Zitadel
Open-source identity and access management (IAM) platform written in Go. Combines Auth0-like ease of setup with Keycloak-level openness, built on event sourcing and CQRS for an immutable audit trail.
Why Zitadel
- Event-sourced architecture — every state change is an immutable event, providing a complete audit trail without extra tooling
- Multi-tenancy first-class — hierarchical Instance > Organization > Project model with delegated role management
- Passkeys-first — FIDO2/WebAuthn as a primary authentication method, not a bolt-on
- API-first — every UI feature is also accessible via gRPC, REST (OpenAPI), and gRPC-Web
- OpenID Connect certified — listed on openid.net/certification
When Zitadel Fits
| Scenario | Fit |
| --- | --- |
| B2B SaaS needing multi-tenant auth with org-level delegation | Excellent — project grants and org hierarchy are core primitives |
| Replacing Auth0 with a self-hosted alternative | Strong — similar developer experience, OIDC certified |
| Replacing Keycloak with lighter, API-first tool | Strong — no Java overhead, gRPC/REST APIs |
| CIAM (customer identity) with passwordless/passkeys | Strong — first-class WebAuthn support |
| Enterprise SSO with SAML 2.0 and SCIM provisioning | Good — full SAML IdP + SCIM 2.0 server |
| Simple API key management for microservices | Moderate — machine users and PATs supported but not the primary focus |
Use Cases
- B2B SaaS authentication — multi-tenant org isolation with project grants for customer access
- Internal developer platforms — SSO for Kubernetes, CI/CD, and internal tools
- Customer-facing applications — social login, passkeys, passwordless flows
- Compliance-heavy environments — immutable event log satisfies audit requirements
- Platform engineering — Terraform provider for infrastructure-as-code identity management
Licensing & Pricing
| Edition | License | Cost |
| --- | --- | --- |
| Self-hosted | AGPL-3.0 | Free |
| Zitadel Cloud Free | Proprietary | $0/month — 100 DAU, unlimited orgs, 3 IdPs |
| Zitadel Cloud Pro | Proprietary | $100/month base — 25,000 DAU included, pay-as-you-go |
| Extended Support & SLA | Proprietary | $999/month — 99.95% SLA |
| Data Location Add-on | Proprietary | $100/month — US, EU, Switzerland, Australia |
AGPL-3.0 Implications
Anyone running a modified Zitadel as a network service must provide source code to users. This is more restrictive than Apache/MIT but acceptable for most internal deployments.
Ecosystem & Connections
- Terraform Provider (zitadel/terraform-provider-zitadel) — declarative management of all resources
- SDKs: Go, Python, TypeScript/Node.js, React, Angular, Java, .NET
- Framework guides: Next.js, Nuxt.js, Django, FastAPI, Express.js, Nest.js, Laravel, Svelte, and more
- SCIM 2.0 Server — enterprise user provisioning (Okta, Azure AD, etc.)
- Observability: OpenTelemetry traces, metrics, and logs
- Reverse proxy: NGINX with TLS termination documented
Compatibility & Requirements
- PostgreSQL >= 14 (up to 17 tested) — the only supported database
- CockroachDB: deprecated in v3; migration tool provided for PostgreSQL transition
- Redis: optional but recommended for production caching
- Linux, macOS, Docker, Kubernetes
Latest Version
| Line | Version | Status |
| --- | --- | --- |
| v4.x | 4.13.0 (2026-03-23) | Current stable, active development |
| v3.x | 3.4.9 | Maintenance — security fixes only |
| v5.x | In development | Upcoming major version |
Release cadence: approximately bi-weekly to monthly minor releases, patches as needed.
Alternatives
| Tool | Key Difference |
| --- | --- |
| Keycloak | Java-based, mature, larger community, CRUD-over-RDBMS |
| Auth0 | Commercial SaaS, no self-hosting, proprietary |
| Ory Hydra/Kratos | Microservices approach, separate auth/login components |
| Casdoor | Go-based, simpler, less mature multi-tenancy |
| Authentik | Python/Django, good UI, smaller community |
Migration & Lock-in
- From Auth0: OIDC standard reduces lock-in; user migration requires ETL
- From Keycloak: OIDC/SAML standards help; data migration requires custom tooling
- From any OIDC provider: Standards-based token formats minimize application-level changes
- Database lock-in: PostgreSQL standard, no proprietary extensions
| Metric | Value |
| --- | --- |
| GitHub Stars | ~13,500 |
| GitHub Forks | ~1,000 |
| Open Issues | ~980 |
| License | AGPL-3.0 |
| Primary Language | Go |
| Community Chat | Discord |
| Created | 2020-03 |