Zitadel

Zitadel IAM Provider

Open-source (Apache 2.0) cloud-native CIAM and IAM platform from Switzerland. Designed for multi-tenant B2B SaaS with built-in Organizations for tenant isolation, branding, and per-org login policies. Supports OIDC, SAML 2.0, passkeys, TOTP, and JavaScript-based Actions for extensibility. Available as Zitadel Cloud (SaaS with free tier) or fully self-hosted on any infrastructure. SOC 2 Type II and ISO 27001 certified.

Frequently Asked Questions

Does Zitadel support Username and Password authentication method?

Zitadel supports Username and Password authentication method.

Does Zitadel support Social Sign-in authentication method?

Zitadel supports Social Sign-in authentication method. Built-in templates for Google, GitHub, GitLab, Apple, Entra ID, Okta, and any generic OIDC or SAML 2.0 identity provider.

Does Zitadel support Passkey authentication method?

Zitadel supports Passkey authentication method. FIDO2/WebAuthn passkeys as a first-factor passwordless method. Supports platform authenticators (Face ID, Touch ID, Windows Hello) and roaming security keys.

Does Zitadel support Email Passwordless authentication method?

Zitadel supports Email Passwordless authentication method. One-time passcode sent to email for passwordless login.

Does Zitadel support Phone Passwordless authentication method?

Zitadel supports Phone Passwordless authentication method. SMS OTP for passwordless phone-based authentication.

Does Zitadel support Magic Link authentication method?

Zitadel partially supports Magic Link authentication method. Email OTP can be used as a one-time login link. No dedicated magic-link authenticator out of the box.

Does Zitadel support Anonymous / Guest authentication method?

Zitadel does not support Anonymous / Guest authentication method. Zitadel requires authenticated user identity. Anonymous or guest sessions are not a built-in feature.

Does Zitadel support Time-based One-Time Password (TOTP) MFA?

Zitadel supports Time-based One-Time Password (TOTP) MFA. Time-based OTP via any TOTP-compatible authenticator app (Google Authenticator, Authy, etc.).

Does Zitadel support HMAC-based One-Time Password (HOTP) MFA?

Zitadel does not support HMAC-based One-Time Password (HOTP) MFA. Only TOTP (time-based) is supported. HOTP (counter-based OTP) is not available.

Does Zitadel support Universal 2nd Factor (U2F) MFA?

Zitadel supports Universal 2nd Factor (U2F) MFA. FIDO2/WebAuthn security keys (YubiKey, etc.) as a second factor.

Does Zitadel support WebAuthn MFA?

Zitadel supports WebAuthn MFA. WebAuthn as second factor, supporting both platform authenticators and roaming security keys.

Does Zitadel support Email Code MFA?

Zitadel supports Email Code MFA. One-time code sent via email as a second factor.

Does Zitadel support Phone Code MFA?

Zitadel supports Phone Code MFA. SMS OTP as a second factor.

Does Zitadel support Recovery Code MFA?

Zitadel supports Recovery Code MFA. Single-use recovery codes generated at MFA enrollment for account recovery.

Does Zitadel support Push Notification MFA?

Zitadel does not support Push Notification MFA. No built-in push notification MFA. Not available as a native feature.

Does Zitadel support Adaptive / Risk-Based MFA?

Zitadel partially supports Adaptive / Risk-Based MFA. Login Policies allow enforcing MFA at the instance or per-organization level. No risk-based or fully adaptive MFA engine built in.

Does Zitadel support Cisco Duo MFA?

Zitadel does not support Cisco Duo MFA. No native Cisco Duo integration.

Does Zitadel support Step-Up Authentication MFA?

Zitadel supports Step-Up Authentication MFA. Step-up authentication via ACR values and Login Policies that enforce re-authentication or additional factors for sensitive operations.

Does Zitadel support OpenID Connect (OIDC) integration protocol?

Zitadel supports OpenID Connect (OIDC) integration protocol.

Does Zitadel support SAML 2.0 integration protocol?

Zitadel supports SAML 2.0 integration protocol. SAML 2.0 Identity Provider support for enterprise SSO.

Does Zitadel support WS-Federation integration protocol?

Zitadel does not support WS-Federation integration protocol.

Does Zitadel support Machine-to-Machine (M2M) Authentication integration protocol?

Zitadel supports Machine-to-Machine (M2M) Authentication integration protocol. Service users with OAuth 2.0 client credentials grant for M2M and backend-to-backend authentication.

Does Zitadel support OpenID Connect (OIDC) Federation identity federation?

Zitadel supports OpenID Connect (OIDC) Federation identity federation. Generic OIDC identity provider template for federating with any OpenID Connect provider. Pre-built templates for Google, GitHub, GitLab, Apple, Entra ID, Okta.

Does Zitadel support SAML 2.0 Federation identity federation?

Zitadel supports SAML 2.0 Federation identity federation. SAML 2.0 identity provider federation for enterprise SSO. Pre-built templates for Entra ID and Okta SAML.

Does Zitadel support Active Directory / LDAP identity federation?

Zitadel supports Active Directory / LDAP identity federation. LDAP identity provider for federating with Active Directory and LDAP-compatible directories.

Does Zitadel support Azure Active Directory (Entra ID) identity federation?

Zitadel supports Azure Active Directory (Entra ID) identity federation. Built-in Entra ID (Azure AD) identity provider templates for both OIDC and SAML 2.0 federation.

Does Zitadel support Bulk User Import user management?

Zitadel supports Bulk User Import user management. Bulk import via the admin import API endpoint supporting multiple users, organizations, and associated data simultaneously.

Does Zitadel support Password Hash Import (Multiple Formats) user management?

Zitadel supports Password Hash Import (Multiple Formats) user management. Import users with existing password hashes. Supported formats: bcrypt, argon2, PBKDF2, and MD5 via legacy verifiers. Hashes are transparently re-hashed on first login.

Does Zitadel support Bulk User Export user management?

Zitadel supports Bulk User Export user management. Export users via the management API.

Does Zitadel support Bulk User Update / Delete user management?

Zitadel supports Bulk User Update / Delete user management. Bulk user update and delete operations via the management and admin APIs.

Does Zitadel support Upsert on Import user management?

Zitadel supports Upsert on Import user management. ImportHumanUser endpoint supports creating or updating existing users during import.

Does Zitadel support Legacy Username Import (Non-Allowed Characters) user management?

Zitadel partially supports Legacy Username Import (Non-Allowed Characters) user management. Username constraints depend on instance configuration. No built-in universal legacy username normalization for special characters.

Does Zitadel support MFA Enrollment Import user management?

Zitadel partially supports MFA Enrollment Import user management. OTP (TOTP) secrets can be imported alongside user accounts during migration. Passkey migration is not supported via direct import.

Does Zitadel support Inbound SCIM Provisioning user management?

Zitadel supports Inbound SCIM Provisioning user management. SCIM 2.0 server for inbound user provisioning. Enables automated user creation, updates, deactivation, and deprovisioning from external IdPs (e.g., Okta). Currently in preview.

Does Zitadel support Outbound SCIM Provisioning user management?

Zitadel does not support Outbound SCIM Provisioning user management. Outbound SCIM provisioning (acting as a SCIM client) is on the roadmap but not yet released.

Does Zitadel support SCIM Groups Provisioning user management?

Zitadel partially supports SCIM Groups Provisioning user management. SCIM 2.0 implementation is primarily user-focused. Group synchronization support is limited in the current preview.

Does Zitadel support Just-In-Time (JIT) User Provisioning user management?

Zitadel supports Just-In-Time (JIT) User Provisioning user management. Users are automatically created on first login via a federated identity provider without pre-provisioning.

Does Zitadel support Lazy / Trickle Migration from Legacy Database user management?

Zitadel partially supports Lazy / Trickle Migration from Legacy Database user management. Lazy migration from a legacy user store can be implemented via Zitadel Actions (JavaScript hooks). No built-in lazy migration UI or credential proxy feature.

Does Zitadel support Self-Service Profile Management Portal user management?

Zitadel supports Self-Service Profile Management Portal user management. Built-in self-service account management for end users including profile, MFA device enrollment, and passkey management.

Does Zitadel support User Account Linking user management?

Zitadel supports User Account Linking user management. Link external identity providers (social, enterprise, LDAP) to an existing Zitadel user account.

Does Zitadel support User Blocking / Banning user management?

Zitadel supports User Blocking / Banning user management. User accounts can be deactivated via the management API or admin console, preventing authentication.

Does Zitadel support User Metadata user management?

Zitadel supports User Metadata user management. Custom key-value metadata can be stored on user accounts via the management API.

Does Zitadel support Application Metadata user management?

Zitadel supports Application Metadata user management. Custom metadata can be stored at the project and application level.

Does Zitadel support Metadata Size Limits user management?

Zitadel partially supports Metadata Size Limits user management. Metadata key and value size limits exist but are not prominently documented for all tiers.

Does Zitadel support User Search user management?

Zitadel supports User Search user management. Search and filter users by profile attributes via the management API and admin console.

Does Zitadel support Role-Based Access Control (RBAC) user management?

Zitadel supports Role-Based Access Control (RBAC) user management. Role-based access control via project roles assigned to users and organizations. Roles are surfaced in tokens as claims.

Does Zitadel support Organizations (Multi-Tenancy B2B) user management?

Zitadel supports Organizations (Multi-Tenancy B2B) user management. First-class multi-tenancy via Organizations. Each org can have isolated users, identity providers, branding, and login policies. Supports B2B SaaS with self-service enterprise federation.

Does Zitadel support Password Strength Policies user management?

Zitadel supports Password Strength Policies user management. Configurable password complexity policies (minimum length, character requirements) at instance and organization level.

Does Zitadel support Username Restrictions user management?

Zitadel supports Username Restrictions user management. Username format and character restrictions configurable via login policies.

Does Zitadel support Progressive Profiling / Forms user management?

Zitadel does not support Progressive Profiling / Forms user management. No built-in progressive profiling flow. Custom Actions can trigger additional data collection during login, but there is no native visual form builder.

Does Zitadel support Attribute-Based Access Control (ABAC) access control?

Zitadel partially supports Attribute-Based Access Control (ABAC) access control. Attribute-based access control can be built using user metadata and custom claims injected via Actions, but there is no native ABAC policy engine.

Does Zitadel support Fine-Grained Authorization (FGA / ReBAC) access control?

Zitadel does not support Fine-Grained Authorization (FGA / ReBAC) access control. No built-in ReBAC or fine-grained authorization engine (e.g., Google Zanzibar-style). Authorization is scope and role-based.

Does Zitadel support API Authorization (Scopes / Permissions) access control?

Zitadel supports API Authorization (Scopes / Permissions) access control. OAuth 2.0 scopes and project roles for API authorization. Supports token introspection for API resource servers.

Does Zitadel support Audit Log Retention security feature?

Zitadel supports Audit Log Retention security feature. Immutable append-only event store retains all changes and authentication events for an unlimited period.

Does Zitadel support Audit Log Streaming security feature?

Zitadel supports Audit Log Streaming security feature. Event streaming via webhooks and the event API. Supports integration with external SIEM and observability platforms.

Does Zitadel support Security Center (Threat Monitoring Dashboard) security feature?

Zitadel does not support Security Center (Threat Monitoring Dashboard) security feature. No dedicated security center or threat monitoring dashboard. Authentication events are accessible via the event store and admin console.

Does Zitadel support Encryption at Rest security feature?

Zitadel supports Encryption at Rest security feature. Data encrypted at rest. Keys managed by the cloud provider for Zitadel Cloud; fully operator-controlled for self-hosted.

Does Zitadel support Encryption in Transit security feature?

Zitadel supports Encryption in Transit security feature. All endpoints enforced over TLS 1.2+.

Does Zitadel support Customer Managed Keys (BYOK) security feature?

Zitadel partially supports Customer Managed Keys (BYOK) security feature. Full customer-managed key control available in self-hosted deployments. Zitadel Cloud does not offer BYOK/customer-managed keys.

Does Zitadel support Bot Detection security feature?

Zitadel does not support Bot Detection security feature. No built-in CAPTCHA or ML-based bot detection. DDoS mitigation is provided at the infrastructure level for Zitadel Cloud.

Does Zitadel support Brute Force Protection security feature?

Zitadel supports Brute Force Protection security feature. Configurable lockout policy: lock user accounts after a defined number of failed login attempts.

Does Zitadel support Suspicious IP Throttling security feature?

Zitadel partially supports Suspicious IP Throttling security feature. Rate limiting at infrastructure level for Zitadel Cloud. No per-IP suspicious activity detection built into the application layer.

Does Zitadel support Breached Password Detection security feature?

Zitadel does not support Breached Password Detection security feature. No built-in integration with breach databases (e.g., Have I Been Pwned).

Does Zitadel support Credential Guard (Dark Web Monitoring) security feature?

Zitadel does not support Credential Guard (Dark Web Monitoring) security feature.

Does Zitadel support Tenant Access Control List (IP ACL) security feature?

Zitadel partially supports Tenant Access Control List (IP ACL) security feature. Allowed origins and CORS configuration available at instance level. No IP-based access control lists built into the application layer.

Does Zitadel support Device Fingerprinting security feature?

Zitadel does not support Device Fingerprinting security feature. No built-in device fingerprinting or device tracking feature.

Does Zitadel support Per-Organization Branding multi-tenancy?

Zitadel supports Per-Organization Branding multi-tenancy. Full branding customization (logo, colors, fonts) independently configured per organization via the admin console.

Does Zitadel support Per-Organization MFA Policy multi-tenancy?

Zitadel supports Per-Organization MFA Policy multi-tenancy. Login Policies configurable per organization, allowing different MFA requirements per tenant.

Does Zitadel support Hosted / Universal Login Page branding feature?

Zitadel supports Hosted / Universal Login Page branding feature. Centrally hosted login UI managed by Zitadel, fully customizable with branding settings.

Does Zitadel support Embedded / Native Login Components branding feature?

Zitadel does not support Embedded / Native Login Components branding feature. No pre-built embedded login component library. Developers can build custom login UI using the Zitadel Session API.

Does Zitadel support White-Label / Full Brand Removal branding feature?

Zitadel supports White-Label / Full Brand Removal branding feature. Full white-labeling: custom logos, colors, fonts, and domain. Zitadel watermark can be hidden.

Does Zitadel support Localization / i18n branding feature?

Zitadel supports Localization / i18n branding feature. Multi-language support for the hosted login UI and email communications.

Does Zitadel support Prebuilt UI Components (SDK) branding feature?

Zitadel partially supports Prebuilt UI Components (SDK) branding feature. SDK quickstarts available for multiple frameworks. No comprehensive pre-built UI component library; custom login UI built using the Session and OIDC APIs.

Does Zitadel support Login / Auth Analytics Dashboard analytics?

Zitadel partially supports Login / Auth Analytics Dashboard analytics. Admin console shows basic authentication event data. No dedicated analytics dashboard; full event history accessible via the event store API.

Does Zitadel support SOC 2 Type II Certification compliance?

Zitadel supports SOC 2 Type II Certification compliance.

Does Zitadel support ISO 27001 / 27017 / 27018 Certification compliance?

Zitadel supports ISO 27001 / 27017 / 27018 Certification compliance.

Does Zitadel support FedRAMP Authorization compliance?

Zitadel does not support FedRAMP Authorization compliance.

Does Zitadel support GDPR: Data Export (Portability) compliance?

Zitadel supports GDPR: Data Export (Portability) compliance. User data exportable via management API. Immutable event store enables full audit history export.

Does Zitadel support GDPR: Right to be Forgotten (User Deletion) compliance?

Zitadel supports GDPR: Right to be Forgotten (User Deletion) compliance. Users can be fully deleted via the management API to satisfy GDPR right to erasure.

Does Zitadel support Consent Management compliance?

Zitadel supports Consent Management compliance. OAuth 2.0 consent screen presented to users during authorization. Consent can be configured per project.

Does Zitadel support Region Deployment compliance?

Zitadel supports Region Deployment compliance. Zitadel Cloud available in EU, US, Switzerland, and Australia regions for data residency requirements.

Does Zitadel support Private Cloud Deployment compliance?

Zitadel supports Private Cloud Deployment compliance. Self-hosted deployment on any cloud provider (AWS, GCP, Azure) or on-premises via Docker or Kubernetes (Helm chart). Full data sovereignty.

Does Zitadel support SDK Coverage developer integration?

Zitadel supports SDK Coverage developer integration. Official SDKs and quickstarts for Go, TypeScript/Node.js, Python, Java, .NET, Angular, React, and more.

Does Zitadel support Management API developer integration?

Zitadel supports Management API developer integration. Full gRPC and REST management APIs for users, organizations, projects, and IAM configuration.

Does Zitadel support Authentication API Rate Limits developer integration?

Zitadel supports Authentication API Rate Limits developer integration. Rate limits enforced on authentication endpoints. Configurable per instance.

Does Zitadel support Actions / Extensibility Pipeline developer integration?

Zitadel supports Actions / Extensibility Pipeline developer integration. Actions: JavaScript code snippets that execute at defined hook points in authentication flows (pre/post authentication, pre token creation, custom claims, etc.).

Does Zitadel support TypeScript Support in Extensibility developer integration?

Zitadel does not support TypeScript Support in Extensibility developer integration. Actions use JavaScript only. TypeScript is not supported in the runtime.

Does Zitadel support Custom Domain developer integration?

Zitadel supports Custom Domain developer integration. Custom domain supported on Pro and Enterprise plans for Zitadel Cloud; fully supported in self-hosted.

Does Zitadel support Deploy CLI (Infrastructure as Code) developer integration?

Zitadel supports Deploy CLI (Infrastructure as Code) developer integration. ZITADEL CLI for managing instances and configuration. Supports GitOps workflows alongside the Terraform provider.

Does Zitadel support Terraform Provider developer integration?

Zitadel supports Terraform Provider developer integration. Official Terraform provider (registry.terraform.io/providers/zitadel/zitadel) for managing all Zitadel resources as code.

Does Zitadel support Custom Database Connections developer integration?

Zitadel does not support Custom Database Connections developer integration. Zitadel uses its own internal user store. Custom or legacy database connections for credential validation are not supported natively.

Does Zitadel support Native Webhook Support developer integration?

Zitadel supports Native Webhook Support developer integration. Native webhook support via event-based Actions that can push data to external HTTP endpoints on authentication events.

Does Zitadel support Universal Login / Hosted Login Page Customization developer integration?

Zitadel supports Universal Login / Hosted Login Page Customization developer integration. Hosted login page fully customizable with logos, color themes, fonts, and custom text via the branding settings.

Does Zitadel support Custom Email Provider (SMTP) developer integration?

Zitadel supports Custom Email Provider (SMTP) developer integration. Custom SMTP server configuration for sending transactional emails from your own domain.

Does Zitadel support Email Templates developer integration?

Zitadel supports Email Templates developer integration. Fully customizable email templates for OTP, invitation, and notification flows.

Does Zitadel support Custom OIDC Claims / Token Enrichment developer integration?

Zitadel supports Custom OIDC Claims / Token Enrichment developer integration. Custom claims added to access tokens and ID tokens via Actions pre-token-creation hooks.

Does Zitadel support No-Code Auth Flow Builder / Orchestration feature?

Zitadel does not support No-Code Auth Flow Builder / Orchestration feature. No visual drag-and-drop flow builder. Authentication flow customization requires JavaScript Actions code.

Does Zitadel support Identity Verification / Document Proofing feature?

Zitadel does not support Identity Verification / Document Proofing feature. No built-in identity verification or document proofing. Can be integrated via custom Actions calling external verification services.

Does Zitadel support Decentralized / Verifiable Credentials feature?

Zitadel does not support Decentralized / Verifiable Credentials feature. No built-in support for W3C Verifiable Credentials or decentralized identity (DID) standards.

Does Zitadel support Built-in Billing / Subscription Management feature?

Zitadel does not support Built-in Billing / Subscription Management feature. No built-in billing or subscription management integration.

Does Zitadel support Agentic AI / MCP Server Authentication feature?

Zitadel partially supports Agentic AI / MCP Server Authentication feature. Service users with OAuth 2.0 client credentials grant and JWT profile support machine and AI agent authentication. No dedicated MCP server auth or agentic identity features.