diff --git a/go.mod b/go.mod
index b2256cbd49..d6ffe46cdf 100644
--- a/go.mod
+++ b/go.mod
@@ -5,8 +5,22 @@ go 1.14
 require (
 	github.com/BurntSushi/toml v0.3.1
 	github.com/caos/logging v0.0.0-20191210002624-b3260f690a6a
-	github.com/caos/utils v0.0.0-20200305060859-ac2fa70f313e // indirect
 	github.com/ghodss/yaml v1.0.0
-	golang.org/x/sys v0.0.0-20200317113312-5766fd39f98d // indirect
+	github.com/golang/mock v1.4.3
+	github.com/golang/protobuf v1.3.5
+	github.com/google/go-cmp v0.4.0 // indirect
+	github.com/gorilla/schema v1.1.0
+	github.com/gorilla/securecookie v1.1.1
+	github.com/grpc-ecosystem/go-grpc-middleware v1.2.0
+	github.com/kr/pretty v0.1.0 // indirect
+	github.com/stretchr/testify v1.5.1
+	golang.org/x/crypto v0.0.0-20200320181102-891825fb96df
+	golang.org/x/net v0.0.0-20200320220750-118fecf932d8 // indirect
+	golang.org/x/sys v0.0.0-20200321134203-328b4cd54aae // indirect
+	golang.org/x/text v0.3.2 // indirect
+	google.golang.org/genproto v0.0.0-20200319113533-08878b785e9c // indirect
+	google.golang.org/grpc v1.28.0
+	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 	gopkg.in/yaml.v2 v2.2.8 // indirect
+	rsc.io/sampler v1.99.99 // indirect
 )
diff --git a/go.sum b/go.sum
index d0bf2fad7f..f39134d478 100644
--- a/go.sum
+++ b/go.sum
@@ -1,289 +1,135 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
-cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
-cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
-cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
-cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
-cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
-cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
-cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
-cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
-cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
-cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
-cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
-cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
-cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
-contrib.go.opencensus.io/exporter/stackdriver v0.13.0/go.mod h1:z2tyTZtPmQ2HvWH4cOmVDgtY+1lomfKdbLnkJvZdc8c=
-dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/VictoriaMetrics/fastcache v1.5.7/go.mod h1:ptDBkNMQI4RtmVo8VS/XwRY6RoTu1dAWCbrk+6WsEM8=
-github.com/allegro/bigcache v1.2.1-0.20190218064605-e24eb225f156/go.mod h1:Cb/ax3seSYIx7SuZdm2G2xzfwmv3TPSk2ucNfQESPXM=
-github.com/allegro/bigcache v1.2.1/go.mod h1:Cb/ax3seSYIx7SuZdm2G2xzfwmv3TPSk2ucNfQESPXM=
-github.com/antihax/optional v0.0.0-20180407024304-ca021399b1a6/go.mod h1:V8iCPQYkqmusNa815XgQio277wI47sdRh1dUOLdyC6Q=
-github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go v1.29.16/go.mod h1:1KvfttTE3SPKMpo8g2c6jL3ZKfXtFvKscTgahTma5Xg=
 github.com/caos/logging v0.0.0-20191210002624-b3260f690a6a h1:HOU/3xL/afsZ+2aCstfJlrzRkwYMTFR1TIEgps5ny8s=
 github.com/caos/logging v0.0.0-20191210002624-b3260f690a6a/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0=
-github.com/caos/utils v0.0.0-20200305060859-ac2fa70f313e h1:QSbTeoLPW7c1rWNJA2GOKunDJnRAfyg8+cb73qMYESM=
-github.com/caos/utils v0.0.0-20200305060859-ac2fa70f313e/go.mod h1:CLEkNe7rs12GkdBWZxadA/mFiKeF6HzuA1BOKq+fX+Y=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
-github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
-github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
-github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
-github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.3 h1:GV+pQPG/EUUbkh47niozDcADz6go/dUwhVzdUQHIVRw=
+github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
-github.com/golang/snappy v0.0.1/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
-github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/golang/protobuf v1.3.5 h1:F768QJ1E9tib+q5Sc8MkdJi1RxLTbRcTf8LJV56aRls=
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
-github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0 h1:xsAVV57WRhGj6kEIi8ReJzQlHHqcBYCElAvkovg3B/4=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
-github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
-github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
-github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
-github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
-github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/gorilla/schema v1.1.0 h1:CamqUDOFUBqzrvxuz2vEwo8+SUdwsluFh7IlzJh30LY=
+github.com/gorilla/schema v1.1.0/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
+github.com/grpc-ecosystem/go-grpc-middleware v1.2.0 h1:0IKlLyQ3Hs9nDaiK5cSHAGmcQEIC8l2Ts1u6x5Dfrqg=
 github.com/grpc-ecosystem/go-grpc-middleware v1.2.0/go.mod h1:mJzapYve32yjrKlk9GbyCZHuPgZsrbyIbyKhSzOpg6s=
-github.com/grpc-ecosystem/grpc-gateway v1.13.0/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c=
-github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
-github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
-github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2 h1:DB17ag19krx9CFsz4o3enTrPXyIXCl+2iCXH/aMAp9s=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
 github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2 h1:bSDNvY7ZPG5RlJ8otE/7V6gMiyenm9RtJ7IUVIAoJ1w=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
-github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
-go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
-go.opencensus.io v0.22.1/go.mod h1:Ap50jQcDJrx6rB6VgeeFPtuPIf3wMRvRfrfYDO6+BmA=
-go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
-go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200320181102-891825fb96df h1:lDWgvUvNnaTnNBc/dwOty86cFeKoKWbwy2wQj0gIxbU=
+golang.org/x/crypto v0.0.0-20200320181102-891825fb96df/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
-golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
-golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
-golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
-golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
-golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
-golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
-golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
-golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
-golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
-golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
-golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200320220750-118fecf932d8 h1:1+zQlQqEEhUeStBTi653GZAnAuivZq/2hz+Iz+OP7rg=
+golang.org/x/net v0.0.0-20200320220750-118fecf932d8/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191206220618-eeba5f6aabab h1:FvshnhkKW+LO3HWHodML8kuVX8rnJTxKm9dFPuI68UM=
 golang.org/x/sys v0.0.0-20191206220618-eeba5f6aabab/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200317113312-5766fd39f98d h1:62ap6LNOjDU6uGmKXHJbSfciMoV+FeI1sRXx/pLDL44=
-golang.org/x/sys v0.0.0-20200317113312-5766fd39f98d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200321134203-328b4cd54aae h1:3tcmuaB7wwSZtelmiv479UjUB+vviwABz7a133ZwOKQ=
+golang.org/x/sys v0.0.0-20200321134203-328b4cd54aae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
-golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
-golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135 h1:5Beo0mZN8dRzgrMMkDp0jc8YXQKx9DiJ2k1dkvGsn5A=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191010075000-0337d82405ff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
-google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
-google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.10.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
-google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
-google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
-google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/appengine v1.6.2/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
-google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
-google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
-google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
-google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
-google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
-google.golang.org/genproto v0.0.0-20200303153909-beee998c1893/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200319113533-08878b785e9c h1:5aI3/f/3eCZps9xwoEnmgfDJDhMbnJpfqeGpjVNgVEI=
+google.golang.org/genproto v0.0.0-20200319113533-08878b785e9c/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
-google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.24.0/go.mod h1:XDChyiUovWa60DnaeDeZmSW86xtLtjtZbwvSiRnRtcA=
-google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.28.0 h1:bO/TA4OxCOummhSf10siHuG7vJOiwh7SpRpFZDkOgl4=
+google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/quote/v3 v3.1.0 h1:9JKUTTIUgS6kzR9mK1YuGKv6Nl+DijDNIc0ghT58FaY=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+rsc.io/sampler v1.3.0 h1:7uVkIFmeBqHfdjD+gZwtXXI+RODJ2Wc4O7MPEh/QiW4=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+rsc.io/sampler v1.99.99 h1:7i08f/p5TBU5joCPW3GjWG1ZFCmr28ybGqlXtelhEK8=
+rsc.io/sampler v1.99.99/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/internal/api/auth/authorization.go b/internal/api/auth/authorization.go
new file mode 100644
index 0000000000..5f7f31ec41
--- /dev/null
+++ b/internal/api/auth/authorization.go
@@ -0,0 +1,108 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+	"strings"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+const (
+	authenticated = "authenticated"
+)
+
+func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID string, verifier TokenVerifier, authConfig *Config, requiredAuthOption Option) (context.Context, error) {
+	ctx, err := VerifyTokenAndWriteCtxData(ctx, token, orgID, verifier)
+	if err != nil {
+		return nil, err
+	}
+
+	if requiredAuthOption.Permission == authenticated {
+		return ctx, nil
+	}
+
+	ctx, perms, err := getUserMethodPermissions(ctx, verifier, requiredAuthOption.Permission, authConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	err = checkUserPermissions(req, perms, requiredAuthOption)
+	if err != nil {
+		return nil, err
+	}
+	return ctx, nil
+}
+
+func checkUserPermissions(req interface{}, userPerms []string, authOpt Option) error {
+	if len(userPerms) == 0 {
+		return errors.ThrowPermissionDenied(nil, "AUTH-5mWD2", "No matching permissions found")
+	}
+
+	if authOpt.CheckParam == "" {
+		return nil
+	}
+
+	if HasGlobalPermission(userPerms) {
+		return nil
+	}
+
+	if hasContextPermission(req, authOpt.CheckParam, userPerms) {
+		return nil
+	}
+
+	return errors.ThrowPermissionDenied(nil, "AUTH-3jknH", "No matching permissions found")
+}
+
+func SplitPermission(perm string) (string, string) {
+	splittedPerm := strings.Split(perm, ":")
+	if len(splittedPerm) == 1 {
+		return splittedPerm[0], ""
+	}
+	return splittedPerm[0], splittedPerm[1]
+}
+
+func hasContextPermission(req interface{}, fieldName string, permissions []string) bool {
+	for _, perm := range permissions {
+		_, ctxID := SplitPermission(perm)
+		if checkPermissionContext(req, fieldName, ctxID) {
+			return true
+		}
+	}
+	return false
+}
+
+func checkPermissionContext(req interface{}, fieldName, roleContextID string) bool {
+	field := getFieldFromReq(req, fieldName)
+	return field != "" && field == roleContextID
+}
+
+func getFieldFromReq(req interface{}, field string) string {
+	v := reflect.Indirect(reflect.ValueOf(req)).FieldByName(field)
+	if reflect.ValueOf(v).IsZero() {
+		return ""
+	}
+	return fmt.Sprintf("%v", v.Interface())
+}
+
+func HasGlobalPermission(perms []string) bool {
+	for _, perm := range perms {
+		_, ctxID := SplitPermission(perm)
+		if ctxID == "" {
+			return true
+		}
+	}
+	return false
+}
+
+func GetPermissionCtxIDs(perms []string) []string {
+	ctxIDs := make([]string, 0)
+	for _, perm := range perms {
+		_, ctxID := SplitPermission(perm)
+		if ctxID != "" {
+			ctxIDs = append(ctxIDs, ctxID)
+		}
+	}
+	return ctxIDs
+}
diff --git a/internal/api/auth/authorization_test.go b/internal/api/auth/authorization_test.go
new file mode 100644
index 0000000000..5282e10c92
--- /dev/null
+++ b/internal/api/auth/authorization_test.go
@@ -0,0 +1,280 @@
+package auth
+
+import (
+	"testing"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+type TestRequest struct {
+	Test string
+}
+
+func Test_CheckUserPermissions(t *testing.T) {
+	type args struct {
+		req     *TestRequest
+		perms   []string
+		authOpt Option
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "no permissions",
+			args: args{
+				req:   &TestRequest{},
+				perms: []string{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "has permission and no context requested",
+			args: args{
+				req:     &TestRequest{},
+				perms:   []string{"project.read"},
+				authOpt: Option{CheckParam: ""},
+			},
+			wantErr: false,
+		},
+		{
+			name: "context requested and has global permission",
+			args: args{
+				req:     &TestRequest{Test: "Test"},
+				perms:   []string{"project.read", "project.read:1"},
+				authOpt: Option{CheckParam: "Test"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "context requested and has specific permission",
+			args: args{
+				req:     &TestRequest{Test: "Test"},
+				perms:   []string{"project.read:Test"},
+				authOpt: Option{CheckParam: "Test"},
+			},
+			wantErr: false,
+		},
+		{
+			name: "context requested and has no permission",
+			args: args{
+				req:     &TestRequest{Test: "Hodor"},
+				perms:   []string{"project.read:Test"},
+				authOpt: Option{CheckParam: "Test"},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := checkUserPermissions(tt.args.req, tt.args.perms, tt.args.authOpt)
+			if tt.wantErr && err == nil {
+				t.Errorf("got wrong result, should get err: actual: %v ", err)
+			}
+
+			if !tt.wantErr && err != nil {
+				t.Errorf("shouldn't get err: %v ", err)
+			}
+
+			if tt.wantErr && !errors.IsPermissionDenied(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
+
+func Test_SplitPermission(t *testing.T) {
+	type args struct {
+		perm string
+	}
+	tests := []struct {
+		name      string
+		args      args
+		permName  string
+		permCtxID string
+	}{
+		{
+			name: "permission with context id",
+			args: args{
+				perm: "project.read:ctxID",
+			},
+			permName:  "project.read",
+			permCtxID: "ctxID",
+		},
+		{
+			name: "permission without context id",
+			args: args{
+				perm: "project.read",
+			},
+			permName:  "project.read",
+			permCtxID: "",
+		},
+		{
+			name: "permission to many parts",
+			args: args{
+				perm: "project.read:1:0",
+			},
+			permName:  "project.read",
+			permCtxID: "1",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			name, id := SplitPermission(tt.args.perm)
+			if name != tt.permName {
+				t.Errorf("got wrong result on name, expecting: %v, actual: %v ", tt.permName, name)
+			}
+			if id != tt.permCtxID {
+				t.Errorf("got wrong result on id, expecting: %v, actual: %v ", tt.permCtxID, id)
+			}
+		})
+	}
+}
+
+func Test_HasContextPermission(t *testing.T) {
+	type args struct {
+		req       *TestRequest
+		fieldname string
+		perms     []string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result bool
+	}{
+		{
+			name: "existing context permission",
+			args: args{
+				req:       &TestRequest{Test: "right"},
+				fieldname: "Test",
+				perms:     []string{"test:wrong", "test:right"},
+			},
+			result: true,
+		},
+		{
+			name: "not existing context permission",
+			args: args{
+				req:       &TestRequest{Test: "test"},
+				fieldname: "Test",
+				perms:     []string{"test:wrong", "test:wrong2"},
+			},
+			result: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := hasContextPermission(tt.args.req, tt.args.fieldname, tt.args.perms)
+			if result != tt.result {
+				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
+
+func Test_GetFieldFromReq(t *testing.T) {
+	type args struct {
+		req       *TestRequest
+		fieldname string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result string
+	}{
+		{
+			name: "existing field",
+			args: args{
+				req:       &TestRequest{Test: "TestValue"},
+				fieldname: "Test",
+			},
+			result: "TestValue",
+		},
+		{
+			name: "not existing field",
+			args: args{
+				req:       &TestRequest{Test: "TestValue"},
+				fieldname: "Test2",
+			},
+			result: "",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := getFieldFromReq(tt.args.req, tt.args.fieldname)
+			if result != tt.result {
+				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
+
+func Test_HasGlobalPermission(t *testing.T) {
+
+	type args struct {
+		perms []string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result bool
+	}{
+		{
+			name: "global perm existing",
+			args: args{
+				perms: []string{"perm:1", "perm:2", "perm"},
+			},
+			result: true,
+		},
+		{
+			name: "global perm not existing",
+			args: args{
+				perms: []string{"perm:1", "perm:2", "perm:3"},
+			},
+			result: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := HasGlobalPermission(tt.args.perms)
+			if result != tt.result {
+				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
+
+func Test_GetPermissionCtxIDs(t *testing.T) {
+
+	type args struct {
+		perms []string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result []string
+	}{
+		{
+			name: "no specific permission",
+			args: args{
+				perms: []string{"perm"},
+			},
+			result: []string{},
+		},
+		{
+			name: "ctx id",
+			args: args{
+				perms: []string{"perm:1", "perm", "perm:3"},
+			},
+			result: []string{"1", "3"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := GetPermissionCtxIDs(tt.args.perms)
+			if !EqualStringArray(result, tt.result) {
+				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
diff --git a/internal/api/auth/config.go b/internal/api/auth/config.go
new file mode 100644
index 0000000000..b678fe377e
--- /dev/null
+++ b/internal/api/auth/config.go
@@ -0,0 +1,26 @@
+package auth
+
+type Config struct {
+	RolePermissionMappings []RoleMapping
+}
+
+type RoleMapping struct {
+	Role        string
+	Permissions []string
+}
+
+type MethodMapping map[string]Option
+
+type Option struct {
+	Permission string
+	CheckParam string
+}
+
+func (a *Config) getPermissionsFromRole(role string) []string {
+	for _, roleMap := range a.RolePermissionMappings {
+		if roleMap.Role == role {
+			return roleMap.Permissions
+		}
+	}
+	return nil
+}
diff --git a/internal/api/auth/context.go b/internal/api/auth/context.go
new file mode 100644
index 0000000000..5638fa40d1
--- /dev/null
+++ b/internal/api/auth/context.go
@@ -0,0 +1,70 @@
+package auth
+
+import (
+	"context"
+	"time"
+
+	"github.com/caos/logging"
+)
+
+const (
+	HeaderOrgID = "x-caos-zitadel-orgid"
+)
+
+type CtxKeyPermissions struct{}
+type CtxKeyData struct{}
+
+type CtxData struct {
+	UserID    string
+	OrgID     string
+	ProjectID string
+	AgentID   string
+}
+
+func (ctxData CtxData) IsZero() bool {
+	return ctxData.UserID == "" || ctxData.OrgID == ""
+}
+
+type Grants []*Grant
+
+type Grant struct {
+	OrgID string
+	Roles []string
+}
+
+type TokenVerifier interface {
+	VerifyAccessToken(ctx context.Context, token string) (string, string, string, error)
+	ResolveGrants(ctx context.Context, sub, orgID string) ([]*Grant, error)
+	GetProjectIDByClientID(ctx context.Context, clientID string) (string, error)
+}
+
+func VerifyTokenAndWriteCtxData(ctx context.Context, token, orgID string, t TokenVerifier) (_ context.Context, err error) {
+	userID, clientID, agentID, err := verifyAccessToken(ctx, token, t)
+	if err != nil {
+		return nil, err
+	}
+
+	projectID, err := t.GetProjectIDByClientID(ctx, clientID)
+	logging.LogWithFields("AUTH-GfAoV", "clientID", clientID).OnError(err).Warn("could not read projectid by clientid")
+
+	return context.WithValue(ctx, CtxKeyData{}, &CtxData{UserID: userID, OrgID: orgID, ProjectID: projectID, AgentID: agentID}), nil
+}
+
+func GetCtxData(ctx context.Context) CtxData {
+	if data := ctx.Value(CtxKeyData{}); data != nil {
+		ctxData, ok := data.(*CtxData)
+		if ok {
+			return *ctxData
+		}
+		time.Now()
+	}
+	return CtxData{}
+}
+
+func GetPermissionsFromCtx(ctx context.Context) []string {
+	if data := ctx.Value(CtxKeyPermissions{}); data != nil {
+		ctxPermission, _ := data.([]string)
+		return ctxPermission
+	}
+	return nil
+}
diff --git a/internal/api/auth/permissions.go b/internal/api/auth/permissions.go
new file mode 100644
index 0000000000..d7ca516a9d
--- /dev/null
+++ b/internal/api/auth/permissions.go
@@ -0,0 +1,61 @@
+package auth
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+func getUserMethodPermissions(ctx context.Context, t TokenVerifier, requiredPerm string, authConfig *Config) (context.Context, []string, error) {
+	ctxData := GetCtxData(ctx)
+	if ctxData.IsZero() {
+		return nil, nil, errors.ThrowUnauthenticated(nil, "AUTH-rKLWEH", "context missing")
+	}
+	grants, err := t.ResolveGrants(ctx, ctxData.UserID, ctxData.OrgID)
+	if err != nil {
+		return nil, nil, err
+	}
+	permissions := mapGrantsToPermissions(requiredPerm, grants, authConfig)
+	return context.WithValue(ctx, CtxKeyPermissions{}, permissions), permissions, nil
+}
+
+func mapGrantsToPermissions(requiredPerm string, grants []*Grant, authConfig *Config) []string {
+	resolvedPermissions := make([]string, 0)
+	for _, grant := range grants {
+		for _, role := range grant.Roles {
+			resolvedPermissions = mapRoleToPerm(requiredPerm, role, authConfig, resolvedPermissions)
+		}
+	}
+	return resolvedPermissions
+}
+
+func mapRoleToPerm(requiredPerm, actualRole string, authConfig *Config, resolvedPermissions []string) []string {
+	roleName, roleContextID := SplitPermission(actualRole)
+	perms := authConfig.getPermissionsFromRole(roleName)
+
+	for _, p := range perms {
+		if p == requiredPerm {
+			p = addRoleContextIDToPerm(p, roleContextID)
+			if !existsPerm(resolvedPermissions, p) {
+				resolvedPermissions = append(resolvedPermissions, p)
+			}
+		}
+	}
+	return resolvedPermissions
+}
+
+func addRoleContextIDToPerm(perm, roleContextID string) string {
+	if roleContextID != "" {
+		perm = perm + ":" + roleContextID
+	}
+	return perm
+}
+
+func existsPerm(existing []string, perm string) bool {
+	for _, e := range existing {
+		if e == perm {
+			return true
+		}
+	}
+	return false
+}
diff --git a/internal/api/auth/permissions_test.go b/internal/api/auth/permissions_test.go
new file mode 100644
index 0000000000..6d0857d792
--- /dev/null
+++ b/internal/api/auth/permissions_test.go
@@ -0,0 +1,431 @@
+package auth
+
+import (
+	"context"
+	"testing"
+
+	caos_errs "github.com/caos/zitadel/internal/errors"
+)
+
+func getTestCtx(userID, orgID string) context.Context {
+	return context.WithValue(context.Background(), CtxKeyData{}, &CtxData{UserID: userID, OrgID: orgID})
+}
+
+type testVerifier struct {
+	grants []*Grant
+}
+
+func (v *testVerifier) VerifyAccessToken(ctx context.Context, token string) (string, string, string, error) {
+	return "", "", "", nil
+}
+
+func (v *testVerifier) ResolveGrants(ctx context.Context, sub, orgID string) ([]*Grant, error) {
+	return v.grants, nil
+}
+
+func (v *testVerifier) GetProjectIDByClientID(ctx context.Context, clientID string) (string, error) {
+	return "", nil
+}
+
+func EqualStringArray(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i, v := range a {
+		if v != b[i] {
+			return false
+		}
+	}
+	return true
+}
+
+func Test_GetUserMethodPermissions(t *testing.T) {
+	type args struct {
+		ctx          context.Context
+		verifier     TokenVerifier
+		requiredPerm string
+		authConfig   *Config
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+		errFunc func(err error) bool
+		result  []string
+	}{
+		{
+			name: "Empty Context",
+			args: args{
+				ctx: getTestCtx("", ""),
+				verifier: &testVerifier{grants: []*Grant{&Grant{
+					Roles: []string{"ORG_OWNER"}}}},
+				requiredPerm: "project.read",
+				authConfig: &Config{
+					RolePermissionMappings: []RoleMapping{
+						RoleMapping{
+							Role:        "IAM_OWNER",
+							Permissions: []string{"project.read"},
+						},
+						RoleMapping{
+							Role:        "ORG_OWNER",
+							Permissions: []string{"org.read", "project.read"},
+						},
+					},
+				},
+			},
+			wantErr: true,
+			errFunc: func(err error) bool {
+				return caos_errs.IsUnauthenticated(err)
+			},
+			result: []string{"project.read"},
+		},
+		{
+			name: "No Grants",
+			args: args{
+				ctx:          getTestCtx("", ""),
+				verifier:     &testVerifier{grants: []*Grant{}},
+				requiredPerm: "project.read",
+				authConfig: &Config{
+					RolePermissionMappings: []RoleMapping{
+						RoleMapping{
+							Role:        "IAM_OWNER",
+							Permissions: []string{"project.read"},
+						},
+						RoleMapping{
+							Role:        "ORG_OWNER",
+							Permissions: []string{"org.read", "project.read"},
+						},
+					},
+				},
+			},
+			result: make([]string, 0),
+		},
+		{
+			name: "Get Permissions",
+			args: args{
+				ctx: getTestCtx("userID", "orgID"),
+				verifier: &testVerifier{grants: []*Grant{&Grant{
+					Roles: []string{"ORG_OWNER"}}}},
+				requiredPerm: "project.read",
+				authConfig: &Config{
+					RolePermissionMappings: []RoleMapping{
+						RoleMapping{
+							Role:        "IAM_OWNER",
+							Permissions: []string{"project.read"},
+						},
+						RoleMapping{
+							Role:        "ORG_OWNER",
+							Permissions: []string{"org.read", "project.read"},
+						},
+					},
+				},
+			},
+			result: []string{"project.read"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, perms, err := getUserMethodPermissions(tt.args.ctx, tt.args.verifier, tt.args.requiredPerm, tt.args.authConfig)
+
+			if tt.wantErr && err == nil {
+				t.Errorf("got wrong result, should get err: actual: %v ", err)
+			}
+
+			if tt.wantErr && !tt.errFunc(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+
+			if !tt.wantErr && !EqualStringArray(perms, tt.result) {
+				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, perms)
+			}
+		})
+	}
+}
+
+func Test_MapGrantsToPermissions(t *testing.T) {
+	type args struct {
+		requiredPerm string
+		grants       []*Grant
+		authConfig   *Config
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result []string
+	}{
+		{
+			name: "One Role existing perm",
+			args: args{
+				requiredPerm: "project.read",
+				grants: []*Grant{&Grant{
+					Roles: []string{"ORG_OWNER"}}},
+				authConfig: &Config{
+					RolePermissionMappings: []RoleMapping{
+						RoleMapping{
+							Role:        "IAM_OWNER",
+							Permissions: []string{"project.read"},
+						},
+						RoleMapping{
+							Role:        "ORG_OWNER",
+							Permissions: []string{"org.read", "project.read"},
+						},
+					},
+				},
+			},
+			result: []string{"project.read"},
+		},
+		{
+			name: "One Role not existing perm",
+			args: args{
+				requiredPerm: "project.write",
+				grants: []*Grant{&Grant{
+					Roles: []string{"ORG_OWNER"}}},
+				authConfig: &Config{
+					RolePermissionMappings: []RoleMapping{
+						RoleMapping{
+							Role:        "IAM_OWNER",
+							Permissions: []string{"project.read"},
+						},
+						RoleMapping{
+							Role:        "ORG_OWNER",
+							Permissions: []string{"org.read", "project.read"},
+						},
+					},
+				},
+			},
+			result: []string{},
+		},
+		{
+			name: "Multiple Roles one existing",
+			args: args{
+				requiredPerm: "project.read",
+				grants: []*Grant{&Grant{
+					Roles: []string{"ORG_OWNER", "IAM_OWNER"}}},
+				authConfig: &Config{
+					RolePermissionMappings: []RoleMapping{
+						RoleMapping{
+							Role:        "IAM_OWNER",
+							Permissions: []string{"project.read"},
+						},
+						RoleMapping{
+							Role:        "ORG_OWNER",
+							Permissions: []string{"org.read", "project.read"},
+						},
+					},
+				},
+			},
+			result: []string{"project.read"},
+		},
+		{
+			name: "Multiple Roles, global and specific",
+			args: args{
+				requiredPerm: "project.read",
+				grants: []*Grant{&Grant{
+					Roles: []string{"ORG_OWNER", "PROJECT_OWNER:1"}}},
+				authConfig: &Config{
+					RolePermissionMappings: []RoleMapping{
+						RoleMapping{
+							Role:        "PROJECT_OWNER",
+							Permissions: []string{"project.read"},
+						},
+						RoleMapping{
+							Role:        "ORG_OWNER",
+							Permissions: []string{"org.read", "project.read"},
+						},
+					},
+				},
+			},
+			result: []string{"project.read", "project.read:1"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := mapGrantsToPermissions(tt.args.requiredPerm, tt.args.grants, tt.args.authConfig)
+			if !EqualStringArray(result, tt.result) {
+				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
+
+func Test_MapRoleToPerm(t *testing.T) {
+	type args struct {
+		requiredPerm        string
+		actualRole          string
+		authConfig          *Config
+		resolvedPermissions []string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result []string
+	}{
+		{
+			name: "first perm without context id",
+			args: args{
+				requiredPerm: "project.read",
+				actualRole:   "ORG_OWNER",
+				authConfig: &Config{
+					RolePermissionMappings: []RoleMapping{
+						RoleMapping{
+							Role:        "IAM_OWNER",
+							Permissions: []string{"project.read"},
+						},
+						RoleMapping{
+							Role:        "ORG_OWNER",
+							Permissions: []string{"org.read", "project.read"},
+						},
+					},
+				},
+				resolvedPermissions: []string{},
+			},
+			result: []string{"project.read"},
+		},
+		{
+			name: "existing perm without context id",
+			args: args{
+				requiredPerm: "project.read",
+				actualRole:   "ORG_OWNER",
+				authConfig: &Config{
+					RolePermissionMappings: []RoleMapping{
+						RoleMapping{
+							Role:        "IAM_OWNER",
+							Permissions: []string{"project.read"},
+						},
+						RoleMapping{
+							Role:        "ORG_OWNER",
+							Permissions: []string{"org.read", "project.read"},
+						},
+					},
+				},
+				resolvedPermissions: []string{"project.read"},
+			},
+			result: []string{"project.read"},
+		},
+		{
+			name: "first perm with context id",
+			args: args{
+				requiredPerm: "project.read",
+				actualRole:   "PROJECT_OWNER:1",
+				authConfig: &Config{
+					RolePermissionMappings: []RoleMapping{
+						RoleMapping{
+							Role:        "PROJECT_OWNER",
+							Permissions: []string{"project.read"},
+						},
+						RoleMapping{
+							Role:        "ORG_OWNER",
+							Permissions: []string{"org.read", "project.read"},
+						},
+					},
+				},
+				resolvedPermissions: []string{},
+			},
+			result: []string{"project.read:1"},
+		},
+		{
+			name: "perm with context id, existing global",
+			args: args{
+				requiredPerm: "project.read",
+				actualRole:   "PROJECT_OWNER:1",
+				authConfig: &Config{
+					RolePermissionMappings: []RoleMapping{
+						RoleMapping{
+							Role:        "PROJECT_OWNER",
+							Permissions: []string{"project.read"},
+						},
+						RoleMapping{
+							Role:        "ORG_OWNER",
+							Permissions: []string{"org.read", "project.read"},
+						},
+					},
+				},
+				resolvedPermissions: []string{"project.read"},
+			},
+			result: []string{"project.read", "project.read:1"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := mapRoleToPerm(tt.args.requiredPerm, tt.args.actualRole, tt.args.authConfig, tt.args.resolvedPermissions)
+			if !EqualStringArray(result, tt.result) {
+				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
+
+func Test_AddRoleContextIDToPerm(t *testing.T) {
+	type args struct {
+		perm  string
+		ctxID string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result string
+	}{
+		{
+			name: "with ctx id",
+			args: args{
+				perm:  "perm1",
+				ctxID: "2",
+			},
+			result: "perm1:2",
+		},
+		{
+			name: "with ctx id",
+			args: args{
+				perm:  "perm1",
+				ctxID: "",
+			},
+			result: "perm1",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := addRoleContextIDToPerm(tt.args.perm, tt.args.ctxID)
+			if result != tt.result {
+				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
+
+func Test_ExistisPerm(t *testing.T) {
+
+	type args struct {
+		existing []string
+		perm     string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result bool
+	}{
+		{
+			name: "not existing perm",
+			args: args{
+				existing: []string{"perm1", "perm2", "perm3"},
+				perm:     "perm4",
+			},
+			result: false,
+		},
+		{
+			name: "existing perm",
+			args: args{
+				existing: []string{"perm1", "perm2", "perm3"},
+				perm:     "perm2",
+			},
+			result: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := existsPerm(tt.args.existing, tt.args.perm)
+			if result != tt.result {
+				t.Errorf("got wrong result, expecting: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
diff --git a/internal/api/auth/token.go b/internal/api/auth/token.go
new file mode 100644
index 0000000000..7aab34eb9e
--- /dev/null
+++ b/internal/api/auth/token.go
@@ -0,0 +1,20 @@
+package auth
+
+import (
+	"context"
+	"strings"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+const (
+	BearerPrefix = "Bearer "
+)
+
+func verifyAccessToken(ctx context.Context, token string, t TokenVerifier) (string, string, string, error) {
+	parts := strings.Split(token, BearerPrefix)
+	if len(parts) != 2 {
+		return "", "", "", errors.ThrowUnauthenticated(nil, "AUTH-7fs1e", "invalid auth header")
+	}
+	return t.VerifyAccessToken(ctx, parts[1])
+}
diff --git a/internal/api/auth/token_test.go b/internal/api/auth/token_test.go
new file mode 100644
index 0000000000..827817b3a4
--- /dev/null
+++ b/internal/api/auth/token_test.go
@@ -0,0 +1,63 @@
+package auth
+
+import (
+	"context"
+	"testing"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+func Test_VerifyAccessToken(t *testing.T) {
+
+	type args struct {
+		ctx      context.Context
+		token    string
+		verifier *testVerifier
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name: "no auth header set",
+			args: args{
+				ctx:   context.Background(),
+				token: "",
+			},
+			wantErr: true,
+		},
+		{
+			name: "wrong auth header set",
+			args: args{
+				ctx:   context.Background(),
+				token: "Basic sds",
+			},
+			wantErr: true,
+		},
+		{
+			name: "auth header set",
+			args: args{
+				ctx:   context.Background(),
+				token: "Bearer AUTH",
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, _, _, err := verifyAccessToken(tt.args.ctx, tt.args.token, tt.args.verifier)
+			if tt.wantErr && err == nil {
+				t.Errorf("got wrong result, should get err: actual: %v ", err)
+			}
+
+			if !tt.wantErr && err != nil {
+				t.Errorf("got wrong result, should not get err: actual: %v ", err)
+			}
+
+			if tt.wantErr && !errors.IsUnauthenticated(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+		})
+	}
+}
diff --git a/internal/api/grpc/auth_interceptor.go b/internal/api/grpc/auth_interceptor.go
new file mode 100644
index 0000000000..4e91d11714
--- /dev/null
+++ b/internal/api/grpc/auth_interceptor.go
@@ -0,0 +1,34 @@
+package grpc
+
+import (
+	"context"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"github.com/caos/zitadel/internal/api/auth"
+)
+
+func AuthorizationInterceptor(verifier auth.TokenVerifier, authConfig *auth.Config, authMethods auth.MethodMapping) func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+		authOpt, needsToken := authMethods[info.FullMethod]
+		if !needsToken {
+			return handler(ctx, req)
+		}
+
+		authToken := GetAuthorizationHeader(ctx)
+		if authToken == "" {
+			return nil, status.Error(codes.Unauthenticated, "auth header missing")
+		}
+
+		orgID := GetHeader(ctx, ZitadelOrgID)
+
+		ctx, err := auth.CheckUserAuthorization(ctx, req, authToken, orgID, verifier, authConfig, authOpt)
+		if err != nil {
+			return nil, err
+		}
+
+		return handler(ctx, req)
+	}
+}
diff --git a/internal/api/grpc/caos_errors.go b/internal/api/grpc/caos_errors.go
new file mode 100644
index 0000000000..5ed7fa95da
--- /dev/null
+++ b/internal/api/grpc/caos_errors.go
@@ -0,0 +1,46 @@
+package grpc
+
+import (
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	caos_errs "github.com/caos/zitadel/internal/errors"
+)
+
+func CaosToGRPCError(err error) error {
+	if err == nil {
+		return nil
+	}
+	code, msg, ok := extract(err)
+	if !ok {
+		return status.Convert(err).Err()
+	}
+	return status.Error(code, msg)
+}
+
+func extract(err error) (c codes.Code, msg string, ok bool) {
+	switch caosErr := err.(type) {
+	case *caos_errs.AlreadyExistsError:
+		return codes.AlreadyExists, caosErr.GetMessage(), true
+	case *caos_errs.DeadlineExceededError:
+		return codes.DeadlineExceeded, caosErr.GetMessage(), true
+	case caos_errs.InternalError:
+		return codes.Internal, caosErr.GetMessage(), true
+	case *caos_errs.InvalidArgumentError:
+		return codes.InvalidArgument, caosErr.GetMessage(), true
+	case *caos_errs.NotFoundError:
+		return codes.NotFound, caosErr.GetMessage(), true
+	case *caos_errs.PermissionDeniedError:
+		return codes.PermissionDenied, caosErr.GetMessage(), true
+	case *caos_errs.PreconditionFailedError:
+		return codes.FailedPrecondition, caosErr.GetMessage(), true
+	case *caos_errs.UnauthenticatedError:
+		return codes.Unauthenticated, caosErr.GetMessage(), true
+	case *caos_errs.UnavailableError:
+		return codes.Unavailable, caosErr.GetMessage(), true
+	case *caos_errs.UnimplementedError:
+		return codes.Unimplemented, caosErr.GetMessage(), true
+	default:
+		return codes.Unknown, err.Error(), false
+	}
+}
diff --git a/internal/api/grpc/error_interceptor.go b/internal/api/grpc/error_interceptor.go
new file mode 100644
index 0000000000..690ab9a2e9
--- /dev/null
+++ b/internal/api/grpc/error_interceptor.go
@@ -0,0 +1,14 @@
+package grpc
+
+import (
+	"context"
+
+	"google.golang.org/grpc"
+)
+
+func ErrorHandler() func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+		resp, err := handler(ctx, req)
+		return resp, CaosToGRPCError(err)
+	}
+}
diff --git a/internal/api/grpc/header.go b/internal/api/grpc/header.go
new file mode 100644
index 0000000000..5d217b7518
--- /dev/null
+++ b/internal/api/grpc/header.go
@@ -0,0 +1,21 @@
+package grpc
+
+import (
+	"context"
+
+	"github.com/grpc-ecosystem/go-grpc-middleware/util/metautils"
+)
+
+const (
+	Authorization = "authorization"
+
+	ZitadelOrgID = "x-zitadel-orgid"
+)
+
+func GetHeader(ctx context.Context, headername string) string {
+	return metautils.ExtractIncoming(ctx).Get(headername)
+}
+
+func GetAuthorizationHeader(ctx context.Context) string {
+	return GetHeader(ctx, Authorization)
+}
diff --git a/internal/api/grpc/probes.go b/internal/api/grpc/probes.go
new file mode 100644
index 0000000000..8ec10c585c
--- /dev/null
+++ b/internal/api/grpc/probes.go
@@ -0,0 +1,53 @@
+package grpc
+
+import (
+	"context"
+
+	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes/empty"
+	structpb "github.com/golang/protobuf/ptypes/struct"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/proto"
+)
+
+type ValidationFunction func(ctx context.Context) error
+
+type Validator struct {
+	validations map[string]ValidationFunction
+}
+
+func NewValidator(validations map[string]ValidationFunction) *Validator {
+	return &Validator{validations: validations}
+}
+
+func (v *Validator) Healthz(_ context.Context, e *empty.Empty) (*empty.Empty, error) {
+	return e, nil
+}
+
+func (v *Validator) Ready(ctx context.Context, e *empty.Empty) (*empty.Empty, error) {
+	return e, ready(ctx, v.validations)
+}
+
+func (v *Validator) Validate(ctx context.Context, _ *empty.Empty) (*structpb.Struct, error) {
+	validations := validate(ctx, v.validations)
+	return proto.ToPBStruct(validations)
+}
+
+func ready(ctx context.Context, validations map[string]ValidationFunction) error {
+	if len(validate(ctx, validations)) == 0 {
+		return nil
+	}
+	return errors.ThrowInternal(nil, "API-2jD9a", "not ready")
+}
+
+func validate(ctx context.Context, validations map[string]ValidationFunction) map[string]error {
+	errors := make(map[string]error)
+	for id, validation := range validations {
+		if err := validation(ctx); err != nil {
+			logging.Log("API-vf823").WithError(err).Error("validation failed")
+			errors[id] = err
+		}
+	}
+	return errors
+}
diff --git a/internal/api/http/cookie.go b/internal/api/http/cookie.go
new file mode 100644
index 0000000000..a28791aafc
--- /dev/null
+++ b/internal/api/http/cookie.go
@@ -0,0 +1,125 @@
+package http
+
+import (
+	"net/http"
+
+	"github.com/gorilla/securecookie"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+type CookieHandler struct {
+	securecookie *securecookie.SecureCookie
+	secureOnly   bool
+	sameSite     http.SameSite
+	path         string
+	maxAge       int
+	domain       string
+}
+
+func NewCookieHandler(opts ...CookieHandlerOpt) *CookieHandler {
+	c := &CookieHandler{
+		secureOnly: true,
+		sameSite:   http.SameSiteLaxMode,
+		path:       "/",
+	}
+
+	for _, opt := range opts {
+		opt(c)
+	}
+	return c
+}
+
+type CookieHandlerOpt func(*CookieHandler)
+
+func WithEncryption(hashKey, encryptKey []byte) CookieHandlerOpt {
+	return func(c *CookieHandler) {
+		c.securecookie = securecookie.New(hashKey, encryptKey)
+	}
+}
+
+func WithUnsecure() CookieHandlerOpt {
+	return func(c *CookieHandler) {
+		c.secureOnly = false
+	}
+}
+
+func WithSameSite(sameSite http.SameSite) CookieHandlerOpt {
+	return func(c *CookieHandler) {
+		c.sameSite = sameSite
+	}
+}
+
+func WithPath(path string) CookieHandlerOpt {
+	return func(c *CookieHandler) {
+		c.path = path
+	}
+}
+
+func WithMaxAge(maxAge int) CookieHandlerOpt {
+	return func(c *CookieHandler) {
+		c.maxAge = maxAge
+		c.securecookie.MaxAge(maxAge)
+	}
+}
+
+func WithDomain(domain string) CookieHandlerOpt {
+	return func(c *CookieHandler) {
+		c.domain = domain
+	}
+}
+
+func (c *CookieHandler) GetCookieValue(r *http.Request, name string) (string, error) {
+	cookie, err := r.Cookie(name)
+	if err != nil {
+		return "", err
+	}
+	return cookie.Value, nil
+}
+
+func (c *CookieHandler) GetEncryptedCookieValue(r *http.Request, name string, value interface{}) error {
+	cookie, err := r.Cookie(name)
+	if err != nil {
+		return err
+	}
+	if c.securecookie == nil {
+		return errors.ThrowInternal(nil, "HTTP-X6XpnL", "securecookie not configured")
+	}
+	if err := c.securecookie.Decode(name, cookie.Value, value); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c *CookieHandler) SetCookie(w http.ResponseWriter, name string, value string) {
+	c.httpSet(w, name, value, c.maxAge)
+}
+
+func (c *CookieHandler) SetEncryptedCookie(w http.ResponseWriter, name string, value interface{}) error {
+	if c.securecookie == nil {
+		return errors.ThrowInternal(nil, "HTTP-s2HUtx", "securecookie not configured")
+	}
+	encoded, err := c.securecookie.Encode(name, value)
+	if err != nil {
+		return err
+	}
+	c.httpSet(w, name, encoded, c.maxAge)
+	return nil
+}
+
+func (c *CookieHandler) DeleteCookie(w http.ResponseWriter, name string) {
+	c.httpSet(w, name, "", -1)
+}
+
+func (c *CookieHandler) httpSet(w http.ResponseWriter, name, value string, maxage int) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
+		Value:    value,
+		Domain:   c.domain,
+		Path:     c.path,
+		MaxAge:   maxage,
+		HttpOnly: true,
+		Secure:   c.secureOnly,
+		SameSite: c.sameSite,
+	})
+}
diff --git a/internal/api/http/parser.go b/internal/api/http/parser.go
new file mode 100644
index 0000000000..fb24460e7d
--- /dev/null
+++ b/internal/api/http/parser.go
@@ -0,0 +1,28 @@
+package http
+
+import (
+	"net/http"
+
+	"github.com/gorilla/schema"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+type Parser struct {
+	decoder *schema.Decoder
+}
+
+func NewParser() *Parser {
+	d := schema.NewDecoder()
+	d.IgnoreUnknownKeys(true)
+	return &Parser{d}
+}
+
+func (p *Parser) Parse(r *http.Request, data interface{}) error {
+	err := r.ParseForm()
+	if err != nil {
+		return errors.ThrowInternal(err, "FORM-lCC9zI", "error parsing http form")
+	}
+
+	return p.decoder.Decode(data, r.Form)
+}
diff --git a/internal/proto/struct.go b/internal/proto/struct.go
new file mode 100644
index 0000000000..24a6ce0e36
--- /dev/null
+++ b/internal/proto/struct.go
@@ -0,0 +1,52 @@
+package proto
+
+import (
+	"bytes"
+	"encoding/json"
+
+	"github.com/golang/protobuf/jsonpb"
+	pb_struct "github.com/golang/protobuf/ptypes/struct"
+
+	"github.com/caos/logging"
+)
+
+func MustToPBStruct(object interface{}) *pb_struct.Struct {
+	s, err := ToPBStruct(object)
+	logging.Log("PROTO-7Aa3t").OnError(err).Panic("unable to map object to pb-struct")
+
+	return s
+}
+
+func BytesToPBStruct(b []byte) (*pb_struct.Struct, error) {
+	fields := new(pb_struct.Struct)
+	err := jsonpb.Unmarshal(bytes.NewReader(b), fields)
+	return fields, err
+}
+
+func ToPBStruct(object interface{}) (*pb_struct.Struct, error) {
+	fields := new(pb_struct.Struct)
+
+	marshalled, err := json.Marshal(object)
+	if err != nil {
+		return nil, err
+	}
+
+	err = jsonpb.Unmarshal(bytes.NewReader(marshalled), fields)
+
+	return fields, err
+}
+
+func MustFromPBStruct(object interface{}, s *pb_struct.Struct) {
+	err := FromPBStruct(object, s)
+	logging.Log("PROTO-WeMYY").OnError(err).Panic("unable to map pb-struct into object")
+}
+
+func FromPBStruct(object interface{}, s *pb_struct.Struct) error {
+	marshaller := new(jsonpb.Marshaler)
+	jsonString, err := marshaller.MarshalToString(s)
+	if err != nil {
+		return err
+	}
+
+	return json.Unmarshal([]byte(jsonString), object)
+}
diff --git a/internal/proto/struct_test.go b/internal/proto/struct_test.go
new file mode 100644
index 0000000000..eeed7c63f3
--- /dev/null
+++ b/internal/proto/struct_test.go
@@ -0,0 +1,53 @@
+package proto
+
+import (
+	"testing"
+
+	pb_struct "github.com/golang/protobuf/ptypes/struct"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestToPBStruct(t *testing.T) {
+	obj := struct {
+		ID   string
+		Name string
+		Seq  uint64
+	}{
+		ID:   "asdf",
+		Name: "ueli",
+		Seq:  208582075,
+	}
+	fields, err := ToPBStruct(&obj)
+	require.NoError(t, err)
+	require.Len(t, fields.Fields, 3)
+
+	assert.Equal(t, obj.ID, fields.Fields["ID"].GetStringValue())
+	assert.Equal(t, int(obj.Seq), int(fields.Fields["Seq"].GetNumberValue()))
+	assert.Equal(t, obj.Name, fields.Fields["Name"].GetStringValue())
+}
+
+func TestFromPBStruct(t *testing.T) {
+	name := "ueli"
+	id := "asdf"
+	seq := float64(208582075)
+	s := &pb_struct.Struct{Fields: map[string]*pb_struct.Value{
+		"ID":   &pb_struct.Value{Kind: &pb_struct.Value_StringValue{StringValue: id}},
+		"Name": &pb_struct.Value{Kind: &pb_struct.Value_StringValue{StringValue: name}},
+		"Seq":  &pb_struct.Value{Kind: &pb_struct.Value_NumberValue{NumberValue: seq}},
+	}}
+
+	obj := struct {
+		ID   string
+		Name string
+		Seq  uint64
+	}{}
+
+	err := FromPBStruct(&obj, s)
+	require.NoError(t, err)
+
+	assert.Equal(t, id, obj.ID)
+	assert.Equal(t, name, obj.Name)
+	assert.Equal(t, int(seq), int(obj.Seq))
+}