Purpose of Zitadel Project API apps

[corepay]

Still reasoning through the Zitadel setup and how to make it work for my uniquely common setup.

Question I have right now is want are the Management-API, Auth-API, and Admin-API entities here for? Are they functional and there for a reason or placeholders? I do not see any keys, grants, roles or authorizations assocaited with these so what do they do and why are there there? Should I use these to manage my API for say adding new Organizations or Users via API from the top level org or do I need to create my own? Can I delete or rename them?

[dakshitha]

Hi! As the warning message indicates, this project belongs to ZITADEL and includes APIs and apps that does the underlying IAM work for your org—creating users, apps, projects etc. in the database and token issuing and handling among other IAM tasks. You can directly call these APIs. More information here -https://zitadel.com/docs/apis/introduction#zitadel-apis-service-based

This project can be found in your parent organization and shouldn't be tampered with. What I suggest you do is create a separate project in the parent organization (the org you registered at the start) and start adding apps there. If you want to create projects for another client org, then you can create a separate organization, create a project there and add the apps.

These resources will help you with understanding the org structure -
https://www.youtube.com/watch?v=Cx_WgyY4TOo
https://zitadel.com/docs/concepts
https://zitadel.com/docs/guides/manage/console/organizations
https://zitadel.com/docs/guides/manage/console/projects
https://zitadel.com/docs/guides/manage/console/applications

[corepay]

Yes thank you. I think I finally have my head around Organizations. What I keep stumbling on in my learning are bits and parts in the UI that I can click on or add values to that are not explained or addressed in the docs.

Now regardnig these and you suggestion to add a separate project -ok I understand I was going to use the Zitadel API's there for things like adding Zitadel super user(s) and system management / settings management without loggin into the zitadel console. If I understand you recommend creating a new Project but if I do that the APIs created in that project can be setup as IAM Owner also?. If so, I would recommend removing the Zitadel Project APIs (Management-API, Auth-API, Admin-API) becuase they are not needed, confusing as to why they are there in the first place and can cause great harm...si?

[hifabienne]

The pre existing project and apps should not be removed or changed.
They are used for internal things also that the management console ui does work.
Client ids of those apps are used in audiences, so ZITADEL does know when a token is issued for those applications. The audience is part of the oidc specification. this is also why you will have to request the zitadel project scope in an auth request if you do want to access zitadel apis with one of your users.

[corepay]

ok thank you - I will leave them alone.