Zitadel
Cloud-native identity platform - European alternative based in Switzerland
Quick Overview
| Company | Zitadel |
|---|---|
| Category | Identity Management |
| Headquarters | St. Gallen, Switzerland |
| EU/European | Yes - Switzerland |
| Open Source | Yes |
| GDPR Compliant | Yes |
| Main Features | User management, SSO, Multi-tenancy, Passwordless, OIDC/OAuth2 |
| Pricing | Free tier / From $100/month |
| Best For | B2B SaaS needing multi-tenant auth |
| Replaces | Auth0, Cognito |
Detailed Review
ZITADEL is a cloud-native identity management platform founded in 2019 and headquartered in St. Gallen, Switzerland. Built from the ground up with a developer-first philosophy, ZITADEL provides comprehensive identity infrastructure including authentication, authorization, user management, and multi-tenancy capabilities. The platform positions itself as combining the best aspects of Auth0's developer experience with Keycloak's self-hosting flexibility, all wrapped in a modern, event-sourced architecture built in Go. With $15.5 million in total funding including a Series A round in late 2024, ZITADEL is rapidly maturing into a serious contender in the identity management space.
What distinguishes ZITADEL from other identity providers is its native multi-tenancy architecture, which was designed into the system from day one rather than bolted on as an afterthought. For B2B SaaS companies that need to manage multiple organizations, each with their own users, roles, policies, and branding, ZITADEL provides an elegantly simple solution where other platforms require complex workarounds. This architectural advantage, combined with its Swiss data sovereignty and open-source license, makes ZITADEL a compelling choice for European companies building modern cloud applications.
Authentication and Security
ZITADEL supports a broad range of authentication methods that cover most modern security requirements. Passwordless sign-in uses passkeys and FIDO2, so users authenticate with platform biometrics or a hardware security key and never hold a traditional password. Where passwords remain in use, ZITADEL enforces configurable password policies (minimum length and character-class requirements) and a lockout policy that blocks further attempts after a configurable number of failures, which blunts online guessing against accounts that still rely on a password.
Multi-factor authentication is configured through the login policy at the instance or organization level, with an organization able to override the instance defaults. Supported second factors are Time-based One-Time Passwords (TOTP) from authenticator apps, one-time codes sent by SMS or email, and hardware security keys (U2F/FIDO2); passkeys can also serve as a phishing-resistant primary factor. Administrators can require MFA for all users or only for local (non-federated) users, which lets a business enforce strong authentication where it owns the credential while leaving federated users to their home identity provider's policy. In practice, SMS and email codes are the weakest of these options and are best reserved for low-risk accounts or recovery, with privileged users steered toward FIDO2.
Multi-Tenancy Architecture
ZITADEL's multi-tenancy support is its defining feature and the primary reason many B2B SaaS companies choose it over alternatives. The platform uses a hierarchical structure of Instances, Organizations, and Projects that maps naturally to how B2B software is typically structured. An Instance represents the top-level ZITADEL deployment. Within an Instance, multiple Organizations can be created, each representing a customer or partner with their own users, roles, identity providers, and branding. Projects within organizations define the applications and their access policies.
This architecture means that a SaaS company can onboard a new customer by creating a new Organization, configuring that customer's authentication requirements (SAML federation with their corporate identity provider such as ADFS or Entra ID, or mandatory hardware security keys), and the customer's users are isolated from every other organization's users and policies. Each organization can have its own branded login page, its own password and lockout policies, and its own identity provider connections. This per-tenant isolation and customization is what sets ZITADEL apart from solutions like Keycloak, which added organization support only recently. One point to keep in mind: ZITADEL enforces the isolation for the data it holds, but the application behind it still has to check, on every request, that the organization in the caller's token matches the tenant whose data is being accessed.
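The per-request check described above is where multi-tenant deployments most often go wrong, so here it is in code. This Go example is added here and is not code from ZITADEL or its SDKs: it verifies an RS256 access token (algorithm pinned, signature, issuer, audience, expiry) and then refuses any request whose tenant does not match the organization the token was issued for. The claim names `urn:zitadel:iam:user:resourceowner:id` and `urn:zitadel:iam:org:project:roles` are the ones ZITADEL emits when a project is configured to assert roles and user info in tokens; the issuer URL, organization IDs, role names and the locally generated signing key are assumptions so the example runs offline. A real service never holds the identity provider's private key and instead fetches the public keys from the issuer's JWKS endpoint, which the OpenID discovery document points to.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var ErrWrongTenant = errors.New("token was issued for a different organization")
var ErrMissingRole = errors.New("required role is not granted in this organization")

// Claims is the token subset a resource server needs; the urn:zitadel names are ZITADEL's own claims.
type Claims struct {
	Iss   string   `json:"iss"`
	Aud   []string `json:"aud"` // ZITADEL emits aud as an array (project and client IDs)
	Exp   int64    `json:"exp"`
	OrgID string   `json:"urn:zitadel:iam:user:resourceowner:id"`
	Roles map[string]map[string]string `json:"urn:zitadel:iam:org:project:roles"` // role -> {orgID: orgDomain}
}

var enc = base64.RawURLEncoding

// NewSigningKey and MintToken stand in for the identity provider so the example runs offline (assumption).
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func MintToken(key *rsa.PrivateKey, issuer, orgID, aud string, roles map[string]map[string]string, ttl time.Duration) (string, error) {
	payload, err := json.Marshal(Claims{Iss: issuer, Aud: []string{aud}, Exp: time.Now().Add(ttl).Unix(), OrgID: orgID, Roles: roles})
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyToken checks algorithm, signature, issuer, audience and expiry before any claim is
// trusted. Pinning alg to RS256 rejects alg=none and HMAC key-confusion tokens outright.
func VerifyToken(token string, pub *rsa.PublicKey, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, errH := enc.DecodeString(parts[0])
	rawClaims, errC := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	if errH != nil || errC != nil || errS != nil {
		return nil, errors.New("malformed token encoding")
	}
	var header struct{ Alg string `json:"alg"` }
	if json.Unmarshal(rawHeader, &header) != nil || header.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if err := json.Unmarshal(rawClaims, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, errors.New("unexpected issuer")
	}
	audOK := false
	for _, a := range c.Aud {
		audOK = audOK || a == audience
	}
	if !audOK {
		return nil, errors.New("token not issued for this API")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Authorize is the per-request tenant-isolation check: the caller's organization must be the
// tenant whose data is requested (taken from the route, never from a client-supplied field),
// and the role must be granted in that organization. A valid org-A token gets nothing in org B.
func Authorize(c *Claims, tenantOrgID, role string) error {
	if c.OrgID != tenantOrgID {
		return ErrWrongTenant
	}
	if _, ok := c.Roles[role][tenantOrgID]; !ok {
		return ErrMissingRole
	}
	return nil
}
```

`MintToken` exists only to play the identity provider in a test. In a real service every request runs `VerifyToken` with the key from JWKS and then `Authorize(claims, orgIDFromRoute, "admin")`; the tenant identifier must come from the route or the caller's organization, never from a body field the client controls, otherwise the isolation ZITADEL provides is undone at the API boundary.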
Protocol Support
ZITADEL supports the standard identity protocols. OpenID Connect (OIDC) and OAuth 2.x are fully implemented for web, mobile and machine-to-machine clients, including PKCE for public clients, so integrating any modern application is straightforward. SAML 2.0 works in both directions: ZITADEL can act as the identity provider for SAML applications, and it can federate login to an external SAML provider such as Microsoft Active Directory Federation Services (ADFS) or Microsoft Entra ID (formerly Azure AD). LDAP is supported as an external identity provider rather than as a bulk synchronization: users in an existing directory sign in with their directory credentials and are linked or created in ZITADEL on first login, which bridges legacy infrastructure without copying the directory. The bind credentials ZITADEL holds for that directory should belong to a read-only service account.
The platform also implements the SCIM 2.0 (System for Cross-domain Identity Management) service-provider side, so an upstream HR system or corporate directory can push account creation, attribute updates and deactivation into ZITADEL as employees join, move between departments, or leave. That keeps the identities in ZITADEL aligned with the source of record without custom scripting; propagation to the applications ZITADEL protects then happens through the tokens and roles those applications already consume. Treat the SCIM endpoint as a privileged integration: it creates and deletes users, so scope its credential to the organization it serves and rotate it like any other administrative secret.
Event-Sourced Architecture
One of ZITADEL's most distinctive technical features is its event-sourced architecture. Unlike traditional identity systems that store the current state of user accounts in a database, ZITADEL stores every change as an immutable event: every login, password change, role assignment, policy update, and administrative action is recorded as a chronological sequence of events. The current state of any entity can be reconstructed by replaying its event history.
This architecture has several practical advantages. First, the append-only event store is a complete record of everything that has happened in the system, which is what auditors in regulated industries ask for. Append-only is a property of the application, though, not a cryptographic guarantee: anyone with write access to the underlying database can still alter history, so the store should be tightly access-controlled and, where tamper evidence is a requirement, its events forwarded to an external write-once log. Second, it makes troubleshooting tractable, because an administrator can trace the exact sequence of events that led to a user's current state. Third, it supports fast reads through projections, optimized read-only views that are updated incrementally as new events arrive instead of being recomputed on every query.
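To make the replay and projection mechanics concrete, here is a small Go model, added here as an illustration and not ZITADEL's own implementation: an append-only event list, a fold that rebuilds a user's state from scratch, an incrementally maintained projection that must always agree with that rebuild (and ignores a redelivered event), and an audit query that answers who granted or revoked a role and when. The event type names, actors and the sample stream are constructed for the example.

```go
package main

import "sort"

// Event is one immutable fact. Events are only appended; Sequence fixes the per-user
// order. The dotted type names imitate ZITADEL's style but this set is invented.
type Event struct {
	Sequence uint64
	UserID   string
	Type     string
	Actor    string // who caused it: the user or an administrator
	Data     string // role name for grant events, empty otherwise
}

// UserState is a read model: derived from the log, never the source of truth.
type UserState struct {
	Exists          bool
	Active          bool
	PasswordChanges int
	Roles           map[string]bool
}

// apply folds one event into the state. Because full replay and incremental
// projection both go through it, the two views cannot disagree on meaning.
func apply(s UserState, e Event) UserState {
	if s.Roles == nil {
		s.Roles = map[string]bool{}
	}
	switch e.Type {
	case "user.added":
		s.Exists, s.Active = true, true
	case "user.password.changed":
		s.PasswordChanges++
	case "user.grant.added":
		s.Roles[e.Data] = true
	case "user.grant.removed":
		delete(s.Roles, e.Data)
	case "user.deactivated":
		s.Active = false
	case "user.reactivated":
		s.Active = true
	}
	return s
}

// Replay rebuilds one user's state from scratch by folding all of that user's
// events in sequence order; this is how a read model is recovered after a rebuild.
func Replay(log []Event, userID string) UserState {
	own := make([]Event, 0, len(log))
	for _, e := range log {
		if e.UserID == userID {
			own = append(own, e)
		}
	}
	sort.Slice(own, func(i, j int) bool { return own[i].Sequence < own[j].Sequence })
	var s UserState
	for _, e := range own {
		s = apply(s, e)
	}
	return s
}

// Projection is the incrementally maintained read model, fed events in order.
// It remembers the last sequence applied per user so a redelivered event is ignored.
type Projection struct {
	users   map[string]UserState
	lastSeq map[string]uint64
}

func NewProjection() *Projection {
	return &Projection{users: map[string]UserState{}, lastSeq: map[string]uint64{}}
}

func (p *Projection) Handle(e Event) {
	if e.Sequence <= p.lastSeq[e.UserID] {
		return // already projected
	}
	p.users[e.UserID] = apply(p.users[e.UserID], e)
	p.lastSeq[e.UserID] = e.Sequence
}

func (p *Projection) Get(userID string) UserState { return p.users[userID] }

// History answers the audit question "how did this user get or lose role X?"
// straight from the log: the grant and removal events for that role, with the actor.
func History(log []Event, userID, role string) []Event {
	var out []Event
	for _, e := range log {
		if e.UserID == userID && e.Data == role && (e.Type == "user.grant.added" || e.Type == "user.grant.removed") {
			out = append(out, e)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Sequence < out[j].Sequence })
	return out
}

// SampleLog is a constructed event stream: user created, password set, viewer then
// admin granted, admin revoked by the security team, account deactivated.
var SampleLog = []Event{
	{1, "u1", "user.added", "admin@org-a", ""},
	{2, "u1", "user.password.changed", "u1", ""},
	{3, "u1", "user.grant.added", "admin@org-a", "viewer"},
	{4, "u1", "user.grant.added", "admin@org-a", "admin"},
	{5, "u1", "user.grant.removed", "security@org-a", "admin"},
	{6, "u1", "user.deactivated", "security@org-a", ""},
}
```

The invariant worth testing in any event-sourced system is that `Replay` and the `Projection` agree for every user after every event; when they drift, the projection is the one that is wrong, because the log is the record. The same log answers the audit question without any extra bookkeeping, which is the property the paragraph above is getting at.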
Developer Experience and API
ZITADEL follows an API-first design philosophy, meaning that everything that can be done through the management console can also be done programmatically through well-documented APIs. The platform provides both gRPC and REST APIs for full programmatic control over users, organizations, projects, roles, and policies. This makes it straightforward to integrate ZITADEL into CI/CD pipelines, infrastructure-as-code workflows, and custom management tooling.
The developer documentation is comprehensive and includes quickstart guides for popular frameworks and languages including Go, Python, Node.js, React, Angular, Flutter, and more. ZITADEL also provides official client libraries and SDKs that simplify integration, along with example applications that demonstrate common patterns. The management console itself is a modern, responsive web application that provides a visual interface for all administrative tasks, making it accessible to both developers and non-technical administrators.
Self-Hosting and Deployment
ZITADEL is open source. The server was first published under Apache 2.0 and was later re-licensed under AGPL-3.0, so check the LICENSE file of the version you deploy: both permit free download, deployment and modification, but AGPL additionally requires offering the source of a modified version that you run as a network service. Self-hosted deployments can run on bare metal, virtual machines, Kubernetes, or Docker, with official Helm charts and Docker Compose configurations available for streamlined deployment. The platform is written in Go and ships as a single binary, which simplifies operations compared to Java-based alternatives like Keycloak; the one external dependency that matters operationally is the PostgreSQL database holding the event store, which carries every credential hash and policy change and has to be backed up, encrypted and access-controlled accordingly.
For organizations that prefer a managed service, ZITADEL Cloud provides a fully hosted offering with infrastructure in Switzerland and other European locations. The cloud service handles all operational aspects including updates, scaling, backups, and monitoring, allowing teams to focus on building their applications rather than managing identity infrastructure. Self-hosted and cloud deployments are feature-equivalent, ensuring that organizations can migrate between deployment models without losing functionality.
Swiss Data Sovereignty
ZITADEL's Swiss headquarters provides a strong data sovereignty foundation. Switzerland has some of the world's strictest data protection laws, and while not an EU member, its data protection framework has been recognized as adequate by the European Commission. For companies that need to keep identity data in Switzerland specifically -- which is common in finance, healthcare, and government sectors -- ZITADEL Cloud offers hosting on Swiss infrastructure. The combination of Swiss data protection law, the open-source license, and the option to self-host gives organizations maximum control over their most sensitive data: user identities and authentication credentials.
US-based identity providers such as Auth0 (owned by Okta) and Amazon Cognito are operated by companies subject to the US CLOUD Act, which can compel them to produce data they control regardless of the region it is stored in. ZITADEL is a Swiss company under Swiss law, so a foreign authority seeking identity data has to go through Swiss legal process (mutual legal assistance) rather than serve the vendor directly; Swiss law does not make the data unreachable, but it removes the unilateral foreign-order path. For European businesses operating under GDPR this simplifies the transfer analysis for the identity data the provider holds. Two practical caveats apply: the jurisdictional benefit covers the vendor, so check which infrastructure provider underlies the ZITADEL Cloud region you choose, and with a self-hosted deployment the applicable jurisdiction is simply that of your own infrastructure.
ZITADEL vs. Auth0 and Keycloak
The two most common comparisons for ZITADEL are Auth0 (now part of Okta) and Keycloak (backed by Red Hat/CNCF). Auth0 provides an excellent developer experience and a rich feature set, but it is a proprietary, US-based SaaS platform with no self-hosting option and pricing that scales with monthly active users, which can become expensive at scale. ZITADEL matches much of Auth0's developer experience while offering open-source transparency, self-hosting flexibility, and European data sovereignty.
Keycloak is the incumbent open-source identity platform with a massive community and battle-tested track record in enterprise deployments. However, its Java-based architecture can be resource-intensive, its multi-tenancy support (through the recently added Organizations feature) is less mature than ZITADEL's native implementation, and its API and developer experience are generally considered less polished. ZITADEL's Go-based architecture results in lower resource consumption and simpler deployment, while its native multi-tenancy and event-sourced design offer architectural advantages for modern SaaS applications.
Pricing
ZITADEL's pricing model is straightforward. The open-source self-hosted version is completely free with no user limits or feature restrictions. ZITADEL Cloud offers a free tier for development and small projects, with paid plans starting at $100 per month for production workloads. Enterprise plans with custom SLAs, dedicated support, and advanced features are available for larger organizations. Compared to Auth0's usage-based pricing, which can quickly reach thousands of dollars per month for applications with many users, ZITADEL's pricing is predictable and typically more affordable.
Final Verdict
ZITADEL is an impressive identity management platform that fills an important gap in the European technology landscape. Its native multi-tenancy architecture, event-sourced design, comprehensive protocol support, and Swiss data sovereignty make it a compelling choice for B2B SaaS companies, enterprises, and any organization that values transparency and data control. The combination of open-source licensing, modern Go-based architecture, and a developer-first approach positions ZITADEL as a forward-looking alternative to both Auth0 and Keycloak. For European companies building cloud-native applications that need robust, compliant identity infrastructure, ZITADEL deserves serious consideration.
Frequently Asked Questions
Is ZITADEL GDPR compliant?
Yes. ZITADEL is headquartered in Switzerland, whose data protection framework the European Commission recognizes as adequate, and it provides the privacy controls GDPR expects of a processor; as with any processor, compliance of the overall system still depends on your own configuration and data-processing agreement. Its event-sourced architecture keeps an append-only audit trail of identity actions. Self-hosted deployments give organizations complete control over where data is stored and processed, while ZITADEL Cloud offers EU and Swiss hosting options.
Where is ZITADEL based, and who is behind it?
ZITADEL is headquartered in St. Gallen, Switzerland. Founded in 2019, the company has raised $15.5 million in total funding, including a Series A round in late 2024. The Swiss location places identity data under Swiss data protection law rather than US legislation such as the CLOUD Act; foreign authorities can obtain data only through Swiss legal process.
How much does ZITADEL cost?
The self-hosted open-source version is completely free with no user limits or feature restrictions. ZITADEL Cloud offers a free tier for development and small projects, with paid plans starting at $100 per month for production workloads. Enterprise plans with custom SLAs and dedicated support are available. Compared to Auth0's usage-based pricing, which can reach thousands per month at scale, ZITADEL's pricing is predictable and typically more affordable.
Is ZITADEL a good alternative to Auth0 and Cognito?
Yes. ZITADEL is a strong European alternative to Auth0 (Okta), Amazon Cognito, and Keycloak. It matches much of Auth0's developer experience while offering open-source transparency, self-hosting flexibility, native multi-tenancy, and Swiss data sovereignty. For B2B SaaS applications that need multi-tenant authentication, ZITADEL's architecture is purpose-built for this use case, unlike Auth0 where multi-tenancy can be complex and expensive to implement.
Is ZITADEL open source?
Yes. The full source code is on GitHub with an active community of contributors. The server was first released under Apache 2.0 and later re-licensed under AGPL-3.0, so read the LICENSE file of the version you deploy: both permit free use, modification and self-hosting, which removes vendor lock-in, but AGPL adds source-sharing obligations for modified versions run as a network service.
How does ZITADEL handle multi-tenancy?
ZITADEL uses a hierarchical structure of Instances, Organizations, and Projects designed natively for multi-tenancy. Each Organization (representing a customer or partner) has its own users, roles, identity providers, login branding, and security policies, isolated from other organizations. This lets B2B SaaS companies onboard a new customer by creating a new Organization, without workarounds or custom code; the application itself remains responsible for checking that each request's tenant matches the organization in the caller's token.
Which protocols and authentication methods does ZITADEL support?
ZITADEL supports the industry-standard protocols OpenID Connect (OIDC), OAuth 2.x, SAML 2.0 (as identity provider and for federation to external providers), LDAP as an external identity provider, and SCIM 2.0 for inbound user provisioning. It also supports passwordless authentication through passkeys and FIDO2, and multi-factor authentication via TOTP, SMS and email one-time codes, and hardware security keys (U2F/FIDO2). This breadth covers virtually any modern application or enterprise directory.
Can ZITADEL be self-hosted?
Yes. ZITADEL can be self-hosted on bare metal, virtual machines, Kubernetes, or Docker, with official Helm charts and Docker Compose configurations provided. Written in Go, it compiles to a single binary that needs only a PostgreSQL database, making it simpler to deploy and operate than Java-based alternatives like Keycloak. Self-hosted and cloud deployments are fully feature-equivalent.
How does ZITADEL compare to Keycloak?
Both are open-source identity providers, but they differ significantly. Keycloak is Java-based with a large community and a battle-tested enterprise track record, but it can be resource-intensive and its multi-tenancy support is less mature. ZITADEL is Go-based, resulting in lower resource consumption and simpler deployment (a single binary rather than a Java application server). ZITADEL's native multi-tenancy, event-sourced architecture, and modern API design offer architectural advantages for cloud-native SaaS applications.
What is ZITADEL's event-sourced architecture and why does it matter?
ZITADEL stores every change as an immutable event -- every login, password change, role assignment, and policy update is recorded chronologically -- and reconstructs the current state of any entity by replaying its event history. This yields a complete, append-only audit trail (valuable in regulated industries, provided write access to the underlying database is tightly controlled), makes troubleshooting tractable because the exact sequence of changes is visible, and supports high-performance read models through event projections.