You're looking for specific ZITADEL Management API endpoints to manage project members and their custom roles. Here's a more detailed breakdown:

-----

### Understanding ZITADEL's Role Management

ZITADEL distinguishes between:

* **Project Roles:** These are the custom roles you define within a specific project (like "ADMIN1", "SUPPORT"). They are keys that represent a set of permissions relevant to your application's logic. You create these at `management/v1/projects/{projectId}/roles`.
* **Project Members / User Grants:** This is where you assign a specific user (from your organization or a granted organization) one or more of these defined Project Roles for a given project. When a user is assigned a role in a project, it's essentially a "user grant."

Your initial `_search` query for `/projects/grants/members/roles/_search` seems to be for *Project Grant Member Roles*, which are roles related to a project grant (when one organization grants a project to another organization), not necessarily the custom roles assigned to individual users within your primary project.

-----

### ZITADEL Management API Endpoints for Your Use Case

Based on ZITADEL's API documentation, here are the likely endpoints you need:

#### 1. Listing Project Members and Their Assigned Custom Roles

To get all members under a specific project and see the custom roles they hold, you should use the **`List Project Members`** endpoint.

* **Endpoint:** `POST /management/v1/projects/{projectId}/members/_search`
* **Method:** `POST`
* **Headers:**
    * `Accept: application/json`
    * `Authorization: Bearer <YOUR_ACCESS_TOKEN>`
    * `x-zitadel-orgid: <YOUR_ORG_ID>` (e.g., `330990436153819140`)
* **URL Path Parameter:**
    * `projectId`: The ID of your project (e.g., `330990437781209092`).
* **Request Body (JSON):** You can send an empty object or include query parameters for pagination, sorting, or filtering.
  ```json
  {
    "query": {
      "offset": "0",
      "limit": 100,
      "asc": true
    }
  }
  ```

* **Expected Response Structure:** This endpoint should return a list of member objects. Each member object will contain `userId` and an array of `roles` (your custom role keys like "ADMIN1", "SUPPORT").

  ```json
  {
    "details": {
      "totalResult": "...",
      "viewTimestamp": "..."
    },
    "result": [
      {
        "userId": "some_user_id_1",
        "roles": ["ADMIN1", "SUPPORT"],
        "preferredLoginName": "user1@example.com",
        "displayName": "User One",
        // ... other user details
      },
      {
        "userId": "some_user_id_2",
        "roles": ["SUPPORT"],
        "preferredLoginName": "user2@example.com",
        "displayName": "User Two",
        // ... other user details
      }
    ]
  }
  ```

#### 2. Assigning Custom Roles to a User within a Project

To assign a user your custom roles, you'll use the **`Add Project Member`** or **`Update Project Member`** endpoint.

* **To add a new member with roles:**
    * **Endpoint:** `POST /management/v1/projects/{projectId}/members`
    * **Method:** `POST`
    * **Headers:** (Same as above)
    * **URL Path Parameter:** `projectId`
    * **Request Body (JSON):**

      ```json
      {
        "user_id": "YOUR_USER_ID",
        "roles": [
          "ADMIN1",
          "SUPPORT"
        ]
      }
      ```

* **To update roles for an existing member:**
    * **Endpoint:** `PUT /management/v1/projects/{projectId}/members/{userId}`
    * **Method:** `PUT` (or potentially `POST` if the "Add" endpoint handles updates implicitly, but `PUT` is standard for full replacement)
    * **Headers:** (Same as above)
    * **URL Path Parameters:**
        * `projectId`: The ID of your project.
        * `userId`: The ID of the user whose roles you want to update.
    * **Request Body (JSON):** **Important:** When using `PUT` for member updates in ZITADEL, you usually need to send the *entire list of roles* that the user should have. Any roles not included in the `roles` array in the payload will be removed from the user for that project.

      ```json
      {
        "roles": [
          "ADMIN1"
        ]
      }
      ```

      (This example would remove "SUPPORT" and leave only "ADMIN1" for `YOUR_USER_ID` in that project).

-----

### Why Your Original Call Failed

The endpoint `POST /management/v1/projects/grants/members/roles/_search` is for listing roles that are relevant to *project grants*, which is a different concept than directly assigned roles within a project. It seems to enumerate system-defined roles applicable to a project being granted, rather than the custom roles you've created for users of your project.

-----

**In summary:** Focus on the `management/v1/projects/{projectId}/members` endpoints for managing users and their custom roles within your specific project. Always refer to the official ZITADEL API documentation for the most accurate and up-to-date details.
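
Because the `PUT` member update described above replaces the whole role list, a safe role change is a read-modify-write: list the members, merge the change into the user's current roles, then send the full list. The sketch below is an added example, not code from the original answer or from ZITADEL; it uses the endpoint paths and response fields exactly as given on this page, and the function names and the injected `call` transport are hypothetical.

```python
import json
import urllib.request

def zitadel_call(base_url, token, org_id, method, path, body):
    """Send one request with the page's headers (plus Content-Type for the body)."""
    req = urllib.request.Request(
        base_url + path, data=json.dumps(body).encode(), method=method,
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "Authorization": "Bearer " + token, "x-zitadel-orgid": org_id})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def list_members(call, project_id, page_size=100):
    """Page through members/_search and return {userId: [role keys]}."""
    members, offset = {}, 0
    while True:
        page = call("POST", f"/management/v1/projects/{project_id}/members/_search",
                    {"query": {"offset": str(offset), "limit": page_size, "asc": True}})
        result = page.get("result", [])
        for member in result:
            members[member["userId"]] = list(member.get("roles", []))
        if len(result) < page_size:  # short page: nothing left to fetch
            return members
        offset += len(result)

def change_roles(call, project_id, user_id, add=(), remove=()):
    """Read-modify-write around the PUT, which replaces the whole role list."""
    current = list_members(call, project_id).get(user_id)
    if current is None:
        raise LookupError(f"{user_id} is not a member of project {project_id}")
    wanted = [r for r in current if r not in remove]
    for role in add:
        if role not in wanted:
            wanted.append(role)
    if not wanted:
        # Policy of this example: never strip a member of every role by accident.
        raise ValueError("refusing to send an empty role list")
    if wanted != current:  # skip the write when nothing would change
        call("PUT", f"/management/v1/projects/{project_id}/members/{user_id}",
             {"roles": wanted})
    return wanted

# Bind the real transport (all values are placeholders you supply):
#   call = functools.partial(zitadel_call, BASE_URL, ACCESS_TOKEN, ORG_ID)
#   change_roles(call, PROJECT_ID, USER_ID, add=["SUPPORT"])
```

The read and the `PUT` are two separate requests, so concurrent role changes for the same user should be serialized by the caller.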