ZITADEL is an open-source identity infrastructure platform built for developers who need enterprise-grade authentication and authorization without vendor lock-in. It solves the complexity of managing user identities across SaaS products, B2B platforms, and multi-tenant applications by offering a unified, API-first solution with built-in support for modern authentication standards like OIDC, SAML, and FIDO2 Passkeys. Unlike traditional identity providers, ZITADEL natively supports infrastructure-level multi-tenancy, event-driven audit trails, and zero-downtime updates.
Built in Go and powered by PostgreSQL, ZITADEL exposes all functionality via gRPC, ConnectRPC, and REST APIs. It supports both self-hosted deployments (Docker Compose, Kubernetes) and a fully managed cloud service, with identical codebases across environments. The platform integrates with LDAP, social IdPs, and SCIM, and includes a customizable admin console and hosted login pages for seamless user onboarding.
What You Get
- Multi-tenant Identity Hierarchy - Native support for Identity System → Organizations → Projects with isolated data and policy scoping, enabling true B2B SaaS multi-tenancy without workarounds.
- Passkeys (FIDO2/WebAuthn) Support - Full passwordless authentication via biometrics and hardware keys, with built-in registration and login flows.
- OpenID Connect Certified - Fully compliant OIDC Provider with support for authorization code, device flow, and token exchange, certified by the OpenID Foundation.
- SCIM 2.0 Server - Automated user provisioning and deprovisioning via SCIM for integration with enterprise identity systems like Azure AD or Okta.
- Event-Driven Audit Trail - Every identity event (login, role change, MFA setup) is stored as an immutable event in a comprehensive audit stream accessible via API or webhooks.
- Delegated Access Management - Allow customer organizations to self-manage roles and permissions for their users within your SaaS platform, reducing support overhead.
- Actions & Webhooks - Execute custom code or external workflows on identity events (e.g., send Slack alerts on failed logins or enrich tokens with custom claims).
- Hosted Login V2 - Fully customizable, embeddable login pages with support for SSO, social logins, and passwordless authentication without building UI from scratch.
Common Use Cases
- Running a B2B SaaS platform - A SaaS company uses ZITADEL to give each customer organization its own sub-tenant with isolated users, roles, and branding, while enforcing SSO and SCIM provisioning.
- Securing internal enterprise apps with SSO - An IT team deploys ZITADEL to unify authentication across internal tools using SAML and LDAP, with MFA and audit trails for compliance.
- Building a passwordless authentication system - A fintech startup implements ZITADEL’s Passkeys support to eliminate passwords, reduce phishing risk, and improve user onboarding conversion.
- Managing machine identities at scale - A cloud infrastructure team uses ZITADEL’s service accounts and machine-to-machine JWT profiles to authenticate microservices without storing secrets.
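As an added example for the machine-identity use case above (not code from ZITADEL or its SDKs), the client side of the JWT profile flow written against the Go standard library only: the service signs a short-lived assertion with its own private key, and the token request presents that assertion under the RFC 7523 JWT bearer grant instead of a shared secret. The issuer URL, service user id and key id are constructed placeholders. The verification function models the checks a token endpoint performs before accepting such an assertion (algorithm pinned to RS256, signature, audience, subject, expiry), which is also why the assertion lifetime is kept to a minute.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Constructed placeholders: a real deployment substitutes its own instance URL,
// the service user's id and the id of the key registered for that user.
const (
	issuer    = "https://zitadel.example.com"                 // assumed instance URL, also the JWT audience
	userID    = "SERVICE-USER-ID-PLACEHOLDER"                 // assumed service user id
	keyID     = "KEY-ID-PLACEHOLDER"                          // assumed id of the registered public key
	grantType = "urn:ietf:params:oauth:grant-type:jwt-bearer" // RFC 7523 JWT bearer grant
)

type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

type claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func decodePart(s string, v any) error {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// NewKey generates the service's key pair; only the public half is registered with the IdP.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildAssertion signs the short-lived RS256 JWT presented instead of a shared secret.
func BuildAssertion(key *rsa.PrivateKey, now time.Time, ttl time.Duration) (string, error) {
	h, _ := json.Marshal(header{Alg: "RS256", Kid: keyID}) // plain structs: marshalling cannot fail
	c, _ := json.Marshal(claims{Iss: userID, Sub: userID, Aud: issuer, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	signingInput := b64(h) + "." + b64(c)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// TokenRequestBody is the form body POSTed to the token endpoint to exchange the assertion.
func TokenRequestBody(assertion string, scopes []string) string {
	v := url.Values{}
	v.Set("grant_type", grantType)
	v.Set("scope", strings.Join(scopes, " "))
	v.Set("assertion", assertion)
	return v.Encode()
}

// VerifyAssertion mirrors what the token endpoint must check before trusting
// the assertion: algorithm pinned to RS256, signature, audience, subject, expiry.
func VerifyAssertion(pub *rsa.PublicKey, token string, now time.Time) (claims, error) {
	parts := strings.Split(token, ".")
	h, c := header{}, claims{}
	if len(parts) != 3 || decodePart(parts[0], &h) != nil || decodePart(parts[1], &c) != nil || h.Alg != "RS256" {
		return claims{}, errors.New("malformed token or alg is not RS256")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return claims{}, errors.New("bad signature")
	}
	if c.Aud != issuer || c.Iss == "" || c.Iss != c.Sub || now.Unix() >= c.Exp {
		return claims{}, errors.New("audience, subject or expiry check failed")
	}
	return c, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	tok, err := BuildAssertion(key, time.Now(), time.Minute) // keep the lifetime short
	if err != nil {
		panic(err)
	}
	fmt.Println(TokenRequestBody(tok, []string{"openid"}))
}
```

The printed body is what the service POSTs to the token endpoint advertised in the instance's OIDC discovery document; the private key stays on the service, and the audience check is what stops an assertion minted for one issuer from being accepted by another.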
Under The Hood
Architecture
- Monolithic Go backend organized around a CLI with modular subcommands using Cobra, enabling clear separation of operational concerns
- Service-layer design with instrumentation (logging, tracing, metrics) decoupled via configurable packages and OpenTelemetry compliance
- Protocol Buffers-first approach with centralized proto definitions generating consistent gRPC, REST, and OpenAPI artifacts
- Constructor-based dependency injection with Viper-managed configuration, eliminating global state and promoting testability
- Nx monorepo structure coordinating multiple applications (API, UI, docs) with shared tooling while preserving domain boundaries
- Backend and frontend logically separated but tightly integrated in build pipelines, with Go serving as the authoritative API layer
Tech Stack
- Go backend leveraging gRPC, gRPC-Gateway, and Connect-Go for API services, all generated from protobuf contracts
- Nx monorepo with pnpm managing unified builds, caching, and cross-project dependencies across apps and packages
- React and Next.js frontend with Fumadocs for MDX-based documentation and seamless OpenAPI integration
- Comprehensive Go tooling including custom linters with exclusions for generated code and test contexts
- Postgres database provisioned via Docker Compose with infrastructure-as-code for consistent development and deployment
- TypeScript and Tailwind CSS powering the UI, enhanced with Shiki for syntax highlighting and HeadlessUI for accessible components
Code Quality
- Extensive test coverage spanning unit, integration, and end-to-end scenarios with testify and custom event-driven helpers
- Clear separation of command, query, and domain layers with dedicated test suites mirroring production boundaries
- Strong type safety and error handling via custom error wrappers and typed domain models with exhaustive case testing
- Consistent naming conventions and file patterns across Go and TypeScript, improving readability and maintainability
- Comprehensive test validation of critical paths including IAM, event sourcing, and database projections using real infrastructure
- Automated test patterns with context-aware setup, resource cleanup, and assertion utilities for distributed systems
What Makes It Unique
- Native OpenTelemetry integration with configuration-driven tracing and metrics across HTTP, gRPC, and event streams
- Unified API layer using ConnectRPC that synchronizes gRPC and HTTP handlers with auto-generated authz mappings and protobuf contracts
- Protocol-level CQRS implementation with explicit separation of command and query responsibilities, enabling scalable event-driven projections
- Plugin-based CLI architecture with embedded YAML config and zero external dependencies, enabling self-contained administration and migration
- AI-agent-ready design with contract-first development, auto-generated clients, and Nx-powered pipelines that synchronize APIs, docs, and tests
- Full-stack monorepo with atomic changes across backend, frontend, and infrastructure, eliminating version drift and ensuring alignment
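The event-driven audit trail listed under What You Get and the CQRS projections listed above rest on one mechanism, sketched here as an added example in Go (not ZITADEL's own eventstore or projection code; event type names, user ids and payloads are constructed): an append-only event store is the write side, a projection folds those events into a rebuildable read model and checkpoints its position, and an action-style check runs against the projected state when a new event arrives.

```go
package main

import (
	"fmt"
	"time"
)

// Event is one immutable record in the audit stream: once appended it is never
// changed, and every read model below is derived by replaying events in order.
type Event struct {
	Seq     uint64            // global, monotonically increasing position
	User    string            // aggregate the event belongs to (constructed ids)
	Type    string            // e.g. "user.login.failed" (constructed names)
	At      time.Time
	Payload map[string]string // constructed sample data, e.g. the role granted
}

// EventStore is the append-only write side: commands only ever add events.
type EventStore struct{ events []Event }

func (s *EventStore) Append(user, typ string, at time.Time, payload map[string]string) Event {
	e := Event{Seq: uint64(len(s.events)) + 1, User: user, Type: typ, At: at, Payload: payload}
	s.events = append(s.events, e)
	return e
}

// Since returns a copy of all events with Seq > after; a projection, a webhook
// consumer or an auditor resumes from its last processed position this way.
func (s *EventStore) Since(after uint64) []Event {
	if after >= uint64(len(s.events)) {
		return nil
	}
	return append([]Event(nil), s.events[after:]...)
}

// UserView is a read model: derived state that can be discarded and rebuilt.
type UserView struct {
	Roles        map[string]bool
	MFAEnabled   bool
	FailedLogins int // consecutive failures since the last successful login
}

// UserProjection is the query side: it folds events into UserViews and checkpoints how far it has read.
type UserProjection struct {
	pos   uint64
	users map[string]*UserView
}

func NewUserProjection() *UserProjection {
	return &UserProjection{users: map[string]*UserView{}}
}

// Reduce applies every event the projection has not seen yet and returns how many.
func (p *UserProjection) Reduce(store *EventStore) int {
	evs := store.Since(p.pos)
	for _, e := range evs {
		v, ok := p.users[e.User]
		if !ok {
			v = &UserView{Roles: map[string]bool{}}
			p.users[e.User] = v
		}
		switch e.Type {
		case "user.login.succeeded":
			v.FailedLogins = 0
		case "user.login.failed":
			v.FailedLogins++
		case "user.mfa.enabled":
			v.MFAEnabled = true
		case "user.role.granted":
			v.Roles[e.Payload["role"]] = true
		case "user.role.revoked":
			delete(v.Roles, e.Payload["role"])
		}
		p.pos = e.Seq // checkpoint: a restart resumes here instead of replaying everything
	}
	return len(evs)
}

// Rebuild discards the read model and replays the whole log from position 0.
func (p *UserProjection) Rebuild(store *EventStore) {
	p.pos, p.users = 0, map[string]*UserView{}
	p.Reduce(store)
}

// FailedLoginAlert is the kind of check an action or webhook runs on a fresh event.
func FailedLoginAlert(p *UserProjection, e Event, threshold int) bool {
	v, ok := p.users[e.User]
	return e.Type == "user.login.failed" && ok && v.FailedLogins >= threshold
}

func main() {
	store, p := &EventStore{}, NewUserProjection()
	for i := 0; i < 3; i++ {
		e := store.Append("user-1", "user.login.failed", time.Now(), nil)
		p.Reduce(store)
		fmt.Println("seq", e.Seq, "alert:", FailedLoginAlert(p, e, 3))
	}
}
```

Because the store is never updated in place, the projection can be thrown away and rebuilt from the log at any time, and an auditor reading the same stream sees exactly the events the projection was built from.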