Set instance level features
PUT/v2/features/instance
Configure and set features that apply to a complete instance. Only fields present in the request are set or unset.
Request​
- application/json
- application/grpc
- application/grpc-web+proto
Body
required
The login UI will use the settings of the default org (and not from the instance) if no organization context is set
Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.
We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.
User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.
Enable the experimental urn:ietf:params:oauth:grant-type:token-exchange
grant type for the OIDC token endpoint. Token exchange can be used to request tokens with a lesser scope or impersonate other users. See the security policy to allow impersonation on an instance.
Actions allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.
Possible values: [IMPROVED_PERFORMANCE_UNSPECIFIED
, IMPROVED_PERFORMANCE_ORG_BY_ID
, IMPROVED_PERFORMANCE_PROJECT_GRANT
, IMPROVED_PERFORMANCE_PROJECT
, IMPROVED_PERFORMANCE_USER_GRANT
, IMPROVED_PERFORMANCE_ORG_DOMAIN_VERIFIED
]
Improves performance of specified execution paths.
Enable the webkey/v3alpha API. The first time this feature is enabled, web keys are generated and activated.
Return parent errors to OIDC clients for debugging purposes. Parent errors may contain sensitive data or unwanted details about the system status of zitadel. Only enable if really needed.
If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a sid
claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.
Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins
If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.
loginV2
object
Specify the login UI for all users and applications regardless of their preference.
Require that all users must use the new login UI. If enabled, all users will be redirected to the login V2 regardless of the application's preference.
Optionally specify a base uri of the login UI. If unspecified the default URI will be used.
Body
required
The login UI will use the settings of the default org (and not from the instance) if no organization context is set
Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.
We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.
User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.
Enable the experimental urn:ietf:params:oauth:grant-type:token-exchange
grant type for the OIDC token endpoint. Token exchange can be used to request tokens with a lesser scope or impersonate other users. See the security policy to allow impersonation on an instance.
Actions allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.
Possible values: [IMPROVED_PERFORMANCE_UNSPECIFIED
, IMPROVED_PERFORMANCE_ORG_BY_ID
, IMPROVED_PERFORMANCE_PROJECT_GRANT
, IMPROVED_PERFORMANCE_PROJECT
, IMPROVED_PERFORMANCE_USER_GRANT
, IMPROVED_PERFORMANCE_ORG_DOMAIN_VERIFIED
]
Improves performance of specified execution paths.
Enable the webkey/v3alpha API. The first time this feature is enabled, web keys are generated and activated.
Return parent errors to OIDC clients for debugging purposes. Parent errors may contain sensitive data or unwanted details about the system status of zitadel. Only enable if really needed.
If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a sid
claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.
Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins
If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.
loginV2
object
Specify the login UI for all users and applications regardless of their preference.
Require that all users must use the new login UI. If enabled, all users will be redirected to the login V2 regardless of the application's preference.
Optionally specify a base uri of the login UI. If unspecified the default URI will be used.
Body
required
The login UI will use the settings of the default org (and not from the instance) if no organization context is set
Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.
We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.
User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.
Enable the experimental urn:ietf:params:oauth:grant-type:token-exchange
grant type for the OIDC token endpoint. Token exchange can be used to request tokens with a lesser scope or impersonate other users. See the security policy to allow impersonation on an instance.
Actions allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.
Possible values: [IMPROVED_PERFORMANCE_UNSPECIFIED
, IMPROVED_PERFORMANCE_ORG_BY_ID
, IMPROVED_PERFORMANCE_PROJECT_GRANT
, IMPROVED_PERFORMANCE_PROJECT
, IMPROVED_PERFORMANCE_USER_GRANT
, IMPROVED_PERFORMANCE_ORG_DOMAIN_VERIFIED
]
Improves performance of specified execution paths.
Enable the webkey/v3alpha API. The first time this feature is enabled, web keys are generated and activated.
Return parent errors to OIDC clients for debugging purposes. Parent errors may contain sensitive data or unwanted details about the system status of zitadel. Only enable if really needed.
If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a sid
claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.
Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins
If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.
loginV2
object
Specify the login UI for all users and applications regardless of their preference.
Require that all users must use the new login UI. If enabled, all users will be redirected to the login V2 regardless of the application's preference.
Optionally specify a base uri of the login UI. If unspecified the default URI will be used.
Responses​
- 200
- 403
- 404
- default
OK
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
{
"details": {
"sequence": "2",
"changeDate": "2025-01-10T04:38:15.103Z",
"resourceOwner": "69629023906488334"
}
}
- Schema
- Example (from schema)
Schema
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
{
"details": {
"sequence": "2",
"changeDate": "2025-01-10T04:38:15.104Z",
"resourceOwner": "69629023906488334"
}
}
- Schema
- Example (from schema)
Schema
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
{
"details": {
"sequence": "2",
"changeDate": "2025-01-10T04:38:15.104Z",
"resourceOwner": "69629023906488334"
}
}
Returned when the user does not have permission to access the resource.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
Returned when the resource has no feature flag settings and inheritance from the parent is disabled.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
An unexpected error response.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}