The Identity Infrastructure for Developers

ZITADEL is an open-source identity and access management platform built for teams that need more than basic auth. Whether you’re securing a SaaS product, building a B2B platform, or self-hosting a production IAM stack — ZITADEL gives you everything out of the box: SSO, MFA, Passkeys, OIDC, SAML, SCIM, and a battle-tested multi-tenancy model. No vendor lock-in. No compromise on control. Just a robust, API-first identity platform you can own.

Why ZITADEL?

We built ZITADEL to handle the hardest IAM challenges at scale — starting with multi-tenancy.

Key Differentiators

  • Every mutation is written as an immutable event for a complete, API-accessible audit trail. Unlike systems that log only select activities, ZITADEL provides a comprehensive event stream that can be audited or streamed to external systems via Webhooks.
  • Identity System → Organizations → Projects, with isolated data and policy scoping at multiple levels. Each instance is a fully isolated environment with its own users, policies, and configuration.
  • Every resource and action is available via connectRPC, gRPC, and HTTP/JSON APIs. No feature is UI-only — everything is programmable.
  • Update ZITADEL without taking your identity system offline. New versions participate in leader election, update database schemas automatically, and signal readiness when ready to accept traffic.
  • Scale linearly across multiple servers, data centers, or regions without external session stores. Distribute traffic by path, hostname, or any metadata.

Core Features

Authentication

  • Single Sign On (SSO) — Unified login across all your applications
  • Passwordless — Passkeys (FIDO2 / WebAuthn) for phishing-resistant authentication
  • Multi-Factor Authentication — OTP, U2F, OTP Email, OTP SMS
  • Enterprise & Social IdPs — LDAP, SAML, OIDC providers
  • OpenID Connect certified — Full OIDC compliance with device authorization support
  • SAML 2.0 — Enterprise-grade federation
  • Machine-to-Machine — JWT Profile, PAT, Client Credentials
  • Token Exchange — Impersonation and delegation support
  • Hosted Login V2 — Fully customizable authentication UI

Multi-Tenancy & B2B

  • Infrastructure-level tenants — Instances (high scale), Organizations, Projects
  • Identity Brokering — Pre-built IdP templates for customer authentication
  • B2B Onboarding — Customizable self-service for your customers
  • Delegated Management — Allow third parties to manage their own roles and users
  • Domain Discovery — Route users to the right organization based on email domain

Integration & APIs

  • Triple API Access — connectRPC, gRPC, and REST for every resource
  • Actions & Webhooks — Custom code execution, token enrichment, external integrations
  • RBAC — Fine-grained role-based access control
  • SCIM 2.0 Server — Automated user provisioning
  • Audit Log — Complete event stream for SOC/SIEM integration
  • SDKs — Official libraries for major languages and frameworks

Administration

  • Self-Service Portal — User registration with email/phone verification
  • Management Console — Web-based admin UI for organizations and projects
  • Custom Branding — Per-organization login page customization
  • Policy Engine — Configurable password, login, and security policies

Deployment Options

ZITADEL Cloud (SaaS)

Start for free at zitadel.com — no credit card required.
  • Regions: US · EU · AU · CH
  • Pricing: Pay-as-you-go
  • Managed: Zero infrastructure management
  • Same Codebase: Cloud and self-hosted run identical code

ZITADEL Self-Hosted

Full control over your identity infrastructure.

Docker Compose

Single-node deployment for development and homelab setups

Kubernetes

Production-ready Helm charts for high availability
Database: PostgreSQL 14+ (event store + relational model)

Architecture Highlights

How ZITADEL Works

  1. Dual Storage Model: Events (audit trail) + relational projections (queries)
  2. No External Session Store: Stateless design enables horizontal scaling
  3. Event Sourcing: Every mutation creates an immutable event
  4. Multi-Tenancy: Instance → Organization → Project hierarchy
  5. API Gateway: gRPC-gateway exposes all APIs as REST/JSON

Compliance & Standards

OpenID Connect Certified
FIDO2 / WebAuthn Support
SAML 2.0 Compatible
SCIM 2.0 Server
SOC 2 Compliance (Cloud)
GDPR Ready

Community & Support

Discord

Join our community for discussions and support

GitHub

Contribute, report issues, and track development

Documentation

Comprehensive guides and API references

Blog

Product updates, tutorials, and identity insights

Next Steps

  1. Get Started: Follow the Quickstart Guide to run ZITADEL locally in 3 minutes
  2. Understand the Concepts
  3. Integrate Your App: Explore authentication examples for your framework
  4. Deploy to Production: Review production deployment guides for Kubernetes or Docker Compose

License

ZITADEL is licensed under AGPL-3.0 with Apache 2.0 and MIT exceptions for specific directories. See LICENSING.md for the full licensing policy.