From f898422c1b8c4f7e0d51e75c8fadb25a53480711 Mon Sep 17 00:00:00 2001
From: Maximilian Panne
Date: Fri, 1 Aug 2025 11:19:14 +0200
Subject: [PATCH] your_domain
---
 docs/docs/apis/openidoauth/endpoints.mdx | 30 +++++++++----------
 .../identity-providers/linkedin_oauth.mdx | 2 +-
 .../guides/integrate/login/hosted-login.mdx | 2 +-
 .../guides/integrate/login/oidc/webkeys.md | 2 +-
 .../guides/integrate/services/auth0-oidc.mdx | 2 +-
 .../integrate/services/cloudflare-oidc.mdx | 8 ++---
 .../integrate/services/gitlab-self-hosted.mdx | 4 +--
 .../integrate/services/google-workspace.md | 12 ++++----
 .../token-introspection/basic-auth.mdx | 2 +-
 .../token-introspection/private-key-jwt.mdx | 4 +--
 docs/docs/guides/integrate/tools/apache2.mdx | 4 +--
 .../guides/manage/console/organizations.mdx | 2 +-
 docs/docs/guides/manage/console/projects.mdx | 2 +-
 docs/docs/guides/solution-scenarios/b2b.mdx | 2 +-
 docs/docs/guides/solution-scenarios/b2c.mdx | 4 +--
 15 files changed, 41 insertions(+), 41 deletions(-)
diff --git a/docs/docs/apis/openidoauth/endpoints.mdx b/docs/docs/apis/openidoauth/endpoints.mdx
index 79d533ab3a..4be2048f09 100644
--- a/docs/docs/apis/openidoauth/endpoints.mdx
+++ b/docs/docs/apis/openidoauth/endpoints.mdx
@@ -12,13 +12,13 @@ import TokenExchangeTypes from "./_token_exchange_types.mdx";
 ## OpenID Connect 1.0 Discovery
 The OpenID Connect Discovery Endpoint is located within the issuer domain.
-This would give us `{your_domain}/.well-known/openid-configuration`.
+This would give us `{CUSTOM_DOMAIN}/.well-known/openid-configuration`.
 **Link to spec.** [OpenID Connect Discovery 1.0 incorporating errata set 1](https://openid.net/specs/openid-connect-discovery-1_0.html)
 ## authorization_endpoint
-`{your_domain}/oauth/v2/authorize`
+`{CUSTOM_DOMAIN}/oauth/v2/authorize`
 :::note
 The authorization_endpoint is located with the login page, due to the need of accessing the same cookie domain
@@ -172,7 +172,7 @@ the error will be display directly to the user on the auth server
 ## token_endpoint
-`{your_domain}/oauth/v2/token`
+`{CUSTOM_DOMAIN}/oauth/v2/token`
 The token_endpoint will as the name suggests return various tokens (access, id and refresh) depending on the used `grant_type`.
 When using [`authorization_code`](#authorization-code-grant-code-exchange) flow call this endpoint after receiving the code from the authorization_endpoint.
@@ -262,7 +262,7 @@ Send a client assertion as JWT for us to validate the signature against the regi
 ```BASH
 curl --request POST \
- --url {your_domain}/oauth/v2/token \
+ --url {CUSTOM_DOMAIN}/oauth/v2/token \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
 --data assertion=eyJhbGciOiJSUzI1Ni...
@@ -360,7 +360,7 @@ Check [Client Secret Basic Auth Method](authn-methods#client-secret-basic) on ho
 ```BASH
 curl --request POST \
- --url {your_domain}/oauth/v2/token \
+ --url {CUSTOM_DOMAIN}/oauth/v2/token \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --header 'Authorization: Basic ${BASIC_AUTH}' \
 --data grant_type=client_credentials \
@@ -376,7 +376,7 @@ Or you can also send your `client_id` and `client_secret` as parameters in the b
 ```BASH
 curl --request POST \
- --url {your_domain}/oauth/v2/token \
+ --url {CUSTOM_DOMAIN}/oauth/v2/token \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data grant_type=client_credentials \
 --data client_id=${CLIENT_ID} \
@@ -472,7 +472,7 @@ Send a `client_assertion` as JWT for us to validate the signature against the re
 ## introspection_endpoint
-`{your_domain}/oauth/v2/introspect`
+`{CUSTOM_DOMAIN}/oauth/v2/introspect`
 This endpoint enables clients to validate an `acccess_token`, either opaque or JWT.
 Unlike client side JWT validation, this endpoint will check if the token is not revoked (by client or logout).
@@ -497,7 +497,7 @@ Send your `client_id` and `client_secret` as Basic Auth Header. Check [Client Se
 ```BASH
 curl --request POST \
- --url {your_domain}/oauth/v2/introspect \
+ --url {CUSTOM_DOMAIN}/oauth/v2/introspect \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --header 'Authorization: Basic {your_basic_auth_header}' \
 --data token=VjVxyCZmRmWYqd3_F5db9Pb9mHR5fqzhn...
@@ -516,7 +516,7 @@ Send a `client_assertion` as JWT for us to validate the signature against the re
 ```BASH
 curl --request POST \
- --url {your_domain}/oauth/v2/introspect \
+ --url {CUSTOM_DOMAIN}/oauth/v2/introspect \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
 --data client_assertion=eyJhbGciOiJSUzI1Ni... \
@@ -555,7 +555,7 @@ If the authorization fails, an HTTP 401 with `invalid_client` will be returned.
 ## userinfo_endpoint
-`{your_domain}/oidc/v1/userinfo`
+`{CUSTOM_DOMAIN}/oidc/v1/userinfo`
 This endpoint will return information about the authorized user.
@@ -563,7 +563,7 @@ Send the `access_token` of the **user** (not the client) as Bearer Token in the
 ```BASH
 curl --request GET \
- --url {your_domain}/oidc/v1/userinfo
+ --url {CUSTOM_DOMAIN}/oidc/v1/userinfo
 --header 'Authorization: Bearer dsfdsjk29fm2as...'
 ```
@@ -578,7 +578,7 @@ If the token is invalid or expired, an HTTP 401 will be returned.
 ## revocation_endpoint
-`{your_domain}/oauth/v2/revoke`
+`{CUSTOM_DOMAIN}/oauth/v2/revoke`
 This endpoint enables clients to revoke an `access_token` or `refresh_token` they have been granted.
@@ -638,7 +638,7 @@ Send a `client_assertion` as JWT for ZITADEL to verify the signature against the
 ```BASH
 curl --request POST \
- --url {your_domain}/oauth/v2/revoke \
+ --url {CUSTOM_DOMAIN}/oauth/v2/revoke \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
 --data client_assertion=eyJhbGciOiJSUzI1Ni... \
@@ -650,7 +650,7 @@ curl --request POST \
 ## end_session_endpoint
-`{your_domain}/oidc/v1/end_session`
+`{CUSTOM_DOMAIN}/oidc/v1/end_session`
 The endpoint has to be opened in the user agent (browser) to terminate the user sessions.
@@ -672,7 +672,7 @@ If neither an `id_token_hint` nor a `client_id` parameter is provided, the `post
 ## jwks_uri
-`{your_domain}/oauth/v2/keys`
+`{CUSTOM_DOMAIN}/oauth/v2/keys`
 The endpoint returns a JSON Web Key Set (JWKS) containing the public keys that can be used to locally validate JWTs you received from ZITADEL.
 The alternative would be to validate tokens with the [introspection endpoint](#introspection_endpoint).
diff --git a/docs/docs/guides/integrate/identity-providers/linkedin_oauth.mdx b/docs/docs/guides/integrate/identity-providers/linkedin_oauth.mdx
index 5709c4e321..2e6093bd9e 100644
--- a/docs/docs/guides/integrate/identity-providers/linkedin_oauth.mdx
+++ b/docs/docs/guides/integrate/identity-providers/linkedin_oauth.mdx
@@ -23,7 +23,7 @@ import TestSetup from './_test_setup.mdx';
 2. Add your App Name, your Company Page and a Logo
 3. Add "Sign In with LinkedIn using OpenID Connect" by clicking "Request access"
 4. Go to the Auth Settings of the App and add the following URL to the "Authorized redirect URLs"
- - `{your_domain}/ui/login/login/externalidp/callback`
+ - `{CUSTOM_DOMAIN}/ui/login/login/externalidp/callback`
 - Example redirect url for the domain `https://acme.zitadel.cloud` would look like this: `https://acme.zitadel.cloud/ui/login/login/externalidp/callback`
 5. Verify the app as your company
 6. In the Auth - OAuth 2.0 scopes section you should see `openid`, `profile` and `email` listed
diff --git a/docs/docs/guides/integrate/login/hosted-login.mdx b/docs/docs/guides/integrate/login/hosted-login.mdx
index 80c9311674..a7863e1d01 100644
--- a/docs/docs/guides/integrate/login/hosted-login.mdx
+++ b/docs/docs/guides/integrate/login/hosted-login.mdx
@@ -202,7 +202,7 @@ Your contributions will play a crucial role in shaping the future of our login s
 The simplest way to deploy the new login for yourself is by using the [“Deploy” button in our repository](https://github.com/zitadel/typescript?tab=readme-ov-file#deploy-to-vercel) to deploy the login directly to your Vercel.
 1. [Create a service user](https://zitadel.com/docs/guides/integrate/service-users/personal-access-token#create-a-service-user-with-a-pat) with a PAT in your instance
- 2. Give the user IAM_LOGIN_CLIENT Permissions in the default settings (YOUR_DOMAIN/ui/console/instance?id=organizations)
+ 2. Give the user IAM_LOGIN_CLIENT Permissions in the default settings (CUSTOM_DOMAIN/ui/console/instance?id=organizations)
 Note: [Zitadel Manager Guide](https://zitadel.com/docs/guides/manage/console/managers)
 3. Deploy login to Vercel: You can do so by directly clicking the [“Deploy” button](https://github.com/zitadel/typescript?tab=readme-ov-file#deploy-to-vercel) at the bottom of the readme in our [repository](https://github.com/zitadel/typescript)
 4. If you have used the deploy button in the steps before, you will automatically be asked for this step. Enter the environment variables in Vercel
diff --git a/docs/docs/guides/integrate/login/oidc/webkeys.md b/docs/docs/guides/integrate/login/oidc/webkeys.md
index 288284fefc..a84fd3080d 100644
--- a/docs/docs/guides/integrate/login/oidc/webkeys.md
+++ b/docs/docs/guides/integrate/login/oidc/webkeys.md
@@ -296,7 +296,7 @@ Next month, Key ID 6 will be activated, an new key added and Key ID 2 can be del
 ## JSON web key set
 The JSON web key set (JWKS) endpoint serves all available public keys for the instance on
-`{your_domain}/oauth/v2/keys`. This includes activated, newly non-activated and deactivated web keys. The response format is defined in [RFC7517, section 5: JWK Set Format](https://www.rfc-editor.org/rfc/rfc7517#section-5).
+`{CUSTOM_DOMAIN}/oauth/v2/keys`. This includes activated, newly non-activated and deactivated web keys. The response format is defined in [RFC7517, section 5: JWK Set Format](https://www.rfc-editor.org/rfc/rfc7517#section-5).
 And looks like:
diff --git a/docs/docs/guides/integrate/services/auth0-oidc.mdx b/docs/docs/guides/integrate/services/auth0-oidc.mdx
index ec574dd6d9..ab90157894 100644
--- a/docs/docs/guides/integrate/services/auth0-oidc.mdx
+++ b/docs/docs/guides/integrate/services/auth0-oidc.mdx
@@ -28,7 +28,7 @@ In Authentication > Enterprise
 1. Press the "+" button right to "OpenID Connect"
 ![Create new connection](/img/oidc/auth0/auth0-create-app.png)
 2. Set a connection name for example "ZITADEL"
-3. The issuer url is `https:///.well-known/openid-configuration`
+3. The issuer url is `{CUSTOM_DOMAIN}/.well-known/openid-configuration`
 4. Copy the callback URL (ending with `/login/callback`)
 The configuration should look like this:
diff --git a/docs/docs/guides/integrate/services/cloudflare-oidc.mdx b/docs/docs/guides/integrate/services/cloudflare-oidc.mdx
index cd3624b32f..f23b8a5fc4 100644
--- a/docs/docs/guides/integrate/services/cloudflare-oidc.mdx
+++ b/docs/docs/guides/integrate/services/cloudflare-oidc.mdx
@@ -30,7 +30,7 @@ Cloudflare will return an error "User email was not returned. API permissions ar
 1. On the Cloudflare dashboard go to Zero Trust, click settings, and then select "Authentication"
 2. Add a new login method with the type "OpenID Connect"
-3. Fill in the required information. Check the discovery endpoint of your instance `https://{your_domain}/.well-known/openid-configuration` for the urls. As mentioned in the Cloudflare docs the Certificate Url is jwks_uri.
+3. Fill in the required information. Check the discovery endpoint of your instance `https://{CUSTOM_DOMAIN}/.well-known/openid-configuration` for the urls. As mentioned in the Cloudflare docs the Certificate Url is jwks_uri.
 4. Disable PKCE (Cloudflare requires a client secret for PKCE, which is currently not supported)
 5. Add the following claims: "openid", "profile", "email"
 6. Test the connection
@@ -42,9 +42,9 @@ Cloudflare will return an error "User email was not returned. API permissions ar
 "config": {
 "client_id": "",
 "client_secret": "",
- "auth_url": "https://{your_domain}.zitadel.cloud/oauth/v2/authorize",
- "token_url": "https://{your_domain}.zitadel.cloud/oauth/v2/token",
- "certs_url": "https://{your_domain}.zitadel.cloud/oauth/v2/keys",
+ "auth_url": "https://{CUSTOM_DOMAIN}.zitadel.cloud/oauth/v2/authorize",
+ "token_url": "https://{CUSTOM_DOMAIN}.zitadel.cloud/oauth/v2/token",
+ "certs_url": "https://{CUSTOM_DOMAIN}.zitadel.cloud/oauth/v2/keys",
 "scopes": ["openid", "email", "profile"],
 "pkce_enabled": false,
 },
diff --git a/docs/docs/guides/integrate/services/gitlab-self-hosted.mdx b/docs/docs/guides/integrate/services/gitlab-self-hosted.mdx
index 17e3cc3af6..7bb6f122ea 100644
--- a/docs/docs/guides/integrate/services/gitlab-self-hosted.mdx
+++ b/docs/docs/guides/integrate/services/gitlab-self-hosted.mdx
@@ -36,12 +36,12 @@ gitlab_rails['omniauth_providers'] = [
 {
 name: "openid_connect",
 label: "ZITADEL",
- icon: "https:///ui/console/assets/icons/favicon-32x32.png",
+ icon: "https:///ui/console/assets/icons/favicon-32x32.png",
 args: {
 name: "openid_connect",
 scope: ["openid","profile","email"],
 response_type: "code",
- issuer: "https://",
+ issuer: "https://",
 discovery: true,
 client_options: {
 identifier: "",
diff --git a/docs/docs/guides/integrate/services/google-workspace.md b/docs/docs/guides/integrate/services/google-workspace.md
index e3f7259ada..7a1c0118f7 100644
--- a/docs/docs/guides/integrate/services/google-workspace.md
+++ b/docs/docs/guides/integrate/services/google-workspace.md
@@ -33,25 +33,25 @@ Open the Google settings for [SSO with third-party IdP](https://admin.google.com
 ![SSO with third-party IdP](/img/guides/integrate/services/google-workspace-sso-overview.png)
-Download the public certificate from your ZITADEL instance by requesting `$YOUR_DOMAIN/saml/v2/certificate`
+Download the public certificate from your ZITADEL instance by requesting `$CUSTOM_DOMAIN/saml/v2/certificate`
 ```bash
- wget $YOUR_DOMAIN/saml/v2/certificate -O idp.crt
+ wget $CUSTOM_DOMAIN/saml/v2/certificate -O idp.crt
 ```
-Always replace `$YOUR_DOMAIN` with your custom domain.
+Always replace `$CUSTOM_DOMAIN` with your custom domain.
 Use the following configuration
 | Setting | Value |
 | --- | --- |
 | Set up SSO with third-party identity provider | Enable (check) |
-| Sign-in page URL | $YOUR_DOMAIN/saml/v2/SSO |
-| Sign-out page URL | $YOUR_DOMAIN/saml/v2/SLO |
+| Sign-in page URL | $CUSTOM_DOMAIN/saml/v2/SSO |
+| Sign-out page URL | $CUSTOM_DOMAIN/saml/v2/SLO |
 | Verification Certificate | Upload the certificate (idp.crt) |
 | Use a domain-specific issuer | Enable (check) |
 | Network masks | Leave blank|
-| Change password URL | $YOUR_DOMAIN/ui/console/users/me?id=security |
+| Change password URL | $CUSTOM_DOMAIN/ui/console/users/me?id=security |
 ### Create a SAML application in ZITADEL
diff --git a/docs/docs/guides/integrate/token-introspection/basic-auth.mdx b/docs/docs/guides/integrate/token-introspection/basic-auth.mdx
index 6beb244ed0..a4aa06a1b3 100644
--- a/docs/docs/guides/integrate/token-introspection/basic-auth.mdx
+++ b/docs/docs/guides/integrate/token-introspection/basic-auth.mdx
@@ -78,7 +78,7 @@ The request from the API to the introspection endpoint should be in the followin
 ```bash
 curl --request POST \
- --url {your_domain}/oauth/v2/introspect \
+ --url {CUSTOM_DOMAIN}/oauth/v2/introspect \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --header 'Authorization: Basic {your_basic_auth_header}' \
 --data token=VjVxyCZmRmWYqd3_F5db9Pb9mHR5fqzhn...
diff --git a/docs/docs/guides/integrate/token-introspection/private-key-jwt.mdx b/docs/docs/guides/integrate/token-introspection/private-key-jwt.mdx
index 6f7b26c7e6..3c8b641c51 100644
--- a/docs/docs/guides/integrate/token-introspection/private-key-jwt.mdx
+++ b/docs/docs/guides/integrate/token-introspection/private-key-jwt.mdx
@@ -135,7 +135,7 @@ Payload:
 {
 "iss": "78366401571920522@acme", (clientId from your key file)
 "sub": "78366401571920522@acme", (clientId from your key file)
- "aud": "https://{your_domain}", (your ZITADEL domain/issuer URL)
+ "aud": "https://{CUSTOM_DOMAIN}", (your ZITADEL domain/issuer URL)
 "exp": 1605183582, (Unix timestamp of the expiry)
 "iat": 1605179982 (Unix timestamp of the creation signing time of the JWT, MUST NOT be older than 1h)
 }
@@ -146,7 +146,7 @@ Create the JSON Web Token with the above header and payload, and sign it with th
 The request from the API to the introspection endpoint should be in the following format:
 ```bash
 curl --request POST \
- --url {your_domain}/oauth/v2/introspect \
+ --url {CUSTOM_DOMAIN}/oauth/v2/introspect \
 --header 'Content-Type: application/x-www-form-urlencoded' \
 --data client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
 --data client_assertion=eyJhbGciOiJSUzI1Ni... \
diff --git a/docs/docs/guides/integrate/tools/apache2.mdx b/docs/docs/guides/integrate/tools/apache2.mdx
index 0d7b481176..7ac4a36063 100644
--- a/docs/docs/guides/integrate/tools/apache2.mdx
+++ b/docs/docs/guides/integrate/tools/apache2.mdx
@@ -26,7 +26,7 @@ You can find a minimal configuration in the [official documentation](https://git
 The following parameters must be set with the values from ZITADEL.
 ```yaml
-OIDCProviderMetadataURL https://.zitadel.cloud/.well-known/openid-configuration
+OIDCProviderMetadataURL https://.zitadel.cloud/.well-known/openid-configuration
 OIDCClientID
 # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
 OIDCRedirectURI
@@ -40,7 +40,7 @@ With the following parameters
 | Parameter | Description | Example value|
 |---|---|---|
-| OIDCProviderMetadataURL | Is the url to the discovery endpoint, which is typically located at `{CUSTOM_DOMAIN}/.well-known/openid-configuration`| `https://.zitadel.cloud/.well-known/openid-configuration` |
+| OIDCProviderMetadataURL | Is the url to the discovery endpoint, which is typically located at `{CUSTOM_DOMAIN}/.well-known/openid-configuration`| `https://.zitadel.cloud/.well-known/openid-configuration` |
 | OIDCClientID | Is the ID of the zitadel application. You can find it on the settings page of the application. | 123456789123@apache_test |
 | OIDCRedirectURI | Users will be redirected to this page after successful login. If you are using localhost or any other non-https endpoint, make sure to enable development mode in ZITADEL. | https://mysecureapp.io/secure/callback |
 | OIDCCryptoPassphrase | Create a secure passphrase. Consult the module's documentation for more details. | ... |
diff --git a/docs/docs/guides/manage/console/organizations.mdx b/docs/docs/guides/manage/console/organizations.mdx
index d9336421e9..15ada0ce17 100644
--- a/docs/docs/guides/manage/console/organizations.mdx
+++ b/docs/docs/guides/manage/console/organizations.mdx
@@ -135,7 +135,7 @@ Read more about the [scopes](/docs/apis/openidoauth/scopes#reserved-scopes) or t
 ## Default organization
-On the Default settings page ($YOUR_DOMAIN//ui/console/orgs) you can set an organization as default organization.
+On the Default settings page ($CUSTOM_DOMAIN//ui/console/orgs) you can set an organization as default organization.
 Click the "..." on the right hand side of the table and select "Set as default organization".
 The current default organization is marked by a label "Default".
diff --git a/docs/docs/guides/manage/console/projects.mdx b/docs/docs/guides/manage/console/projects.mdx
index 53abea2dac..11dcb3c783 100644
--- a/docs/docs/guides/manage/console/projects.mdx
+++ b/docs/docs/guides/manage/console/projects.mdx
@@ -18,7 +18,7 @@ You would have to create roles for administration and your clients in this very
 ## Create a project
-To create a project, navigate to your organization, then projects or directly via `https://{your_domain}.zitadel.cloud/ui/console/projects`, and then click the button to create a new project.
+To create a project, navigate to your organization, then projects or directly via `https://{CUSTOM_DOMAIN}.zitadel.cloud/ui/console/projects`, and then click the button to create a new project.