your_domain

This commit is contained in:
Maximilian Panne
2025-08-01 11:19:14 +02:00
parent a9ec23f975
commit f898422c1b
15 changed files with 41 additions and 41 deletions

View File

@@ -12,13 +12,13 @@ import TokenExchangeTypes from "./_token_exchange_types.mdx";
## OpenID Connect 1.0 Discovery
The OpenID Connect Discovery Endpoint is located within the issuer domain.
This would give us `{your_domain}/.well-known/openid-configuration`.
This would give us `{CUSTOM_DOMAIN}/.well-known/openid-configuration`.
**Link to spec.** [OpenID Connect Discovery 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-discovery-1_0.html)
## authorization_endpoint
`{your_domain}/oauth/v2/authorize`
`{CUSTOM_DOMAIN}/oauth/v2/authorize`
:::note
The authorization_endpoint is located with the login page, due to the need of accessing the same cookie domain
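Review bot: This is the first place `{CUSTOM_DOMAIN}` appears in the endpoint reference, so define the placeholder once here, in particular whether it already includes the `https://` scheme. Within this commit it is used both bare (`{CUSTOM_DOMAIN}/oauth/v2/authorize` in this hunk) and with a scheme prefixed (`https://{CUSTOM_DOMAIN}/.well-known/openid-configuration` in the Cloudflare guide), so a reader cannot tell which form to substitute.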
@@ -172,7 +172,7 @@ the error will be display directly to the user on the auth server
## token_endpoint
`{your_domain}/oauth/v2/token`
`{CUSTOM_DOMAIN}/oauth/v2/token`
The token_endpoint will as the name suggests return various tokens (access, id and refresh) depending on the used `grant_type`.
When using [`authorization_code`](#authorization-code-grant-code-exchange) flow call this endpoint after receiving the code from the authorization_endpoint.
@@ -262,7 +262,7 @@ Send a client assertion as JWT for us to validate the signature against the regi
```BASH
curl --request POST \
--url {your_domain}/oauth/v2/token \
--url {CUSTOM_DOMAIN}/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
--data assertion=eyJhbGciOiJSUzI1Ni...
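Review bot: In this BASH block `{CUSTOM_DOMAIN}` is a bare literal to the shell, while the blocks further down use real shell expansions (`${BASIC_AUTH}`, `${CLIENT_ID}`); a copied command sends the request to a host literally named `{CUSTOM_DOMAIN}`. Either use `${CUSTOM_DOMAIN}` in the shell snippets of this file so the placeholder expands like the other variables, or keep the braces-only form everywhere and say it has to be substituted by hand.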
@@ -360,7 +360,7 @@ Check [Client Secret Basic Auth Method](authn-methods#client-secret-basic) on ho
```BASH
curl --request POST \
--url {your_domain}/oauth/v2/token \
--url {CUSTOM_DOMAIN}/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic ${BASIC_AUTH}' \
--data grant_type=client_credentials \
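Review bot: The unchanged context line `--header 'Authorization: Basic ${BASIC_AUTH}'` is single-quoted, so bash sends the literal text `${BASIC_AUTH}` instead of the encoded credentials and the token endpoint rejects the request. Since this block is being touched, change it to `--header "Authorization: Basic ${BASIC_AUTH}"`.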
@@ -376,7 +376,7 @@ Or you can also send your `client_id` and `client_secret` as parameters in the b
```BASH
curl --request POST \
--url {your_domain}/oauth/v2/token \
--url {CUSTOM_DOMAIN}/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=${CLIENT_ID} \
@@ -472,7 +472,7 @@ Send a `client_assertion` as JWT for us to validate the signature against the re
## introspection_endpoint
`{your_domain}/oauth/v2/introspect`
`{CUSTOM_DOMAIN}/oauth/v2/introspect`
This endpoint enables clients to validate an `acccess_token`, either opaque or JWT. Unlike client side JWT validation,
this endpoint will check if the token is not revoked (by client or logout).
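Review bot: The context line above this change misspells `acccess_token` (three c's); as the section is already being edited, correct it to `access_token` so it matches the parameter name used in the curl examples.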
@@ -497,7 +497,7 @@ Send your `client_id` and `client_secret` as Basic Auth Header. Check [Client Se
```BASH
curl --request POST \
--url {your_domain}/oauth/v2/introspect \
--url {CUSTOM_DOMAIN}/oauth/v2/introspect \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic {your_basic_auth_header}' \
--data token=VjVxyCZmRmWYqd3_F5db9Pb9mHR5fqzhn...
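Review bot: `{your_basic_auth_header}` on the `Authorization` line keeps the old `{your_…}` placeholder style that this commit is replacing with `CUSTOM_DOMAIN`; rename it in the same pass (the identical snippet in the API introspection guide later in this commit has the same leftover) so one snippet does not mix two placeholder conventions.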
@@ -516,7 +516,7 @@ Send a `client_assertion` as JWT for us to validate the signature against the re
```BASH
curl --request POST \
--url {your_domain}/oauth/v2/introspect \
--url {CUSTOM_DOMAIN}/oauth/v2/introspect \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
--data client_assertion=eyJhbGciOiJSUzI1Ni... \
@@ -555,7 +555,7 @@ If the authorization fails, an HTTP 401 with `invalid_client` will be returned.
## userinfo_endpoint
`{your_domain}/oidc/v1/userinfo`
`{CUSTOM_DOMAIN}/oidc/v1/userinfo`
This endpoint will return information about the authorized user.
@@ -563,7 +563,7 @@ Send the `access_token` of the **user** (not the client) as Bearer Token in the
```BASH
curl --request GET \
--url {your_domain}/oidc/v1/userinfo
--url {CUSTOM_DOMAIN}/oidc/v1/userinfo
--header 'Authorization: Bearer dsfdsjk29fm2as...'
```
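Review bot: The `--url {CUSTOM_DOMAIN}/oidc/v1/userinfo` line has no trailing `\`, so the command ends there and bash tries to run `--header` as a separate command; the request goes out without the Bearer token. Add the continuation backslash, as every other curl block in this file has.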
@@ -578,7 +578,7 @@ If the token is invalid or expired, an HTTP 401 will be returned.
## revocation_endpoint
`{your_domain}/oauth/v2/revoke`
`{CUSTOM_DOMAIN}/oauth/v2/revoke`
This endpoint enables clients to revoke an `access_token` or `refresh_token` they have been granted.
@@ -638,7 +638,7 @@ Send a `client_assertion` as JWT for ZITADEL to verify the signature against the
```BASH
curl --request POST \
--url {your_domain}/oauth/v2/revoke \
--url {CUSTOM_DOMAIN}/oauth/v2/revoke \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
--data client_assertion=eyJhbGciOiJSUzI1Ni... \
@@ -650,7 +650,7 @@ curl --request POST \
## end_session_endpoint
`{your_domain}/oidc/v1/end_session`
`{CUSTOM_DOMAIN}/oidc/v1/end_session`
The endpoint has to be opened in the user agent (browser) to terminate the user sessions.
@@ -672,7 +672,7 @@ If neither an `id_token_hint` nor a `client_id` parameter is provided, the `post
## jwks_uri
`{your_domain}/oauth/v2/keys`
`{CUSTOM_DOMAIN}/oauth/v2/keys`
The endpoint returns a JSON Web Key Set (JWKS) containing the public keys that can be used to locally validate JWTs you received from ZITADEL.
The alternative would be to validate tokens with the [introspection endpoint](#introspection_endpoint).

View File

@@ -23,7 +23,7 @@ import TestSetup from './_test_setup.mdx';
2. Add your App Name, your Company Page and a Logo
3. Add "Sign In with LinkedIn using OpenID Connect" by clicking "Request access"
4. Go to the Auth Settings of the App and add the following URL to the "Authorized redirect URLs"
- `{your_domain}/ui/login/login/externalidp/callback`
- `{CUSTOM_DOMAIN}/ui/login/login/externalidp/callback`
- Example redirect url for the domain `https://acme.zitadel.cloud` would look like this: `https://acme.zitadel.cloud/ui/login/login/externalidp/callback`
5. Verify the app as your company
6. In the Auth - OAuth 2.0 scopes section you should see `openid`, `profile` and `email` listed

View File

@@ -202,7 +202,7 @@ Your contributions will play a crucial role in shaping the future of our login s
The simplest way to deploy the new login for yourself is by using the [“Deploy” button in our repository](https://github.com/zitadel/typescript?tab=readme-ov-file#deploy-to-vercel) to deploy the login directly to your Vercel.
1. [Create a service user](https://zitadel.com/docs/guides/integrate/service-users/personal-access-token#create-a-service-user-with-a-pat) with a PAT in your instance
2. Give the user IAM_LOGIN_CLIENT Permissions in the default settings (YOUR_DOMAIN/ui/console/instance?id=organizations)
2. Give the user IAM_LOGIN_CLIENT Permissions in the default settings (CUSTOM_DOMAIN/ui/console/instance?id=organizations)
Note: [Zitadel Manager Guide](https://zitadel.com/docs/guides/manage/console/managers)
3. Deploy login to Vercel: You can do so by directly clicking the [“Deploy” button](https://github.com/zitadel/typescript?tab=readme-ov-file#deploy-to-vercel) at the bottom of the readme in our [repository](https://github.com/zitadel/typescript)
4. If you have used the deploy button in the steps before, you will automatically be asked for this step. Enter the environment variables in Vercel
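Review bot: `CUSTOM_DOMAIN/ui/console/instance?id=organizations` is written without the braces and without the code formatting used everywhere else in this commit, so it reads like a real host name. Use `{CUSTOM_DOMAIN}/ui/console/instance?id=organizations` in backticks to match the other guides.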

View File

@@ -296,7 +296,7 @@ Next month, Key ID 6 will be activated, an new key added and Key ID 2 can be del
## JSON web key set
The JSON web key set (JWKS) endpoint serves all available public keys for the instance on
`{your_domain}/oauth/v2/keys`. This includes activated, newly non-activated and deactivated web keys. The response format is defined in [RFC7517, section 5: JWK Set Format](https://www.rfc-editor.org/rfc/rfc7517#section-5).
`{CUSTOM_DOMAIN}/oauth/v2/keys`. This includes activated, newly non-activated and deactivated web keys. The response format is defined in [RFC7517, section 5: JWK Set Format](https://www.rfc-editor.org/rfc/rfc7517#section-5).
And looks like:
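Review bot: The hunk header context reads "an new key added"; correct it to "a new key added" while this section is being touched.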

View File

@@ -28,7 +28,7 @@ In Authentication > Enterprise
1. Press the "+" button right to "OpenID Connect"
![Create new connection](/img/oidc/auth0/auth0-create-app.png)
2. Set a connection name for example "ZITADEL"
3. The issuer url is `https://<YOUR_DOMAIN>/.well-known/openid-configuration`
3. The issuer url is `{CUSTOM_DOMAIN}/.well-known/openid-configuration`
4. Copy the callback URL (ending with `/login/callback`)
The configuration should look like this:
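Review bot: This change drops the scheme: `https://<YOUR_DOMAIN>/.well-known/openid-configuration` became `{CUSTOM_DOMAIN}/.well-known/openid-configuration`, whereas the Cloudflare guide in the same commit keeps `https://{CUSTOM_DOMAIN}/…`. The issuer URL field expects a full URL, so either restore `https://` here or make the placeholder definition say that it includes the scheme.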

View File

@@ -30,7 +30,7 @@ Cloudflare will return an error "User email was not returned. API permissions ar
1. On the Cloudflare dashboard go to Zero Trust, click settings, and then select "Authentication"
2. Add a new login method with the type "OpenID Connect"
3. Fill in the required information. Check the discovery endpoint of your instance `https://{your_domain}/.well-known/openid-configuration` for the urls. As mentioned in the Cloudflare docs the Certificate Url is jwks_uri.
3. Fill in the required information. Check the discovery endpoint of your instance `https://{CUSTOM_DOMAIN}/.well-known/openid-configuration` for the urls. As mentioned in the Cloudflare docs the Certificate Url is jwks_uri.
4. Disable PKCE (Cloudflare requires a client secret for PKCE, which is currently not supported)
5. Add the following claims: "openid", "profile", "email"
6. Test the connection
@@ -42,9 +42,9 @@ Cloudflare will return an error "User email was not returned. API permissions ar
"config": {
"client_id": "<your client id>",
"client_secret": "<your client secret>",
"auth_url": "https://{your_domain}.zitadel.cloud/oauth/v2/authorize",
"token_url": "https://{your_domain}.zitadel.cloud/oauth/v2/token",
"certs_url": "https://{your_domain}.zitadel.cloud/oauth/v2/keys",
"auth_url": "https://{CUSTOM_DOMAIN}.zitadel.cloud/oauth/v2/authorize",
"token_url": "https://{CUSTOM_DOMAIN}.zitadel.cloud/oauth/v2/token",
"certs_url": "https://{CUSTOM_DOMAIN}.zitadel.cloud/oauth/v2/keys",
"scopes": ["openid", "email", "profile"],
"pkce_enabled": false,
},
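Review bot: `https://{CUSTOM_DOMAIN}.zitadel.cloud/oauth/v2/authorize` (and the `token_url` and `certs_url` lines) append `.zitadel.cloud` to a placeholder that is now called CUSTOM_DOMAIN; a custom domain is exactly the case in which that suffix is wrong, and the discovery URL a few lines earlier in this same guide uses `https://{CUSTOM_DOMAIN}/…` without it. Drop the suffix so all three URLs derive from the same base as the discovery document.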

View File

@@ -36,12 +36,12 @@ gitlab_rails['omniauth_providers'] = [
{
name: "openid_connect",
label: "ZITADEL",
icon: "https://<YOUR_DOMAIN>/ui/console/assets/icons/favicon-32x32.png",
icon: "https://<CUSTOM_DOMAIN>/ui/console/assets/icons/favicon-32x32.png",
args: {
name: "openid_connect",
scope: ["openid","profile","email"],
response_type: "code",
issuer: "https://<YOUR_DOMAIN>",
issuer: "https://<CUSTOM_DOMAIN>",
discovery: true,
client_options: {
identifier: "<CLIENT ID from ZITADEL>",
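Review bot: This file uses `<CUSTOM_DOMAIN>` in angle brackets while the other guides in this commit use `{CUSTOM_DOMAIN}`; pick one delimiter for the rename so a search for the placeholder stays reliable. With `discovery: true`, the `issuer: "https://<CUSTOM_DOMAIN>"` value also has to match the issuer advertised in the discovery document exactly, which is worth a short remark next to that line.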

View File

@@ -33,25 +33,25 @@ Open the Google settings for [SSO with third-party IdP](https://admin.google.com
![SSO with third-party IdP](/img/guides/integrate/services/google-workspace-sso-overview.png)
Download the public certificate from your ZITADEL instance by requesting `$YOUR_DOMAIN/saml/v2/certificate`
Download the public certificate from your ZITADEL instance by requesting `$CUSTOM_DOMAIN/saml/v2/certificate`
```bash
wget $YOUR_DOMAIN/saml/v2/certificate -O idp.crt
wget $CUSTOM_DOMAIN/saml/v2/certificate -O idp.crt
```
Always replace `$YOUR_DOMAIN` with your custom domain.
Always replace `$CUSTOM_DOMAIN` with your custom domain.
Use the following configuration
| Setting | Value |
| --- | --- |
| Set up SSO with third-party identity provider | Enable (check) |
| Sign-in page URL | $YOUR_DOMAIN/saml/v2/SSO |
| Sign-out page URL | $YOUR_DOMAIN/saml/v2/SLO |
| Sign-in page URL | $CUSTOM_DOMAIN/saml/v2/SSO |
| Sign-out page URL | $CUSTOM_DOMAIN/saml/v2/SLO |
| Verification Certificate | Upload the certificate (idp.crt) |
| Use a domain-specific issuer | Enable (check) |
| Network masks | Leave blank|
| Change password URL | $YOUR_DOMAIN/ui/console/users/me?id=security |
| Change password URL | $CUSTOM_DOMAIN/ui/console/users/me?id=security |
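Review bot: `wget $CUSTOM_DOMAIN/saml/v2/certificate -O idp.crt` downloads the certificate Google will use to verify every SAML assertion, yet the note only says to replace `$CUSTOM_DOMAIN` with the custom domain; if a reader substitutes a bare host name, wget defaults to plain `http://` and the trust anchor is fetched unauthenticated. State that the value must include `https://` (the sign-in and sign-out URLs in the table need the scheme as well).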
### Create a SAML application in ZITADEL

View File

@@ -78,7 +78,7 @@ The request from the API to the introspection endpoint should be in the followin
```bash
curl --request POST \
--url {your_domain}/oauth/v2/introspect \
--url {CUSTOM_DOMAIN}/oauth/v2/introspect \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic {your_basic_auth_header}' \
--data token=VjVxyCZmRmWYqd3_F5db9Pb9mHR5fqzhn...

View File

@@ -135,7 +135,7 @@ Payload:
{
"iss": "78366401571920522@acme", (clientId from your key file)
"sub": "78366401571920522@acme", (clientId from your key file)
"aud": "https://{your_domain}", (your ZITADEL domain/issuer URL)
"aud": "https://{CUSTOM_DOMAIN}", (your ZITADEL domain/issuer URL)
"exp": 1605183582, (Unix timestamp of the expiry)
"iat": 1605179982 (Unix timestamp of the creation signing time of the JWT, MUST NOT be older than 1h)
}
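Review bot: The comment on `"aud": "https://{CUSTOM_DOMAIN}"` says "your ZITADEL domain/issuer URL", which leaves open whether the domain alone is acceptable; the audience check is an exact string comparison against the issuer, so say it must be the issuer value exactly as served by `{CUSTOM_DOMAIN}/.well-known/openid-configuration` (scheme included, no path).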
@@ -146,7 +146,7 @@ Create the JSON Web Token with the above header and payload, and sign it with th
The request from the API to the introspection endpoint should be in the following format:
```bash
curl --request POST \
--url {your_domain}/oauth/v2/introspect \
--url {CUSTOM_DOMAIN}/oauth/v2/introspect \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
--data client_assertion=eyJhbGciOiJSUzI1Ni... \

View File

@@ -26,7 +26,7 @@ You can find a minimal configuration in the [official documentation](https://git
The following parameters must be set with the values from ZITADEL.
```yaml
OIDCProviderMetadataURL https://<your_domain>.zitadel.cloud/.well-known/openid-configuration
OIDCProviderMetadataURL https://<CUSTOM_DOMAIN>.zitadel.cloud/.well-known/openid-configuration
OIDCClientID <client_id, eg 227791....@apache_test>
# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI <redirect_uri, eg http://localhost:8080/secure/callback>
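Review bot: `https://<CUSTOM_DOMAIN>.zitadel.cloud/.well-known/openid-configuration` appends `.zitadel.cloud` to the custom-domain placeholder and uses angle brackets; for an actual custom domain this yields a wrong metadata URL and mod_auth_openidc cannot load the provider. Use `https://{CUSTOM_DOMAIN}/.well-known/openid-configuration`, which is what the description column of the parameter table below already states.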
@@ -40,7 +40,7 @@ With the following parameters
| Parameter | Description | Example value|
|---|---|---|
| OIDCProviderMetadataURL | Is the url to the discovery endpoint, which is typically located at `{CUSTOM_DOMAIN}/.well-known/openid-configuration`| `https://<your_domain>.zitadel.cloud/.well-known/openid-configuration` |
| OIDCProviderMetadataURL | Is the url to the discovery endpoint, which is typically located at `{CUSTOM_DOMAIN}/.well-known/openid-configuration`| `https://<CUSTOM_DOMAIN>.zitadel.cloud/.well-known/openid-configuration` |
| OIDCClientID | Is the ID of the zitadel application. You can find it on the settings page of the application. | 123456789123@apache_test |
| OIDCRedirectURI | Users will be redirected to this page after successful login. If you are using localhost or any other non-https endpoint, make sure to enable development mode in ZITADEL. | https://mysecureapp.io/secure/callback |
| OIDCCryptoPassphrase | Create a secure passphrase. Consult the module's documentation for more details. | ... |
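Review bot: In the OIDCProviderMetadataURL row the description column says `{CUSTOM_DOMAIN}/.well-known/openid-configuration` but the example value column still reads `https://<CUSTOM_DOMAIN>.zitadel.cloud/.well-known/openid-configuration`, so the two columns contradict each other. The example column should carry a concrete value (the `acme.zitadel.cloud` style used in the LinkedIn guide) rather than the placeholder with a suffix glued on.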

View File

@@ -135,7 +135,7 @@ Read more about the [scopes](/docs/apis/openidoauth/scopes#reserved-scopes) or t
## Default organization
On the Default settings page ($YOUR_DOMAIN//ui/console/orgs) you can set an organization as default organization.
On the Default settings page ($CUSTOM_DOMAIN//ui/console/orgs) you can set an organization as default organization.
Click the "..." on the right hand side of the table and select "Set as default organization".
The current default organization is marked by a label "Default".
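Review bot: `$CUSTOM_DOMAIN//ui/console/orgs` has a doubled slash before `ui`; since the line is being rewritten anyway, make it `$CUSTOM_DOMAIN/ui/console/orgs`, and consider the `{CUSTOM_DOMAIN}` form in backticks used by the rest of the commit instead of the `$` shell style.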

View File

@@ -18,7 +18,7 @@ You would have to create roles for administration and your clients in this very
## Create a project
To create a project, navigate to your organization, then projects or directly via `https://{your_domain}.zitadel.cloud/ui/console/projects`, and then click the button to create a new project.
To create a project, navigate to your organization, then projects or directly via `https://{CUSTOM_DOMAIN}.zitadel.cloud/ui/console/projects`, and then click the button to create a new project.
<img
alt="Empty Project"
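Review bot: `https://{CUSTOM_DOMAIN}.zitadel.cloud/ui/console/projects` appends `.zitadel.cloud` to a placeholder that stands for a custom domain, so the URL is wrong for exactly the readers it addresses; use `{CUSTOM_DOMAIN}/ui/console/projects` with no suffix.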

View File

@@ -58,7 +58,7 @@ In our sample scenario, we assume to have the following users:
- **Michael:** a trainee of Pentagon only using the portal to access his workspace apps. Michael uses his Google Account in combination with his laptops fingerprint.
- **Bill:** is employed at Octagon as Administrator of the Portal Application. Bill also uses a Microsoft Account in combination with a Security Key to secure his account.
After having determined the constellation of the organizations and its users, all the necessary data (Portal project with roles and app, users, login requirements, identity providers, branding) should be set up in [Console](https://{your_domain}.zitadel.cloud/ui/console/org).
After having determined the constellation of the organizations and its users, all the necessary data (Portal project with roles and app, users, login requirements, identity providers, branding) should be set up in [Console](https://{CUSTOM_DOMAIN}.zitadel.cloud/ui/console/org).
A B2B [sample application](https://github.com/zitadel/zitadel-nextjs-b2b). for NextJS can be found [here](../../examples/login/nextjs-b2b).
To allow another organization to use a project, a project grant has to be created. Upon creation, roles for a grant can be limited to a subset of the total project roles.
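Review bot: `[Console](https://{CUSTOM_DOMAIN}.zitadel.cloud/ui/console/org)` puts the placeholder inside a Markdown link target, so the rendered page shows a clickable link to a non-existent host, with `.zitadel.cloud` appended to what is supposed to be a custom domain. Either render the path as inline code (`{CUSTOM_DOMAIN}/ui/console/org`) or link to a real, stable URL.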

View File

@@ -14,7 +14,7 @@ When planning your applications, investing time in researching your apps archite
This guide introduces you to the grouping and structuring of ZITADEL projects which forms the base for all projects. This can be used as a quick start to the [B2B scenario](./b2b), which is merely focused on planning considerations if you are having projects with multiple organizations.
The journey of this guide starts with creating an Organization, the outermost layer of ZITADEL within your instance, as it is the vessel for projects, roles, applications and users.
Creation can be done from [ZITADEL Console](https://{your_domain}.zitadel.cloud/ui/console/orgs/create). You can choose your current account for the organization owner or create a new one.
Creation can be done from [ZITADEL Console](https://{CUSTOM_DOMAIN}.zitadel.cloud/ui/console/orgs/create). You can choose your current account for the organization owner or create a new one.
Depending on your Software Development Life Cycle (SDLC) you can create multiple organizations or projects to keep your applications environments seperated.
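Review bot: `[ZITADEL Console](https://{CUSTOM_DOMAIN}.zitadel.cloud/ui/console/orgs/create)` renders as a dead link with `.zitadel.cloud` glued onto the custom-domain placeholder; show the path as inline code instead of a link. The context line below also has "seperated" for "separated".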
@@ -40,7 +40,7 @@ Requests to the management API are rate limited. Read our [Rate limit Policy](/d
User Authentication can be performed in multiple ways. Default method in ZITADEL is username and password with MFA enabled.
ZITADEL allows you to configure Multifactor- and Passwordless Authentication in order to enhance security for your users. All authentication methods are available from the FREE Tier.
To setup your organizations login policy, go to your organizations detail in [Console](https://{your_domain}.zitadel.cloud/ui/console/org).
To setup your organizations login policy, go to your organizations detail in [Console](https://{CUSTOM_DOMAIN}.zitadel.cloud/ui/console/org).
When planning your application consider the following questions about User Authentication:
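Review bot: `[Console](https://{CUSTOM_DOMAIN}.zitadel.cloud/ui/console/org)` is a Markdown link whose target is a placeholder with `.zitadel.cloud` appended, so it renders as a dead link and is wrong for a custom domain; inline code for the path would be correct here. The same line also needs the possessive in "your organization's login policy" and "your organization's detail".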