Membership Not Found AUTHZN-AUTHZ-cdgFk

R

Rajat•4/17/25, 3:26 PM

hi @SkirmishUg can you please share both the curl requests here, will help me to see what exactly you did.
Thanks

R

Rajat Singh•4/22/25, 8:48 AM

hi @SkirmishUg looking into this rn

A

Arnau•4/22/25, 8:54 AM

Edit: solved

Membership Not Found AUTHZN-AUTHZ-cdgFk

Hello. FYI, we are having the same issue with v3.0.0-rc2 when trying to enable "Use new Login UI" in one of our OIDC apps.

Zitadel logs:

time="2025-04-22T08:47:58Z" level=error msg="query authRequest by ID" caller="/home/runner/work/zitadel/zitadel/internal/api/grpc/oidc/v2/oidc.go:24" error="ID=AUTHZ-cdgFk Message=membership not found"

time="2025-04-22T08:47:58Z" level=error msg="query authRequest by ID" caller="/home/runner/work/zitadel/zitadel/internal/api/grpc/oidc/v2/oidc.go:24" error="ID=AUTHZ-cdgFk Message=membership not found"

time="2025-04-22T08:47:58Z" level=error msg="query authRequest by ID" caller="/home/runner/work/zitadel/zitadel/internal/api/grpc/oidc/v2/oidc.go:24" error="ID=AUTHZ-cdgFk Message=membership not found"

time="2025-04-22T08:47:58Z" level=error msg="query authRequest by ID" caller="/home/runner/work/zitadel/zitadel/internal/api/grpc/oidc/v2/oidc.go:24" error="ID=AUTHZ-cdgFk Message=membership not found"

Log from the NEXT app (redirected to

login?authRequest=V2_3xxxxxxxxxxxxxxx

login?authRequest=V2_3xxxxxxxxxxxxxxx

login?authRequest=V2_3xxxxxxxxxxxxxxx

login?authRequest=V2_3xxxxxxxxxxxxxxx)

⨯ Error [ConnectError]: [not_found] membership not found (AUTHZ-cdgFk)
    at v (.next/server/chunks/3461.js:9:98753)
    at _ (.next/server/chunks/3461.js:9:99901)
    at next (.next/server/chunks/3461.js:9:136516)
    at async Object.unary (.next/server/chunks/3461.js:9:135248)
    at async Object.getAuthRequest (.next/server/chunks/3461.js:9:142556)
    at async v (.next/server/app/login/route.js:1:5686) {
  rawMessage: 'membership not found (AUTHZ-cdgFk)',
  code: 5,
  metadata: Headers {
    'grpc-message': 'membership not found (AUTHZ-cdgFk)',
    'grpc-status': '5',
    'grpc-status-details-bin': 'CAUSIm1lbWJlcnNoaXAgbm90IGZvdW5kIChBVVRIWi1jZGdGaykaUQoqdHlwZS5nb29nbGVhcGlzLmNvbS96aXRhZGVsLnYxLkVycm9yRGV0YWlsEiMKC0FVVEhaLWNkZ0ZrEhRtZW1iZXJzaGlwIG5vdCBmb3VuZA',
    'cache-control': 'no-store',
    'content-type': 'application/grpc+proto',
    date: 'Tue, 22 Apr 2025 08:50:48 GMT',
    expires: 'Tue, 22 Apr 2025 08:50:48 GMT',
    'grpc-metadata-cache-control': 'no-store',
    'grpc-metadata-expires': 'Tue, 22 Apr 2025 08:50:48 GMT',
    'grpc-metadata-pragma': 'no-cache',
    pragma: 'no-cache',
    server: 'awselb/2.0',
    trailer: 'Grpc-Status, Grpc-Message, Grpc-Status-Details-Bin',
    'x-robots-tag': 'none'
  },
  details: [Array],
  cause: undefined
}

⨯ Error [ConnectError]: [not_found] membership not found (AUTHZ-cdgFk)
    at v (.next/server/chunks/3461.js:9:98753)
    at _ (.next/server/chunks/3461.js:9:99901)
    at next (.next/server/chunks/3461.js:9:136516)
    at async Object.unary (.next/server/chunks/3461.js:9:135248)
    at async Object.getAuthRequest (.next/server/chunks/3461.js:9:142556)
    at async v (.next/server/app/login/route.js:1:5686) {
  rawMessage: 'membership not found (AUTHZ-cdgFk)',
  code: 5,
  metadata: Headers {
    'grpc-message': 'membership not found (AUTHZ-cdgFk)',
    'grpc-status': '5',
    'grpc-status-details-bin': 'CAUSIm1lbWJlcnNoaXAgbm90IGZvdW5kIChBVVRIWi1jZGdGaykaUQoqdHlwZS5nb29nbGVhcGlzLmNvbS96aXRhZGVsLnYxLkVycm9yRGV0YWlsEiMKC0FVVEhaLWNkZ0ZrEhRtZW1iZXJzaGlwIG5vdCBmb3VuZA',
    'cache-control': 'no-store',
    'content-type': 'application/grpc+proto',
    date: 'Tue, 22 Apr 2025 08:50:48 GMT',
    expires: 'Tue, 22 Apr 2025 08:50:48 GMT',
    'grpc-metadata-cache-control': 'no-store',
    'grpc-metadata-expires': 'Tue, 22 Apr 2025 08:50:48 GMT',
    'grpc-metadata-pragma': 'no-cache',
    pragma: 'no-cache',
    server: 'awselb/2.0',
    trailer: 'Grpc-Status, Grpc-Message, Grpc-Status-Details-Bin',
    'x-robots-tag': 'none'
  },
  details: [Array],
  cause: undefined
}

⨯ Error [ConnectError]: [not_found] membership not found (AUTHZ-cdgFk)
    at v (.next/server/chunks/3461.js:9:98753)
    at _ (.next/server/chunks/3461.js:9:99901)
    at next (.next/server/chunks/3461.js:9:136516)
    at async Object.unary (.next/server/chunks/3461.js:9:135248)
    at async Object.getAuthRequest (.next/server/chunks/3461.js:9:142556)
    at async v (.next/server/app/login/route.js:1:5686) {
  rawMessage: 'membership not found (AUTHZ-cdgFk)',
  code: 5,
  metadata: Headers {
    'grpc-message': 'membership not found (AUTHZ-cdgFk)',
    'grpc-status': '5',
    'grpc-status-details-bin': 'CAUSIm1lbWJlcnNoaXAgbm90IGZvdW5kIChBVVRIWi1jZGdGaykaUQoqdHlwZS5nb29nbGVhcGlzLmNvbS96aXRhZGVsLnYxLkVycm9yRGV0YWlsEiMKC0FVVEhaLWNkZ0ZrEhRtZW1iZXJzaGlwIG5vdCBmb3VuZA',
    'cache-control': 'no-store',
    'content-type': 'application/grpc+proto',
    date: 'Tue, 22 Apr 2025 08:50:48 GMT',
    expires: 'Tue, 22 Apr 2025 08:50:48 GMT',
    'grpc-metadata-cache-control': 'no-store',
    'grpc-metadata-expires': 'Tue, 22 Apr 2025 08:50:48 GMT',
    'grpc-metadata-pragma': 'no-cache',
    pragma: 'no-cache',
    server: 'awselb/2.0',
    trailer: 'Grpc-Status, Grpc-Message, Grpc-Status-Details-Bin',
    'x-robots-tag': 'none'
  },
  details: [Array],
  cause: undefined
}

⨯ Error [ConnectError]: [not_found] membership not found (AUTHZ-cdgFk)
    at v (.next/server/chunks/3461.js:9:98753)
    at _ (.next/server/chunks/3461.js:9:99901)
    at next (.next/server/chunks/3461.js:9:136516)
    at async Object.unary (.next/server/chunks/3461.js:9:135248)
    at async Object.getAuthRequest (.next/server/chunks/3461.js:9:142556)
    at async v (.next/server/app/login/route.js:1:5686) {
  rawMessage: 'membership not found (AUTHZ-cdgFk)',
  code: 5,
  metadata: Headers {
    'grpc-message': 'membership not found (AUTHZ-cdgFk)',
    'grpc-status': '5',
    'grpc-status-details-bin': 'CAUSIm1lbWJlcnNoaXAgbm90IGZvdW5kIChBVVRIWi1jZGdGaykaUQoqdHlwZS5nb29nbGVhcGlzLmNvbS96aXRhZGVsLnYxLkVycm9yRGV0YWlsEiMKC0FVVEhaLWNkZ0ZrEhRtZW1iZXJzaGlwIG5vdCBmb3VuZA',
    'cache-control': 'no-store',
    'content-type': 'application/grpc+proto',
    date: 'Tue, 22 Apr 2025 08:50:48 GMT',
    expires: 'Tue, 22 Apr 2025 08:50:48 GMT',
    'grpc-metadata-cache-control': 'no-store',
    'grpc-metadata-expires': 'Tue, 22 Apr 2025 08:50:48 GMT',
    'grpc-metadata-pragma': 'no-cache',
    pragma: 'no-cache',
    server: 'awselb/2.0',
    trailer: 'Grpc-Status, Grpc-Message, Grpc-Status-Details-Bin',
    'x-robots-tag': 'none'
  },
  details: [Array],
  cause: undefined
}

A

Arnau•4/22/25, 9:59 AM

Edit: solved

Membership Not Found AUTHZN-AUTHZ-cdgFk

Update: seems that by granting IAM_OWNER role to the Service User that the NEXT application uses that issue is solved. Then, when enabling the new login UI and trying to login in the OIDC app, the new login is presented and can be used.

But: after a successful login with a regular user (in this case using a SAML IdP) a new error appears: [permission_denied] No matching permissions found (AUTH-AWfge).

Login with session: 316786834032040867 and authRequest: V2_316786812624313251
Found session 316786834032040867
Session is valid: true
Error [ConnectError]: [permission_denied] No matching permissions found (AUTH-AWfge)
    at v (.next/server/chunks/3461.js:9:98753)
    at _ (.next/server/chunks/3461.js:9:99901)
    at next (.next/server/chunks/3461.js:9:136516)
    at async Object.unary (.next/server/chunks/3461.js:9:135248)
    at async Object.createCallback (.next/server/chunks/3461.js:9:142556)
    at async m (.next/server/app/login/route.js:1:2219) {
  rawMessage: 'No matching permissions found (AUTH-AWfge)',
  code: 7,
  metadata: Headers {
    'grpc-message': 'No matching permissions found (AUTH-AWfge)',
    'grpc-status': '7',
    'grpc-status-details-bin': 'CAcSKk5vIG1hdGNoaW5nIHBlcm1pc3Npb25zIGZvdW5kIChBVVRILUFXZmdlKRpZCip0eXBlLmdvb2dsZWFwaXMuY29tL3ppdGFkZWwudjEuRXJyb3JEZXRhaWwSKwoKQVVUSC1BV2ZnZRIdTm8gbWF0Y2hpbmcgcGVybWlzc2lvbnMgZm9
    'cache-control': 'no-store',
    'content-type': 'application/grpc+proto',
    date: 'Tue, 22 Apr 2025 09:55:51 GMT',
    expires: 'Tue, 22 Apr 2025 09:55:51 GMT',
    'grpc-metadata-cache-control': 'no-store',
    'grpc-metadata-expires': 'Tue, 22 Apr 2025 09:55:51 GMT',
    'grpc-metadata-pragma': 'no-cache',
    pragma: 'no-cache',
    server: 'awselb/2.0',
    trailer: 'Grpc-Status, Grpc-Message, Grpc-Status-Details-Bin',
    'x-robots-tag': 'none'
  },
  details: [Array],
  cause: undefined
}

Login with session: 316786834032040867 and authRequest: V2_316786812624313251
Found session 316786834032040867
Session is valid: true
Error [ConnectError]: [permission_denied] No matching permissions found (AUTH-AWfge)
    at v (.next/server/chunks/3461.js:9:98753)
    at _ (.next/server/chunks/3461.js:9:99901)
    at next (.next/server/chunks/3461.js:9:136516)
    at async Object.unary (.next/server/chunks/3461.js:9:135248)
    at async Object.createCallback (.next/server/chunks/3461.js:9:142556)
    at async m (.next/server/app/login/route.js:1:2219) {
  rawMessage: 'No matching permissions found (AUTH-AWfge)',
  code: 7,
  metadata: Headers {
    'grpc-message': 'No matching permissions found (AUTH-AWfge)',
    'grpc-status': '7',
    'grpc-status-details-bin': 'CAcSKk5vIG1hdGNoaW5nIHBlcm1pc3Npb25zIGZvdW5kIChBVVRILUFXZmdlKRpZCip0eXBlLmdvb2dsZWFwaXMuY29tL3ppdGFkZWwudjEuRXJyb3JEZXRhaWwSKwoKQVVUSC1BV2ZnZRIdTm8gbWF0Y2hpbmcgcGVybWlzc2lvbnMgZm9
    'cache-control': 'no-store',
    'content-type': 'application/grpc+proto',
    date: 'Tue, 22 Apr 2025 09:55:51 GMT',
    expires: 'Tue, 22 Apr 2025 09:55:51 GMT',
    'grpc-metadata-cache-control': 'no-store',
    'grpc-metadata-expires': 'Tue, 22 Apr 2025 09:55:51 GMT',
    'grpc-metadata-pragma': 'no-cache',
    pragma: 'no-cache',
    server: 'awselb/2.0',
    trailer: 'Grpc-Status, Grpc-Message, Grpc-Status-Details-Bin',
    'x-robots-tag': 'none'
  },
  details: [Array],
  cause: undefined
}

Login with session: 316786834032040867 and authRequest: V2_316786812624313251
Found session 316786834032040867
Session is valid: true
Error [ConnectError]: [permission_denied] No matching permissions found (AUTH-AWfge)
    at v (.next/server/chunks/3461.js:9:98753)
    at _ (.next/server/chunks/3461.js:9:99901)
    at next (.next/server/chunks/3461.js:9:136516)
    at async Object.unary (.next/server/chunks/3461.js:9:135248)
    at async Object.createCallback (.next/server/chunks/3461.js:9:142556)
    at async m (.next/server/app/login/route.js:1:2219) {
  rawMessage: 'No matching permissions found (AUTH-AWfge)',
  code: 7,
  metadata: Headers {
    'grpc-message': 'No matching permissions found (AUTH-AWfge)',
    'grpc-status': '7',
    'grpc-status-details-bin': 'CAcSKk5vIG1hdGNoaW5nIHBlcm1pc3Npb25zIGZvdW5kIChBVVRILUFXZmdlKRpZCip0eXBlLmdvb2dsZWFwaXMuY29tL3ppdGFkZWwudjEuRXJyb3JEZXRhaWwSKwoKQVVUSC1BV2ZnZRIdTm8gbWF0Y2hpbmcgcGVybWlzc2lvbnMgZm9
    'cache-control': 'no-store',
    'content-type': 'application/grpc+proto',
    date: 'Tue, 22 Apr 2025 09:55:51 GMT',
    expires: 'Tue, 22 Apr 2025 09:55:51 GMT',
    'grpc-metadata-cache-control': 'no-store',
    'grpc-metadata-expires': 'Tue, 22 Apr 2025 09:55:51 GMT',
    'grpc-metadata-pragma': 'no-cache',
    pragma: 'no-cache',
    server: 'awselb/2.0',
    trailer: 'Grpc-Status, Grpc-Message, Grpc-Status-Details-Bin',
    'x-robots-tag': 'none'
  },
  details: [Array],
  cause: undefined
}

Login with session: 316786834032040867 and authRequest: V2_316786812624313251
Found session 316786834032040867
Session is valid: true
Error [ConnectError]: [permission_denied] No matching permissions found (AUTH-AWfge)
    at v (.next/server/chunks/3461.js:9:98753)
    at _ (.next/server/chunks/3461.js:9:99901)
    at next (.next/server/chunks/3461.js:9:136516)
    at async Object.unary (.next/server/chunks/3461.js:9:135248)
    at async Object.createCallback (.next/server/chunks/3461.js:9:142556)
    at async m (.next/server/app/login/route.js:1:2219) {
  rawMessage: 'No matching permissions found (AUTH-AWfge)',
  code: 7,
  metadata: Headers {
    'grpc-message': 'No matching permissions found (AUTH-AWfge)',
    'grpc-status': '7',
    'grpc-status-details-bin': 'CAcSKk5vIG1hdGNoaW5nIHBlcm1pc3Npb25zIGZvdW5kIChBVVRILUFXZmdlKRpZCip0eXBlLmdvb2dsZWFwaXMuY29tL3ppdGFkZWwudjEuRXJyb3JEZXRhaWwSKwoKQVVUSC1BV2ZnZRIdTm8gbWF0Y2hpbmcgcGVybWlzc2lvbnMgZm9
    'cache-control': 'no-store',
    'content-type': 'application/grpc+proto',
    date: 'Tue, 22 Apr 2025 09:55:51 GMT',
    expires: 'Tue, 22 Apr 2025 09:55:51 GMT',
    'grpc-metadata-cache-control': 'no-store',
    'grpc-metadata-expires': 'Tue, 22 Apr 2025 09:55:51 GMT',
    'grpc-metadata-pragma': 'no-cache',
    pragma: 'no-cache',
    server: 'awselb/2.0',
    trailer: 'Grpc-Status, Grpc-Message, Grpc-Status-Details-Bin',
    'x-robots-tag': 'none'
  },
  details: [Array],
  cause: undefined
}

R

Rajat Singh•4/22/25, 1:56 PM

hi @Arnau @SkirmishUg
can you please check your scopes?
instead of this

urn:zitadel:iam:org:project🆔zitadel:aud

urn:zitadel:iam:org:project🆔zitadel:aud

urn:zitadel:iam:org:project🆔zitadel:aud

urn:zitadel:iam:org:project🆔zitadel:aud try this

urn:zitadel:iam:org:project🆔{projectid}:aud

urn:zitadel:iam:org:project🆔{projectid}:aud

urn:zitadel:iam:org:project🆔{projectid}:aud

urn:zitadel:iam:org:project🆔{projectid}:aud and pass your project Id in the scope.And also as @Arnau mentioned, use

ORG_OWNER

ORG_OWNER

ORG_OWNER

ORG_OWNER permission

SSkirmishUg This next one is the one that returns the error curl -X GET https://$ZITADEL_DO...

R

Rajat Singh•4/22/25, 2:00 PM

hi @SkirmishUg you can decode your access token on jwt.io to verify if

aud

aud

aud

aud matches your

project ID

project ID

project ID

project ID and scope includes

urn:zitadel:iam:org:project🆔YOUR_PROJECT_ID:aud

urn:zitadel:iam:org:project🆔YOUR_PROJECT_ID:aud

urn:zitadel:iam:org:project🆔YOUR_PROJECT_ID:aud

urn:zitadel:iam:org:project🆔YOUR_PROJECT_ID:aud to double check what you generated

A

Arnau•4/22/25, 3:07 PM

Hi @Rajat, thanks. No luck, seems it does not take any effect sending

urn:zitadel:iam:org:project🆔xxxxxxxxxxx:aud

urn:zitadel:iam:org:project🆔xxxxxxxxxxx:aud

urn:zitadel:iam:org:project🆔xxxxxxxxxxx:aud

urn:zitadel:iam:org:project🆔xxxxxxxxxxx:aud in the OIDC scopes in combination with

openid profile email

openid profile email

openid profile email

openid profile email.

Still getting the

"No matching permissions found (AUTH-AWfge)"

"No matching permissions found (AUTH-AWfge)"

"No matching permissions found (AUTH-AWfge)"

"No matching permissions found (AUTH-AWfge)"

R

Rajat Singh•4/22/25, 3:29 PM

can you check pls verify your token on jwt.io just to see if tou are getting the right thing?

A

Arnau•4/22/25, 3:42 PM

In both OIDC profile,

access_token

access_token

and

id_token

id_token

:

I verified
```
aud
```
aud
```
aud
```
aud
array contains the target project ID of the application that triggers the OIDC authentication flow.
I verified the
```
scope
```
scope
```
scope
```
scope
contains
```
urn:zitadel:iam:org:project🆔xxxxxxxxxxx:aud
```
urn:zitadel:iam:org:project🆔xxxxxxxxxxx:aud
```
urn:zitadel:iam:org:project🆔xxxxxxxxxxx:aud
```
urn:zitadel:iam:org:project🆔xxxxxxxxxxx:aud
I verified it also contains
```
urn:zitadel:iam:org:project:xxxxxxxxxxx:roles
```
urn:zitadel:iam:org:project:xxxxxxxxxxx:roles
```
urn:zitadel:iam:org:project:xxxxxxxxxxx:roles
```
urn:zitadel:iam:org:project:xxxxxxxxxxx:roles
claim as this project makes uses of Roles.

Made this checks by using the Zitadel Login UI and checking the

oidc.user:....

oidc.user:....

oidc.user:....

oidc.user:.... localstorage entry.

With the new login UI enabled, as it fails on

/login?sessionId=xxxxxxxxxxx&requestId=oidc_V2_xxxxxxxxxxx&organization=xxxxxxxxxxx

/login?sessionId=xxxxxxxxxxx&requestId=oidc_V2_xxxxxxxxxxx&organization=xxxxxxxxxxx

/login?sessionId=xxxxxxxxxxx&requestId=oidc_V2_xxxxxxxxxxx&organization=xxxxxxxxxxx

/login?sessionId=xxxxxxxxxxx&requestId=oidc_V2_xxxxxxxxxxx&organization=xxxxxxxxxxx I can't check it directly from the browser. Is there any way to check it via DB?

Edit: I verified the scopes and audiences are present in the auth request via Instance events

EventTypes.auth_request.added

EventTypes.auth_request.added

EventTypes.auth_request.added

EventTypes.auth_request.added.

A

Arnau•4/22/25, 4:00 PM

Ah, I found it. The Service User it also needs the "Iam Login Client" role!

Found it here:
(NEW!) Typescript Login - Beta Feature

A

Arnau•4/22/25, 4:19 PM

Now that it's working I've verified the scope

urn:zitadel:iam:org:project🆔xxxxxxxxxxx:aud

urn:zitadel:iam:org:project🆔xxxxxxxxxxx:aud

urn:zitadel:iam:org:project🆔xxxxxxxxxxx:aud

urn:zitadel:iam:org:project🆔xxxxxxxxxxx:aud is not needed.

G

Gigi the Giraffe (Zitadel)•4/23/25, 12:13 PM

Looks like you just helped out another community member! Thanks for being so helpful @1089771102315753532! You're now one step closer to leveling up—keep up the amazing peer support!

AArnau Hi @Rajat, thanks. No luck, seems it does not take any effect sending `urn:zitad...

A

Ayoub•6/12/25, 11:47 AM

Hi, I have the same issue — I created both roles, but it doesn't seem to be the solution.

curl https://<DOMAIN>/v2/users/human \ 
  --request POST \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <TOKEN> \
  --data '{
  "email": {
    "email": "nuevo.usuario@example.com"
  },
  "metadata": [],
  "password": {
    "changeRequired": false,
    "password": "SecurePassword123!"
  },
  "profile": {
    "displayName": "Nuevo Usuario",
    "familyName": "Usuario",
    "givenName": "Nuevo"
  },
  "userId": "",
  "username": "nuevo.usuario@example.com"
}'
{"code":7, "message":"No matching permissions found (AUTH-5mWD2)", "details":[{"@type":"type.googleapis.com/zitadel.v1.ErrorDetail", "id":"AUTH-5mWD2", "message":"No matching permissions found"}]}%

curl https://<DOMAIN>/v2/users/human \ 
  --request POST \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <TOKEN> \
  --data '{
  "email": {
    "email": "nuevo.usuario@example.com"
  },
  "metadata": [],
  "password": {
    "changeRequired": false,
    "password": "SecurePassword123!"
  },
  "profile": {
    "displayName": "Nuevo Usuario",
    "familyName": "Usuario",
    "givenName": "Nuevo"
  },
  "userId": "",
  "username": "nuevo.usuario@example.com"
}'
{"code":7, "message":"No matching permissions found (AUTH-5mWD2)", "details":[{"@type":"type.googleapis.com/zitadel.v1.ErrorDetail", "id":"AUTH-5mWD2", "message":"No matching permissions found"}]}%

curl https://<DOMAIN>/v2/users/human \ 
  --request POST \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <TOKEN> \
  --data '{
  "email": {
    "email": "nuevo.usuario@example.com"
  },
  "metadata": [],
  "password": {
    "changeRequired": false,
    "password": "SecurePassword123!"
  },
  "profile": {
    "displayName": "Nuevo Usuario",
    "familyName": "Usuario",
    "givenName": "Nuevo"
  },
  "userId": "",
  "username": "nuevo.usuario@example.com"
}'
{"code":7, "message":"No matching permissions found (AUTH-5mWD2)", "details":[{"@type":"type.googleapis.com/zitadel.v1.ErrorDetail", "id":"AUTH-5mWD2", "message":"No matching permissions found"}]}%

curl https://<DOMAIN>/v2/users/human \ 
  --request POST \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <TOKEN> \
  --data '{
  "email": {
    "email": "nuevo.usuario@example.com"
  },
  "metadata": [],
  "password": {
    "changeRequired": false,
    "password": "SecurePassword123!"
  },
  "profile": {
    "displayName": "Nuevo Usuario",
    "familyName": "Usuario",
    "givenName": "Nuevo"
  },
  "userId": "",
  "username": "nuevo.usuario@example.com"
}'
{"code":7, "message":"No matching permissions found (AUTH-5mWD2)", "details":[{"@type":"type.googleapis.com/zitadel.v1.ErrorDetail", "id":"AUTH-5mWD2", "message":"No matching permissions found"}]}%

I'm missing something?

AAyoub Hi, I have the same issue — I created both roles, but it doesn't seem to be the ...

A

Arnau•6/12/25, 11:51 AM

These are not project roles but Instance roles. Those are granted via Instance configuration as if you wanted to add a new Instance Manager.

https://zitadel.com/docs/guides/manage/console/managers

The roles are built in from ZITADEL, you don't need to create them manually in a Project.

ZITADEL Docs

To configure managers in ZITADEL go to the resource where you like to add it (e.g Instance, Organization, Project, GrantedProject).

A

Ayoub•6/12/25, 11:52 AM

Ah, sorry, I was confused.

A

Ayoub•6/12/25, 11:59 AM

Thanks, it worked. Sorry if the question was obvious. Appreciate your help.