Zitadel
Securing a SaaS product, running B2B onboarding, or replacing Auth0 and Keycloak with a stack
they own - teams needing more than basic auth reach for ZITADEL, an open-source identity and
access management platform built in Go. Its multi-tenancy model is the differentiator: a
strict Instance, Organization, Project hierarchy isolates data and scopes policy at each
level, with identity brokering (pre-built templates for Google, GitHub, Microsoft, Apple, plus
generic OIDC, OAuth, SAML, and LDAP), domain discovery that routes users to the right
organization by email domain, and delegated management so customers administer their own users
and roles. Authentication covers OpenID Connect (certified, including device authorization and
token exchange), SAML 2.0 as both IdP and SP, SCIM, FIDO2 passkeys for phishing-resistant
passwordless login, and MFA via OTP, email, SMS, and U2F; machine-to-machine flows support JWT
profile, PATs, and client credentials. The architecture is event-sourced - every mutation is
an immutable event, yielding a complete audit trail - with relational projections for queries
and no external session store, so it scales horizontally. API-first with gRPC and REST,
extensible via Actions webhooks, and the same codebase self-hosted (Docker Compose or Helm on
PostgreSQL) as in the cloud.
Deploy