ZITADEL provides a comprehensive identity management solution with easy APIs, customizable workflows, and serverless deployment options.

At a Glance:

ZITADEL is an open-source identity and access management platform providing SSO, MFA, Passkeys, OIDC, SAML, and SCIM, built with a relational, event-driven architecture for a complete, API-accessible audit trail across a strict multi-tenant hierarchy.

Overview:

ZITADEL is an open-source identity and access management platform engineered for teams securing SaaS products or building B2B platforms. It delivers a full identity stack, from authentication protocols like OpenID Connect and SAML to B2B multi-tenancy with native organizations and delegated administration. The platform is built on an event-sourced core, recording every mutation as an immutable event for a comprehensive audit trail that can be streamed to external systems. Exposed through gRPC, connectRPC, and REST APIs, ZITADEL is deployable as a self-hosted solution or consumed as a cloud service, both running the same codebase.

Key Decision Points:

  • Deployment model: ZITADEL can be deployed as a self-hosted instance via Docker Compose or Kubernetes, or consumed as a SaaS (ZITADEL Cloud) with the same underlying codebase.

  • Audit architecture: Every data mutation is written as an immutable event, creating a comprehensive, API-accessible event stream that can be audited or streamed out via Webhooks, moving beyond typical selective audit logs.

  • Multi-tenancy design: The platform implements a strict hierarchy of Identity System → Organizations → Projects with isolated data and policy scoping, supporting native and unlimited B2B organizations.

  • API access: All platform capabilities are available through gRPC, connectRPC, and HTTP/JSON REST APIs, targeting backend service-to-service integration.

  • Authentication scope: Supports a wide range of methods including Passkeys, MFA (OTP, U2F, Email, SMS), LDAP, enterprise IdPs, and machine-to-machine flows like JWT Profile and Client Credentials.

Core Features:

  • Hosted Login V2: Provides a customizable login experience for end users.

  • Event stream audit trail: Writes every mutation as an immutable event, creating a full, queryable history for auditing or streaming to SIEM/SOC systems via webhooks.

  • B2B multi-tenancy: Delivers native support for organizational hierarchies with delegated role management, self-service onboarding, and domain discovery for customer identity scenarios.

  • API-first design: Exposes all resources through gRPC, connectRPC, and REST APIs, including capabilities for token exchange, user impersonation, and custom session management.

  • Actions & Webhooks: Allows custom code execution and token enrichment (Actions) and integration with external systems (Webhooks) to react to identity events.

  • SCIM 2.0 Server: Includes a server for automated provisioning and de-provisioning of users and groups across supported applications.

Use Cases:

  • Developers building a B2B SaaS platform requiring a native and scalable multi-tenancy identity system with delegated customer administration.

  • System architects needing a self-hosted identity provider with a comprehensive, immutable audit trail for every identity operation that can be streamed for external monitoring.

  • Teams securing applications with a broad set of modern authentication methods, including Passkeys, SAML 2.0, and machine-to-machine JWT Profile authorization.

Open-Source Alternative Value:

As an open-source IAM platform, ZITADEL offers a deployable identity stack where self-hosted installations run the same codebase as the vendor's cloud service, providing operational flexibility without feature divergence. The project's event-driven, relational architecture makes the complete identity history programmatically accessible, offering a depth of operational transparency distinct from systems that log only selective activities. This design, combined with API-first resource access and an unlimited B2B organization model, provides a foundationally different approach to integration and multi-tenancy. ZITADEL's documented comparison identifies it as an alternative to platforms like Keycloak and Auth0/Okta.

Project Data:

  • Stars: 14,137

  • Forks: 1,121

  • License: AGPL-3.0

Metadata:

  • Alternative to: Supabase