ZITADEL

ZITADEL is an open-source identity and access management platform from Switzerland that competes head-on with Auth0, Keycloak, and Authentik. We rate it 86/100 — it is the strongest pick if you are building a B2B SaaS, need real multi-tenancy, and want the option to self-host on your own Postgres without giving up modern features like passkeys, SCIM 2.0, and a full event-sourced audit trail.

What is ZITADEL?

ZITADEL is built by CAOS AG, a Swiss company founded in 2019 by Florian Forster (CEO), Fabienne Bühler (CPO), and a team of identity infrastructure veterans in St. Gallen, Switzerland. The company has raised roughly $11.5M across a 2022 $2.5M seed and a follow-on Series A, and runs a hosted ZITADEL Cloud product alongside the open-source repo on GitHub.

The reason teams reach for ZITADEL instead of rolling their own auth or paying Auth0's per-MAU bill is that it gives you everything modern identity platforms ship — SSO, MFA, OIDC, SAML 2.0, SCIM 2.0, passkeys, social and enterprise IdP brokering — but with a strict multi-tenant hierarchy (Identity System → Organizations → Projects) and the same codebase running on ZITADEL Cloud and your own server. Every mutation is written as an immutable event, so the audit trail is the database, not an afterthought.

Key Features of ZITADEL

• Native multi-tenancy: A two-level hierarchy of Organizations and Projects with isolated policies, branding, and IdPs at every level — far closer to a real B2B model than Keycloak realms or Auth0 organizations.
• Event-sourced audit trail: Every change is an immutable event in Postgres. You can replay state at any point in time and stream events out via webhooks for SOC/SIEM integration.
• Passkeys, MFA, and modern protocols: FIDO2/WebAuthn passkeys, OTP via authenticator apps, email, and SMS, plus OpenID Connect Certified, SAML 2.0, LDAP, and machine-to-machine auth via JWT Profile, PAT, and Client Credentials.
• API-first, gRPC + connectRPC + REST: Every resource is callable from typed APIs across three transports — a meaningful upgrade over Keycloak and Auth0, which expose REST only.
• Actions v2: Webhooks and custom code that run inside the auth flow for token enrichment, custom claims, B2B onboarding, and approval gates.
• SCIM 2.0 server: Inbound user and group provisioning from Okta, Entra ID, and JumpCloud — without the Auth0 enterprise add-on tax.
• Hosted Login V2: A new fully customizable login experience released with v3 in 2025 that you can self-host or call programmatically.
• Self-host parity: Up and running with Docker Compose in under three minutes, or production-ready on Kubernetes with documented zero-downtime updates.

What Users Say About ZITADEL

The longest-running ZITADEL discussion on Hacker News (item 31408059) is titled "Zitadel: The best of Auth0 and Keycloak combined," and the recurring praise across that thread, GitHub Discussions, and r/selfhosted is that the same image runs on Cloud and on a homelab Postgres without configuration drift. Developers also call out the docs and the Discord community — the team is genuinely responsive on issues.

The honest pushback is twofold. First, the 2025 license change from Apache 2.0 to AGPL 3.0 on the main repo was unpopular with some adopters who had built downstream products against the older license; you'll see this come up on Reddit threads about open-source identity in 2025 and 2026. Second, ZITADEL Cloud's lowest paid tier sits at $100/month for 25,000 daily active users, which is excellent for production SaaS but a meaningful jump for hobby projects that outgrow the 100-DAU free tier — several Product Hunt and Reddit comments flag this gap.

ZITADEL Pricing

ZITADEL is dual-licensed: the main repo is AGPL 3.0 (post-2025) for free self-hosting, with Apache 2.0 and MIT carve-outs for SDKs and selected directories. ZITADEL Cloud is pay-as-you-go and starts free.

Plan	Price	Daily Active Users	Notes
Free (Cloud)	$0/month	100 DAUs	Unlimited total users, MFA, passkeys, audit logs, 3 IdPs.
Pro (Cloud)	$100/month base	Up to 25,000 DAUs	Custom domain, additional usage billed per volume.
Enterprise	Contact sales	Custom	Dedicated SLA, premium support, technical account manager.
Self-hosted	Free (AGPL)	Unlimited	Run on your own Postgres; commercial support available.

Who Should Use ZITADEL?

Best for: B2B SaaS teams that need real multi-tenant identity (think project-management tools, vertical SaaS, dev platforms), regulated companies that need a self-hostable IdP with a complete audit log, and anyone who has been quoted a six-figure Auth0 enterprise contract and wants an open-source escape hatch with feature parity.

Not ideal for: Pure consumer apps with a single tenant where Clerk, Stack Auth, or Better Auth ship faster, and homelab users who can't tolerate the AGPL obligations on derivative works.

Pros and Cons

Pros:

• Same codebase in Cloud and self-hosted — no parity drift between environments.
• Native multi-tenancy with strict isolation; B2B onboarding flows are first-class, not bolted on.
• Event-sourced architecture gives you a real audit trail without a separate logging pipeline.
• OpenID Connect Certified, SAML, SCIM 2.0, LDAP, gRPC, connectRPC, REST — basically every protocol you'd ask for.
• 3-minute Docker Compose start; production-grade Kubernetes deployment is documented.

Cons:

• 2025 license switch to AGPL 3.0 introduced friction for some commercial adopters.
• The jump from the 100-DAU free tier to the $100/month Pro plan is steep for small side projects.
• Initial admin console UI has a learning curve compared to Auth0's polished dashboard.
• Postgres-only — teams running MySQL or CockroachDB-only stacks will need to provision Postgres specifically for ZITADEL.

Alternatives to ZITADEL

The closest competitors are Keycloak (the long-standing open-source IAM from Red Hat — more mature, less opinionated, no built-in B2B model), Better Auth (TypeScript-first, code-as-config, far simpler but lacks SCIM and SAML at the same depth), and Stack Auth (the open-source Auth0 alternative, strong DX, less mature multi-tenancy than ZITADEL).

Verdict: Is ZITADEL Worth It?

If you are shipping a B2B product and your auth requirements include organizations, projects, SCIM provisioning, and a real audit trail — ZITADEL is the most capable open-source option on the market in 2026, and it earns the 86/100 rating despite the AGPL friction. The pricing gap between free and Pro is a real consideration for hobbyists, but for any team building a commercial SaaS, $100/month for production-grade multi-tenant identity is a bargain compared to Auth0 or Okta. Self-host first, move to ZITADEL Cloud when you don't want to operate Postgres anymore.

Frequently Asked Questions

Is ZITADEL free?

Yes. The self-hosted version is free under AGPL 3.0, and ZITADEL Cloud has a free tier with 100 daily active users, unlimited total users, MFA, passkeys, and audit logs. Paid Cloud plans start at $100/month for up to 25,000 DAUs.

Is ZITADEL open source?

Yes. The main repo at github.com/zitadel/zitadel is licensed under AGPL 3.0 (it switched from Apache 2.0 in 2025), with Apache 2.0 and MIT carve-outs for SDKs and selected directories.

How does ZITADEL compare to Keycloak?

Both are open-source and self-hostable. Keycloak is older, more mature, and uses realms for multi-tenancy. ZITADEL is more modern, API-first across gRPC/connectRPC/REST, and has stronger native multi-tenancy with Organizations and Projects designed specifically for B2B SaaS.

How does ZITADEL compare to Auth0?

Auth0 is closed-source SaaS only. ZITADEL is open-source and runs the same codebase on Cloud and self-hosted, so you avoid vendor lock-in. ZITADEL also bills on actual daily active users instead of Auth0's peak-MAU model, which often produces unexpected invoices.

What database does ZITADEL require?

PostgreSQL 14 or newer. Earlier versions also supported CockroachDB, but the modern deployment story is Postgres-only.

Does ZITADEL support passkeys and MFA?

Yes. ZITADEL ships FIDO2/WebAuthn passkeys, U2F, OTP via authenticator apps, OTP via email and SMS, and is OpenID Connect Certified. All MFA features are included on the free Cloud tier.