ory
diff --git a/‎.github/workflows/acceptance-test.yml‎
Lines changed: 12 additions & 8 deletions b/‎.github/workflows/acceptance-test.yml‎
Lines changed: 12 additions & 8 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/release.yml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 2 additions & 0 deletions b/‎Makefile‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 69 additions & 42 deletions b/‎README.md‎
Lines changed: 69 additions & 42 deletions
diff --git a/‎docs/data-sources/identity.md‎
Lines changed: 50 additions & 0 deletions b/‎docs/data-sources/identity.md‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎docs/data-sources/identity_schemas.md‎
Lines changed: 40 additions & 0 deletions b/‎docs/data-sources/identity_schemas.md‎
Lines changed: 40 additions & 0 deletions
@@ -1,8 +1,6 @@
 name: Acceptance Tests
 
 on:
-  push:
-    branches: [main]
   pull_request:
     branches: [main]
   workflow_dispatch:
@@ -37,11 +35,16 @@ on:
         required: false
         default: false
         type: boolean
+      enable_event_stream_tests:
+        description: 'Event stream tests (requires Enterprise plan)'
+        required: false
+        default: false
+        type: boolean
 
 concurrency:
   group: acceptance-tests
   cancel-in-progress: false
-          
+
 permissions:
   contents: read
   pull-requests: read
@@ -94,9 +97,10 @@ jobs:
 
       - name: Run Acceptance Tests
         env:
-          ORY_KETO_TESTS_ENABLED: ${{ github.event_name == 'pull_request' || github.event_name == 'push' || github.event.inputs.run_all == 'true' || github.event.inputs.enable_keto_tests == 'true' }}
-          ORY_B2B_ENABLED: ${{ github.event_name == 'pull_request' || github.event_name == 'push' || github.event.inputs.run_all == 'true' || github.event.inputs.enable_b2b_tests == 'true' }}
-          ORY_SOCIAL_PROVIDER_TESTS_ENABLED: ${{ github.event_name == 'pull_request' || github.event_name == 'push' || github.event.inputs.run_all == 'true' || github.event.inputs.enable_social_provider_tests == 'true' }}
-          ORY_SCHEMA_TESTS_ENABLED: ${{ github.event_name == 'pull_request' || github.event_name == 'push' || github.event.inputs.run_all == 'true' || github.event.inputs.enable_schema_tests == 'true' }}
-          ORY_PROJECT_TESTS_ENABLED: ${{ github.event_name == 'pull_request' || github.event_name == 'push' || github.event.inputs.run_all == 'true' || github.event.inputs.enable_project_tests == 'true' }}
+          ORY_KETO_TESTS_ENABLED: ${{ github.event_name == 'pull_request' || github.event.inputs.run_all == 'true' || github.event.inputs.enable_keto_tests == 'true' }}
+          ORY_B2B_ENABLED: ${{ github.event_name == 'pull_request' || github.event.inputs.run_all == 'true' || github.event.inputs.enable_b2b_tests == 'true' }}
+          ORY_SOCIAL_PROVIDER_TESTS_ENABLED: ${{ github.event_name == 'pull_request' || github.event.inputs.run_all == 'true' || github.event.inputs.enable_social_provider_tests == 'true' }}
+          ORY_SCHEMA_TESTS_ENABLED: ${{ github.event_name == 'pull_request' || github.event.inputs.run_all == 'true' || github.event.inputs.enable_schema_tests == 'true' }}
+          ORY_PROJECT_TESTS_ENABLED: ${{ github.event_name == 'pull_request' || github.event.inputs.run_all == 'true' || github.event.inputs.enable_project_tests == 'true' }}
+          ORY_EVENT_STREAM_TESTS_ENABLED: ${{ github.event.inputs.enable_event_stream_tests == 'true' }}
         run: ./scripts/run-acceptance-tests.sh -v -timeout 20m ./...
@@ -37,6 +37,7 @@ jobs:
           ORY_SOCIAL_PROVIDER_TESTS_ENABLED: true
           ORY_SCHEMA_TESTS_ENABLED: true
           ORY_PROJECT_TESTS_ENABLED: true
+          ORY_EVENT_STREAM_TESTS_ENABLED: true
         run: ./scripts/run-acceptance-tests.sh -v -timeout 20m ./...
 
   goreleaser:
 
@@ -152,6 +152,7 @@ test-acc-all: env-check ## Run all acceptance tests including optional ones
 		ORY_B2B_ENABLED=true \
 		ORY_SOCIAL_PROVIDER_TESTS_ENABLED=true \
 		ORY_SCHEMA_TESTS_ENABLED=true \
+		ORY_EVENT_STREAM_TESTS_ENABLED=true \
 		./scripts/run-acceptance-tests.sh -p 1 -v -timeout 30m ./...
 
 # ==============================================================================
@@ -224,3 +225,4 @@ env-check: ## Check required environment variables
 	@if [ "$$ORY_SOCIAL_PROVIDER_TESTS_ENABLED" = "true" ]; then echo "  ORY_SOCIAL_PROVIDER_TESTS_ENABLED: true"; else echo "  ORY_SOCIAL_PROVIDER_TESTS_ENABLED: (not set)"; fi
 	@if [ "$$ORY_SCHEMA_TESTS_ENABLED" = "true" ]; then echo "  ORY_SCHEMA_TESTS_ENABLED: true"; else echo "  ORY_SCHEMA_TESTS_ENABLED: (not set - schema tests will be skipped)"; fi
 	@if [ "$$ORY_PROJECT_TESTS_ENABLED" = "true" ]; then echo "  ORY_PROJECT_TESTS_ENABLED: true"; else echo "  ORY_PROJECT_TESTS_ENABLED: (not set - project resource tests will be skipped)"; fi
+	@if [ "$$ORY_EVENT_STREAM_TESTS_ENABLED" = "true" ]; then echo "  ORY_EVENT_STREAM_TESTS_ENABLED: true"; else echo "  ORY_EVENT_STREAM_TESTS_ENABLED: (not set - event stream tests will be skipped, requires Enterprise plan)"; fi
@@ -21,9 +21,12 @@ A Terraform provider for managing [Ory Network](https://www.ory.sh/) resources u
 - **Project Configuration**: CORS, session settings, password policies, MFA
 - **Webhooks/Actions**: Trigger webhooks on identity flow events
 - **Email Templates**: Customize verification, recovery, and login code emails
-- **OAuth2 Clients**: Manage OAuth2/OIDC client applications
+- **OAuth2 Clients**: Manage OAuth2/OIDC client applications and dynamic client registration (RFC 7591)
+- **JWT Grant Trust**: Trust external identity providers for RFC 7523 JWT Bearer grants
+- **Event Streams**: Publish Ory events to external systems like AWS SNS (Enterprise)
 - **Organizations**: Multi-tenancy support for B2B applications
 - **Permissions (Keto)**: Manage relationship tuples for fine-grained authorization
+- **API Key Management**: Manage project API keys
 
 ## Requirements
 
@@ -135,27 +138,35 @@ resource "ory_action" "welcome_email" {
 
 ## Resources
 
-| Resource                                                     | Description                          |
-| ------------------------------------------------------------ | ------------------------------------ |
-| [`ory_project`](docs/resources/project.md)                   | Ory Network projects                 |
-| [`ory_workspace`](docs/resources/workspace.md)               | Ory workspaces                       |
-| [`ory_organization`](docs/resources/organization.md)         | Organizations for multi-tenancy      |
-| [`ory_identity`](docs/resources/identity.md)                 | User identities                      |
-| [`ory_identity_schema`](docs/resources/identity_schema.md)   | Custom identity schemas              |
-| [`ory_oauth2_client`](docs/resources/oauth2_client.md)       | OAuth2/OIDC client applications      |
-| [`ory_project_config`](docs/resources/project_config.md)     | Project configuration settings       |
-| [`ory_action`](docs/resources/action.md)                     | Webhooks for identity flows          |
-| [`ory_social_provider`](docs/resources/social_provider.md)   | Social sign-in providers             |
-| [`ory_email_template`](docs/resources/email_template.md)     | Email template customization         |
-| [`ory_project_api_key`](docs/resources/project_api_key.md)   | Project API keys                     |
-| [`ory_json_web_key_set`](docs/resources/json_web_key_set.md) | JSON Web Key Sets for signing        |
-| [`ory_relationship`](docs/resources/relationship.md)         | Ory Permissions (Keto) relationships |
+| Resource                                                                                        | Description                               | Plan Requirement     |
+| ----------------------------------------------------------------------------------------------- | ----------------------------------------- | -------------------- |
+| [`ory_project`](docs/resources/project.md)                                                      | Ory Network projects                      | All plans            |
+| [`ory_workspace`](docs/resources/workspace.md)                                                  | Ory workspaces (import-only)              | All plans            |
+| [`ory_organization`](docs/resources/organization.md)                                            | Organizations for multi-tenancy           | Growth+ (B2B)        |
+| [`ory_identity`](docs/resources/identity.md)                                                    | User identities                           | All plans            |
+| [`ory_identity_schema`](docs/resources/identity_schema.md)                                      | Custom identity schemas                   | All plans            |
+| [`ory_oauth2_client`](docs/resources/oauth2_client.md)                                          | OAuth2/OIDC client applications           | All plans            |
+| [`ory_oidc_dynamic_client`](docs/resources/oidc_dynamic_client.md)                              | RFC 7591 dynamic OIDC client registration | All plans            |
+| [`ory_project_config`](docs/resources/project_config.md)                                        | Project configuration settings            | All plans            |
+| [`ory_action`](docs/resources/action.md)                                                        | Webhooks for identity flows               | All plans            |
+| [`ory_social_provider`](docs/resources/social_provider.md)                                      | Social sign-in providers                  | All plans            |
+| [`ory_email_template`](docs/resources/email_template.md)                                        | Email template customization              | All plans            |
+| [`ory_project_api_key`](docs/resources/project_api_key.md)                                      | Project API keys                          | All plans            |
+| [`ory_json_web_key_set`](docs/resources/json_web_key_set.md)                                    | JSON Web Key Sets for signing             | All plans            |
+| [`ory_relationship`](docs/resources/relationship.md)                                            | Ory Permissions (Keto) relationships      | All plans            |
+| [`ory_event_stream`](docs/resources/event_stream.md)                                            | Event streams (e.g., AWS SNS)             | Enterprise           |
+| [`ory_trusted_oauth2_jwt_grant_issuer`](docs/resources/trusted_oauth2_jwt_grant_issuer.md)      | RFC 7523 JWT grant trust relationships    | All plans            |
 
 ## Data Sources
 
-| Data Source                                   | Description              |
-| --------------------------------------------- | ------------------------ |
-| [`ory_project`](docs/data-sources/project.md) | Read project information |
+| Data Source                                                        | Description                    | Plan Requirement     |
+| ------------------------------------------------------------------ | ------------------------------ | -------------------- |
+| [`ory_project`](docs/data-sources/project.md)                     | Read project information       | All plans            |
+| [`ory_workspace`](docs/data-sources/workspace.md)                 | Read workspace information     | All plans            |
+| [`ory_identity`](docs/data-sources/identity.md)                   | Read identity details          | All plans            |
+| [`ory_oauth2_client`](docs/data-sources/oauth2_client.md)         | Read OAuth2 client details     | All plans            |
+| [`ory_organization`](docs/data-sources/organization.md)           | Read organization details      | Growth+ (B2B)        |
+| [`ory_identity_schemas`](docs/data-sources/identity_schemas.md)   | List project identity schemas  | All plans            |
 
 ## Examples
 
@@ -272,15 +283,18 @@ resource "ory_email_template" "recovery" {
 
 ## Known Limitations
 
-| Resource              | Limitation                                                                          |
-| --------------------- | ----------------------------------------------------------------------------------- |
-| `ory_organization`    | Requires B2B features AND project environment must be `prod` or `stage` (not `dev`) |
-| `ory_identity_schema` | Immutable - content cannot be updated after creation                                |
-| `ory_identity_schema` | Delete not supported by Ory API (resource removed from state only)                  |
-| `ory_workspace`       | Delete not supported by Ory API                                                     |
-| `ory_oauth2_client`   | `client_secret` only returned on create                                             |
-| `ory_email_template`  | Delete resets to Ory defaults                                                       |
-| `ory_relationship`    | Requires Ory Permissions (Keto) to be enabled                                       |
+| Resource                                | Limitation                                                                          |
+| --------------------------------------- | ----------------------------------------------------------------------------------- |
+| `ory_organization`                      | Requires B2B features AND project environment must be `prod` or `stage` (not `dev`) |
+| `ory_identity_schema`                   | Immutable - content cannot be updated after creation                                |
+| `ory_identity_schema`                   | Delete not supported by Ory API (resource removed from state only)                  |
+| `ory_workspace`                         | Import-only; create/delete not supported by Ory API                                 |
+| `ory_oauth2_client`                     | `client_secret` only returned on create                                             |
+| `ory_oidc_dynamic_client`               | `client_secret`, `registration_access_token`, `registration_client_uri` only returned on create |
+| `ory_email_template`                    | Delete resets to Ory defaults                                                       |
+| `ory_relationship`                      | Requires Ory Permissions (Keto) to be enabled                                       |
+| `ory_event_stream`                      | Requires Enterprise plan; authenticates with workspace API key                      |
+| `ory_trusted_oauth2_jwt_grant_issuer`   | Create and delete only; any changes require resource recreation                     |
 
 ## Development
 
@@ -347,20 +361,24 @@ Some tests require additional feature flags or specific Ory plan features:
 | `ORY_SOCIAL_PROVIDER_TESTS_ENABLED=true` | Run social provider tests                           | Skipped  |
 | `ORY_SCHEMA_TESTS_ENABLED=true`          | Run IdentitySchema tests (schemas can't be deleted) | Skipped  |
 | `ORY_PROJECT_TESTS_ENABLED=true`         | Run Project create/delete tests                     | Skipped  |
+| `ORY_EVENT_STREAM_TESTS_ENABLED=true`    | Run Event Stream tests (requires Enterprise plan)   | Skipped  |
 
 #### Test Coverage by Plan
 
-| Test Suite          | Free Plan | Growth Plan | Enterprise |
-| ------------------- | --------- | ----------- | ---------- |
-| Identity            | ✅        | ✅          | ✅         |
-| OAuth2 Client       | ✅        | ✅          | ✅         |
-| Project Config      | ✅        | ✅          | ✅         |
-| Action (webhooks)   | ✅        | ✅          | ✅         |
-| Email Template      | ✅        | ✅          | ✅         |
-| Social Provider     | ✅        | ✅          | ✅         |
-| JWK                 | ✅        | ✅          | ✅         |
-| Organization        | ❌        | ✅\*        | ✅         |
-| Relationship (Keto) | ❌        | ✅          | ✅         |
+| Test Suite                      | Free Plan | Growth Plan | Enterprise |
+| ------------------------------- | --------- | ----------- | ---------- |
+| Identity                        | ✅        | ✅          | ✅         |
+| OAuth2 Client                   | ✅        | ✅          | ✅         |
+| OIDC Dynamic Client             | ✅        | ✅          | ✅         |
+| Project Config                  | ✅        | ✅          | ✅         |
+| Action (webhooks)               | ✅        | ✅          | ✅         |
+| Email Template                  | ✅        | ✅          | ✅         |
+| Social Provider                 | ✅        | ✅          | ✅         |
+| JWK                             | ✅        | ✅          | ✅         |
+| Trusted JWT Grant Issuer        | ✅        | ✅          | ✅         |
+| Organization                    | ❌        | ✅\*        | ✅         |
+| Relationship (Keto)             | ❌        | ✅          | ✅         |
+| Event Stream                    | ❌        | ❌          | ✅         |
 
 \*Organizations require B2B features to be enabled on your plan.
 
@@ -381,12 +399,21 @@ Templates use Go template syntax with these variables:
 
 ```
 templates/
-├── index.md.tmpl                    # Provider-level docs
+├── index.md.tmpl                                  # Provider-level docs
 ├── resources/
-│   ├── oauth2_client.md.tmpl        # Each resource has a template
+│   ├── oauth2_client.md.tmpl                      # Each resource has a template
+│   ├── oidc_dynamic_client.md.tmpl
+│   ├── event_stream.md.tmpl
+│   ├── trusted_oauth2_jwt_grant_issuer.md.tmpl
 │   └── ...
 └── data-sources/
-    └── project.md.tmpl              # Data source template
+    ├── project.md.tmpl                            # Data source templates
+    ├── workspace.md.tmpl
+    ├── identity.md.tmpl
+    ├── oauth2_client.md.tmpl
+    ├── organization.md.tmpl
+    ├── identity_schemas.md.tmpl
+    └── ...
 ```
 
 ## Contributing
 
@@ -0,0 +1,50 @@
+---
+page_title: "ory_identity Data Source - ory"
+subcategory: ""
+description: |-
+  Fetches information about an Ory identity.
+---
+
+# ory_identity (Data Source)
+
+Fetches information about an Ory identity.
+
+This data source retrieves details about a specific identity including its traits, metadata, schema, and state.
+
+The `traits` and `metadata_public` attributes are returned as JSON strings.
+
+-> **Plan:** Available on all Ory Network plans.
+
+## Example Usage
+
+```terraform
+# Look up an identity by ID
+data "ory_identity" "user" {
+  id = "identity-uuid"
+}
+
+output "identity_state" {
+  value = data.ory_identity.user.state
+}
+
+output "identity_traits" {
+  value = data.ory_identity.user.traits
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `id` (String) The identity ID to look up.
+
+### Read-Only
+
+- `created_at` (String) Timestamp when the identity was created.
+- `metadata_public` (String) Public metadata as a JSON string.
+- `schema_id` (String) The identity schema ID.
+- `schema_url` (String) The URL of the identity schema.
+- `state` (String) The identity state (active or inactive).
+- `traits` (String) Identity traits as a JSON string.
+- `updated_at` (String) Timestamp when the identity was last updated.
@@ -0,0 +1,40 @@
+---
+page_title: "ory_identity_schemas Data Source - ory"
+subcategory: ""
+description: |-
+  Fetches the list of identity schemas for the project.
+---
+
+# ory_identity_schemas (Data Source)
+
+Fetches the list of identity schemas for the project.
+
+This data source retrieves all identity schemas configured for the current project. Each schema includes its ID and the full JSON schema content.
+
+-> **Plan:** Available on all Ory Network plans.
+
+## Example Usage
+
+```terraform
+# List all identity schemas
+data "ory_identity_schemas" "all" {}
+
+output "schemas" {
+  value = data.ory_identity_schemas.all.schemas
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Read-Only
+
+- `schemas` (List of Object) List of identity schemas. Each schema has an `id` and a `schema` (JSON string of the schema content). (see [below for nested schema](#nestedatt--schemas))
+
+<a id="nestedatt--schemas"></a>
+### Nested Schema for `schemas`
+
+Read-Only:
+
+- `id` (String)
+- `schema` (String)