ZITADEL provides a comprehensive identity management solution with easy APIs, customizable workflows, and serverless deployment options.

Overview:

ZITADEL is an open-source identity and access management platform designed for developers securing SaaS products, building B2B platforms, or self-hosting a production IAM stack. It provides an API-first system for authentication, authorization, and multi-tenancy. Built with a relational core and event-driven architecture, ZITADEL aims to handle complex IAM challenges at scale, offering a single codebase for both its SaaS cloud offering and self-hosted deployments.

Core Features:

  • Authentication: Supports Single Sign-On (SSO), Passkeys (FIDO2/WebAuthn), MFA (OTP, U2F, email, SMS), LDAP, OIDC, SAML 2.0, and machine-to-machine authentication via JWT, PAT, and Client Credentials.

  • Multi-Tenancy: Provides a strict hierarchical model (Identity System → Organizations → Projects) with native, unlimited B2B organizations, identity brokering, customizable onboarding, and delegated role management.

  • API-First Design: Exposes every resource and action via connectRPC, gRPC, and HTTP/JSON APIs for comprehensive programmatic control.

  • Comprehensive Audit Trail: Every mutation is recorded as an immutable event in an API-accessible event stream, supporting full auditing and integration with external systems via webhooks.

  • Integration: Includes Actions (webhooks, custom code), RBAC, SCIM 2.0 Server, and pre-built IdP templates for enterprise and social logins.

  • Deployment: Self-hostable via Docker Compose or Kubernetes, using PostgreSQL (≥ 14) with support for zero-downtime updates and horizontal scalability.

Use Cases:

  • Securing B2B SaaS platforms: Developers can manage customer identities with native B2B organizations, self-service onboarding, and delegated role management.

  • Self-hosting a production IAM stack: Teams requiring full data control and isolation can deploy ZITADEL on their own infrastructure via Docker or Kubernetes.

  • Building custom authentication flows: Engineers can use the typed API (gRPC, REST) and Actions system to implement custom sessions, token enrichment, and webhook-based integrations.

Why It Matters:

ZITADEL offers a self-hostable, API-first identity platform with a focus on multi-tenancy and event-driven auditing. Its single codebase for SaaS and self-hosted versions ensures feature parity, while the relational core with an immutable event stream provides a comprehensive audit trail accessible via API. This design, combined with support for OIDC, SAML, SCIM, and Actions, makes it a relevant option for teams needing granular control over identity infrastructure without relying on external session stores.

Project statistics:

  • Stars: 13,668

  • Forks: 1,049

  • License: AGPL-3.0

Metadata:

  • Alternative to: Supabase