Scripts · Apr 10, 2026 · 3 min read

Zitadel — Open Source Identity Infrastructure

Zitadel is an open-source identity management platform with OIDC, SAML, SSO, MFA, passkeys, and multi-tenancy — built for cloud-native apps and enterprise needs.

TL;DR
Zitadel provides OIDC, SAML, SSO, MFA, and multi-tenancy as a self-hosted or cloud identity management platform.
§01

What it is

Zitadel is an open-source identity management platform that handles authentication and authorization for applications and APIs. It supports OIDC, SAML, SSO, multi-factor authentication (TOTP, WebAuthn, passkeys), and multi-tenancy out of the box. The platform provides a management console, API-first design, and event-sourced architecture.

Developers building SaaS products, platform engineers managing multi-tenant identity, and security teams needing audit trails will find Zitadel a capable alternative to Auth0 or Keycloak. It runs as a single binary with embedded CockroachDB or connects to external PostgreSQL.

§02

How it saves time or tokens

Implementing authentication from scratch requires handling token issuance, session management, MFA flows, and user provisioning. Zitadel provides all of these as a single service with pre-built login pages, OIDC-compliant token endpoints, and a management API. The event-sourced architecture means every identity change is auditable without additional logging infrastructure. Multi-tenancy support eliminates building tenant isolation logic in your application layer.

§03

How to use

  1. Start Zitadel with Docker:
# Local development only: --tlsMode disabled serves the console and OIDC endpoints over plain HTTP
docker run --name zitadel -p 8080:8080 \
  ghcr.io/zitadel/zitadel:latest start-from-init \
  --masterkey "MasterkeyNeedsToHave32Characters" \
  --tlsMode disabled
  2. Open http://localhost:8080 and log in with the default admin credentials.
  3. Create a project and application in the management console to get your OIDC client ID and secret.
  4. Integrate with your app using any OIDC client library:
// Example: Node.js with openid-client (v5 API; top-level await requires an ES module)
import { Issuer } from 'openid-client';

// Reads http://localhost:8080/.well-known/openid-configuration and builds an Issuer
// with the authorization, token, userinfo and JWKS endpoints filled in.
const issuer = await Issuer.discover('http://localhost:8080');

// Confidential client for the authorization code flow. The id and secret come from
// the application created in the console; the redirect URI must be registered there
// exactly as written here, or the authorization request is rejected.
const client = new issuer.Client({
  client_id: 'your-client-id',
  client_secret: 'your-client-secret',
  redirect_uris: ['http://localhost:3000/callback'],
  response_types: ['code'],
});
§04

Example

# Docker Compose production setup: TLS is terminated by a reverse proxy in front of
# port 8080, so Zitadel runs with --tlsMode external and advertises https://auth.example.com
version: '3.8'
services:
  zitadel:
    image: ghcr.io/zitadel/zitadel:latest
    # ZITADEL_MASTERKEY comes from the environment and must be exactly 32 characters
    command: start-from-init --masterkey "${ZITADEL_MASTERKEY}" --tlsMode external
    environment:
      ZITADEL_EXTERNALSECURE: true
      ZITADEL_EXTERNALPORT: 443
      ZITADEL_EXTERNALDOMAIN: auth.example.com
      ZITADEL_DATABASE_POSTGRES_HOST: db
      ZITADEL_DATABASE_POSTGRES_PORT: 5432
      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
      # admin connection, used once by start-from-init to create the database and app user
      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: zitadel-pg-password
      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
      # application connection used at runtime; SSL is off only because both
      # containers share the compose network
      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel-app-password
      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
    ports:
      - '8080:8080'
    depends_on:
      db:
        condition: service_healthy
  db:
    image: postgres:16
    environment:
      POSTGRES_PASSWORD: zitadel-pg-password
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U postgres']
      interval: 10s
      timeout: 5s
      retries: 5
    volumes:
      - pgdata:/var/lib/postgresql/data
volumes:
  pgdata:
§06

Common pitfalls

  • The masterkey must be exactly 32 characters. A shorter or longer key causes a startup failure with a non-obvious error message.
  • Running with --tlsMode disabled is for local development only. Production deployments require TLS termination via a reverse proxy or the built-in TLS configuration.
  • Multi-tenancy in Zitadel uses Organizations. Each Organization has its own users, policies, and branding. Forgetting to scope API calls to the correct Organization returns unexpected results.

Before adopting this tool, evaluate whether it fits your team's existing workflow. Read the official documentation thoroughly, and start with a small proof-of-concept rather than a full migration. Community forums, GitHub issues, and Stack Overflow are valuable resources when you encounter edge cases not covered in the documentation.

Frequently Asked Questions

How does Zitadel compare to Auth0 and Keycloak?

Zitadel offers OIDC, SAML, and MFA capabilities similar to those of Auth0 and Keycloak, but with an event-sourced architecture that provides built-in audit trails. Unlike Auth0, Zitadel is open source and self-hostable. Compared to Keycloak, Zitadel runs as a single binary without requiring a Java runtime, simplifying deployment and resource usage.

Does Zitadel support passkeys and WebAuthn?

Yes. Zitadel supports FIDO2/WebAuthn passwordless authentication including passkeys. Users can register platform authenticators (Touch ID, Windows Hello) or roaming authenticators (YubiKey) as primary or second-factor authentication methods.

What databases does Zitadel support?

Zitadel supports PostgreSQL as its primary database backend. It also includes an embedded CockroachDB option for quick starts and development. For production, external PostgreSQL (version 14 or higher) is recommended with proper backup and replication configuration.

Can Zitadel handle multi-tenant SaaS applications?

Yes. Zitadel has built-in multi-tenancy through its Organization concept. Each Organization gets isolated users, identity providers, security policies, and branding. You can create Organizations via API and scope all authentication requests to a specific Organization.

Is Zitadel suitable for production use?

Yes. Zitadel is used in production by organizations that need self-hosted identity management. It supports horizontal scaling, PostgreSQL for persistent storage, TLS, and RBAC for administrative access. The event-sourced architecture ensures data consistency and provides a complete audit log of all identity operations.
