smartive · sprudel · Mar 17, 2026 · Mar 14, 2026 · Mar 14, 2026 · Mar 14, 2026
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -25,3 +25,21 @@ jobs:
         run: just
       - run: cargo clippy --all-features --no-deps
       - run: cargo test --all-features
+
+  package_check:
+    name: Package Verification
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+      - uses: bufbuild/buf-setup-action@v1
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: extractions/setup-just@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - run: cargo install protoc-gen-prost-crate
+      - name: generated grpc code
+        run: just
+      - name: Verify package
+        run: cargo package --allow-dirty
diff --git a/.gitignore b/.gitignore
@@ -2,5 +2,4 @@
 Cargo.lock
 temp*
 src/api/generated
-crates/zitadel-gen/src/api/
-.idea
+.idea
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,13 +1,219 @@
-[workspace]
-resolver = "2"
-members = [
-    "crates/zitadel",
-    "crates/zitadel-gen",
+[package]
+name = "zitadel"
+description = "An implementation of ZITADEL API access and authentication in Rust."
+version = "0.0.0-development"
+edition = "2021"
+license = "MIT OR Apache-2.0"
+authors = ["Christoph Bühler <christoph@smartive.ch>"]
+repository = "https://github.com/buehler/zitadel-rust"
+keywords = ["ZITADEL", "gRPC", "clients", "authentication", "oidc"]
+categories = ["authentication", "api-bindings"]
+include = [
+  "src/**/*.rs",
+  "Cargo.toml",
+  "LICENSE*",
+  "README.md",
 ]
 
-[workspace.package]
-version = "0.1.0"
-authors = ["Christoph Bühler <christoph@smartive.ch>"]
-description = "Rust Microservices for labs gallery"
-license = "MIT OR Apache-2.0"
-edition = "2021"
+[features]
+default = ["tls-roots"]
+
+## Feature that enables support for the [actix framework](https://actix.rs/).
+actix = ["credentials", "oidc", "dep:actix-web"]
+
+## The API feature enables all gRPC service clients to access the ZITADEL API.
+api = [
+  "api-admin-v1",
+  "api-auth-v1",
+  "api-management-v1",
+  "api-system-v1",
+  "api-oidc-v2",
+  "api-org-v2",
+  "api-session-v2",
+  "api-settings-v2",
+  "api-user-v2"
+]
+## The API feature enables all gRPC service clients to access the respective ZITADEL API.
+api-admin-v1 = ["api-common", "zitadel-admin-v1" ]
+## The API feature enables all gRPC service clients to access the respective ZITADEL API.
+api-auth-v1 = ["api-common", "zitadel-auth-v1" ]
+## The API feature enables all gRPC service clients to access the respective ZITADEL API.
+api-management-v1 = ["api-common", "zitadel-v1-v1" ]
+## The API feature enables all gRPC service clients to access the respective ZITADEL API.
+api-system-v1 = ["api-common", "zitadel-system-v1", "zitadel-authn-v1" ]
+## The API feature enables all gRPC service clients to access the respective ZITADEL API.
+api-oidc-v2 = ["api-common", "zitadel-oidc-v2" ]
+## The API feature enables all gRPC service clients to access the respective ZITADEL API.
+api-org-v2 = ["api-common", "zitadel-org-v2", "zitadel-user-v2" ]
+## The API feature enables all gRPC service clients to access the respective ZITADEL API.
+api-session-v2 = ["api-common", "zitadel-session-v2" ]
+## The API feature enables all gRPC service clients to access the respective ZITADEL API.
+api-settings-v2 = ["api-common", "zitadel-settings-v2" ]
+## The API feature enables all gRPC service clients to access the respective ZITADEL API.
+api-user-v2 = ["api-common", "zitadel-user-v2" ]
+api-common = ["dep:prost", "dep:prost-types", "dep:tonic", "dep:tonic-prost", "dep:pbjson-types" ]
+
+tls-roots = ["tonic/tls-native-roots"]
+tls-webpki-roots = ["tonic/tls-webpki-roots"]
+
+
+## Feature that enables support for the [axum framework](https://docs.rs/axum/latest/axum/).
+axum = ["credentials", "oidc", "dep:axum", "dep:axum-extra"]
+
+## The credentials feature enables special credentials helpers for ZITADEL.
+## For example, it allows the user to create a ZITADEL service account and
+## authenticate against ZITADEL.
+credentials = ["dep:jsonwebtoken", "dep:openidconnect", "dep:reqwest", "dep:serde", "dep:serde_json", "dep:serde_urlencoded", "dep:time"]
+
+## The interceptors feature enables specific gRPC interceptors and
+## new convenience functions to create a gRPC client with interceptors.
+## The interceptors provide easy access to an authenticated ZITADEL API client.
+## The interceptors work with the credentials from this crate.
+interceptors = ["credentials", "dep:time", "dep:tokio"]
+
+## This feature enables caching of the OIDC discovery and introspection results.
+## By default, only the in-memory cache is available. To use a different cache,
+## enable specific features of this crate, or implement your own cache with
+## the trait.
+introspection_cache = ["dep:async-trait", "dep:time", "dep:moka"]
+
+## The OIDC module enables basic OIDC (OpenID Connect) features to communicate
+## with ZITADEL. Two examples are the `discover` and `introspect` functions.
+## The OIDC features are required for some of the web framework features.
+oidc = ["credentials", "dep:base64-compat"]
+
+## Feature that enables support for the [rocket framework](https://rocket.rs/).
+## It enables authentication features for rocket in the form of route guards.
+## Refer to the rocket module for more information.
+rocket = ["credentials", "oidc", "dep:rocket"]
+
+## Feature that enables support for the [rocket okapi](https://github.com/GREsau/okapi).
+rocket_okapi = ["rocket", "dep:rocket_okapi", "dep:schemars"]
+
+# @@protoc_deletion_point(features)
+# This section is automatically generated by protoc-gen-prost-crate.
+# Changes in this area may be lost on regeneration.
+proto_full = ["zitadel-action-v1","zitadel-admin-v1","zitadel-app-v1","zitadel-auth-v1","zitadel-authn-v1","zitadel-change-v1","zitadel-event-v1","zitadel-feature-v1","zitadel-feature-v2","zitadel-feature-v2beta","zitadel-idp-v1","zitadel-idp-v2","zitadel-instance-v1","zitadel-management-v1","zitadel-member-v1","zitadel-metadata-v1","zitadel-milestone-v1","zitadel-object-v2","zitadel-object-v2beta","zitadel-object-v3alpha","zitadel-oidc-v2","zitadel-oidc-v2beta","zitadel-org-v1","zitadel-org-v2","zitadel-org-v2beta","zitadel-policy-v1","zitadel-project-v1","zitadel-protoc_gen_zitadel-v2","zitadel-quota-v1","zitadel-resources-action-v3alpha","zitadel-resources-debug_events-v3alpha","zitadel-resources-object-v3alpha","zitadel-resources-user-v3alpha","zitadel-resources-userschema-v3alpha","zitadel-resources-webkey-v3alpha","zitadel-saml-v2","zitadel-session-v2","zitadel-session-v2beta","zitadel-settings-object-v3alpha","zitadel-settings-v1","zitadel-settings-v2","zitadel-settings-v2beta","zitadel-system-v1","zitadel-text-v1","zitadel-user-v1","zitadel-user-v2","zitadel-user-v2beta","zitadel-v1","zitadel-v1-v1"]
+"zitadel-action-v1" = ["zitadel-v1"]
+"zitadel-admin-v1" = ["zitadel-event-v1","zitadel-idp-v1","zitadel-instance-v1","zitadel-management-v1","zitadel-member-v1","zitadel-milestone-v1","zitadel-org-v1","zitadel-policy-v1","zitadel-settings-v1","zitadel-text-v1","zitadel-v1","zitadel-v1-v1"]
+"zitadel-app-v1" = ["zitadel-v1"]
+"zitadel-auth-v1" = ["zitadel-change-v1","zitadel-idp-v1","zitadel-metadata-v1","zitadel-org-v1","zitadel-policy-v1","zitadel-user-v1","zitadel-v1"]
+"zitadel-authn-v1" = ["zitadel-v1"]
+"zitadel-change-v1" = ["zitadel-v1"]
+"zitadel-event-v1" = ["zitadel-v1"]
+"zitadel-feature-v1" = []
+"zitadel-feature-v2" = ["zitadel-object-v2"]
+"zitadel-feature-v2beta" = ["zitadel-object-v2beta"]
+"zitadel-idp-v1" = ["zitadel-v1"]
+"zitadel-idp-v2" = ["zitadel-object-v2"]
+"zitadel-instance-v1" = ["zitadel-v1"]
+"zitadel-management-v1" = ["zitadel-action-v1","zitadel-app-v1","zitadel-authn-v1","zitadel-change-v1","zitadel-idp-v1","zitadel-member-v1","zitadel-metadata-v1","zitadel-org-v1","zitadel-policy-v1","zitadel-project-v1","zitadel-text-v1","zitadel-user-v1","zitadel-v1"]
+"zitadel-member-v1" = ["zitadel-user-v1","zitadel-v1"]
+"zitadel-metadata-v1" = ["zitadel-v1"]
+"zitadel-milestone-v1" = []
+"zitadel-object-v2" = []
+"zitadel-object-v2beta" = []
+"zitadel-object-v3alpha" = []
+"zitadel-oidc-v2" = ["zitadel-object-v2"]
+"zitadel-oidc-v2beta" = ["zitadel-object-v2beta"]
+"zitadel-org-v1" = ["zitadel-v1"]
+"zitadel-org-v2" = ["zitadel-object-v2"]
+"zitadel-org-v2beta" = ["zitadel-object-v2beta"]
+"zitadel-policy-v1" = ["zitadel-idp-v1","zitadel-v1"]
+"zitadel-project-v1" = ["zitadel-v1"]
+"zitadel-protoc_gen_zitadel-v2" = []
+"zitadel-quota-v1" = []
+"zitadel-resources-action-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
+"zitadel-resources-debug_events-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
+"zitadel-resources-object-v3alpha" = ["zitadel-object-v3alpha"]
+"zitadel-resources-user-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
+"zitadel-resources-userschema-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
+"zitadel-resources-webkey-v3alpha" = ["zitadel-object-v3alpha","zitadel-resources-object-v3alpha"]
+"zitadel-saml-v2" = ["zitadel-object-v2"]
+"zitadel-session-v2" = ["zitadel-object-v2","zitadel-v1"]
+"zitadel-session-v2beta" = ["zitadel-object-v2beta","zitadel-v1"]
+"zitadel-settings-object-v3alpha" = ["zitadel-object-v3alpha"]
+"zitadel-settings-v1" = ["zitadel-v1"]
+"zitadel-settings-v2" = ["zitadel-idp-v2","zitadel-object-v2"]
+"zitadel-settings-v2beta" = ["zitadel-object-v2beta"]
+"zitadel-system-v1" = ["zitadel-feature-v1","zitadel-instance-v1","zitadel-member-v1","zitadel-quota-v1","zitadel-v1"]
+"zitadel-text-v1" = ["zitadel-v1"]
+"zitadel-user-v1" = ["zitadel-v1"]
+"zitadel-user-v2" = ["zitadel-object-v2"]
+"zitadel-user-v2beta" = ["zitadel-object-v2beta"]
+"zitadel-v1" = []
+"zitadel-v1-v1" = ["zitadel-authn-v1","zitadel-idp-v1","zitadel-management-v1","zitadel-org-v1","zitadel-v1"]
+# @@protoc_insertion_point(features)
+
+[dependencies]
+actix-web = { version = "4.5.1", optional = true }
+async-trait = { version = "0.1.80", optional = true }
+axum = { version = "0.8.0", optional = true, features = ["macros"] }
+axum-extra = { version = "0.12.0", optional = true, features = ["typed-header"] }
+base64-compat = { version = "1", optional = true }
+custom_error = "1.9.2"
+document-features = { version = "0.2.8", optional = true }
+jsonwebtoken = { version = "10.3.0", optional = true, features = ["aws_lc_rs"] }
+moka = { version = "0.12.8", features = ["future"], optional = true }
+openidconnect = { version = "4.0.0", optional = true }
+pbjson-types = { version = "0.9.0", optional = true }
+prost = { version = "0.14.1", optional = true }
+prost-types = { version = "0.14.1", optional = true }
+tonic-prost = { version = "0.14.2", optional = true }
+reqwest = { version = "0.12.12", features = ["json", "rustls-tls"], default-features = false, optional = true }
+rocket = { version = "0.5.0", optional = true }
+serde = { version = "1.0.200", features = ["derive"], optional = true }
+serde_json = { version = "1.0.116", optional = true }
+serde_urlencoded = { version = "0.7.1", optional = true }
+time = { version = "0.3.36", optional = true }
+tokio = { version = "1.37.0", optional = true, features = [
+  "macros",
+  "rt-multi-thread",
+] }
+tonic = { version = "0.14.2", features = [
+  "tls-aws-lc",
+], optional = true }
+rocket_okapi = { version = "0.9.0", optional = true, default-features = false }
+schemars = {version = "0.8.21", optional = true}
+
+[dev-dependencies]
+chrono = "0.4.38"
+tokio = { version = "1.37.0", features = ["macros", "rt-multi-thread"] }
+tower = { version = "0.5.0" }
+http-body-util = "0.1.0"
+
+[package.metadata.docs.rs]
+all-features = true
+
+
+[[example]]
+name = "actix_webapi_oauth_interception_basic"
+required-features = ["actix"]
+
+[[example]]
+name = "axum_webapi_oauth_interception_basic"
+required-features = ["axum"]
+
+[[example]]
+name = "fetch_profile_with_pat"
+required-features = ["api", "interceptors"]
+
+[[example]]
+name = "fetch_profile_with_service_account"
+required-features = ["api", "interceptors"]
+
+[[example]]
+name = "rocket_webapi_oauth_interception_basic"
+required-features = ["rocket"]
+
+[[example]]
+name = "rocket_webapi_oauth_interception_jwtprofile_cached"
+required-features = ["rocket", "introspection_cache"]
+
+[[example]]
+name = "rocket_webapi_oauth_interception_jwtprofile"
+required-features = ["rocket"]
+
+[[example]]
+name = "service_account_authentication"
+required-features = ["credentials"]
diff --git a/buf.gen.yaml b/buf.gen.yaml
@@ -4,19 +4,19 @@ managed:
   enabled: true
 plugins:
   - remote: buf.build/community/neoeinstein-prost:v0.5.0
-    out: crates/zitadel-gen/src/api/
+    out: src/api/generated
     opt:
       - compile_well_known_types
       - extern_path=.google.protobuf=::pbjson_types
   - remote: buf.build/community/neoeinstein-tonic:v0.5.0
-    out: crates/zitadel-gen/src/api/
+    out: src/api/generated
     opt:
       - compile_well_known_types
       - extern_path=.google.protobuf=::pbjson_types
       - no_server
   - local: protoc-gen-prost-crate
-    out: ./crates/zitadel-gen
+    out: .
     strategy: all
     opt:
-      - gen_crate=./crates/zitadel-gen/Cargo.toml
-      - include_file=src/api/mod.rs
+      - gen_crate
+      - include_file=src/api/generated/mod.rs
diff --git a/crates/zitadel-gen/Cargo.toml b/crates/zitadel-gen/Cargo.toml