Questions

Answered

How does Zitadel compare to Keycloak?

Zitadel is Go-based with event sourcing/CQRS, providing an immutable audit trail. Keycloak is Java-based with CRUD-over-RDBMS. Zitadel offers a more modern API-first approach (gRPC + REST from protobuf), while Keycloak has a larger community and more mature ecosystem. See Zitadel Index for the full alternatives comparison.

Can Zitadel handle multi-tenant B2B SaaS?

Yes — multi-tenancy is a first-class concept. The Instance > Organization > Project hierarchy with project grants enables tenant isolation and delegated role management. A project owner can grant a subset of roles to another organization, which can then self-manage user assignments.

Is Zitadel production-ready?

Yes — Zitadel is v4.x stable with bi-weekly releases, 13.5k+ GitHub stars, and multiple production adopters. Zitadel Cloud (managed SaaS) offers 99.95% SLA. Self-hosted deployments use PostgreSQL HA for production reliability.

What license does Zitadel use?

AGPL-3.0. This means anyone running a modified Zitadel as a network service must make the modified source code available to the users of that service. This is acceptable for most internal deployments but requires legal review for SaaS products built on modified Zitadel.

Does Zitadel support SAML 2.0?

Yes — full SAML Identity Provider with SP-initiated and IdP-initiated SSO, plus SAML IdP proxy mode for legacy applications.

How does Zitadel handle audit logging?

Every state mutation produces an immutable event in the eventstore. This provides a complete, non-repudiable audit trail without additional tooling. Events can be exported via the Events API or forwarded to SIEM via log store senders.

Open

How does Zitadel's projection lag affect real-time authorization decisions?

If projection workers fall behind, read-model tables may show stale authorization data. How does Zitadel handle authorization checks during projection lag — does it fall back to the event store for critical permission decisions?
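As an added illustration (not Zitadel's own code) of the mechanism behind both the audit-logging answer above and this question: an append-only eventstore whose log is the audit trail, a projection that derives the authorization read model from it, and a lag check that shows how a revoked grant stays visible in the read model until the worker catches up. All type names and the sample event types are constructed for the example.

```go
package main

import "fmt"

// Illustrative event-sourcing model, not Zitadel's own types: each state change
// is an immutable append-only event and a projection derives the read model from it.
type Event struct {
	Seq          uint64 // global, monotonically increasing log position (1-based)
	Type         string // constructed sample types: "grant.added" / "grant.removed"
	UserID, Role string
}
// EventStore only appends; nothing is updated or deleted, so the log is the audit trail.
type EventStore struct{ events []Event }

func (s *EventStore) Append(typ, user, role string) {
	s.events = append(s.events, Event{uint64(len(s.events)) + 1, typ, user, role})
}
func (s *EventStore) LatestSeq() uint64 { return uint64(len(s.events)) }

// GrantProjection is the read model ((user, role) -> granted) that authorization checks consult.
type GrantProjection struct {
	AppliedSeq uint64
	roles      map[[2]string]bool
}

// CatchUp applies at most n pending events, simulating a projection worker that lags.
func (p *GrantProjection) CatchUp(s *EventStore, n int) {
	if p.roles == nil {
		p.roles = map[[2]string]bool{}
	}
	for i := 0; i < n && p.AppliedSeq < s.LatestSeq(); i++ {
		e := s.events[p.AppliedSeq] // next unapplied event
		p.roles[[2]string{e.UserID, e.Role}] = e.Type == "grant.added" // "grant.removed" stores false
		p.AppliedSeq = e.Seq
	}
}
func (p *GrantProjection) HasRole(user, role string) bool { return p.roles[[2]string{user, role}] }
// Lag is how many events the read model is behind; while it is nonzero a revoked
// grant can still look valid to anything that reads only the projection.
func (p *GrantProjection) Lag(s *EventStore) uint64 { return s.LatestSeq() - p.AppliedSeq }

func main() {
	s, p := &EventStore{}, &GrantProjection{}
	s.Append("grant.added", "u1", "admin")
	s.Append("grant.removed", "u1", "admin")
	p.CatchUp(s, 1)                                  // worker has processed only event 1
	fmt.Println(p.HasRole("u1", "admin"), p.Lag(s)) // true 1: stale read model
	p.CatchUp(s, 100)                                // worker caught up
	fmt.Println(p.HasRole("u1", "admin"), p.Lag(s)) // false 0
}
```

A nonzero Lag is the signal a monitoring check would alert on, since during that window a permission decision served from the projection can disagree with the eventstore.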

What is the migration path from v4 to v5?

v5 is in early development. What breaking changes are planned, and will there be an automated migration tool similar to the CockroachDB-to-PostgreSQL mirroring tool?

How does Zitadel handle token revocation at scale?

With JWT-based access tokens, revocation requires either short token lifetimes or a revocation list. How does Zitadel balance security (short-lived tokens) with performance (reduced token refreshes)?

What is the performance impact of event sourcing on high-throughput workloads?

Every write appends an event and triggers projections. For organizations with millions of users, how does the eventstore handle write amplification and projection rebuild times?

How does the Actions V2 runtime compare to V1 in performance and capabilities?

V1 Actions are being deprecated in favor of V2. What are the concrete performance and capability differences, and are there V2 features that cannot be replicated in V1?