ZITADEL
Open-source, API-first identity platform delivering multi-tenancy, Passkeys, OIDC, SAML, and SCIM without vendor lock-in.
ZITADEL is an open-source identity and access management platform built for teams that need enterprise-grade authentication and authorization without sacrificing control. Whether you are securing a SaaS product, building a B2B platform, or self-hosting a production IAM stack, ZITADEL delivers SSO, MFA, Passkeys, OIDC, SAML, SCIM, and a battle-tested multi-tenancy model out of the box.
The platform is built on a strict hierarchical containment model — System, Instance, Organization, Project — giving SaaS operators true tenant isolation at the infrastructure level rather than bolted-on workarounds. Every mutation is persisted as an immutable event, creating a comprehensive audit trail accessible via API or streamed to external SIEM systems via webhooks.
ZITADEL exposes all capabilities over connectRPC, gRPC, and REST APIs generated from protobuf contracts, making it straightforward to automate identity workflows, enrich tokens with custom claims, or integrate with LDAP, social IdPs, and enterprise identity systems like Azure AD. Both the cloud SaaS offering and the self-hosted deployment run the same codebase, ensuring full feature parity.
With over 14,000 GitHub stars, 2,000+ releases, and a strong contributor community, ZITADEL has become a trusted choice for organizations seeking a modern, auditable, and horizontally scalable identity infrastructure that they fully own.
What You Get
- Native Multi-Tenant Hierarchy - Infrastructure-level tenancy with System → Instance → Organization → Project scoping, giving each B2B customer fully isolated data, policies, and branding without database-level workarounds.
- Passkeys and FIDO2/WebAuthn - Built-in passwordless authentication via biometrics and hardware security keys with complete registration and login flows, reducing phishing risk and friction.
- OpenID Connect Certified Provider - Fully certified OIDC implementation supporting authorization code, device authorization, and token exchange flows, with back-channel logout now GA.
- SCIM 2.0 Server - Automated user provisioning and deprovisioning for integration with enterprise identity systems like Azure AD, Okta, and Google Workspace.
- Comprehensive Event-Driven Audit Trail - Every identity event is stored as an immutable event in a queryable stream, with API access and webhook streaming to external SIEM or audit systems.
- Actions V2 and Webhooks - Execute custom JavaScript code or trigger external HTTP endpoints on identity events to enrich tokens, enforce custom policies, or integrate with downstream services.
- Machine-to-Machine Authentication - Service accounts with JWT profiles, Personal Access Tokens, and client credentials for authenticating microservices and CI pipelines without storing plaintext secrets.
- Hosted Login V2 - Fully customizable, embeddable login pages with SSO, social logins, MFA, and Passkeys — no custom UI required, with per-organization branding support.
Common Use Cases
- Running a multi-tenant B2B SaaS platform - A SaaS company provisions each enterprise customer as a ZITADEL Organization with isolated users, custom SSO configuration, and delegated role management, enabling self-service administration without contacting support.
- Replacing Okta or Auth0 in a self-hosted environment - A compliance-focused engineering team migrates from a SaaS identity provider to ZITADEL to eliminate data residency concerns, reduce costs, and maintain full audit control over every authentication event.
- Passwordless authentication for consumer apps - A fintech startup deploys ZITADEL Passkeys to offer biometric logins on mobile and desktop, eliminating password-related support tickets and improving account security.
- Securing internal tooling with enterprise SSO - An IT team uses ZITADEL as a central SAML and OIDC identity provider for internal applications, enforcing MFA and generating structured audit logs for SOC 2 compliance.
- Authenticating microservices at scale - A platform team uses ZITADEL service accounts with JWT profiles and token introspection to handle machine-to-machine authentication across hundreds of internal APIs without distributing shared secrets.
Under The Hood
Architecture ZITADEL is organized as a modular Go monolith coordinated by a Cobra CLI, where distinct subcommands — start, setup, init, mirror, admin — map to well-defined operational lifecycle phases. The system is undergoing an active architectural transition: while events remain persisted as an immutable audit log, the v3 backend introduces a relational design layer where the event store is no longer the primary system of record, separating concerns between durable audit history and authoritative query state. Command and query responsibilities are cleanly separated, with the command layer owning all writes through event aggregates and the query layer maintaining materialized projections in PostgreSQL. Dependency injection is constructor-based throughout, with Viper managing layered configuration from embedded YAML defaults, files, and environment variables, making the entire system fully configurable without code changes.
Tech Stack
The backend is written in Go and serves APIs over gRPC, gRPC-Gateway, and ConnectRPC, all generated from protobuf contracts defined in proto/. PostgreSQL 14+ is the sole supported database, accessed via pgx and Squirrel for query building, with CockroachDB support retained for existing deployments. The login UI is a Next.js application in apps/login/, and the admin console is Angular, both residing in an Nx monorepo coordinated with pnpm. OpenTelemetry is integrated for distributed tracing and metrics across all transport layers. The platform also embeds a JavaScript engine via Goja to execute custom Actions logic server-side without spawning external processes. FIPS 140-3 compliance is supported via a dedicated build configuration and defaults file.
Code Quality
Test coverage is extensive, with over 800 test files spanning unit, integration, and end-to-end scenarios. The codebase uses testify for assertions, custom event-driven test helpers for IAM scenarios, and a dedicated integration test suite against a real PostgreSQL instance. Error handling is explicit throughout — typed domain errors via a zerrors package, gRPC status propagation, and deliberate avoidance of silent swallows. Naming conventions are consistent across Go and TypeScript, and CI enforces linting via golangci-lint with appropriate exclusions for generated protobuf code. Functional UI tests are maintained with Cypress in tests/functional-ui/.
What Makes It Unique ZITADEL’s most distinctive technical choice is treating every identity mutation as a first-class immutable event, creating a comprehensive audit stream that can be queried via API or streamed externally — unlike competitors that log only selected activities. The ConnectRPC layer unifies gRPC and HTTP handlers from a single protobuf source of truth, with auto-generated authz mappings and OpenAPI artifacts. The multi-tenant hierarchy is implemented at the infrastructure level — Instance → Organization → Project — providing true data isolation without schema gymnastics. The v3 backend’s transition to a relational primary store while preserving the event log as an audit artifact is an architecturally honest evolution that balances auditability with query performance, and the FIPS 140-3 build target makes ZITADEL one of the few open-source identity platforms targeting regulated industries out of the box.
Self-Hosting
ZITADEL is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0-only) for its core platform, with notable exceptions: the proto/ and apps/docs/ directories are Apache 2.0, and the apps/login/ package and TypeScript client libraries are MIT licensed. In practice, AGPL-3.0 means you can freely self-host ZITADEL for any purpose, but if you modify the core and expose it as a network service, you are required to make those modifications available under the same license. Organizations that cannot comply with this obligation — for example, because they want to build proprietary features on top of the platform without releasing them — must obtain a commercial license by contacting the ZITADEL team.
Running ZITADEL in production requires a PostgreSQL 14+ database, a reverse proxy or ingress (Traefik and nginx configs are provided), and sufficient compute for your expected authentication volume. The platform is designed for horizontal scalability without external session stores, and zero-downtime upgrades are supported via built-in migration tooling. However, you are responsible for database backups, certificate rotation, monitoring, and applying security advisories — ZITADEL publishes Technical Advisories and a Vulnerability Disclosure Policy, but there is no automatic update mechanism for self-hosted instances. Operational complexity is moderate: the Docker Compose quickstart gets you running in under three minutes, but a production Kubernetes deployment requires meaningful platform engineering investment.
ZITADEL Cloud, the managed SaaS offering, adds pay-as-you-go pricing, multi-region availability (US, EU, AU, CH), managed upgrades, dedicated support contracts, and SLA guarantees that are impractical to replicate in most self-hosted environments. Cloud users also benefit from the ZITADEL team’s expertise managing the platform at scale and faster access to new features. Self-hosters trade these operational conveniences for full data sovereignty, the ability to run air-gapped, cost predictability at high volume, and freedom from per-MAU pricing — a trade-off that particularly favors regulated industries and organizations with existing Kubernetes infrastructure.
Related Apps
Supabase
Developer Tools · Databases · Search
The open-source Postgres development platform that replaces Firebase with authentication, real-time APIs, edge functions, storage, and vector embeddings — all built on PostgreSQL.
Supabase
Apache 2.0PocketBase
Databases · Ecommerce · Authentication
Open Source realtime backend in 1 file — embedded SQLite, auth, file storage, and admin UI as a single Go binary.
PocketBase
MITAppwrite
Developer Tools · Databases · Authentication
Open-source backend platform with Auth, Databases, Storage, Functions, Messaging, Realtime, and Sites — deploy via Docker or use Appwrite Cloud.