TERMINOLOGY.md
Authoritative naming reference derived from issue #5888. All user-facing wording in docs, UI, and API descriptions must follow this table.
| Action | Meaning |
|---|---|
| keep | Already correct — no change needed |
| replace | Discouraged term found — use the canonical term instead |
| remove | Term must be removed entirely |
| internal | Internal use only — must not appear in user-facing text |
| proposed | Under discussion — agents should flag but not block |
| Scope | Files |
|---|---|
| UI | Console (console/src/assets/i18n/) and Login UI (apps/login/locales/) |
| UI + Docs | UI files plus documentation content (apps/docs/content/) |
| UI dialogs | Subset of UI: modal and confirmation dialog strings |
| UI section | Subset of UI: labels tied to a specific page section |
| UI indicator | Subset of UI: inline status or indicator labels |
| UI notifications | Subset of UI: toast, banner, and notification strings |
| Docs | Documentation content (apps/docs/content/) |
| API | Proto files and API description/comment text (proto/**) |
| Everywhere | UI + Docs + API |
| — | Internal only — no user-facing file scope |
| Canonical term | Meaning / explanation | Search for (discouraged) | Replace with / enforce | Action | Scope |
|---|---|---|---|---|---|
| Customer Portal | Central hub for all customer interactions for cloud and self-hosting customers | (none — already canonical) | Customer Portal | keep | Everywhere |
| Management Console | Web interface where customers configure and manage ZITADEL resources. Must be visible as the UI app name. | Console, ZITADEL Console, Admin Console, Administration Console | Management Console | replace | UI |
| Instance | Private, isolated top-level ZITADEL environment | IAM, System, Type IAM | Instance / Type Instance | replace | Everywhere |
| Policies | Enforcement rules governing checks and constraints. Use only in enforcement contexts, always scoped (Instance / Organization). | Instance Policies, IAM Policies, Org Policies, Policies (unscoped), Instance Settings (when enforcing), Org Settings (when enforcing) | Instance Policies / Organization Policies | replace | Everywhere |
| Settings | Resource-specific configuration values (not rules). Use only in configuration contexts, always scoped (Instance / Organization). | Instance Settings, Org Settings, Instance Policies (when config), Org Policies (when config), IAM Policies (when config) | Instance Settings / Organization Settings | replace | Everywhere |
| Organization | Group of users within an instance | Organisation | Organization | replace | Everywhere |
| Organization Domain | Domain giving context where a user belongs | Primary Domain, Verified Domains, Org domains, verify your domain | Organization Domain | replace | UI + Docs |
| User (Human) | User with interactive authentication flows | Human, Human User, User: Type Human | User (Human) | replace | UI + Docs |
| Service Account | User with non-interactive authentication flows | Machine User, machine user, Service User, Machine Account, Technical Account, User: Type Machine | Service Account | replace | UI + Docs |
| User | UI display label for user identity | Display Name | User | replace | UI |
| Project | Container for applications sharing a role context | (none — already canonical) | Project | keep | Everywhere |
| Project Grant | Delegation of project access to another organization | Grant, Grants, Organization Grant, Delegated Access | Project Grant / Project Grants | replace | UI + Docs |
| Application | Software or service secured using ZITADEL | (none — already canonical) | Application | keep | Everywhere |
| Role Assignment | What a user is allowed to do (roles + org + user) | Authorization, external authorization, User Grant, Roles and Authorizations | Role Assignment | replace | Everywhere |
| Administrator | Role granting administrative privileges (role context only, not as a person label) | Manager, Add Manager, Add a Manager, Membership, Member, Member grants | Administrator / Add Administrator / Add an Administrator | replace | UI + Docs |
| Organization Administrators | Org-level admin role holders | ZITADEL Organization Managers | Organization Administrators | replace | UI + Docs |
| Project Administrators | Project-level admin role holders | Project A Managers | Project Administrators | replace | UI + Docs |
| Administrator Roles | Set of admin roles | Manager Roles, Membership Roles | Administrator Roles | replace | UI + Docs |
| ZITADEL Administrator Roles | ZITADEL-specific admin role set | ZITADEL Manager Roles, Zitadel Manager Roles, Zitadel Membership Roles, ZITADEL Membership Roles | ZITADEL Administrator Roles | replace | UI + Docs |
| Permission | Internal permission backing admin roles | (internal term) | (do not surface in user-facing text) | internal | — |
| Metadata | Key-value custom data attached to resources | Meta Data | Metadata | replace | Everywhere |
| Custom Domain | Domain identifying a ZITADEL instance (globally unique) | Custom domain, Installed domains, Instance Domains, Zitadel Domain, your_domain, your-domain | Custom Domain | replace | UI + Docs |
| Trusted Domain | Domain used for API/email contexts | (none — already canonical) | Trusted Domain | keep | Everywhere |
| Passkey | Passwordless auth using device-bound credentials | passwordless, passwordless login, passwordless auth, Multifactor (fingerprint/security keys), Fingerprint, Security Keys, WebAuthn, Webauthn | Passkey | replace | UI + Docs |
| TOTP | Time-based one-time password via authenticator app | OTP (authenticator), Authenticator App | TOTP | replace | UI + Docs |
| U2F | Legacy hardware authentication (deprecated) | U2F | (remove) | remove | Everywhere |
| OTP Email | One-time password delivered via email | Email OTP | OTP Email | replace | UI + Docs |
| OTP SMS | One-time password delivered via SMS | SMS OTP | OTP SMS | replace | UI + Docs |
| Organization ID | Explicit organization identifier | Resource Owner, OrgID, OrganizationID | organization_id | replace | API |
| Explicit object IDs | Explicit identifier per resource type | Resource ID, ResourceID | user_id / project_id / application_id / instance_id / organization_id | replace | API |
| Instance ID | Instance identifier label in UI | Resource Id (Instance) | Instance ID | replace | UI + Docs |
| ID | Generic identifier label in UI | Resource Id | ID | replace | UI |
| First Name | Personal given name field | Given Name | First Name | replace | Everywhere |
| Last Name | Personal family name field | Family Name | Last Name | replace | Everywhere |
| Add Administrator (dialog) | Consistent wording for admin-add dialog | Add Manager, Add a Manager | Add Administrator / Add an Administrator | replace | UI dialogs |
| Administrator (memberships section) | UI section on the user detail page showing admin memberships — should be labeled "Administrator", not "Memberships" | Memberships | Administrator | replace | UI section |
| Project Grants (section) | Project grant listing section | Grants | Project Grants | replace | UI section |
| Internal / External indicator | Shows if a user belongs to the same or a different org | (missing indicator) | internal / external | replace | UI indicator |
| Password changed | Past-tense wording for password change notification | Password change | Password changed | replace | UI notifications |
| Object descriptions | All resource descriptions must use end-user language | internal / technical wording | clear end-user language | replace | UI + Docs |
| Complement Token | Flow type for actions executed during token creation. In UI use "Complement Token"; in API use flowType = 2 (CustomiseToken). Docs must not show PreUserinfoCreation=3 for this type. | Compliment Token, CustomiseToken, CustomizeToken | Complement Token | replace | Everywhere |
proposed — agents will flag but not block.