": ["role1", "role2"],
+  "public_keys": null,
+  "access_token_lifetime": 43200000000000,
+  "id_token_lifetime": 43200000000000
+}
--- a/internal/query/testdata/oidc_client_secret.json
+++ b/internal/query/testdata/oidc_client_secret.json
@@ -0,0 +1,30 @@
+{
+  "instance_id": "230690539048009730",
+  "app_id": "236646858984783874",
+  "client_id": "236646858984849410@tests",
+  "client_secret": {
+    "KeyID": "",
+    "Crypted": "JDJhJDE0JE96WjBYRVpaRXREMTNweS9FUGJhMmV2c1M2V2NLWjVvclZNajlwV0hFR0VIbUx1MmgzUEZx",
+    "Algorithm": "bcrypt",
+    "CryptoType": 1
+  },
+  "redirect_uris": ["http://localhost:9999/auth/callback"],
+  "response_types": [0],
+  "grant_types": [0],
+  "application_type": 0,
+  "auth_method_type": 0,
+  "post_logout_redirect_uris": null,
+  "is_dev_mode": true,
+  "access_token_type": 0,
+  "access_token_role_assertion": false,
+  "id_token_role_assertion": false,
+  "id_token_userinfo_assertion": false,
+  "clock_skew": 0,
+  "additional_origins": null,
+  "project_id": "236645808328409090",
+  "state": 1,
+  "project_role_keys": ["role1", "role2"],
+  "public_keys": null,
+  "access_token_lifetime": 43200000000000,
+  "id_token_lifetime": 43200000000000
+}
--- a/internal/query/user.go
+++ b/internal/query/user.go
@@ -12,6 +12,7 @@ import (

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/call"
+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
@@ -91,7 +92,7 @@ type Phone struct {
 type Machine struct {
 	Name            string               `json:"name,omitempty"`
 	Description     string               `json:"description,omitempty"`
-	HasSecret       bool                 `json:"has_secret,omitempty"`
+	Secret          *crypto.CryptoValue  `json:"secret,omitempty"`
 	AccessTokenType domain.OIDCTokenType `json:"access_token_type,omitempty"`
 }

@@ -270,8 +271,8 @@ var (
 		name:  projection.MachineDescriptionCol,
 		table: machineTable,
 	}
-	MachineHasSecretCol = Column{
-		name:  projection.MachineHasSecretCol,
+	MachineSecretCol = Column{
+		name:  projection.MachineSecretCol,
 		table: machineTable,
 	}
 	MachineAccessTokenTypeCol = Column{
@@ -740,7 +741,7 @@ func prepareUserQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder
 			MachineUserIDCol.identifier(),
 			MachineNameCol.identifier(),
 			MachineDescriptionCol.identifier(),
-			MachineHasSecretCol.identifier(),
+			MachineSecretCol.identifier(),
 			MachineAccessTokenTypeCol.identifier(),
 			countColumn.identifier(),
 		).
@@ -777,7 +778,7 @@ func prepareUserQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder
 			machineID := sql.NullString{}
 			name := sql.NullString{}
 			description := sql.NullString{}
-			hasSecret := sql.NullBool{}
+			var secret *crypto.CryptoValue
 			accessTokenType := sql.NullInt32{}

 			err := row.Scan(
@@ -806,7 +807,7 @@ func prepareUserQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder
 				&machineID,
 				&name,
 				&description,
-				&hasSecret,
+				&secret,
 				&accessTokenType,
 				&count,
 			)
@@ -838,7 +839,7 @@ func prepareUserQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilder
 				u.Machine = &Machine{
 					Name:            name.String,
 					Description:     description.String,
-					HasSecret:       hasSecret.Bool,
+					Secret:          secret,
 					AccessTokenType: domain.OIDCTokenType(accessTokenType.Int32),
 				}
 			}
@@ -1210,7 +1211,7 @@ func prepareUsersQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilde
 			MachineUserIDCol.identifier(),
 			MachineNameCol.identifier(),
 			MachineDescriptionCol.identifier(),
-			MachineHasSecretCol.identifier(),
+			MachineSecretCol.identifier(),
 			MachineAccessTokenTypeCol.identifier(),
 			countColumn.identifier()).
 			From(userTable.identifier()).
@@ -1249,7 +1250,7 @@ func prepareUsersQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilde
 				machineID := sql.NullString{}
 				name := sql.NullString{}
 				description := sql.NullString{}
-				hasSecret := sql.NullBool{}
+				secret := new(crypto.CryptoValue)
 				accessTokenType := sql.NullInt32{}

 				err := rows.Scan(
@@ -1278,7 +1279,7 @@ func prepareUsersQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilde
 					&machineID,
 					&name,
 					&description,
-					&hasSecret,
+					secret,
 					&accessTokenType,
 					&count,
 				)
@@ -1309,7 +1310,7 @@ func prepareUsersQuery(ctx context.Context, db prepareDatabase) (sq.SelectBuilde
 					u.Machine = &Machine{
 						Name:            name.String,
 						Description:     description.String,
-						HasSecret:       hasSecret.Bool,
+						Secret:          secret,
 						AccessTokenType: domain.OIDCTokenType(accessTokenType.Int32),
 					}
 				}
--- a/internal/query/user_auth_method_test.go
+++ b/internal/query/user_auth_method_test.go
@@ -39,38 +39,38 @@ var (
 		"method_type",
 		"count",
 	}
-	prepareActiveAuthMethodTypesStmt = `SELECT projections.users9_notifications.password_set,` +
+	prepareActiveAuthMethodTypesStmt = `SELECT projections.users10_notifications.password_set,` +
 		` auth_method_types.method_type,` +
 		` user_idps_count.count` +
-		` FROM projections.users9` +
-		` LEFT JOIN projections.users9_notifications ON projections.users9.id = projections.users9_notifications.user_id AND projections.users9.instance_id = projections.users9_notifications.instance_id` +
+		` FROM projections.users10` +
+		` LEFT JOIN projections.users10_notifications ON projections.users10.id = projections.users10_notifications.user_id AND projections.users10.instance_id = projections.users10_notifications.instance_id` +
 		` LEFT JOIN (SELECT DISTINCT(auth_method_types.method_type), auth_method_types.user_id, auth_method_types.instance_id FROM projections.user_auth_methods4 AS auth_method_types` +
 		` WHERE auth_method_types.state = $1) AS auth_method_types` +
-		` ON auth_method_types.user_id = projections.users9.id AND auth_method_types.instance_id = projections.users9.instance_id` +
+		` ON auth_method_types.user_id = projections.users10.id AND auth_method_types.instance_id = projections.users10.instance_id` +
 		` LEFT JOIN (SELECT user_idps_count.user_id, user_idps_count.instance_id, COUNT(user_idps_count.user_id) AS count FROM projections.idp_user_links3 AS user_idps_count` +
 		` GROUP BY user_idps_count.user_id, user_idps_count.instance_id) AS user_idps_count` +
-		` ON user_idps_count.user_id = projections.users9.id AND user_idps_count.instance_id = projections.users9.instance_id` +
+		` ON user_idps_count.user_id = projections.users10.id AND user_idps_count.instance_id = projections.users10.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms`
 	prepareActiveAuthMethodTypesCols = []string{
 		"password_set",
 		"method_type",
 		"idps_count",
 	}
-	prepareAuthMethodTypesRequiredStmt = `SELECT projections.users9_notifications.password_set,` +
+	prepareAuthMethodTypesRequiredStmt = `SELECT projections.users10_notifications.password_set,` +
 		` auth_method_types.method_type,` +
 		` user_idps_count.count,` +
 		` auth_methods_force_mfa.force_mfa,` +
 		` auth_methods_force_mfa.force_mfa_local_only` +
-		` FROM projections.users9` +
-		` LEFT JOIN projections.users9_notifications ON projections.users9.id = projections.users9_notifications.user_id AND projections.users9.instance_id = projections.users9_notifications.instance_id` +
+		` FROM projections.users10` +
+		` LEFT JOIN projections.users10_notifications ON projections.users10.id = projections.users10_notifications.user_id AND projections.users10.instance_id = projections.users10_notifications.instance_id` +
 		` LEFT JOIN (SELECT DISTINCT(auth_method_types.method_type), auth_method_types.user_id, auth_method_types.instance_id FROM projections.user_auth_methods4 AS auth_method_types` +
 		` WHERE auth_method_types.state = $1) AS auth_method_types` +
-		` ON auth_method_types.user_id = projections.users9.id AND auth_method_types.instance_id = projections.users9.instance_id` +
+		` ON auth_method_types.user_id = projections.users10.id AND auth_method_types.instance_id = projections.users10.instance_id` +
 		` LEFT JOIN (SELECT user_idps_count.user_id, user_idps_count.instance_id, COUNT(user_idps_count.user_id) AS count FROM projections.idp_user_links3 AS user_idps_count` +
 		` GROUP BY user_idps_count.user_id, user_idps_count.instance_id) AS user_idps_count` +
-		` ON user_idps_count.user_id = projections.users9.id AND user_idps_count.instance_id = projections.users9.instance_id` +
+		` ON user_idps_count.user_id = projections.users10.id AND user_idps_count.instance_id = projections.users10.instance_id` +
 		` LEFT JOIN (SELECT auth_methods_force_mfa.force_mfa, auth_methods_force_mfa.force_mfa_local_only, auth_methods_force_mfa.instance_id, auth_methods_force_mfa.aggregate_id FROM projections.login_policies5 AS auth_methods_force_mfa ORDER BY auth_methods_force_mfa.is_default) AS auth_methods_force_mfa` +
-		` ON (auth_methods_force_mfa.aggregate_id = projections.users9.instance_id OR auth_methods_force_mfa.aggregate_id = projections.users9.resource_owner) AND auth_methods_force_mfa.instance_id = projections.users9.instance_id` +
+		` ON (auth_methods_force_mfa.aggregate_id = projections.users10.instance_id OR auth_methods_force_mfa.aggregate_id = projections.users10.resource_owner) AND auth_methods_force_mfa.instance_id = projections.users10.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms
 `
 	prepareAuthMethodTypesRequiredCols = []string{
--- a/internal/query/user_grant_test.go
+++ b/internal/query/user_grant_test.go
@@ -23,14 +23,14 @@ var (
 			", projections.user_grants3.roles" +
 			", projections.user_grants3.state" +
 			", projections.user_grants3.user_id" +
-			", projections.users9.username" +
-			", projections.users9.type" +
-			", projections.users9.resource_owner" +
-			", projections.users9_humans.first_name" +
-			", projections.users9_humans.last_name" +
-			", projections.users9_humans.email" +
-			", projections.users9_humans.display_name" +
-			", projections.users9_humans.avatar_key" +
+			", projections.users10.username" +
+			", projections.users10.type" +
+			", projections.users10.resource_owner" +
+			", projections.users10_humans.first_name" +
+			", projections.users10_humans.last_name" +
+			", projections.users10_humans.email" +
+			", projections.users10_humans.display_name" +
+			", projections.users10_humans.avatar_key" +
 			", projections.login_names3.login_name" +
 			", projections.user_grants3.resource_owner" +
 			", projections.orgs1.name" +
@@ -38,8 +38,8 @@ var (
 			", projections.user_grants3.project_id" +
 			", projections.projects4.name" +
 			" FROM projections.user_grants3" +
-			" LEFT JOIN projections.users9 ON projections.user_grants3.user_id = projections.users9.id AND projections.user_grants3.instance_id = projections.users9.instance_id" +
-			" LEFT JOIN projections.users9_humans ON projections.user_grants3.user_id = projections.users9_humans.user_id AND projections.user_grants3.instance_id = projections.users9_humans.instance_id" +
+			" LEFT JOIN projections.users10 ON projections.user_grants3.user_id = projections.users10.id AND projections.user_grants3.instance_id = projections.users10.instance_id" +
+			" LEFT JOIN projections.users10_humans ON projections.user_grants3.user_id = projections.users10_humans.user_id AND projections.user_grants3.instance_id = projections.users10_humans.instance_id" +
 			" LEFT JOIN projections.orgs1 ON projections.user_grants3.resource_owner = projections.orgs1.id AND projections.user_grants3.instance_id = projections.orgs1.instance_id" +
 			" LEFT JOIN projections.projects4 ON projections.user_grants3.project_id = projections.projects4.id AND projections.user_grants3.instance_id = projections.projects4.instance_id" +
 			" LEFT JOIN projections.login_names3 ON projections.user_grants3.user_id = projections.login_names3.user_id AND projections.user_grants3.instance_id = projections.login_names3.instance_id" +
@@ -78,14 +78,14 @@ var (
 			", projections.user_grants3.roles" +
 			", projections.user_grants3.state" +
 			", projections.user_grants3.user_id" +
-			", projections.users9.username" +
-			", projections.users9.type" +
-			", projections.users9.resource_owner" +
-			", projections.users9_humans.first_name" +
-			", projections.users9_humans.last_name" +
-			", projections.users9_humans.email" +
-			", projections.users9_humans.display_name" +
-			", projections.users9_humans.avatar_key" +
+			", projections.users10.username" +
+			", projections.users10.type" +
+			", projections.users10.resource_owner" +
+			", projections.users10_humans.first_name" +
+			", projections.users10_humans.last_name" +
+			", projections.users10_humans.email" +
+			", projections.users10_humans.display_name" +
+			", projections.users10_humans.avatar_key" +
 			", projections.login_names3.login_name" +
 			", projections.user_grants3.resource_owner" +
 			", projections.orgs1.name" +
@@ -94,8 +94,8 @@ var (
 			", projections.projects4.name" +
 			", COUNT(*) OVER ()" +
 			" FROM projections.user_grants3" +
-			" LEFT JOIN projections.users9 ON projections.user_grants3.user_id = projections.users9.id AND projections.user_grants3.instance_id = projections.users9.instance_id" +
-			" LEFT JOIN projections.users9_humans ON projections.user_grants3.user_id = projections.users9_humans.user_id AND projections.user_grants3.instance_id = projections.users9_humans.instance_id" +
+			" LEFT JOIN projections.users10 ON projections.user_grants3.user_id = projections.users10.id AND projections.user_grants3.instance_id = projections.users10.instance_id" +
+			" LEFT JOIN projections.users10_humans ON projections.user_grants3.user_id = projections.users10_humans.user_id AND projections.user_grants3.instance_id = projections.users10_humans.instance_id" +
 			" LEFT JOIN projections.orgs1 ON projections.user_grants3.resource_owner = projections.orgs1.id AND projections.user_grants3.instance_id = projections.orgs1.instance_id" +
 			" LEFT JOIN projections.projects4 ON projections.user_grants3.project_id = projections.projects4.id AND projections.user_grants3.instance_id = projections.projects4.instance_id" +
 			" LEFT JOIN projections.login_names3 ON projections.user_grants3.user_id = projections.login_names3.user_id AND projections.user_grants3.instance_id = projections.login_names3.instance_id" +
--- a/internal/query/user_test.go
+++ b/internal/query/user_test.go
@@ -10,6 +10,7 @@ import (

 	"golang.org/x/text/language"

+	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
 	errs "github.com/zitadel/zitadel/internal/errors"
@@ -22,43 +23,43 @@ var (
 	preferredLoginNameQuery = `SELECT preferred_login_name.user_id, preferred_login_name.login_name, preferred_login_name.instance_id` +
 		` FROM projections.login_names3 AS preferred_login_name` +
 		` WHERE  preferred_login_name.is_primary = $1`
-	userQuery = `SELECT projections.users9.id,` +
-		` projections.users9.creation_date,` +
-		` projections.users9.change_date,` +
-		` projections.users9.resource_owner,` +
-		` projections.users9.sequence,` +
-		` projections.users9.state,` +
-		` projections.users9.type,` +
-		` projections.users9.username,` +
+	userQuery = `SELECT projections.users10.id,` +
+		` projections.users10.creation_date,` +
+		` projections.users10.change_date,` +
+		` projections.users10.resource_owner,` +
+		` projections.users10.sequence,` +
+		` projections.users10.state,` +
+		` projections.users10.type,` +
+		` projections.users10.username,` +
 		` login_names.loginnames,` +
 		` preferred_login_name.login_name,` +
-		` projections.users9_humans.user_id,` +
-		` projections.users9_humans.first_name,` +
-		` projections.users9_humans.last_name,` +
-		` projections.users9_humans.nick_name,` +
-		` projections.users9_humans.display_name,` +
-		` projections.users9_humans.preferred_language,` +
-		` projections.users9_humans.gender,` +
-		` projections.users9_humans.avatar_key,` +
-		` projections.users9_humans.email,` +
-		` projections.users9_humans.is_email_verified,` +
-		` projections.users9_humans.phone,` +
-		` projections.users9_humans.is_phone_verified,` +
-		` projections.users9_machines.user_id,` +
-		` projections.users9_machines.name,` +
-		` projections.users9_machines.description,` +
-		` projections.users9_machines.has_secret,` +
-		` projections.users9_machines.access_token_type,` +
+		` projections.users10_humans.user_id,` +
+		` projections.users10_humans.first_name,` +
+		` projections.users10_humans.last_name,` +
+		` projections.users10_humans.nick_name,` +
+		` projections.users10_humans.display_name,` +
+		` projections.users10_humans.preferred_language,` +
+		` projections.users10_humans.gender,` +
+		` projections.users10_humans.avatar_key,` +
+		` projections.users10_humans.email,` +
+		` projections.users10_humans.is_email_verified,` +
+		` projections.users10_humans.phone,` +
+		` projections.users10_humans.is_phone_verified,` +
+		` projections.users10_machines.user_id,` +
+		` projections.users10_machines.name,` +
+		` projections.users10_machines.description,` +
+		` projections.users10_machines.secret,` +
+		` projections.users10_machines.access_token_type,` +
 		` COUNT(*) OVER ()` +
-		` FROM projections.users9` +
-		` LEFT JOIN projections.users9_humans ON projections.users9.id = projections.users9_humans.user_id AND projections.users9.instance_id = projections.users9_humans.instance_id` +
-		` LEFT JOIN projections.users9_machines ON projections.users9.id = projections.users9_machines.user_id AND projections.users9.instance_id = projections.users9_machines.instance_id` +
+		` FROM projections.users10` +
+		` LEFT JOIN projections.users10_humans ON projections.users10.id = projections.users10_humans.user_id AND projections.users10.instance_id = projections.users10_humans.instance_id` +
+		` LEFT JOIN projections.users10_machines ON projections.users10.id = projections.users10_machines.user_id AND projections.users10.instance_id = projections.users10_machines.instance_id` +
 		` LEFT JOIN` +
 		` (` + loginNamesQuery + `) AS login_names` +
-		` ON login_names.user_id = projections.users9.id AND login_names.instance_id = projections.users9.instance_id` +
+		` ON login_names.user_id = projections.users10.id AND login_names.instance_id = projections.users10.instance_id` +
 		` LEFT JOIN` +
 		` (` + preferredLoginNameQuery + `) AS preferred_login_name` +
-		` ON preferred_login_name.user_id = projections.users9.id AND preferred_login_name.instance_id = projections.users9.instance_id` +
+		` ON preferred_login_name.user_id = projections.users10.id AND preferred_login_name.instance_id = projections.users10.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms'`
 	userCols = []string{
 		"id",
@@ -71,7 +72,7 @@ var (
 		"username",
 		"loginnames",
 		"login_name",
-		//human
+		// human
 		"user_id",
 		"first_name",
 		"last_name",
@@ -84,29 +85,29 @@ var (
 		"is_email_verified",
 		"phone",
 		"is_phone_verified",
-		//machine
+		// machine
 		"user_id",
 		"name",
 		"description",
-		"has_secret",
+		"secret",
 		"access_token_type",
 		"count",
 	}
-	profileQuery = `SELECT projections.users9.id,` +
-		` projections.users9.creation_date,` +
-		` projections.users9.change_date,` +
-		` projections.users9.resource_owner,` +
-		` projections.users9.sequence,` +
-		` projections.users9_humans.user_id,` +
-		` projections.users9_humans.first_name,` +
-		` projections.users9_humans.last_name,` +
-		` projections.users9_humans.nick_name,` +
-		` projections.users9_humans.display_name,` +
-		` projections.users9_humans.preferred_language,` +
-		` projections.users9_humans.gender,` +
-		` projections.users9_humans.avatar_key` +
-		` FROM projections.users9` +
-		` LEFT JOIN projections.users9_humans ON projections.users9.id = projections.users9_humans.user_id AND projections.users9.instance_id = projections.users9_humans.instance_id` +
+	profileQuery = `SELECT projections.users10.id,` +
+		` projections.users10.creation_date,` +
+		` projections.users10.change_date,` +
+		` projections.users10.resource_owner,` +
+		` projections.users10.sequence,` +
+		` projections.users10_humans.user_id,` +
+		` projections.users10_humans.first_name,` +
+		` projections.users10_humans.last_name,` +
+		` projections.users10_humans.nick_name,` +
+		` projections.users10_humans.display_name,` +
+		` projections.users10_humans.preferred_language,` +
+		` projections.users10_humans.gender,` +
+		` projections.users10_humans.avatar_key` +
+		` FROM projections.users10` +
+		` LEFT JOIN projections.users10_humans ON projections.users10.id = projections.users10_humans.user_id AND projections.users10.instance_id = projections.users10_humans.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms'`
 	profileCols = []string{
 		"id",
@@ -123,16 +124,16 @@ var (
 		"gender",
 		"avatar_key",
 	}
-	emailQuery = `SELECT projections.users9.id,` +
-		` projections.users9.creation_date,` +
-		` projections.users9.change_date,` +
-		` projections.users9.resource_owner,` +
-		` projections.users9.sequence,` +
-		` projections.users9_humans.user_id,` +
-		` projections.users9_humans.email,` +
-		` projections.users9_humans.is_email_verified` +
-		` FROM projections.users9` +
-		` LEFT JOIN projections.users9_humans ON projections.users9.id = projections.users9_humans.user_id AND projections.users9.instance_id = projections.users9_humans.instance_id` +
+	emailQuery = `SELECT projections.users10.id,` +
+		` projections.users10.creation_date,` +
+		` projections.users10.change_date,` +
+		` projections.users10.resource_owner,` +
+		` projections.users10.sequence,` +
+		` projections.users10_humans.user_id,` +
+		` projections.users10_humans.email,` +
+		` projections.users10_humans.is_email_verified` +
+		` FROM projections.users10` +
+		` LEFT JOIN projections.users10_humans ON projections.users10.id = projections.users10_humans.user_id AND projections.users10.instance_id = projections.users10_humans.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms'`
 	emailCols = []string{
 		"id",
@@ -144,16 +145,16 @@ var (
 		"email",
 		"is_email_verified",
 	}
-	phoneQuery = `SELECT projections.users9.id,` +
-		` projections.users9.creation_date,` +
-		` projections.users9.change_date,` +
-		` projections.users9.resource_owner,` +
-		` projections.users9.sequence,` +
-		` projections.users9_humans.user_id,` +
-		` projections.users9_humans.phone,` +
-		` projections.users9_humans.is_phone_verified` +
-		` FROM projections.users9` +
-		` LEFT JOIN projections.users9_humans ON projections.users9.id = projections.users9_humans.user_id AND projections.users9.instance_id = projections.users9_humans.instance_id` +
+	phoneQuery = `SELECT projections.users10.id,` +
+		` projections.users10.creation_date,` +
+		` projections.users10.change_date,` +
+		` projections.users10.resource_owner,` +
+		` projections.users10.sequence,` +
+		` projections.users10_humans.user_id,` +
+		` projections.users10_humans.phone,` +
+		` projections.users10_humans.is_phone_verified` +
+		` FROM projections.users10` +
+		` LEFT JOIN projections.users10_humans ON projections.users10.id = projections.users10_humans.user_id AND projections.users10.instance_id = projections.users10_humans.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms'`
 	phoneCols = []string{
 		"id",
@@ -165,14 +166,14 @@ var (
 		"phone",
 		"is_phone_verified",
 	}
-	userUniqueQuery = `SELECT projections.users9.id,` +
-		` projections.users9.state,` +
-		` projections.users9.username,` +
-		` projections.users9_humans.user_id,` +
-		` projections.users9_humans.email,` +
-		` projections.users9_humans.is_email_verified` +
-		` FROM projections.users9` +
-		` LEFT JOIN projections.users9_humans ON projections.users9.id = projections.users9_humans.user_id AND projections.users9.instance_id = projections.users9_humans.instance_id` +
+	userUniqueQuery = `SELECT projections.users10.id,` +
+		` projections.users10.state,` +
+		` projections.users10.username,` +
+		` projections.users10_humans.user_id,` +
+		` projections.users10_humans.email,` +
+		` projections.users10_humans.is_email_verified` +
+		` FROM projections.users10` +
+		` LEFT JOIN projections.users10_humans ON projections.users10.id = projections.users10_humans.user_id AND projections.users10.instance_id = projections.users10_humans.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms'`
 	userUniqueCols = []string{
 		"id",
@@ -182,40 +183,40 @@ var (
 		"email",
 		"is_email_verified",
 	}
-	notifyUserQuery = `SELECT projections.users9.id,` +
-		` projections.users9.creation_date,` +
-		` projections.users9.change_date,` +
-		` projections.users9.resource_owner,` +
-		` projections.users9.sequence,` +
-		` projections.users9.state,` +
-		` projections.users9.type,` +
-		` projections.users9.username,` +
+	notifyUserQuery = `SELECT projections.users10.id,` +
+		` projections.users10.creation_date,` +
+		` projections.users10.change_date,` +
+		` projections.users10.resource_owner,` +
+		` projections.users10.sequence,` +
+		` projections.users10.state,` +
+		` projections.users10.type,` +
+		` projections.users10.username,` +
 		` login_names.loginnames,` +
 		` preferred_login_name.login_name,` +
-		` projections.users9_humans.user_id,` +
-		` projections.users9_humans.first_name,` +
-		` projections.users9_humans.last_name,` +
-		` projections.users9_humans.nick_name,` +
-		` projections.users9_humans.display_name,` +
-		` projections.users9_humans.preferred_language,` +
-		` projections.users9_humans.gender,` +
-		` projections.users9_humans.avatar_key,` +
-		` projections.users9_notifications.user_id,` +
-		` projections.users9_notifications.last_email,` +
-		` projections.users9_notifications.verified_email,` +
-		` projections.users9_notifications.last_phone,` +
-		` projections.users9_notifications.verified_phone,` +
-		` projections.users9_notifications.password_set,` +
+		` projections.users10_humans.user_id,` +
+		` projections.users10_humans.first_name,` +
+		` projections.users10_humans.last_name,` +
+		` projections.users10_humans.nick_name,` +
+		` projections.users10_humans.display_name,` +
+		` projections.users10_humans.preferred_language,` +
+		` projections.users10_humans.gender,` +
+		` projections.users10_humans.avatar_key,` +
+		` projections.users10_notifications.user_id,` +
+		` projections.users10_notifications.last_email,` +
+		` projections.users10_notifications.verified_email,` +
+		` projections.users10_notifications.last_phone,` +
+		` projections.users10_notifications.verified_phone,` +
+		` projections.users10_notifications.password_set,` +
 		` COUNT(*) OVER ()` +
-		` FROM projections.users9` +
-		` LEFT JOIN projections.users9_humans ON projections.users9.id = projections.users9_humans.user_id AND projections.users9.instance_id = projections.users9_humans.instance_id` +
-		` LEFT JOIN projections.users9_notifications ON projections.users9.id = projections.users9_notifications.user_id AND projections.users9.instance_id = projections.users9_notifications.instance_id` +
+		` FROM projections.users10` +
+		` LEFT JOIN projections.users10_humans ON projections.users10.id = projections.users10_humans.user_id AND projections.users10.instance_id = projections.users10_humans.instance_id` +
+		` LEFT JOIN projections.users10_notifications ON projections.users10.id = projections.users10_notifications.user_id AND projections.users10.instance_id = projections.users10_notifications.instance_id` +
 		` LEFT JOIN` +
 		` (` + loginNamesQuery + `) AS login_names` +
-		` ON login_names.user_id = projections.users9.id AND login_names.instance_id = projections.users9.instance_id` +
+		` ON login_names.user_id = projections.users10.id AND login_names.instance_id = projections.users10.instance_id` +
 		` LEFT JOIN` +
 		` (` + preferredLoginNameQuery + `) AS preferred_login_name` +
-		` ON preferred_login_name.user_id = projections.users9.id AND preferred_login_name.instance_id = projections.users9.instance_id` +
+		` ON preferred_login_name.user_id = projections.users10.id AND preferred_login_name.instance_id = projections.users10.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms'`
 	notifyUserCols = []string{
 		"id",
@@ -228,7 +229,7 @@ var (
 		"username",
 		"loginnames",
 		"login_name",
-		//human
+		// human
 		"user_id",
 		"first_name",
 		"last_name",
@@ -237,7 +238,7 @@ var (
 		"preferred_language",
 		"gender",
 		"avatar_key",
-		//machine
+		// machine
 		"user_id",
 		"last_email",
 		"verified_email",
@@ -246,43 +247,43 @@ var (
 		"password_set",
 		"count",
 	}
-	usersQuery = `SELECT projections.users9.id,` +
-		` projections.users9.creation_date,` +
-		` projections.users9.change_date,` +
-		` projections.users9.resource_owner,` +
-		` projections.users9.sequence,` +
-		` projections.users9.state,` +
-		` projections.users9.type,` +
-		` projections.users9.username,` +
+	usersQuery = `SELECT projections.users10.id,` +
+		` projections.users10.creation_date,` +
+		` projections.users10.change_date,` +
+		` projections.users10.resource_owner,` +
+		` projections.users10.sequence,` +
+		` projections.users10.state,` +
+		` projections.users10.type,` +
+		` projections.users10.username,` +
 		` login_names.loginnames,` +
 		` preferred_login_name.login_name,` +
-		` projections.users9_humans.user_id,` +
-		` projections.users9_humans.first_name,` +
-		` projections.users9_humans.last_name,` +
-		` projections.users9_humans.nick_name,` +
-		` projections.users9_humans.display_name,` +
-		` projections.users9_humans.preferred_language,` +
-		` projections.users9_humans.gender,` +
-		` projections.users9_humans.avatar_key,` +
-		` projections.users9_humans.email,` +
-		` projections.users9_humans.is_email_verified,` +
-		` projections.users9_humans.phone,` +
-		` projections.users9_humans.is_phone_verified,` +
-		` projections.users9_machines.user_id,` +
-		` projections.users9_machines.name,` +
-		` projections.users9_machines.description,` +
-		` projections.users9_machines.has_secret,` +
-		` projections.users9_machines.access_token_type,` +
+		` projections.users10_humans.user_id,` +
+		` projections.users10_humans.first_name,` +
+		` projections.users10_humans.last_name,` +
+		` projections.users10_humans.nick_name,` +
+		` projections.users10_humans.display_name,` +
+		` projections.users10_humans.preferred_language,` +
+		` projections.users10_humans.gender,` +
+		` projections.users10_humans.avatar_key,` +
+		` projections.users10_humans.email,` +
+		` projections.users10_humans.is_email_verified,` +
+		` projections.users10_humans.phone,` +
+		` projections.users10_humans.is_phone_verified,` +
+		` projections.users10_machines.user_id,` +
+		` projections.users10_machines.name,` +
+		` projections.users10_machines.description,` +
+		` projections.users10_machines.secret,` +
+		` projections.users10_machines.access_token_type,` +
 		` COUNT(*) OVER ()` +
-		` FROM projections.users9` +
-		` LEFT JOIN projections.users9_humans ON projections.users9.id = projections.users9_humans.user_id AND projections.users9.instance_id = projections.users9_humans.instance_id` +
-		` LEFT JOIN projections.users9_machines ON projections.users9.id = projections.users9_machines.user_id AND projections.users9.instance_id = projections.users9_machines.instance_id` +
+		` FROM projections.users10` +
+		` LEFT JOIN projections.users10_humans ON projections.users10.id = projections.users10_humans.user_id AND projections.users10.instance_id = projections.users10_humans.instance_id` +
+		` LEFT JOIN projections.users10_machines ON projections.users10.id = projections.users10_machines.user_id AND projections.users10.instance_id = projections.users10_machines.instance_id` +
 		` LEFT JOIN` +
 		` (` + loginNamesQuery + `) AS login_names` +
-		` ON login_names.user_id = projections.users9.id AND login_names.instance_id = projections.users9.instance_id` +
+		` ON login_names.user_id = projections.users10.id AND login_names.instance_id = projections.users10.instance_id` +
 		` LEFT JOIN` +
 		` (` + preferredLoginNameQuery + `) AS preferred_login_name` +
-		` ON preferred_login_name.user_id = projections.users9.id AND preferred_login_name.instance_id = projections.users9.instance_id` +
+		` ON preferred_login_name.user_id = projections.users10.id AND preferred_login_name.instance_id = projections.users10.instance_id` +
 		` AS OF SYSTEM TIME '-1 ms'`
 	usersCols = []string{
 		"id",
@@ -295,7 +296,7 @@ var (
 		"username",
 		"loginnames",
 		"login_name",
-		//human
+		// human
 		"user_id",
 		"first_name",
 		"last_name",
@@ -308,11 +309,11 @@ var (
 		"is_email_verified",
 		"phone",
 		"is_phone_verified",
-		//machine
+		// machine
 		"user_id",
 		"name",
 		"description",
-		"has_secret",
+		"secret",
 		"access_token_type",
 		"count",
 	}
@@ -365,7 +366,7 @@ func Test_UserPrepares(t *testing.T) {
 						"username",
 						database.TextArray[string]{"login_name1", "login_name2"},
 						"login_name1",
-						//human
+						// human
 						"id",
 						"first_name",
 						"last_name",
@@ -378,7 +379,7 @@ func Test_UserPrepares(t *testing.T) {
 						true,
 						"phone",
 						true,
-						//machine
+						// machine
 						nil,
 						nil,
 						nil,
@@ -432,7 +433,7 @@ func Test_UserPrepares(t *testing.T) {
 						"username",
 						database.TextArray[string]{"login_name1", "login_name2"},
 						"login_name1",
-						//human
+						// human
 						nil,
 						nil,
 						nil,
@@ -445,11 +446,11 @@ func Test_UserPrepares(t *testing.T) {
 						nil,
 						nil,
 						nil,
-						//machine
+						// machine
 						"id",
 						"name",
 						"description",
-						true,
+						nil,
 						domain.OIDCTokenTypeBearer,
 						1,
 					},
@@ -469,7 +470,71 @@ func Test_UserPrepares(t *testing.T) {
 				Machine: &Machine{
 					Name:            "name",
 					Description:     "description",
-					HasSecret:       true,
+					Secret:          nil,
+					AccessTokenType: domain.OIDCTokenTypeBearer,
+				},
+			},
+		},
+		{
+			name:    "prepareUserQuery machine with secret found",
+			prepare: prepareUserQuery,
+			want: want{
+				sqlExpectations: mockQuery(
+					regexp.QuoteMeta(userQuery),
+					userCols,
+					[]driver.Value{
+						"id",
+						testNow,
+						testNow,
+						"resource_owner",
+						uint64(20211108),
+						domain.UserStateActive,
+						domain.UserTypeMachine,
+						"username",
+						database.TextArray[string]{"login_name1", "login_name2"},
+						"login_name1",
+						// human
+						nil,
+						nil,
+						nil,
+						nil,
+						nil,
+						nil,
+						nil,
+						nil,
+						nil,
+						nil,
+						nil,
+						nil,
+						// machine
+						"id",
+						"name",
+						"description",
+						`{"CryptoType":1,"Algorithm":"bcrypt","Crypted":"deadbeef"}`,
+						domain.OIDCTokenTypeBearer,
+						1,
+					},
+				),
+			},
+			object: &User{
+				ID:                 "id",
+				CreationDate:       testNow,
+				ChangeDate:         testNow,
+				ResourceOwner:      "resource_owner",
+				Sequence:           20211108,
+				State:              domain.UserStateActive,
+				Type:               domain.UserTypeMachine,
+				Username:           "username",
+				LoginNames:         database.TextArray[string]{"login_name1", "login_name2"},
+				PreferredLoginName: "login_name1",
+				Machine: &Machine{
+					Name:        "name",
+					Description: "description",
+					Secret: &crypto.CryptoValue{
+						CryptoType: crypto.TypeHash,
+						Algorithm:  "bcrypt",
+						Crypted:    []byte{117, 230, 157, 109, 231, 159},
+					},
 					AccessTokenType: domain.OIDCTokenTypeBearer,
 				},
 			},
@@ -875,7 +940,7 @@ func Test_UserPrepares(t *testing.T) {
 						"username",
 						database.TextArray[string]{"login_name1", "login_name2"},
 						"login_name1",
-						//human
+						// human
 						"id",
 						"first_name",
 						"last_name",
@@ -938,7 +1003,7 @@ func Test_UserPrepares(t *testing.T) {
 						"username",
 						database.TextArray[string]{"login_name1", "login_name2"},
 						"login_name1",
-						//human
+						// human
 						"id",
 						"first_name",
 						"last_name",
@@ -1019,7 +1084,7 @@ func Test_UserPrepares(t *testing.T) {
 							"username",
 							database.TextArray[string]{"login_name1", "login_name2"},
 							"login_name1",
-							//human
+							// human
 							"id",
 							"first_name",
 							"last_name",
@@ -1032,7 +1097,7 @@ func Test_UserPrepares(t *testing.T) {
 							true,
 							"phone",
 							true,
-							//machine
+							// machine
 							nil,
 							nil,
 							nil,
@@ -1094,7 +1159,7 @@ func Test_UserPrepares(t *testing.T) {
 							"username",
 							database.TextArray[string]{"login_name1", "login_name2"},
 							"login_name1",
-							//human
+							// human
 							"id",
 							"first_name",
 							"last_name",
@@ -1107,7 +1172,7 @@ func Test_UserPrepares(t *testing.T) {
 							true,
 							"phone",
 							true,
-							//machine
+							// machine
 							nil,
 							nil,
 							nil,
@@ -1125,7 +1190,7 @@ func Test_UserPrepares(t *testing.T) {
 							"username",
 							database.TextArray[string]{"login_name1", "login_name2"},
 							"login_name1",
-							//human
+							// human
 							nil,
 							nil,
 							nil,
@@ -1138,11 +1203,11 @@ func Test_UserPrepares(t *testing.T) {
 							nil,
 							nil,
 							nil,
-							//machine
+							// machine
 							"id",
 							"name",
 							"description",
-							true,
+							`{"CryptoType":1,"Algorithm":"bcrypt","Crypted":"deadbeef"}`,
 							domain.OIDCTokenTypeBearer,
 						},
 					},
@@ -1190,9 +1255,13 @@ func Test_UserPrepares(t *testing.T) {
 						LoginNames:         database.TextArray[string]{"login_name1", "login_name2"},
 						PreferredLoginName: "login_name1",
 						Machine: &Machine{
-							Name:            "name",
-							Description:     "description",
-							HasSecret:       true,
+							Name:        "name",
+							Description: "description",
+							Secret: &crypto.CryptoValue{
+								CryptoType: crypto.TypeHash,
+								Algorithm:  "bcrypt",
+								Crypted:    []byte{117, 230, 157, 109, 231, 159},
+							},
 							AccessTokenType: domain.OIDCTokenTypeBearer,
 						},
 					},
--- a/internal/query/userinfo.go
+++ b/internal/query/userinfo.go
@@ -4,12 +4,12 @@ import (
 	"context"
 	"database/sql"
 	_ "embed"
-	"encoding/json"
+	"errors"
 	"sync"

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/database"
-	"github.com/zitadel/zitadel/internal/errors"
+	zerrors "github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
 	"github.com/zitadel/zitadel/internal/query/projection"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
@@ -40,23 +40,17 @@ func (q *Queries) GetOIDCUserInfo(ctx context.Context, userID string, roleAudien
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	var data []byte
-	err = q.client.QueryRowContext(ctx, func(row *sql.Row) error {
-		return row.Scan(&data)
-	},
-		oidcUserInfoQuery,
+	userInfo, err := database.QueryJSONObject[OIDCUserInfo](ctx, q.client, oidcUserInfoQuery,
 		userID, authz.GetInstance(ctx).InstanceID(), database.TextArray[string](roleAudience),
 	)
-	if err != nil {
-		return nil, errors.ThrowInternal(err, "QUERY-Oath6", "Errors.Internal")
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, zerrors.ThrowNotFound(err, "QUERY-Eey2a", "Errors.User.NotFound")
 	}
-
-	userInfo := new(OIDCUserInfo)
-	if err = json.Unmarshal(data, userInfo); err != nil {
-		return nil, errors.ThrowInternal(err, "QUERY-Vohs6", "Errors.Internal")
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "QUERY-Oath6", "Errors.Internal")
 	}
 	if userInfo.User == nil {
-		return nil, errors.ThrowNotFound(nil, "QUERY-ahs4S", "Errors.User.NotFound")
+		return nil, zerrors.ThrowNotFound(nil, "QUERY-ahs4S", "Errors.User.NotFound")
 	}

 	return userInfo, nil
--- a/internal/query/userinfo_test.go
+++ b/internal/query/userinfo_test.go
@@ -68,14 +68,6 @@ func TestQueries_GetOIDCUserInfo(t *testing.T) {
 			mock:    mockQueryErr(expQuery, sql.ErrConnDone, "231965491734773762", "instanceID", nil),
 			wantErr: sql.ErrConnDone,
 		},
-		{
-			name: "unmarshal error",
-			args: args{
-				userID: "231965491734773762",
-			},
-			mock:    mockQuery(expQuery, []string{"json_build_object"}, []driver.Value{`~~~`}, "231965491734773762", "instanceID", nil),
-			wantErr: errors.ThrowInternal(nil, "QUERY-Vohs6", "Errors.Internal"),
-		},
 		{
 			name: "user not found",
 			args: args{