ZITADEL API Reference Overview
ZITADEL exposes all features via different gRPC and REST APIs and provides SDKs for popular languages and frameworks.
The OpenID Connect & OAuth endpoints and SAML 2.0 endpoints are implemented and exposed according to the specific standards. Managing resources such as users, organizations, instances, or settings must be done with the different ZITADEL APIs.
Actions allow extending ZITADEL with custom code to change default behaviors or calling external systems.
Authentication & Authorization
Authentication for users (interactive)
ZITADEL implements industry standards such as OpenID Connect, OAuth 2.0, or SAML for authentication. Please refer to our guides on how to authenticate users through an interactive authentication process.
For user authentication on devices with limited accessibility (eg, SmartTV, Smartwatch, etc.) use the device authorization grant.
Additionally, you can use the session API to authenticate users, for example, by building a custom login UI.
Authenticate service accounts
Service accounts allow for machine-to-machine (M2M) communication. Follow the guides to learn how to authenticate service accounts.
Accessing the ZITADEL APIs through a service account might require additional steps, please follow the guide on how to access ZITADEL APIs to include the correct audience scope in your requests.
OpenID Connect & OAuth
- OpenID Connect endpoints definition
- Standard and reserved scopes reference
- Standard, custom, and reserved claims reference
The OIDC Playground is for testing OpenID authentication requests and their parameters.
SAML 2.0
- SAML 2.0 endpoints definition
- Custom attributes can be added with an action
Session-based and custom login
For building a custom login flow, you have access to purpose-built v2 APIs:
- Create or update a session to authenticate users step by step
- Get OIDC auth request details when acting as an OIDC provider
- Get SAML request details when acting as a SAML provider
User role assignments can be retrieved as roles from our APIs.
Refer to our guide to learn how to build your own login UI
ZITADEL APIs
Use the v2 APIs for all new integrations. They are the recommended, resource-based API surface for ZITADEL and where all new development is happening. The v1 APIs are legacy: fully supported and still required in some places, but not being extended.
If the resource you need is not yet available in v2, use the corresponding legacy v1 API for that operation and check the migration guide to plan your transition.
APIs v2 (resource-based)
ZITADEL provides v2 APIs for the following resources:
- User — manage users and their authentication methods
- Session — create and manage user sessions
- Organization — manage organizations
- Instance — manage your ZITADEL instance
- Project — manage projects and granted projects
- Application — manage OIDC, SAML, and API applications
- IDP — manage identity providers
- Group — manage user groups
- Settings — read login and instance settings
- Feature — manage feature flags
- Authorization — check and manage user permissions
- Action — manage execution targets and action flows
- WebKey — manage signing keys
- OIDC — handle OIDC authorization flows (used when building a custom login UI)
- SAML — handle SAML authorization flows (used when building a custom login UI)
Not finding a resource here? It has not yet been migrated to v2 — use the legacy v1 APIs below for that operation.
Legacy v1 APIs
The following APIs predate the v2 resource-based design. They are still fully supported and required for capabilities not yet covered by v2, but they are no longer being extended. If you are building something new, check the v2 section above first.
Looking to move an existing integration off v1? See the v1 to v2 migration guide.
Authentication
The Auth API covers operations on the currently authenticated user. The user is identified from the sub claim in the access token.
For new integrations, prefer the User v2 API and Session v2 API which provide the same capabilities in a resource-based design.
Auth GRPC
Endpoint:
${CUSTOM_DOMAIN}/zitadel.auth.v1.AuthService/
Definition: Auth Proto
Auth REST
Endpoint:
${CUSTOM_DOMAIN}/auth/v1/
API Reference: OpenAPI Docs
Management
The Management API lets systems read and mutate resources within an organization — users, projects, applications, roles, and more. The target organization is determined by the x-zitadel-orgid request header, or falls back to the organization of the authenticated user.
For new integrations, prefer the User v2 API for user management, which handles both instance-level and organization-level access automatically based on caller permissions.
Mgmt GRPC
Endpoint:
${CUSTOM_DOMAIN}/zitadel.management.v1.ManagementService/
Definition: Management Proto
Mgmt REST
Endpoint:
${CUSTOM_DOMAIN}/management/v1/
API Reference: OpenAPI Docs
Administration
This API is intended to configure and manage one ZITADEL instance itself.
Admin GRPC
Endpoint:
${CUSTOM_DOMAIN}/zitadel.admin.v1.AdminService/
Definition: Admin Proto
Admin REST
Endpoint:
${CUSTOM_DOMAIN}/admin/v1/
API Reference: OpenAPI Docs
System
This API is intended to manage the different ZITADEL instances within the system.
Checkout the guide how to access the ZITADEL System API.
System GRPC
Endpoint:
${CUSTOM_DOMAIN}/zitadel.system.v1.SystemService/
Definition: System Proto
System REST
Endpoint:
${CUSTOM_DOMAIN}/system/v1/
API Reference: OpenAPI Docs
Assets
The Assets API allows you to up- and download all kinds of assets. This can be files such as logos, fonts or user avatar.
Client libraries & schemas
ZITADEL publishes official and community-supported SDKs for multiple languages and frameworks. All API services are defined as proto definitions on GitHub — most languages let you generate a type-safe client directly from them.
Domains
ZITADEL hosts everything under a single domain: {instance}.zitadel.cloud or your Custom Domain ${CUSTOM_DOMAIN}
The domain is used as the OIDC issuer and as the base URL for the gRPC and REST APIs, the Management Console (${CUSTOM_DOMAIN}/ui/console/), and the hosted Login UI (${CUSTOM_DOMAIN}/ui/v2/login).
Are you self-hosting and having troubles with Instance not found errors? Check out this page.
API path prefixes
If you run ZITADEL on a Custom Domain, you may want to reuse that domain for other applications. For easy copying to your reverse proxy configuration, here is the list of URL path prefixes, ZITADEL uses.
# v2 APIs (recommended for new integrations)
# REST (HTTP/JSON transcoding):
/v2/
# gRPC + Connect protocol (binary or JSON via connectRPC):
/zitadel.action.v2.ActionService/
/zitadel.application.v2.ApplicationService/
/zitadel.authorization.v2.AuthorizationService/
/zitadel.feature.v2.FeatureService/
/zitadel.group.v2.GroupService/
/zitadel.idp.v2.IdentityProviderService/
/zitadel.instance.v2.InstanceService/
/zitadel.oidc.v2.OIDCService/
/zitadel.org.v2.OrganizationService/
/zitadel.project.v2.ProjectService/
/zitadel.saml.v2.SAMLService/
/zitadel.session.v2.SessionService/
/zitadel.settings.v2.SettingsService/
/zitadel.user.v2.UserService/
/zitadel.webkey.v2.WebKeyService/
# v2beta — kept for backward compatibility, use /v2/ for new work
/v2beta/
# Legacy v1 APIs
/zitadel.admin.v1.AdminService/
/admin/v1/
/zitadel.auth.v1.AuthService/
/auth/v1/
/zitadel.management.v1.ManagementService/
/management/v1/
/zitadel.system.v1.SystemService/
/system/v1/
/assets/v1/
# OpenID Connect, OAuth 2.0, SAML 2.0 & standards
/oidc/v1/
/saml/v2/
/oauth/v2/
/device
/.well-known/openid-configuration
/openapi/
/idps/callback
# UIs
/ui/console/ # Management Console (Angular admin UI)
/ui/v2/login # Login UI v2 (Next.js; routes to a separate container in self-hosted deployments)
/ui/login/ # Login UI v1 (legacy, built into the ZITADEL binary)Postman Collection (Beta)
We published an official Postman collection to help you explore and test the ZITADEL APIs.
The collection is organized by services and includes a script to automatically authenticate requests. Before using it, make sure to configure the required environment variables in Postman:
| Variable Name | Description |
|---|---|
protocol | http for local testing, or https for cloud/self hosted instances |
custom_domain | The domain of your Zitadel instance. |
service_client_id | Client ID of service account with IAM_OWNER role in your Zitadel instance. |
service_client_secret | Client secret for the service account. |
api_client_id | Client ID of an API application. |
api_client_secret | Client secret for the API application. |
project_id | A project ID within your Zitadel instance. |
This release is currently in beta, and we welcome your feedback to improve it.
Was this page helpful?