Get Default Login Settings
Returns the default login settings defined on the instance level. The login policy defines which authentication options a user has and, more generally, the behavior of the login and register UI.
Header Parameters
- x-zitadel-orgid (string): The default is always the organization of the requesting user. To get or set a result of another organization, include this header. Make sure the user has permission to access the requested data.
200: A successful response.
- application/json
- application/grpc
- application/grpc-web+proto
Schema
- policy object
  - details object
    - sequence uint64
      - on read: the sequence of the last event reduced by the projection
      - on manipulation: the timestamp of the event(s) added by the manipulation
    - creationDate date-time
      - on read: the timestamp of the first event of the object
      - on create: the timestamp of the event(s) added by the manipulation
    - changeDate date-time
      - on read: the timestamp of the last event reduced by the projection
      - on manipulation: the
    - resourceOwner: resource_owner is the organization an object belongs to
  - allowUsernamePassword boolean: defines if a user is allowed to log in with his username and password
  - allowRegister boolean: defines if a person is allowed to register a user on this organization
  - allowExternalIdp boolean: defines if a user is allowed to add a defined identity provider. E.g. Google auth
  - forceMfa boolean: defines if a user MUST use a multi-factor to log in
  - passwordlessType: defines if passwordless is allowed for users
    - PASSWORDLESS_TYPE_ALLOWED: PLANNED: PASSWORDLESS_TYPE_WITH_CERT
    - Possible values: [PASSWORDLESS_TYPE_NOT_ALLOWED, PASSWORDLESS_TYPE_ALLOWED]
    - Default value: PASSWORDLESS_TYPE_NOT_ALLOWED
  - isDefault boolean: defines if the organization's admin changed the policy
  - hidePasswordReset boolean: defines if password reset link should be shown in the login screen
  - ignoreUnknownUsernames boolean: defines if unknown username on login screen directly returns an error or always displays the password screen
  - defaultRedirectUri string: defines where the user will be redirected to if the login is started without app context (e.g. from mail)
  - passwordCheckLifetime string
  - externalLoginCheckLifetime string
  - mfaInitSkipLifetime string
  - secondFactorCheckLifetime string
  - multiFactorCheckLifetime string
  - secondFactors string[]
    - Possible values: [SECOND_FACTOR_TYPE_UNSPECIFIED, SECOND_FACTOR_TYPE_OTP, SECOND_FACTOR_TYPE_U2F]
  - multiFactors string[]
    - Possible values: [MULTI_FACTOR_TYPE_UNSPECIFIED, MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION]
  - idps object[]
    - idpId string: the id of the identity provider
    - idpName string: the name of the identity provider
    - idpType: the authorization framework of the identity provider
      - Possible values: [IDP_TYPE_UNSPECIFIED, IDP_TYPE_OIDC, IDP_TYPE_JWT]
      - Default value: IDP_TYPE_UNSPECIFIED
  - allowDomainDiscovery boolean: If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
  - disableLoginWithEmail boolean: defines if the user can additionally (to the login name) be identified by their verified email address
  - disableLoginWithPhone boolean: defines if the user can additionally (to the login name) be identified by their verified phone number
Example (from schema)
{
  "policy": {
    "details": {
      "sequence": "2",
      "creationDate": "2023-05-12",
      "changeDate": "2023-05-12",
      "resourceOwner": "69629023906488334"
    },
    "allowUsernamePassword": true,
    "allowRegister": true,
    "allowExternalIdp": true,
    "forceMfa": true,
    "passwordlessType": "PASSWORDLESS_TYPE_NOT_ALLOWED",
    "isDefault": true,
    "hidePasswordReset": true,
    "ignoreUnknownUsernames": true,
    "defaultRedirectUri": "https://acme.com/ui/console",
    "passwordCheckLifetime": "864000s",
    "externalLoginCheckLifetime": "864000s",
    "mfaInitSkipLifetime": "2592000s",
    "secondFactorCheckLifetime": "64800s",
    "multiFactorCheckLifetime": "43200s",
    "secondFactors": [
      "SECOND_FACTOR_TYPE_UNSPECIFIED"
    ],
    "multiFactors": [
      "MULTI_FACTOR_TYPE_UNSPECIFIED"
    ],
    "idps": [
      {
        "idpId": "69629023906488334",
        "idpName": "google",
        "idpType": [
          "IDP_TYPE_OIDC"
        ]
      }
    ],
    "allowDomainDiscovery": true,
    "disableLoginWithEmail": true,
    "disableLoginWithPhone": true
  }
}
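An added example, not part of the ZITADEL documentation: a small reviewer that reads a response of the shape shown above and reports login-policy settings worth a second look. The thresholds, the function names and the reading of ignoreUnknownUsernames (false meaning a direct error for unknown usernames) are assumptions of this example.

```python
from urllib.parse import urlparse

# Review thresholds in seconds: assumptions for this example, not ZITADEL defaults.
MAX_LIFETIME = {"passwordCheckLifetime": 7 * 86400,
                "secondFactorCheckLifetime": 86400, "multiFactorCheckLifetime": 86400}

def seconds(value):
    """Parse the duration strings the API returns, e.g. "864000s"."""
    if not value.endswith("s"):
        raise ValueError(f"unexpected duration: {value!r}")
    return float(value[:-1])

def real_factors(values):
    """Drop *_UNSPECIFIED placeholders; what remains is a usable factor type."""
    return [v for v in values if not v.endswith("_UNSPECIFIED")]

def audit_login_policy(response):
    """Return (field, finding) pairs for a login-policy response body."""
    p = response["policy"]
    findings = []
    factors = real_factors(p.get("secondFactors", [])) + real_factors(p.get("multiFactors", []))
    if not p.get("forceMfa"):
        findings.append(("forceMfa", "MFA is optional"))
    elif not factors:
        findings.append(("forceMfa", "MFA forced but no concrete factor type listed"))
    passwordless = p.get("passwordlessType") == "PASSWORDLESS_TYPE_ALLOWED"
    if p.get("allowUsernamePassword") and not factors and not passwordless:
        findings.append(("allowUsernamePassword", "password is the only usable credential"))
    # Assumption: false = unknown usernames get a direct error (reveals which names exist).
    if not p.get("ignoreUnknownUsernames"):
        findings.append(("ignoreUnknownUsernames", "login screen reveals unknown usernames"))
    uri = p.get("defaultRedirectUri", "")
    if uri and urlparse(uri).scheme != "https":
        findings.append(("defaultRedirectUri", "redirect target is not https"))
    for field, limit in MAX_LIFETIME.items():
        if field in p and seconds(p[field]) > limit:
            findings.append((field, f"{p[field]} exceeds {limit}s review threshold"))
    return findings

# Constructed sample: the schema example above, trimmed to the audited fields.
SAMPLE = {"policy": {
    "allowUsernamePassword": True, "forceMfa": True,
    "passwordlessType": "PASSWORDLESS_TYPE_NOT_ALLOWED", "ignoreUnknownUsernames": True,
    "defaultRedirectUri": "https://acme.com/ui/console",
    "passwordCheckLifetime": "864000s", "secondFactorCheckLifetime": "64800s",
    "multiFactorCheckLifetime": "43200s",
    "secondFactors": ["SECOND_FACTOR_TYPE_UNSPECIFIED"],
    "multiFactors": ["MULTI_FACTOR_TYPE_UNSPECIFIED"]}}
for finding in audit_login_policy(SAMPLE):
    print(finding)
```

Run against the schema example, it reports that forceMfa is set while both factor lists hold only the UNSPECIFIED placeholder, and that the password check lifetime of ten days is above the example's seven-day threshold.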
default: An unexpected error response.
- application/json
- application/grpc
- application/grpc-web+proto
Schema
- code int32
- message string
- details object[]
  - @type string
Example (from schema)
{
  "code": 0,
  "message": "string",
  "details": [
    {
      "@type": "string"
    }
  ]
}