Vitals
- Version: v4.13.0 (Released 2026-03-23)
- Velocity: Active (Last commit 2026-03-30)
- Community: 13.4k Stars · 1.0k Forks
- Backlog: 976 Open Issues
Profile
- Official: zitadel.com
- Source: github.com/zitadel/zitadel
- License: AGPL-3.0
- Deployment: Docker | Kubernetes
- Data Model: PostgreSQL / CockroachDB (Event-Sourced)
- Jurisdiction: Switzerland (CAOS Ltd., St. Gallen)
- Compliance (SaaS): SOC 2 Type II | ISO 27001 | GDPR Ready
- Compliance (Self-Hosted): Operator managed; the SaaS certifications do not carry over to self-hosted instances
- Complexity: Moderate (3/5); single binary deployment available, but production requires managing an event-sourced PostgreSQL or CockroachDB store
- Maintenance: Moderate (3/5); database schema migrations on upgrades, and CockroachDB cluster management adds operational surface for HA deployments
- Enterprise Ready: High (4/5); no MAU limits, B2B multi-tenancy, SAML, MFA, and FIDO2/Passkeys are included in the self-hosted edition, while compliance certifications are infrastructure-dependent when self-hosted
1. The Executive Summary
What is it? ZITADEL is an open-source Identity and Access Management platform built in Go by CAOS Ltd. (St. Gallen, Switzerland). It provides authentication and authorization infrastructure for multi-tenant B2B SaaS environments: OIDC, SAML, SCIM, MFA, FIDO2/Passkeys, and delegated role management are all included in the self-hosted Community Edition at no cost. Its event-sourcing architecture means every authentication and authorization state change is written to an immutable log, providing a built-in audit trail without additional tooling. ZITADEL Cloud (SaaS) carries verified SOC 2 Type II (January 2026) and ISO 27001:2022 (June 2024) certifications. The enterprise tax on the SaaS tier is primarily around scale (100 DAU free tier limit), custom domains, geographic data residency selection, and SLA guarantees, none of which apply to self-hosted deployments.
The Strategic Verdict:
- For Single-App Consumer Authentication: Overkill. ZITADEL's multi-tenancy, event-sourced data model, and B2B delegation primitives are architectural overhead for a single-tenant consumer application; a lighter OIDC library or hosted service is a more proportionate choice.
- For Multi-Tenant B2B SaaS or Regulated Enterprise IAM: Strong Buy. Native organisation-level tenancy, SAML federation, and an immutable audit log are included in the self-hosted edition with no MAU paywall. Swiss jurisdiction avoids US CLOUD Act exposure, a meaningful differentiator over Auth0/Okta for EU-regulated or sovereignty-sensitive deployments.
2. The "Hidden" Costs (TCO Analysis)
| Cost Component | Auth0 (SaaS) | Zitadel (Self-Hosted) |
|---|---|---|
| MAU Fees | $0.07+/MAU overage | $0 (Unlimited MAU) |
| B2B Multi-Tenancy | Enterprise tier | Native (Included) |
| SSO / SAML | Enterprise tier | Included (Default) |
| Data Residency | Auth0-managed cloud | Operator-controlled (VPC) |
| Audit Trail | Paid log retention add-on | Event-sourced (Immutable, Default) |
3. The "Day 2" Reality Check
Deployment & Operations
- Installation: ZITADEL ships as a single Go binary with Docker and Kubernetes Helm chart support. The event-sourcing data model requires PostgreSQL or CockroachDB as the backing store; CockroachDB is preferred for multi-region high availability but adds its own operational complexity. PostgreSQL is the simpler operational choice for single-region deployments. All database schema migrations are handled by the ZITADEL binary on startup.
- Architecture: The event-sourcing model means every state change (user creation, role assignment, permission grant) is appended as an immutable event rather than overwritten. This provides a built-in, tamper-evident audit history at no additional tooling cost, directly applicable to SOC 2 CC6.x access review requirements and GDPR Article 30 record-keeping obligations.
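As an added illustration of the event-sourced model described above (this is example code written for this page, not ZITADEL's own implementation; the event kinds, role names, actor names and sample timeline are constructed), the following Go program keeps an append-only, hash-chained event log, rebuilds current or point-in-time role state by replaying it, and emits the per-user grant/revoke history an access reviewer would ask for. The hash chain is what makes the log tamper-evident: editing any stored event breaks verification from that position onward.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// EventKind enumerates the state changes this toy IAM store records (constructed names).
type EventKind string

const (
	UserCreated EventKind = "user.created"
	RoleGranted EventKind = "role.granted"
	RoleRevoked EventKind = "role.revoked"
)

// Event is one immutable fact: what changed, on which user, by whom, and when.
type Event struct {
	Seq    uint64    // position in the log; never reused
	At     time.Time // when the change happened
	Kind   EventKind
	UserID string // aggregate the event belongs to
	Role   string // set for role.* events, empty otherwise
	Actor  string // principal that caused the change
	Hash   string // SHA-256 over the previous hash and this event's fields
}

// EventStore is append-only: events are added, never updated or deleted in place.
type EventStore struct {
	events []Event
}

// digest binds an event to its predecessor so later edits are detectable.
func digest(prevHash string, e Event) string {
	payload := fmt.Sprintf("%s|%d|%s|%s|%s|%s|%s",
		prevHash, e.Seq, e.At.UTC().Format(time.RFC3339Nano), e.Kind, e.UserID, e.Role, e.Actor)
	sum := sha256.Sum256([]byte(payload))
	return hex.EncodeToString(sum[:])
}

// Append records a new event and chains its hash to the previous one.
func (s *EventStore) Append(kind EventKind, userID, role, actor string, at time.Time) Event {
	prev := ""
	if n := len(s.events); n > 0 {
		prev = s.events[n-1].Hash
	}
	e := Event{Seq: uint64(len(s.events)) + 1, At: at, Kind: kind, UserID: userID, Role: role, Actor: actor}
	e.Hash = digest(prev, e)
	s.events = append(s.events, e)
	return e
}

// Verify recomputes the chain and reports the first event whose hash no longer matches.
func (s *EventStore) Verify() error {
	prev := ""
	for _, e := range s.events {
		if digest(prev, e) != e.Hash {
			return fmt.Errorf("event %d has been altered", e.Seq)
		}
		prev = e.Hash
	}
	return nil
}

// Roles is a derived view (userID -> set of roles); it is never the source of truth.
type Roles map[string]map[string]bool

// Replay rebuilds role state from the log up to and including upToSeq.
// The latest seq yields current state; an earlier seq yields point-in-time state.
func (s *EventStore) Replay(upToSeq uint64) Roles {
	r := Roles{}
	for _, e := range s.events {
		if e.Seq > upToSeq {
			break
		}
		switch e.Kind {
		case UserCreated:
			r[e.UserID] = map[string]bool{}
		case RoleGranted:
			if r[e.UserID] == nil {
				r[e.UserID] = map[string]bool{}
			}
			r[e.UserID][e.Role] = true
		case RoleRevoked:
			delete(r[e.UserID], e.Role)
		}
	}
	return r
}

// Of returns the sorted roles a user holds in this view.
func (r Roles) Of(userID string) []string {
	out := []string{}
	for role := range r[userID] {
		out = append(out, role)
	}
	sort.Strings(out)
	return out
}

// AccessHistory is the access-review artifact: every grant and revoke for one user.
func (s *EventStore) AccessHistory(userID string) []Event {
	var out []Event
	for _, e := range s.events {
		if e.UserID == userID && (e.Kind == RoleGranted || e.Kind == RoleRevoked) {
			out = append(out, e)
		}
	}
	return out
}

// SampleStore builds a constructed log; the data is illustrative, not from any deployment.
func SampleStore() *EventStore {
	s := &EventStore{}
	t0 := time.Date(2026, 3, 1, 9, 0, 0, 0, time.UTC)
	s.Append(UserCreated, "u1", "", "admin", t0)
	s.Append(RoleGranted, "u1", "org.owner", "admin", t0.Add(time.Hour))
	s.Append(RoleGranted, "u1", "project.viewer", "admin", t0.Add(2*time.Hour))
	s.Append(RoleRevoked, "u1", "org.owner", "admin", t0.Add(24*time.Hour))
	return s
}

func main() {
	s := SampleStore()
	fmt.Println("current roles:", s.Replay(4).Of("u1"))
	fmt.Println("roles at seq 3:", s.Replay(3).Of("u1"))
	for _, e := range s.AccessHistory("u1") {
		fmt.Printf("%d %s %s %s by %s\n", e.Seq, e.At.Format(time.RFC3339), e.Kind, e.Role, e.Actor)
	}
	fmt.Println("chain intact:", s.Verify() == nil)
}
```

Replaying to an earlier sequence number is what turns the log into an audit answer ("what could this user do on that date?"), and the chain verification is the check a reviewer runs before trusting the history; in a real deployment the chain root would be anchored outside the database (for instance, periodically signed and stored elsewhere) so that an operator with write access to the store cannot silently rewrite it.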
Security & Governance (Risk Assessment)
- Jurisdiction & Geopolitics (Switzerland): CAOS Ltd. is incorporated in St. Gallen, Switzerland: outside US CLOUD Act jurisdiction, outside EU regulatory jurisdiction, and covered by Switzerland's Federal Act on Data Protection (nDSG). Switzerland holds EU adequacy status for GDPR purposes, meaning identity data processed by ZITADEL Cloud transfers legally between EU and Swiss infrastructure without Standard Contractual Clauses. For self-hosted deployments, the operator's chosen hosting jurisdiction applies entirely; CAOS Ltd. has no access to identity data.
- The Compliance Shift: ZITADEL Cloud holds verified SOC 2 Type II and ISO 27001:2022 certifications, verifiable at zitadel.com/trust. These certifications do not extend to self-hosted instances; operators assume full responsibility for infrastructure hardening, database encryption, network access controls, and key management. The event-sourcing architecture materially reduces audit preparation effort: every access event is logged immutably by default, producing the access review artifacts required by SOC 2 and ISO 27001 without additional SIEM configuration.
- License Risk (AGPL-3.0, Network Copyleft): AGPL-3.0 closes the SaaS loophole: any party operating a modified ZITADEL instance accessible over a network must release those source modifications. For standard enterprise IAM deployment (an organisation running ZITADEL as its internal identity provider), AGPL-3.0 is operationally neutral. The risk applies specifically to managed service providers or SaaS platforms wishing to offer ZITADEL-based authentication as a product; those operators must either open-source their modifications or negotiate a commercial licence with CAOS Ltd.
4. Market Landscape
Proprietary Incumbents
- Auth0 (Okta): The dominant IDaaS platform, with a mature developer experience and an extensive integration catalog, but MAU-based pricing ($0.07+/MAU) compounds rapidly at scale, B2B multi-tenancy requires the enterprise tier, and all identity data resides in Okta's US-managed cloud infrastructure.
- Firebase Authentication: Google's serverless authentication service; low implementation friction for consumer apps, but zero data portability (vendor-managed identity store), no self-hosting option, and full US CLOUD Act exposure via Google's infrastructure make it unsuitable for regulated enterprise or sovereignty-sensitive deployments.
Open Source Ecosystem
- Keycloak: The Java-based enterprise IAM standard with the broadest protocol support and longest production track record; the incumbent for organizations already running JVM infrastructure or requiring deep Kerberos/legacy enterprise federation support.
- Authentik: The DevOps-oriented modern alternative, with broader out-of-the-box proxy and outpost support and a Python/Django stack that trades ZITADEL's Go performance profile for a more extensible policy engine.