# Zitadel
Open-source identity and access management (IAM) platform written in Go. Combines Auth0-like ease of setup with Keycloak-level openness, built on event sourcing and CQRS for an immutable audit trail.
## Why Zitadel
- Event-sourced architecture — every state change is an immutable event, providing a complete audit trail without extra tooling
- Multi-tenancy first-class — hierarchical Instance > Organization > Project model with delegated role management
- Passkeys-first — FIDO2/WebAuthn as a primary authentication method, not a bolt-on
- API-first — every UI feature is also accessible via gRPC, REST (OpenAPI), and gRPC-Web
- OpenID Connect certified — listed on openid.net/certification
## When Zitadel Fits
| Scenario | Fit |
|---|---|
| B2B SaaS needing multi-tenant auth with org-level delegation | Excellent — project grants and org hierarchy are core primitives |
| Replacing Auth0 with a self-hosted alternative | Strong — similar developer experience, OIDC certified |
| Replacing Keycloak with lighter, API-first tool | Strong — no Java overhead, gRPC/REST APIs |
| CIAM (customer identity) with passwordless/passkeys | Strong — first-class WebAuthn support |
| Enterprise SSO with SAML 2.0 and SCIM provisioning | Good — full SAML IdP + SCIM 2.0 server |
| Simple API key management for microservices | Moderate — machine users and PATs supported but not the primary focus |
## Use Cases
- B2B SaaS authentication — multi-tenant org isolation with project grants for customer access
- Internal developer platforms — SSO for Kubernetes, CI/CD, and internal tools
- Customer-facing applications — social login, passkeys, passwordless flows
- Compliance-heavy environments — immutable event log satisfies audit requirements
- Platform engineering — Terraform provider for infrastructure-as-code identity management
## Licensing & Pricing
| Edition | License | Cost |
|---|---|---|
| Self-hosted | AGPL-3.0 | Free |
| Zitadel Cloud Free | Proprietary | $0/month — 100 DAU, unlimited orgs, 3 IdPs |
| Zitadel Cloud Pro | Proprietary | $100/month base — 25,000 DAU included, pay-as-you-go |
| Extended Support & SLA | Proprietary | $999/month — 99.95% SLA |
| Data Location Add-on | Proprietary | $100/month — US, EU, Switzerland, Australia |
**AGPL-3.0 Implications:** Anyone running a modified Zitadel as a network service must provide the modified source code to the users who interact with it. This is more restrictive than Apache/MIT but acceptable for most internal deployments.
## Ecosystem & Connections
- Terraform Provider (zitadel/terraform-provider-zitadel) — declarative management of all resources
- SDKs: Go, Python, TypeScript/Node.js, React, Angular, Java, .NET
- Framework guides: Next.js, Nuxt.js, Django, FastAPI, Express.js, Nest.js, Laravel, Svelte, and more
- SCIM 2.0 Server — enterprise user provisioning (Okta, Azure AD, etc.)
- Observability: OpenTelemetry traces, metrics, and logs
- Reverse proxy: NGINX with TLS termination documented
## Compatibility & Requirements
- PostgreSQL >= 14 (up to 17 tested) — the only supported database
- CockroachDB: deprecated in v3; migration tool provided for PostgreSQL transition
- Redis: optional but recommended for production caching
- Linux, macOS, Docker, Kubernetes
## Latest Version
| Line | Version | Status |
|---|---|---|
| v4.x | 4.13.0 (2026-03-23) | Current stable, active development |
| v3.x | 3.4.9 | Maintenance — security fixes only |
| v5.x | In development | Upcoming major version |
Release cadence: approximately bi-weekly to monthly minor releases, patches as needed.
## Alternatives
| Tool | Key Difference |
|---|---|
| Keycloak | Java-based, mature, larger community, CRUD-over-RDBMS |
| Auth0 | Commercial SaaS, no self-hosting, proprietary |
| Ory Hydra/Kratos | Microservices approach, separate auth/login components |
| Casdoor | Go-based, simpler, less mature multi-tenancy |
| Authentik | Python/Django, good UI, smaller community |
## Migration & Lock-in
- From Auth0: OIDC standard reduces lock-in; user migration requires ETL
- From Keycloak: OIDC/SAML standards help; data migration requires custom tooling
- From any OIDC provider: Standards-based token formats minimize application-level changes
- Database lock-in: PostgreSQL standard, no proprietary extensions
## Community Health
| Metric | Value |
|---|---|
| GitHub Stars | ~13,500 |
| GitHub Forks | ~1,000 |
| Open Issues | ~980 |
| License | AGPL-3.0 |
| Primary Language | Go |
| Community Chat | Discord |
| Created | 2020-03 |
## Sources
### Official Documentation
| Source | URL | Authority | Retrieved Via |
|---|---|---|---|
| Zitadel Documentation | https://zitadel.com/docs/ | Official | Context7 |
| Zitadel GitHub Repository | https://github.com/zitadel/zitadel | Official | GitHub |
| Zitadel Helm Charts | https://github.com/zitadel/zitadel-charts | Official | GitHub |
| Zitadel Terraform Provider | https://github.com/zitadel/terraform-provider-zitadel | Official | GitHub |
| Zitadel Go SDK | https://github.com/zitadel/zitadel-go | Official | GitHub |
| Zitadel Pricing | https://zitadel.com/pricing | Official | Web |
| Zitadel Roadmap | https://zitadel.com/roadmap | Official | Web |
| Zitadel Changelog | https://zitadel.com/changelog | Official | Web |
| Zitadel Blog | https://zitadel.com/blog | Official | Web |
| Zitadel Releases | https://github.com/zitadel/zitadel/releases | Official | GitHub |
### API & Protocol References
| Source | URL | Authority | Retrieved Via |
|---|---|---|---|
| OIDC Configuration | https://zitadel.com/docs/concepts/structure/identity-providers | Official | Context7 |
| API Introduction | https://zitadel.com/docs/apis/introduction | Official | Context7 |
| SCIM 2.0 API | https://zitadel.com/docs/apis/resources/scim_service | Official | Context7 |
| Sessions V2 API | https://zitadel.com/docs/apis/resources/session_service_v2 | Official | Context7 |
| Actions V2 Guide | https://zitadel.com/docs/apis/actions | Official | Context7 |
| gRPC/REST API Definitions | https://github.com/zitadel/zitadel/tree/main/proto/zitadel | Official | GitHub |
### Technical References
| Source | URL | Authority | Retrieved Via |
|---|---|---|---|
| OpenID Connect Certification | https://openid.net/certification/#OPs | Standards Body | Web |
| Event Sourcing in Zitadel | https://zitadel.com/docs/concepts/architecture | Official | Context7 |
| Authorization Concepts | https://zitadel.com/docs/concepts/authorization | Official | Context7 |
| WebAuthn / Passkeys | https://zitadel.com/docs/guides/authentication/login-users | Official | Context7 |
| Terraform Provider Docs | https://zitadel.com/docs/guides/manage/terraform-provider | Official | Context7 |
### Community
| Source | URL | Authority | Retrieved Via |
|---|---|---|---|
| Discord Community | https://zitadel.com/chat | Official | Web |
| GitHub Discussions | https://github.com/zitadel/zitadel/discussions | Official | GitHub |
| Context7 Zitadel Docs | https://context7.com/zitadel | Aggregator | Context7 |
## Questions
### Answered
#### How does Zitadel compare to Keycloak?
Zitadel is Go-based with event sourcing/CQRS, providing an immutable audit trail. Keycloak is Java-based with CRUD-over-RDBMS. Zitadel offers a more modern API-first approach (gRPC + REST from protobuf), while Keycloak has a larger community and more mature ecosystem. See Zitadel Index for the full alternatives comparison.
#### Can Zitadel handle multi-tenant B2B SaaS?
Yes — multi-tenancy is a first-class concept. The Instance > Organization > Project hierarchy with project grants enables tenant isolation and delegated role management. A project owner can grant a subset of roles to another organization, which can then self-manage user assignments.
#### Is Zitadel production-ready?
Yes — Zitadel is v4.x stable with bi-weekly releases, 13.5k+ GitHub stars, and multiple production adopters. Zitadel Cloud (managed SaaS) offers 99.95% SLA. Self-hosted deployments use PostgreSQL HA for production reliability.
#### What license does Zitadel use?
AGPL-3.0. This means anyone running a modified Zitadel as a network service must provide source code. This is acceptable for most internal deployments but requires legal review for SaaS products built on modified Zitadel.
#### Does Zitadel support SAML 2.0?
Yes — full SAML Identity Provider with SP-initiated and IdP-initiated SSO, plus SAML IdP proxy mode for legacy applications.
#### How does Zitadel handle audit logging?
Every state mutation produces an immutable event in the eventstore. This provides a complete, non-repudiable audit trail without additional tooling. Events can be exported via the Events API or forwarded to SIEM via log store senders.
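The eventstore/projection split described in this answer (and in the "Event-sourced architecture" bullet under Why Zitadel), shown as an added illustration in Go. This is a toy model constructed for this page, not Zitadel's own code: the `Event`, `EventStore` and `UserRoles` types are assumptions, and Zitadel's real event schema and projection workers differ. It shows why an append-only log doubles as the audit trail, and how a read model that records its own position can report how far it lags behind the store, which is the situation the open projection-lag question below asks about.

```go
package main

import (
	"fmt"
	"sort"
)

// Event is one immutable fact in the eventstore. The types in this file are
// constructed for this example and are not Zitadel's own.
type Event struct {
	Sequence  uint64 // global, monotonically increasing position
	Aggregate string // e.g. "user/alice"
	Type      string // e.g. "user.role.granted"
	Payload   map[string]string
}

// EventStore is append-only: there is deliberately no update or delete,
// which is what lets the log itself serve as the audit trail.
type EventStore struct{ events []Event }

func (s *EventStore) Append(aggregate, typ string, payload map[string]string) Event {
	e := Event{Sequence: uint64(len(s.events)) + 1, Aggregate: aggregate, Type: typ, Payload: payload}
	s.events = append(s.events, e)
	return e
}

// ReadFrom returns every event with a sequence greater than after, in order.
func (s *EventStore) ReadFrom(after uint64) []Event {
	var out []Event
	for _, e := range s.events {
		if e.Sequence > after {
			out = append(out, e)
		}
	}
	return out
}

// UserRoles is a read model (projection) of current roles per user. It
// records the last sequence it applied, so its lag is measurable.
type UserRoles struct {
	Position uint64
	roles    map[string]map[string]bool
}

func NewUserRoles() *UserRoles { return &UserRoles{roles: map[string]map[string]bool{}} }

func (p *UserRoles) apply(e Event) {
	switch e.Type {
	case "user.role.granted":
		if p.roles[e.Aggregate] == nil {
			p.roles[e.Aggregate] = map[string]bool{}
		}
		p.roles[e.Aggregate][e.Payload["role"]] = true
	case "user.role.revoked":
		delete(p.roles[e.Aggregate], e.Payload["role"])
	}
	p.Position = e.Sequence
}

// CatchUp applies at most n pending events, modelling a projection worker
// that processes the log in batches and can fall behind the writers.
func (p *UserRoles) CatchUp(s *EventStore, n int) {
	for i, e := range s.ReadFrom(p.Position) {
		if i == n {
			break
		}
		p.apply(e)
	}
}

// Roles answers from the projection only; it is stale while Lag > 0.
func (p *UserRoles) Roles(user string) []string {
	var out []string
	for r := range p.roles[user] {
		out = append(out, r)
	}
	sort.Strings(out)
	return out
}

// Lag is the number of events the projection has not yet applied.
func (p *UserRoles) Lag(s *EventStore) int { return len(s.ReadFrom(p.Position)) }

// AuditTrail lists every recorded change to one aggregate, oldest first,
// straight from the log: no separate audit table is needed.
func AuditTrail(s *EventStore, aggregate string) []string {
	var out []string
	for _, e := range s.ReadFrom(0) {
		if e.Aggregate == aggregate {
			out = append(out, fmt.Sprintf("#%d %s %v", e.Sequence, e.Type, e.Payload))
		}
	}
	return out
}

func main() {
	store := &EventStore{}
	store.Append("user/alice", "user.role.granted", map[string]string{"role": "admin"})
	store.Append("user/alice", "user.role.revoked", map[string]string{"role": "admin"})
	proj := NewUserRoles()
	proj.CatchUp(store, 1) // worker has applied only the first event so far
	fmt.Println("stale:", proj.Roles("user/alice"), "lag:", proj.Lag(store))
	proj.CatchUp(store, 10)
	fmt.Println("fresh:", proj.Roles("user/alice"), "lag:", proj.Lag(store))
	fmt.Println(AuditTrail(store, "user/alice"))
}
```

The point for an operator is the `Position` field: a projection that exposes how far it has read gives monitoring something concrete to alarm on, and an authorization path that reads from a lagging projection will still report the `admin` role after the revocation event has been durably written.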
### Open
#### How does Zitadel's projection lag affect real-time authorization decisions?
If projection workers fall behind, read-model tables may show stale authorization data. How does Zitadel handle authorization checks during projection lag — does it fall back to the event store for critical permission decisions?
#### What is the migration path from v4 to v5?
v5 is in early development. What breaking changes are planned, and will there be an automated migration tool similar to the CockroachDB-to-PostgreSQL mirroring tool?
#### How does Zitadel handle token revocation at scale?
With JWT-based access tokens, revocation requires either short token lifetimes or a revocation list. How does Zitadel balance security (short-lived tokens) with performance (reduced token refreshes)?
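As an added illustration of the trade-off this question names (not Zitadel's implementation, whose token format and revocation mechanism this page does not describe), the Go verifier below accepts a token only if its HS256 signature holds, it has not expired, and its `jti` is absent from a revocation denylist. The `Claims` layout, the `Revocations` map and the demo key are all constructed for this example. `Prune` is where the two sides of the trade-off meet: a denylist only has to remember a revoked id until that token would have expired anyway, so a shorter token lifetime keeps the list, and every lookup against it, small.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims this example checks; the layout is
// constructed for illustration and is not Zitadel's token format.
type Claims struct {
	Sub string `json:"sub"`
	Jti string `json:"jti"` // unique token id: the handle a revocation names
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// Mint signs claims with HS256 and returns the compact serialization.
func Mint(key []byte, c Claims) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// Revocations is a denylist of revoked token ids keyed to each token's exp.
// In-memory for illustration; a deployment needs a store every verifier shares.
type Revocations map[string]int64

func (r Revocations) Revoke(jti string, exp int64) { r[jti] = exp }

func (r Revocations) IsRevoked(jti string) bool { _, ok := r[jti]; return ok }

// Prune drops entries whose token has expired anyway: an expired token
// already fails the exp check, so the list only spans one token lifetime.
func (r Revocations) Prune(now time.Time) int {
	n := 0
	for jti, exp := range r {
		if exp <= now.Unix() {
			delete(r, jti)
			n++
		}
	}
	return n
}

var (
	ErrSignature = errors.New("invalid signature")
	ErrExpired   = errors.New("token expired")
	ErrRevoked   = errors.New("token revoked")
)

// Verify checks signature, then exp, then the denylist. The HMAC is always
// recomputed with the fixed key, so a forged header cannot pick a weaker
// algorithm, and only authenticated tokens reach the denylist lookup.
func Verify(key []byte, token string, now time.Time, rev Revocations) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrSignature
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, ErrSignature
	}
	var c Claims
	body, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(body, &c) != nil {
		return Claims{}, ErrSignature
	}
	if now.Unix() >= c.Exp {
		return Claims{}, ErrExpired
	}
	if rev.IsRevoked(c.Jti) {
		return Claims{}, ErrRevoked
	}
	return c, nil
}

func main() {
	key := []byte("constructed-demo-key") // placeholder, not a real secret
	now := time.Now()
	rev := Revocations{}
	tok, _ := Mint(key, Claims{Sub: "alice", Jti: "t1", Exp: now.Unix() + 300})
	rev.Revoke("t1", now.Unix()+300)
	_, err := Verify(key, tok, now, rev)
	fmt.Println("after revoke:", err)
	fmt.Println("pruned after one lifetime:", rev.Prune(now.Add(5*time.Minute)))
}
```

Checking the signature before anything else matters: the denylist is mutable shared state, and a verifier that consulted it before authenticating the token would let unauthenticated requests drive load against it.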
#### What is the performance impact of event sourcing on high-throughput workloads?
Every write appends an event and triggers projections. For organizations with millions of users, how does the eventstore handle write amplification and projection rebuild times?
#### How does the Actions V2 runtime compare to V1 in performance and capabilities?
V1 Actions are being deprecated in favor of V2. What are the concrete performance and capability differences, and are there V2 features that cannot be replicated in V1?