Authorization sits at the heart of every secure application. While authentication answers "who are you?", authorization tackles the more complex question: "what are you allowed to do or see?" For identity and security professionals, getting authorization right means balancing security with usability—ensuring legitimate users can access what they need while keeping unauthorized access at bay.

This challenge becomes more complex in modern distributed architectures. Where applications likely span across multiple services, APIs, and user types. Each component needs to make authorization decisions quickly and accurately, often with limited context about the user's broader permissions and organizational relationships.

Zitadel approaches this challenge through a structured authorization model built around projects, roles, and audience-restricted tokens. The goal is creating a foundation that scales with your organization while maintaining security principles that actually work in practice.
## Understanding Zitadel's Authorization Architecture
Authorization in Zitadel starts with understanding how permissions flow through your system. Rather than treating authorization as an afterthought, Zitadel structures it around clear organizational concepts that map to how your business actually operates.

**Projects serve as logical containers** for related applications and services. Think of a project as a business domain or product area where multiple applications need to share authorization context. For example, your customer portal, mobile app, and backend APIs for customer management might all belong to the same project because they operate on the same business logic and user permissions. Google Drive is another example of this. Whether accessing Google Drive via mobile, web, or desktop app, your authorization remains consistent. All three share the same access but are distinct clients..

**Roles define what users can do** within those projects. You might have heard this referred to as RBAC or Role-Based Access Control. The important thing to know is these roles aren't just labels—they represent specific permissions that your applications can check when making authorization decisions. The key insight here is that roles belong to projects, not individual applications, which means you can maintain consistent permissions across all the applications in a business domain.

**Authorizations connect users to roles** within specific projects. This three-way relationship between users, roles, and projects gives you fine-grained control over who can do what, where. You can also create external user grants, which allow users from other organizations to access specific roles in your projects—essential for B2B scenarios where partner organizations need limited access to your systems.

This structure solves a common problem in enterprise authorization: the tension between centralized control and distributed decision-making. Your security team can define roles and projects centrally, while individual applications can make authorization decisions locally using the tokens they receive.
## How Scopes and Claims Create Authorization Context
When applications request access or ID tokens, they use scopes to specify what information they need about the user. The real purpose here is building the authorization context that your backend services need to make security decisions.

Zitadel translates [specific scopes into claims within the token](https://zitadel.com/docs/apis/openidoauth/scopes). Claims carry the authorization information your applications need, including role assignments, organizational membership, and project-specific permissions. You can then approach this in 1 of 2 ways: 

1. JSON Web Tokens (JWTs): This approach means your backend services don't need to make additional calls to determine what a user can do—the authorization information travels with the token.  
2. Opaque Tokens: This approach means additional calls are needed since a lookup is required for associated claims retrieval.

Each approach has advantages and disadvantages. You can find out more about both in our post [JWT vs. Opaque Tokens](https://zitadel.com/blog/jwt-vs-opaque-tokens).

Custom claims extend this concept further. Using [Zitadel Actions](https://zitadel.com/docs/concepts/features/actions), you can add business-specific information to tokens based on your authorization logic.This is known as attribute-based access control (ABAC). ABAC manages access to resources through the use of attributes and might include department codes, security clearance levels, or dynamic permissions based on current context like time of day or geographic location.

The practical benefit here is reduced latency and improved reliability. Your applications can make authorization decisions locally using information in the token, rather than making additional network calls to authorization services for every protected resource access.
## Controlling Token Audience for Better Security
One of the most important security practices in token-based authorization is [audience restriction](https://zitadel.com/docs/guides/integrate/retrieve-user-roles#determine-the-audience). Without proper audience controls, a token intended for one application might be accepted by another, creating unintended access paths that attackers can exploit.

Zitadel addresses this through reserved scopes that explicitly define token audiences. When requesting a token, you can include the scope `urn:zitadel:iam:org:project:id:{projectId}:aud` to restrict that token to a specific project. The resulting token will include the project ID in its audience claim, ensuring it can only be used with applications that belong to that project.

This audience restriction works alongside [two additional authentication controls](https://zitadel.com/docs/guides/manage/console/projects#role-settings) that strengthen your security posture. The "Check authorization on Authentication" setting ensures users can only authenticate if they have at least one role assigned to their account. This prevents unauthorized users from obtaining tokens at all, even if they have valid credentials.

The "Check for Project on Authentication" setting adds another layer by verifying that the user's organization has access to the project they're trying to authenticate against. This is particularly valuable in multi-tenant scenarios where you need to ensure users from one organization can't access another organization's resources.

These controls work together to create defense in depth: unauthorized users can't get tokens, authorized users get tokens restricted to appropriate audiences, and your applications can verify those audience restrictions before granting access.
## Implementing Token Validation in Your Backend
Your backend applications play a crucial role in the authorization chain. Even with properly scoped and audience-restricted tokens, your applications need to validate those tokens correctly to maintain security.

The first validation step is checking the token's audience claim. Every token your application receives should include your project ID in its audience claim. If it doesn't, reject the token immediately. This prevents tokens issued for other applications or projects from being used against your services.

Token introspection provides a second validation mechanism that also retrieves detailed token information. The introspection endpoint allows your backend to verify token validity and extract claims in a single API call. Please note, this only works with client authorization:

```
curl --request POST \
  --url {your_domain}/oauth/v2/introspect \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \
  --data client_assertion=dxQxghCaq1MOUXnvuR... \
  --data token=D1FEN5o1SVkEvcX_sG4ce0521sFpgrfF4...
```

This approach gives you both security validation and authorization information in one step. The introspection response includes all the claims your application needs to make authorization decisions, including role assignments and custom claims you've configured.

The introspection pattern also handles token lifecycle management automatically. Revoked tokens will fail introspection, expired tokens are rejected, and you get current authorization information even if user permissions have changed since the token was issued.
## Building Authorization That Scales
Effective authorization requires creating systems that remain manageable as your organization grows. Zitadel's project-based approach scales naturally because it mirrors how businesses actually organize work and permissions.

As you add new applications, they inherit the authorization structure of their project. New roles apply across all applications in a project automatically. User permissions remain consistent whether they're accessing your web portal, mobile app, or API directly.

This consistency reduces the administrative overhead that often makes authorization systems difficult to maintain. Security teams can focus on defining business-appropriate roles and projects, while development teams can trust that the authorization information in tokens accurately reflects current user permissions.

The audience restriction and validation patterns also scale effectively because they push authorization decisions to the edge—your applications can make security decisions locally using information in tokens, rather than creating bottlenecks with centralized authorization services.
![image title](https://cdn.sanity.io/images/y3uu7rkl/production/04415b353ff0ea82e08a2211124202dc3df08522-1500x1000.png)
## Next Steps for Your Authorization Strategy
Getting authorization right requires both technical implementation and organizational clarity about roles and permissions. Start by mapping your current applications to logical projects, then define roles that reflect real business permissions rather than technical implementation details.

Zitadel provides the technical foundation for scalable authorization, but the success of your implementation depends on thoughtful role design and consistent application of audience restrictions and token validation patterns.

Ready to implement robust authorization in your applications? Explore Zitadel's authorization features hands-on with our [cloud account (for free)](https://zitadel.com/docs/quickstart). You can set up projects, define roles, and test token flows in minutes, giving you practical experience with the concepts covered in this guide.

For organizations evaluating identity infrastructure solutions, our team can help you design an authorization strategy that fits your specific requirements. [Contact us](mailto:hi@zitadel.com) to discuss how Zitadel's authorization model can simplify security while supporting your business objectives.

Stop authorization chaos with Zitadel's structured approach. Real-world guide to projects, roles, and secure token management for identity professionals.

Building Secure Authorization: A Practical Guide to Token Management in Zitadel

Delegated access management

Hosted Login

Multifactor Authentication

Passwordless Authentication

Audit Trail

Identity Brokering

Platform

Service Accounts

Features

Easy integration

B2B (Business to Business)

Self Service

Existing identities

Secure authentication

Use Cases

Learn how to install, setup, and use ZITADEL.

Documentation

ZITADEL Cloud

Self-hosting

Trust center

Examples and Guides

Github Repository

Develop

Get Started

Contribute

Roadmap

Changelog

About Us

Jobs

Contact

Company

Read the blog

Sign up

Login

Pricing

Blog

Twice a year, we block our calendars, say goodbye to the familiar lag of Google Meet, and trade our home offices for the buzz of in-person conversations, shared meals, and the kind of spontaneous laughter you just can't schedule. These retreats are more than just a change of scenery and pace - they are how we stay connected. Through moments that spark important conversations, ideation over gentle rain and warm kebabs, or much needed pauses during late-night board games, we reconnect not just as coworkers, but collaborators united by a shared vision. 

In alignment with the fresh energy that spring brings, we experienced our own season (buh-dum-tss) of growth. Since our last retreat in Zurich, Switzerland, the Zitadel team  has nearly doubled , welcoming a vibrant mix of fresh faces across Sales, Support, Data Engineering, Marketing, and other functions  - expanding the talented team that drives us forward. 

Nestled between a lake and mountains in Switzerland, Thun gave us the perfect backdrop for this retreat: misty weather, glistening water, and just the perfect amount of old-town charm to settle in, slow down, and welcome our newest members. 
## Arrivals
![image title](https://cdn.sanity.io/images/y3uu7rkl/production/e55f3b611eb4a375f96472f9cd5ff5066fe13a74-4032x3024.jpg)

As the team found their way to the beautiful city of Thun through the surrounding snow capped mountain range, much of the crew settled in from 20+ hours of travel adventure having traversed a wide variety of trains and airports. The laughter and camaraderie filled the air of the hotel lobby as the “long timers” welcomed “newbies” to the Zitadel crew. 

White table cloths and delicious local cuisine lined the restaurant tables as discussions unfolded from the team around what they hoped to get out of the offsite and excitement on topic discussions ahead that were sure to make a positive impact ahead. Smiles filled the room as the vision alignment connected effortlessly across the room and secured the fact that this was going to be a productive trip!
## Activities and Exploration 
![image title](https://cdn.sanity.io/images/y3uu7rkl/production/504b9a1fa31d273a2c00aad55c7e19fbbd287bc2-4032x2268.jpg)

Over the next several days, the team participated in planned and ad hoc discussions on topics including how to deliver value through our content strategy, tooling deep dives, empowering our developer community, and elevating our user onboarding experience.

Key takeaways are:
* **Enhancing Onboarding experience**: With the recent additions of the initial account setup checklist for new account creations, it is important to continue improving onboarding with Zitadel!
* **Elevating Zitadel’s Content**: Our community's feedback on which content delivers the most practical value drives our commitment to creating content that matters. We are strengthening our blog articles and documentation by prioritizing high-impact topics such initial setup, feature use cases, and competitor platform migrations to address the real-world challenges technical teams face in their IAM implementations.
* **Internal Tools and Team Efficiency**: With team expansion in mind, discussions centered on how strategic use of tools like GitHub and Asana can proactively address communication challenges that emerge at scale. The focus was on implementing robust processes and workflows now that will reduce communication friction and maintain team efficiency as headcount increases.   
![image title](https://cdn.sanity.io/images/y3uu7rkl/production/8cd38eb26f4fcfd27ac0719fa327b03027bc5e67-3024x4032.jpg)
When we stepped away from the meeting room we had a chance to bond as a team at a few different special locations. The St. Beatus Höhlen  cave tour showcased a stunning cave’s inner workings that is millions of years old. The Rubigencenter offered fun and games for some team competitions. Finally the walk through the Aare Gorge (Aareschlucht) set the stage for the perfect backdrop for an updated team photo as Zitadel nears 25 employees from access the globe. 
![image title](https://cdn.sanity.io/images/y3uu7rkl/production/137220f4f5f4201ef363ac15afc982dc7529f6b2-2048x1365.jpg)
## Wrapping Up 
Every retreat leaves us more connected, aligned, and certainly more inspired! We returned home energized (after recovering from the jet-lag, of course!), full of fresh ideas, shared memories, and the kind of momentum that only comes from in-person connection. We are not only committed to building a great product, but a company we are proud to be part of - and this retreat reinforced just how far we've come, and how much possibility lies ahead as we keep growing together.

💜 **Here are quotes from some of our newest team members about their retreat experience:** 

![image_title](https://cdn.sanity.io/images/y3uu7rkl/production/aff121838a620b1d4bbab21dcf79a4876d1cd831-4032x3024.jpg)
“What an amazing week! I feel truly privileged to have finally met my teammates in person and to experience the beauty of Switzerland together—it was one of the best bonding experiences I’ve had. I had meaningful conversations, lots of fun, and walked away feeling truly part of something great.” 
- **Matías Racedo, Sales Engineer** 

![image title](https://cdn.sanity.io/images/y3uu7rkl/production/505bdcbc55ccf35b76577b6ccad59080c1fbbcb3-3072x4080.jpg)

“The Zitadel team retreat in Thun was an amazing experience, both professionally and personally. I really enjoyed getting to know the team — all the insightful and fun conversations had a very positive impact on me. Having joined the company less than two months ago, it felt great to meet everyone and see firsthand the culture that drives the team. It's inspiring to be surrounded by so many smart people. I’m genuinely excited to start contributing and help take Zitadel to new heights!”
- **Federico Coppede, Sales Engineer**

![image title](https://cdn.sanity.io/images/y3uu7rkl/production/49df071b34177410f79c4cc2f66466bc1bdffa47-4032x2268.jpg)
"The retreat in Thun is something that I'll remember for the rest of my life. As a new joiner, being with a new team in a foreign place, I'll admit I may have been a tad nervous. But I quickly realized that this was all for not. Though I met many people for the first time, it felt like I was talking to old friends that I've known for years and every day I got to experience different personalities and different conversations. I feel very fortunate to be working with such an intelligent, talented group of genuinely good people. I learned a lot from the workshops and it didn't hurt that we were surrounded by crystal clear waters and beautiful mountains. I got back feeling recharged and I'm chomping at the bit to work with this team to take Zitadel to new heights! 5 stars-would highly recommend :)"
- **Joshua Chae,  Account Executive**

![image title](https://cdn.sanity.io/images/y3uu7rkl/production/ac77971915306fbc54296f2fe68001da9f655e42-4032x2268.jpg)
“The team retreat in Thun has been a fantastic event on so many levels. I had the chance to meet the team for the first time and connect with everyone. It was my first time seriously visiting Switzerland, despite not living that far from it. It was such a great discovery, such a beautiful place with its mountains and lakes. The scheduled workshops we had were also very insightful and they helped me to know the company better, how it operates in the OSS world and its objectives for the future. It has also been a moment for rediscovering Magic The Gathering, one of my hobbies, with my coworkers: the draft game we had was amazing and it was so exciting to teach others how to play!”
- **Marco Ardizzone, Backend Engineer**

![image title](https://cdn.sanity.io/images/y3uu7rkl/production/14c82bc8eb8ef2bbade1157aaf99fc12d3484bc3-3072x4080.jpg)
“Joining a remote team can be a puzzle, but this retreat instantly clicked everything into place. It was wonderful to finally put faces to names and feel like I'm part of a genuinely fun and supportive family right from the start.”
- **Mridang Agarwalla, Product Engineer (SDKs)**

Discover how the recent annual company retreat in Thun, Switzerland set the backdrop for Zitadel’s 2025 second half priorities and strategies.

Mountains, Milestones, and Magic - Company Retreat V5

Recently, I wrote a blog post on [Token Management](https://zitadel.com/blog/token-management-in-zitadel). While the main focus there was on building secure authorization and what that means, I also briefly discussed the differences between authentication and authorization.That post is fairly technical. However, I realize not everyone learns that way nor will everyone fully understand the differences between the two. With that in mind, I decided to share a couple of real world examples with you that have helped me better understand things.

First, think of authentication and authorization as two separate but connected security gates. Authentication answers "Who are you?" while authorization answers "What are you allowed to do?" Once you grasp this core distinction, the examples become much clearer.
![image title](https://cdn.sanity.io/images/y3uu7rkl/production/f13f7ecf8c61b9024295d1af14c87a47cff9402d-940x788.png)
## Starting with Streaming Services
When you open your favorite streaming service (we are going to use Netflix in this post) on your device, you first encounter authentication. This happens when you enter your email and password on the login screen. Netflix is asking you to prove who you are. Just like showing an ID card to a bouncer at a club, you are providing credentials that only you should know. The streaming service checks these credentials against their database to confirm your identity.

Once Netflix knows who you are, authorization kicks in. This is where the service determines which content you can access. Your subscription tier decides whether you can watch in 4K or just standard definition. Your account's age settings control whether you see R-rated movies. Your geographic location determines if you can stream certain shows that might be licensed differently in various countries. Even though you are the same authenticated person, your authorization levels change based on these factors.
## Moving to Security Systems
Physical security systems work the same way but often make the distinction more obvious. When you approach a secured building, authentication might involve swiping or scanning your employee badge or entering a PIN code. The system is verifying that the badge belongs to you and that you are indeed the person authorized to use it.

Authorization happens next, even though it might seem instantaneous. The security system checks your employee record to see which areas you are permitted to enter. A custodian might have access to all floors but not the server room. An executive might access the top floors but not the laboratory areas. A contractor might only access specific floors during business hours. Your identity stays the same, but your permissions vary based on your role and current circumstances.
## A Helpful Mental Framework
To remember the difference, think of authentication as the key to your house and authorization as the different rooms you are allowed to enter once inside. Your house key proves you belong there, but your family might have rules about which rooms different people can access.

Here's another way to cement this understanding: authentication is typically something you prove once per session, while authorization gets checked continuously. When you log into a streaming service, you authenticate once, but the service keeps checking your authorization status for each piece of content you try to watch.
![image title](https://cdn.sanity.io/images/y3uu7rkl/production/d22dd45d6c8c4d83832b31798240bee5ec401265-940x788.png)
## Why Both Matter Equally
These concepts work together to create layered security. Strong authentication without proper authorization might let someone access everything once they're in. Good authorization without strong authentication might control access well, but to the wrong people. The most secure systems excel at both, creating multiple checkpoints that verify identity and continuously validate permissions.

Try thinking of other examples in your daily life where you notice this two-step process of proving who you are, then having a system determine what you can do. What are some of your favorites? I look forward to seeing what you share.

Learn about Authentication and Authorization and how these essential concepts work together to protect systems and data.

Authorization vs Authentication

When developers think about adding authentication to their applications, they often reach for the most familiar approach — a quick login form, maybe some social providers, and call it done. Imagine a startup creates a new project management SaaS application. Following the familiar approach, their developers implement a simple login page with email/password and add a "Sign in with Google" option, and consider authentication handled.

This works well for their initial individual and small-team users. However, their application gains popularity and they land their first major business-to-business (B2B) customer. This new customer requires that its 500 employees sign in using the company's existing identity provider (like Okta or Entra ID) to enforce their own security policies.

Suddenly, the simple login system becomes a crucial bottleneck. The development team must halt work on new features to spend weeks building a custom, one-off integration for this single B2B client. When a second B2B client signs up with a different identity provider, the process repeats, turning every major sale into a slow and costly engineering project. The initial, simple approach does not scale and is ill-suited for the evolving requirements of a multi-tenant application.

The reality is that modern applications don't just need authentication. They need a whole suite of capabilities often called **identity infrastructure**.
### The Infrastructure Mindset
Consider how you approach other critical components of your application stack. You don't build your own database from scratch; you choose infrastructure that can grow with your needs like postgres, mongoDB and so on. You don't write your own monitoring system; you pick tools like grafana, datadog, that provide the foundation for observability across your entire system.

We believe Identity should be no different.

When we built Zitadel, we started with a fundamental principle: [identity is infrastructure, not just a feature]. This means designing for flexibility, scalability, and integration from day one, rather than retrofitting these capabilities as an afterthought.
### What an Identity Infrastructure Looks Like
True identity infrastructure provides more than just username and password authentication. It offers:
* Multi-tenancy at its core: Your business-to-business (B2B) customers should not have to manage separate systems or lose the ability to use their existing identity providers. True multi-tenancy means each organization can maintain their own users, policies, and integrations while you maintain a single system regardless of size or complexity.
* API-first design: Every feature accessible through clean, well documented APIs means you can integrate identity into your business processes, not work around them. Whether you need custom onboarding flows or integration with HR systems, the infrastructure adapts to your needs.
* Deployment flexibility: Sometimes you need cloud convenience, sometimes you need on-premises control. Infrastructure-grade platforms give you options without forcing architectural compromises.
* Customization without complexity: From hosted login pages that match your brand to custom workflows that trigger on specific events, you should be able to adapt the system without deploying custom code.
### The Open Source Foundation
Open source is not just about licensing.  It is about transparency, community-driven security, and avoiding vendor lock-in. When your identity system is open source, you gain access to a collective security intelligence that closed-source systems cannot match.

At Zitadel, our open source approach provides several concrete advantages:
Community-driven security: Our community regularly identifies and reports security vulnerabilities that might otherwise go unnoticed. This distributed security review process means potential issues are caught and addressed faster than any internal team could manage alone.

**Complete transparency:** You can inspect exactly how your users' data is handled, how authentication decisions are made, and how security measures are implemented. There are no black boxes in critical security functions.
**Deployment flexibility:** Migrate between self-hosted and cloud deployments as your needs change, without vendor lock-in or architectural constraints.
**Collaborative improvement:** The community contributes improvements that benefit everyone, from protocol implementations to performance optimizations.

This transparency becomes especially important when you're dealing with critical infrastructure. Modern identity protocols provide standardized "plugs" that demonstrate an application's readiness for enterprise deployment, but open source ensures you can verify and control the implementation. When security researchers can examine your identity infrastructure, you get continuous, free security auditing from experts worldwide.
### Growing Beyond Simple Auth
Many organizations start with authentication but quickly discover that they need more:
**Customer identity management** for external users with different requirements than employees
**Non-human authentication** for APIs and services
**Fine-grained authorization** that goes beyond simple role checks
**Identity analytics** to understand usage patterns and detect anomalies
**Compliance capabilities** like solid audit and access trails, especially for regulated industries

Starting with identity infrastructure means you are prepared for these requirements rather than scrambling to retrofit them.
### The Path Forward
The identity landscape is evolving rapidly. Passwordless authentication, zero trust architectures, and artificial intelligence (AI)-powered threat detection are becoming table stakes. Organizations that treat identity as infrastructure, not just a checkbox feature, will be best positioned to adopt these advances.
This means choosing platforms that prioritize developer experience, such as Zitadel, while meeting enterprise requirements, provide clear migration paths between deployment models, and support both current needs and future requirements with transparent pricing that scales with growth.  Our customers’ and community’s feedback helps our team build out the [Zitadel product roadmap](https://zitadel.com/docs/product/roadmap).
### Building for Tomorrow
At Zitadel, we believe that identity infrastructure should disappear into the background, letting you focus on building great applications rather than managing authentication complexity. Whether you are a startup building your first multi-tenant SaaS (software-as-a-service) application or an enterprise modernizing legacy systems, the infrastructure approach scales with your needs.

*The question isn't whether you need an identity platform. It is whether you want to build it yourself or focus on what makes your business unique.* 

Want to see how identity infrastructure works in practice? Try Zitadel Cloud or explore our open source project to get started.


Stop treating identity as an afterthought. Build scalable applications with enterprise-ready identity infrastructure using modern protocols and open source transparency.

Beyond Authentication: Why Modern Applications Still Need Identity Infrastructure

Curious who helps drive Zitadel’s product roadmap from theory to reality? I recently sat down with  Fabienne Bühler, Co-founder and Chief Product Officer (CPO) at Zitadel, to discuss her strategy to build an impactful open-source identity and access management (IAM) platform with Zitadel.

<div className="mt-8" style={{ marginBottom: '-3.5rem' }}>
  <YouTubeExtended
    videoId={"ftoaNKhPlbM"}
    containerClassName={"youtube-container"}
		stopList={[]}
  />
</div>

We also transcribed the conversation if you prefer to read through a quick summary instead.

### Getting to know Fabienne
Fabienne—Fabi to the team—brings a solid software engineering background that proved invaluable when co-founding Zitadel. As the company grew, she shifted into product management and now serves as Chief Product Officer (CPO). In this role, Fabi connects the dots between critical product paths, keeping both the team and our customers front and center. When she is not at her desk, you will find her hiking through the Swiss mountains or relaxing by the lake—making the most of Switzerland's natural playground.

### Early Days: The Founding Story of Zitadel
In 2019, Fabi joined forces with Florian Forster, Maximilian Panne, Stefan Benz, Silvan Reusser, Elio Bischof, Livio Armstutz, and Max Peintner to launch Zitadel. The spark? While building an identity solution for a Swiss public sector company, they spotted a gap in the market for a robust open source IAM solution. They set out to create something different—a platform that nailed self-hosting, multi-tenancy, and flexibility. And Zitadel was born.

**Fun fact**: Before there was  a proper office, the team turned coffee shops into their headquarters. They even commandeered a local bar during daylight hours—wrapping up their coding sessions just before the evening crowd rolled in!

### The Daily CPO Routine at Zitadel
Fabi shares that the daily rhythm as CPO at a fast-growing startup like Zitadel varies and she often needs to strike a balance between product delivery and product discovery.  She is constantly in the mix — jumping between Discord conversations, GitHub discussions, and sales calls to understand how customers are putting Zitadel to work in the wild. 

Fabi enables the product ecosystem by connecting the stakeholders across our growing organization and community, making sure everyone is in the loop and the right teams tackle the right challenges. This hands-on approach shapes how we build our product roadmap—always grounded in what users actually need.

### The Reality Check: What IAM Implementation Actually Looks Like 
When talking about IAM implementation pitfalls, Fabi does not mince words: identity management looks deceptively simple until it isn’t.  You can start with the basic usernames and passwords, but as your business grows, complexity snowballs fast. 

She recommends scoping your organization’s requirements, keeping both long and short term for your identity needs. Then evaluate if you want to build and maintain all the identity infrastructure yourself?  Building an IAM platform is one challenge, but keeping it running smoothly is an entirely different challenge. This is where partnering with a team like Zitadel is pragmatic.  We meet wherever you are in your journey—whether you are a small team looking for cloud solutions or an enterprise that needs data ownership and self-hosting.

### Zitadel’s Unique Market Advantage
Fabi excitedly shares that Zitadel offers many advantages to businesses looking to implement or migrate their identity infrastructure: 
* **Multi-tenancy that actually works**: We built multi-tenancy into Zitadel’s DNA from day one—not as an afterthought or a hacky add-on you will find in some of the alternatives in the market today.  If you are juggling complex org structures, you need an IAM solution that was designed for it, not patched together. 
* **Build whatever you need**: Out of the box, Zitadel handles your standard authentication needs.  And this is when it gets more exciting—webhooks, actions, APIs, and pre-built connectors enable you to tackle any edge cases to meet your business needs. No matter the complexing of your use case, the Zitadel team and the platform has you covered.
* **Deploy it your way**: Whether you want the simplicity of our cloud offering (zero maintenance headaches) or need self-hosting for data residency requirements, our Zitadel platform supports it.  Fabi highlights how you own your identity data either way—without burning resources to maintain a custom-built system. 

### Choosing the Right Feature for the Product Roadmap
Fabi articulates that building a roadmap is not just about picking features—it is about balance.  She breaks it down: “We listen to our community members, enterprise customers, and open source contributors, and share that feedback publicly.  Stemming from our roots in open source, transparency is critical for us.”

Then comes the harder aspect of aligning the feedback with features.  Every decision needs to align with Zitadel’s vision while delivering real value to our entire ecosystem.  It is a constant balancing act and that openness keeps us honest.

### Zitadel’s 2025 Product Roadmap
Fabi shares her excitement for 2025—it is all about making developers’ lives easier!  Here’s what’s cooking:
* **Better APIs everywhere**: We are overhauling our APIs from the ground up.  Better integrations, clearer documentation, and smoother developer experience to ensure your API calls are frictionless.  
* **Developer-friendly SDKs**: Starting with Python, we are building SDKs that streamline your integrations. 
* **Smoother Onboarding**: No more wrestling with configs for hours. We are rebuilding onboarding so you can go from zero to authenticated in minutes. 
* **Enterprise-readiness**
	* **Performance, at scale**: Performance improvements built to support organizations managing millions of users.
	* **Groups management**: Groups, one of your most requested features, is coming soon. This enables you to manage user groups at scale.
	* **Actionable Analytics**: Monitor logins, daily active users (DAUs), monthly active users (MAUs), and identify potential issues before they escalate. 
	* **AI-powered threat detection**: This leverages anonymized data to proactively identify security risks. 

### Quarterly Release Schedule for Zitadel
We have made a strategic shift to a quarterly release cycle, and here’s why it matters: our customers get predictable updates and a clearer path to staying current. Plus, it helps us tackle a real problem—too many legacy versions of Zitadel floating around in production.

For our team, this gives  more time to prepare for releases and limit the possibility of a chaotic product roadmap. As Fabi points out, we can now share  release candidates with the community a full month before releasing the stable release. This means better testing, clearer documentation, and a smoother plan for deprecating outdated features.

The bottom line is that you get more reliable updates and we deliver higher quality releases.

### Evolution of Zitadel’s Licensing Model
Zitadel launched under Apache 2.0 license—a great choice for building community and getting our code into developers’ hands.  But as Fabi explains, our commitment to open source has not wavered; it has actually grown stronger.  The move to AGPL 3.0 was about protecting what we have all built together.  This license ensures that the years of work from our core team and community contributions stay open and benefit everyone. 

What does this mean in practice?  If you are building with Zitadel, you are contributing back—either through code or through financial support.  This creates a sustainable model that keeps the project healthy and the community thriving.

*Note: Learn more about the AGPL 3.0 licensing change in [this blog post](https://zitadel.com/blog/zitadel-v3-announcement).* 

### Contributing to the Zitadel Ecosystem
Fabi highlights  that there are many ways one can contribute to the Zitadel community, regardless of your technical background .  Our [GitHub issues](https://github.com/zitadel/zitadel/issues) are a goldmine for contributors—you will find everything from documentation updates, typo fixes to SDK examples, and bug squashing.  Not a coder?  Join our [Discord community](http://zitadel.com/chat) and help someone troubleshoot their setup or share product feedback that makes a real difference. 

We are also constantly looking for beta testers through our community newsletter. Your hands-on feedback helps us catch issues and refine features before they hit production.  Sometimes the best contribution is telling others about your experience with Zitadel. 

Fabi still remembers the team's excitement when that first pull request landed. Watching the community help each other and grow together remains one of the most rewarding parts of building Zitadel. Every contribution—big or small—keeps that spirit alive.

### Envisioning the Future at Zitadel
Fabi outlines Zitadel’s vision in three strategic phases: 
1. **Build the foundation right**: We are creating a comprehensive platform that unifies authentication and authorization.  Seamless integration with your existing business tools is critical—we know switching costs are real, and integration complexity impedes adoption. 
2. **Enable powerful customization**: Our APIs and Actions framework give you the flexibility to adapt Zitadel to your specific workflows. We are exploring a community marketplace for Action templates, where teams can share proven solutions for common scenarios. It’s about empowering your organization to leverage the platform fully. 
3. **Advance security intelligently**: By training models on anonymized data, we can proactively identify threats and neutralize bot attacks. The collective intelligence approach means every Zitadel user contributes to and benefits from stronger security across the platform.

Our immediate priorities remain clear: enhanced threat detection, comprehensive analytics, group management, and expanded  Actions capabilities.  We are also investigating Fine Grain Authorization (FGA) in response to  customer feedback—because our roadmap reflects real-world requirements, not theoretical features.    

### “If Not Tech…”: Alternative Career Paths
What would Fabi be up to in a parallel universe without keyboards and code? As it turns out, she would still be in the business of helping folks—just with different tools in her toolkit. Picture Fabi as a Nutrition Advisor, swapping API documentation for meal plans, or perhaps as a Psychologist, debugging minds instead of software.

No matter which universe we peek into, there's Fabi—putting people first, solving problems, and probably still organizing everything into neat little systems. Some things are simply written in the stars! ✨


Zitadel’s CPO Fabienne Bühler shares the company’s product strategy and working with customers to drive the product roadmap forward.

The HOW behind Zitadel with Fabienne Bühler, Co-Founder & CPO

## What is Identity and Access Management?
In today’s digital world, securing your organization’s resources is non-negotiable.  Identity and Access Management (IAM) serves as the cornerstone of modern security infrastructure, yet many find it intimidating.  At its core, IAM answers two critical questions:
* Is this user who they claim to be?
* Which resources should this user be allowed to access?

IAM is the foundation of digital trust that enables secure collaboration in our interconnected business landscape.

## Evolution of Identity Solutions
### The Past: Custom In-House Solutions
Organizations, regardless of size, historically invested heavily in building custom IAM platforms in house.  The reasons:
* Solutions can be tailored precisely to organizational needs
* Ability to achieve complete control over data residency and sovereignty
* Freedom from vendor lock-in and associated costs
However, this approach eventually created more problems than it solved. Security vulnerabilities, astronomical maintenance costs, and technical debt quickly transformed these “ideal” custom solutions into unwieldy legacy systems hindering innovation rather than enabling it.  

### The Present: Specialized IAM Solutions
Today’s landscape features purpose-built IAM solutions built by identity specialists.  These platforms offer:
* Industry-leading security expertise out-of-the-box
* Continuous updates to counter evolving threats
* Significantly reduced implementation timelines and costs
Zitadel stands out by offering flexible deployments and extensive integration options through our open-source multi-tenant platform, combining the best of both worlds.

💡We recently wrote an article on the [pros and cons of “build vs. buy” approaches of IAM platforms](https://zitadel.com/blog/build-vs-buy)💡

## Evolution of Identity Infrastructure for Cloud-Native Architectures
### First Wave: Virtual Machine-Based Identity (2005-2015)
Early cloud adoption simply migrated traditional identity infrastructure to virtual machines (VMs). Organizations lifted-and-shifted their directory services and authentication systems to cloud VMs, maintaining the same architecture but changing the hosting model. This approach provided minimal cloud advantages while carrying over legacy limitations.
### Second Wave: Identity-as-a-Service Emergence (2015-2020)
As cloud adoption accelerated, specialized IDaaS (Identity-as-a-Service) providers emerged, offering streamlined authentication services through APIs and managed services. These solutions introduced:
* Standardized OAuth and OIDC implementations
* Developer-friendly SDKs and APIs
* Reduced operational overhead
However, most solutions remained proprietary with limited customization options, creating new forms of vendor lock-in.
### Third Wave: Cloud-Native Identity (2020-Present)
Today's cloud-native identity infrastructure embraces key cloud principles:
* Containerization and microservices architecture
* Infrastructure-as-code deployment models
* API-first design philosophy
* Kubernetes-native operation
Modern platforms like Zitadel are designed to deploy anywhere — from managed cloud services to on-premises Kubernetes clusters — while maintaining consistent security postures across environments. This approach enables true hybrid and multi-cloud identity strategies without sacrificing security or developer experience.

### Future Trends: Decentralized and Portable Identity
The emerging horizon includes:
* Self-sovereign identity models giving users more control
* Portable identity credentials functioning across organizational boundaries
* Zero-trust architectures replacing perimeter-based security
* Increased use of biometrics and behavioral analytics
Organizations embracing cloud-native identity solutions today are best positioned to adopt these innovations as they mature.

## Business/B2B Use Cases for Open Source Identity Solutions
Business-to-business identity management presents unique challenges. Zitadel's comprehensive feature set addresses these needs through: 
* **Transparency of Open Source** : With open source software accessible to the entire developer community, projects benefit from rapid advancement. Improvements span  security fixes, package updates, and feature enhancements, ensuring  full transparency and reduced costs.
* **Multi-tenancy**: Today’s complex business ecosystems require seamless resource sharing. Whether connecting with business partners or managing tenants, robust multi-tenancy capabilities bridge organizational boundaries securely. 
* **Flexible deployment**: Open Source Identity platforms like Zitadel offer data sovereignty benefits of custom solutions without the maintenance burden. Organizations have the ability to choose between the convenience of Zitadel Cloud’s zero-maintenance approach or the complete control of self-hosting in your own infrastructure.
* **Faster Time to Market**: Implementing production-ready IAM solutions accelerates deployment timelines dramatically.  Projects that would take months or years to develop in-house can be operational in weeks or even days with open source IAM solutions, allowing you to
	* Launch core products faster
	* Implement security enhancements rapidly
	* Focus development resources on your unique value proposition
	* Realize return-on-investment sooner

* **Enable Developers**: Leverage open source IAM offerings with robust  API capabilities like Zitadel to automate repetitive tasks.  This eliminates the need to architect authentication systems from scratch, saving both  on employee resources and infrastructure costs.   
* **Self-management**: Organizations experience constant change.  Effective IAM solutions must scale with your needs, whether accommodating promotions, new hires, or departmental reorganizations.  Self-service capabilities for role management makes all the difference. 
* **Enhanced Security through Consolidation**: By implementing  SSO and MFA, organizations significantly  increase their security posture while decreasing account exposure and management overhead.

## Let’s Transform Your Identity Management Experience!
Modernize your organization’s authentication and access control infrastructure with Zitadel. Our team will work with you to:
* Assess your current identity needs and challenges
* Design a tailored implementation strategy aligned with your business goals
* Create a scalable roadmap that grows with your organization
* Implement best practices for maximum security and usability

Book a consultation today to begin your journey towards simplified, secure identity management that enables, rather than restricts your business growth.

<CTA
	label={'Book a Consultation'}
	href={'https://meetings-eu1.hubspot.com/jason-burkhead/zitadel-discovery-call'}
	external={false}
	layout={'primary'}
	noreferrer={false}
	align={'center'}
/>



Get started in understanding the basics of the Identity and Access Management ecosystem.

Understanding Identity and Access Management basics

# Meet Gigi the Giraffe: The Towering Personality Behind Zitadel!
Ever spotted that long-necked charmer popping up throughout Zitadel’s [documentation](https://zitadel.com/docs)?  Wonder no more.  Today, we are diving into the delightful story of Gigi the Giraffe, Zitadel’s head-above-the-rest mascot, with none other than Florian Forster, Zitadel’s CEO and Co-Founder.

<div className="mt-8" style={{ marginBottom: '-3.5rem' }}>
  <YouTubeExtended
    videoId={"pCXXuYNUzvY"}
    containerClassName={"youtube-container"}
		stopList={[]}
  />
</div>

**Prefer skimming to streaming?** We got you covered!  Here is the transcribed version of the conversation for your reading pleasure.

### The Tall Tale of Gigi’s Beginnings
As it turns out, Gigi wasn’t born with mascot status!  Florian revealed that before Zitadel existed, the co-founders worked at another organization where they developed a rather elevated reward system—giraffe stickers for standout contributions!  Talk about reaching new heights of recognition!

The giraffe love reached spectacular proportions when Florian received a human-sized giraffe plushie for his birthday.  And just like that, Gigi was born!  The team has been neck-deep in giraffe appreciation ever since.  While Gigi typically lounges in Florian’s home office, our spotted friend is currently safely packed away for Florian’s move to the US—first-class accommodations, we presume!

### Standing Tall in Company Culture
With that famously long neck, Gigi naturally has quite the perspective on Zitadel’s future (someone’s always looking ahead!).  Florian shared how Gigi’s playful spirit reflects the team’s culture—proving that even serious security solutions can have a splash of fun. 

**Ready to join the herd?** Gallop over to our [Discord community](https://zitadel.com/chat) today and enjoy our collection of Gigi-themed emojis!  Because who says identity management cannot be both secure AND adorable? 



Find out more about Zitadel’s mascot, Gigi, the Giraffe, and where he came from!

Meet Gigi, Zitadel’s Mascot

Since its launch in May 2021, the Zitadel Identity and Access Management (IAM) Platform has served over 150 customers.  We are honored by their continued confidence in our solution. As a company committed to continuous innovation, our primary focus remains delivering exceptional user experiences while expanding our platform's capabilities and features. 
## 1. Developer-first Multi-tenancy:
Our users often face the challenging task of building and maintaining complex multi-tenant identity infrastructure.  From customers standardizing authentication across development platforms with multi-tenant support to those requiring both internal and customer-facing authentication allowing clients to manage their own users, the pain points typically gravitate towards requiring a turnkey [multi-tenant IAM platform](https://zitadel.com/docs/guides/solution-scenarios/b2b) that reduces development complexity while maintaining enterprise-grade security.  

Zitadel’s comprehensive feature set—including social login options, OIDC and SAML 2.0 support, custom logins, and an API-first approach—establishes our platform as a truly developer-first multi-tenant identity solution.
> 💡 Read: [The Complexities and Pitfalls of Multi-Tenant Identity and Access Management](https://zitadel.com/blog/navigating-pitfalls-of-multitenancy) 💡
💡 [Feature Highlight](https://zitadel.com/features#brokering): Explore how Zitadel enables users to self-manage identity brokering and link multiple external identity providers to their identity 💡

## 2. Cloud or Self-Hosted Deployment
Before choosing Zitadel, our customers consistently expressed concerns about vendor lock-in, data control, and compliance requirements. Whether they needed control over identity infrastructure while maintaining security and compliance, or flexibility between [self-hosted and cloud deployment options](https://zitadel.com/docs/guides/overview#cloud-or-self-hosting), the feedback was clear. We purposefully built the Zitadel platform as an enterprise-grade solution that offers freedom in deployment model selection.

**Customers who begin their Zitadel journey in the Cloud prefer:**
* A ready-to-do turnkey solution with a free tier and a true pay-as-you-go pricing
* Global scalability without management complexity
* Data-residency compliance capabilities 

**Customers who choose the self-hosted path require:**
* Complete control over all components and data
* The ability to run Zitadel in air-gapped or regulated environments
 * Flexibility in update deployment schedules

> 💡 Read: [SaaS vs. Self-Hosted: How to Choose the Right Deployment Option](https://zitadel.com/blog/saas-vs-self-hosted) 💡
## 3. Extensibility and Integrations
The [Zitadel Identity and Access Management platform](https://zitadel.com/features#platform) is built for cloud-native deployments requiring multi-tenant solutions with seamless, turnkey integrations into existing infrastructure stacks.  With our API-first philosophy, Zitadel offers extensive functionality through robust APIs. When creating projects, you can rely on [Zitadel's APIs](https://zitadel.com/docs/apis/introduction) to handle the complex work of access and identity management.
## 4. Committed to Community and Open Source
With a strong dedication to the [open source community](https://zitadel.com/opensource) and collaborative development, we founded Zitadel with one clear mission – to build an open source IAM platform tailored for the cloud era. Our commitment to open source means:
* Building trust through transparency by providing access to our source code
* Giving users the flexibility to customize and add features needed for their specific use cases
* Incorporating feedback and input from the community to build the best possible solution
* Creating a collaborative ecosystem where improvements benefit everyone
* Ensuring long-term sustainability through community-driven development
The project is actively maintained and developed by both [the Zitadel team](https://zitadel.com/team) and our community. We welcome and appreciate all [contributions](https://github.com/zitadel) as we continue to advance the platform.

> ⭐️ Become a stargazer: https://github.com/zitadel/zitadel ⭐️
## 5. Accessible and Actionable Usage Metrics 
Security incidents are often detected too late. By the time an incident is identified, log files may be deleted or lack context. The Zitadel IAM platform provides a [comprehensive built-in audit trail](https://zitadel.com/features#audit) that tracks all changes over an unlimited period. This enables you to review any modifications to all your resources over extended timeframes, including changes to policies and settings, as well as user interactions such as login attempts, authenticator replacements, or profile data updates.
## Conclusion
As we move through 2025, we want to thank you for your continued trust in Zitadel. As summarized in our [end of year wrap-up blog post](https://zitadel.com/blog/end-of-year-product-wrap-up), our focus for 2025 centers on three key areas:
* Creating a Seamless Onboarding Journey
* Delivering Enterprise-Grade Performance and Scalability
* Providing Proactive System Insights

We are excited about making 2025 a successful year and I look forward to hearing your feedback.  Please feel free to connect with us anytime through our [Zitadel Discord Server](https://zitadel.com/chat) or [Bluesky](https://bsky.app/profile/zitadel.bsky.social), [Linkedin](https://www.linkedin.com/company/zitadel/), [GitHub](https://github.com/zitadel/zitadel), or our [website](https://zitadel.com/contact). 

Zitadel Identity and Access Management (IAM) platform is best suited for cloud-native users looking for an open-source, multi-tenant, and developer-first solution that is available to self-host or as a cloud offering.

5 Reasons Why You Should Choose Zitadel IAM

Ever wonder who’s at the helm of your favorite open source Identity platform, Zitadel? I recently spent time talking with Florian Forster, CEO and recorded his insights on [Zitadel's YouTube channel](https://youtu.be/m-Tg-KRqYlA).

<div className="mt-8" style={{ marginBottom: '-3.5rem' }}>
  <YouTubeExtended
    videoId={"m-Tg-KRqYlA"}
    containerClassName={"youtube-container"}
		stopList={[]}
  />
</div>

Looking for a quick read instead? We also transcribed the conversation.
### Getting to know Florian 
Florian shares with us his technical background that has helped drive his entrepreneurial spirit as he operates as Zitadel’s CEO. His vision for Zitadel’s positive impact on organizations helps drive the future course of the company.

### Early Days: The Founding Story of Zitadel
Florian teamed up with Fabienne Buhler, Maximilian Panne, Stefan Benz, Silvan Reusser, Elio Bischof, Livio Armstutz, Max Peintner, and founded Zitadel in 2019. The idea came to fruition when this group was working at a public sector company in Switzerland. Identifying the market gap for a developer-focused identity solution that supports both self-hosting and multi-tenancy, they set out to create and deliver this tool to the community.

### Day in the life of the Zitadel CEO
Florian chuckles that his daily rhythm varies based on which global office he is working from. In Switzerland, his day unfolds at a measured pace, whereas starting in San Francisco means an immediate deluge of over 100 notifications. Despite his systematic approach to triage, priorities, and essential meetings, Florian always carves out time to engage with the Zitadel community and participate in GitHub discussions. He particularly values his diverse interactions with team members, customers, and the broader developer ecosystem. As a dedicated family man, Florian ensures that regardless of his professional commitments, he reserves quality time with his wife and young children before the day concludes.

### Key Identity Management Challenges That Organizations Should Navigate
Florian challenges the tendency to either oversimplify or overcomplicate identity management. Often dismissed as a simple login, he emphasizes how identity fundamentally shapes your entire software security posture. The true challenge lies in accurately assessing risks and implementing appropriate security measures that protect users without creating friction.. Custom-built or homegrown solutions often fall short — developing robust identity systems requires specialized expertise, not a quick implementation.  Engaging with industry experts and specialists provides invaluable peace of mind and enhances your organization’s security outcomes.

### Zitadel’s Market Advantage
Zitadel distinguishes itself with a developer-centric approach that addresses gaps left by the legacy identity solutions.  The platform offers exceptional flexibility, allowing it to adapt to your infrastructure requirements. This pairs well with Zitadel's modern self-hosting solution, which has seen an acceleration in adoption and growth over the recent years.

### Multi-tenancy in Practice
Florian shares how most systems across the internet are inherently multi-tenant. He illustrates this with an e-commerce example where customers and employees require  different roles and permissions.  This complexity, Florian notes, rapidly intensifies as organizations grow. When multi-tenancy is built into  the system’s foundational architecture, it provides sustainable scalability benefits  This intentional design allows administrators to implement distinct security policies — such as customized two-factor authentication requirements — for different groups across tenants.

### How Zitadel Enables Data Residency
Florian highlights two key dimensions of Zitadel’s approach to data residency:
The first addresses geographic hosting requirements through the strategic regional deployments of Zitadel Cloud across the United States, Australia, European Union, and Switzerland, allowing customers to meet their compliance needs.
The second offers complete flexibility through Zitadel’s self-hosting option, giving organizations complete control over database location, instance deployment, and access management according to their requirements.
 
### The Shift to Self-Hosting Solutions
Florian notes that historical data breaches from third-party suppliers have created lasting concern among organizations. A significant segment of customers now prioritizes maintaining complete control over their data, viewing access management as a critical defensive strategy. He also highlights that technical teams have regained confidence in managing essential workloads internally, largely due to operational enablement from technologies like Kubernetes. 

### Evolution of Zitadel’s Licensing Model
Zitadel initially launched under the Apache 2.0 license, which effectively supported its distribution and helped build the community. Florian explains that over the past 18 months, while usage increased significantly, there wasn’t a proportional reciprocity with meaningful contributions back to the community, whether in the form of code contributions or financial support.  The transition to the AGPL 3.0 license has enabled Zitadel to safeguard the substantial  investment made by the core team and the broader community. This strategic licensing shirt ensures Zitadel can maintain its fundamental commitment to open source principles.

*Note: Learn more about the AGPL 3.0 licensing change in [this blog post](https://zitadel.com/blog/zitadel-v3-announcement)*.

### Zitadel’s Strategic Vision for 2025 & Beyond
While Florian proudly acknowledges Zitadel’s exceptional login experience, he emphasizes that the company’s  mission extends far beyond authentication. 

He identifies three strategic pillars driving Zitadel’s future:
**1. Identity Transactions:** The authentication component of user login workflows represents Zitadel's foundational strength.  With over 80% market coverage in this area, Florian is confident in the substantial value this functionality delivers to organizations.
**2. Integrations and Workflows:** This growing focus area recognizes that while customers can already build plugins for third-party applications, Zitadel aims to significantly enhance this capability.  By expanding APIs and improving extensibility, Zitadel will provide developers with even greater flexibility and powerful incentives for adoption.
**3. Analytics and Intelligence:** This pillar, positioned to have the most transformative long-term impact, comprises three critical components:
	* Audit and Forensics Reporting: Enabling customers to comprehensively track and analyze user activities
	* Aggregation Reporting: Providing administrators with deeper insights into identity infrastructure performance through metrics on user behaviors, login failures, and other usage patterns
	* Threat Detection and Mitigation: Empowering security teams with advanced tools to better understand and rapidly respond to potential attacks

### Zitadel Establishes American Presence
Florian recounts that while Zitadel was born and initially flourished in Switzerland, maintaining strong Swiss heritage, the company's expanding footprint in the North American market naturally led to establishing a US headquarters. This strategic expansion positions Zitadel to better serve its growing American and global customer base and address its evolving recruitment requirements.

### “If Not Tech…”: Alternative Career Paths
Florian reveals that if he was not securing identity in the Tech industry, there were several alternative career paths he would have pursued. 

Initially, becoming a helicopter pilot captured his imagination, though he eventually dismissed this path, seeking to make a more substantial impact.

Following his military service, Florian considered joining the close protection field as a security operative.  However, after careful consideration, he determined the inherent risks didn’t align with his personal values and life goals.

Surprisingly, citrus farming ultimately emerged as his most compelling alternative career path. Florian believes that through data-driven approaches and thoughtful agricultural practices, the field offers fascinating opportunities for innovation.

*While the world might have gained an innovative orange juice producer, the Zitadel team remains grateful to have Florian’s leadership in his current role 😁.
*


Zitadel’s CEO Florian Forster shares the company’s values and vision for 2025 and some of the common challenges when approaching IAM. 

“The WHY behind Zitadel” with Florian Forster, Co-Founder & CEO

When exploring a new application, one of the first touchpoints a user encounters is the login experience. While a simple, generic screen can be an effective and efficient way to approach the beginning of your user flow, building out a custom login interface allows you to deliver a branded, seamless, memorable experience that aligns with your app’s functionality, user interface (UI), user experience (UX), and design. 

For scenarios where a simple username/password and  'forgot your password?' buttons aren't enough, Zitadel offers a robust, API-driven solution that supports advanced authentication methods, including passkeys, multi-factor authentication (MFA), and enterprise or social login integrations, allowing you to create and smoothly integrate a fully customized login UI.
## Custom Login: The Use Case
While we provide a [powerful built-in authentication flow](https://zitadel.com/docs/guides/integrate/login/hosted-login) compatible with OIDC & SAML standards, we recognize that some organizations require more flexibility to create more customized and advanced workflows that align with specific business logic, compliance requirements, security policies, or user experience needs. This is why we support customized logins where you have the ability to integrate your system while using our robust authentication and authorization capabilities. This gives you complete  control of branding, user experience, and flows without compromising security.

Your login page isn't just a gateway to your app; it is an opportunity to present a strong first impression. By using our customizable APIs, you will improve the aesthetic experience and tailor authentication to meet your needs. Whether you are managing [multi-factor authentication](https://zitadel.com/docs/guides/integrate/login-ui/mfa), [adding external login capabilities](https://zitadel.com/docs/guides/integrate/login-ui/external-login), or even exploring [integrating passkeys](https://zitadel.com/docs/guides/integrate/login-ui/passkey) into your workflow, Zitadel makes it easier to implement advanced authentication flows while ensuring a smooth user journey.

Below is an example of a login flow implementation shown in our [TypeScript repository](https://zitadel.com/docs/guides/integrate/login-ui/typescript-repo), which provides all of the packages and components you need to build your own branded login user interface using Zitadel's APIs.

![](https://cdn.sanity.io/images/y3uu7rkl/production/fbbb86dfe32182ba8aa326c127f96c12b5568e4a-2544x825.png)


## How does Zitadel Support Custom Logins?
	
With Zitadel, you can implement custom logins through our [session](https://zitadel.com/docs/apis/resources/session_service_v2) and user APIs. These APIs allow you to authenticate users through various methods, including traditional username/password, passkeys, or external Identity Providers (IDPs). 
You have full  control over the session lifecycle, starting from initiating the login process to managing user sessions after authentication. This includes configuring session expiration, integrating multi-factor authentication (MFA), and deploying any additional security mechanisms that strengthen the user verification process while maintaining compliance with authentication standards.
### Exploring How Our Users Leverage Custom Logins
Building out your custom login with Zitadel is use-case-agnostic. Our users utilize custom logins with Zitadel in a variety of approaches. 

Here are two examples:

**Example 1: Exploring authentication and accessibility**

One of our users, [Melvin Weiershäuser](https://github.com/mweiershaeuser), was exploring authentication methods and accessibility for his academic thesis. For this project, he required a custom login to compare traditional authentication and passkey methods to assess their impact on accessibility and the development of more accessible user experiences. Initially, he evaluated both Zitadel and Keycloak and ultimately chose Zitadel due to the flexibility in integrating a custom login interface. To complete the project, he built his solution with Zitadel and Next.js, with the implementation supporting both multi-factor authentication (MFA) and passkeys. Key features included passkey registration, service user integration for login control, and session management. By leveraging Zitadel’s authentication capabilities, he was able to provide valuable insights into how login methods can influence accessibility and usability while maintaining a smooth authentication experience. The project is [publicly available on GitHub](https://github.com/mweiershaeuser/sso) for those interested in exploring it further.

**Example 2: Designing a secure login for a banking app**

Security is key when developing a user authentication flow for a mobile application for fintech companies. One such fintech company, an IT and digitalization partner for leading financial and insurance service providers, set out to provide a more seamless and branded login process that integrated better with their own application.  They built out a custom login using Swift and Android Java while integrating a .NET backend with our session API to ensure a secure, device-bound auth process. By customizing their login experience with Zitadel, they were able to enable multi-user handling, token rotation, and enhance security through session revocation. This addressed their need for heightened protection, paired with a frictionless user experience. 
## Looking Ahead
We are committed to further enhancing our API and SDK offerings and make it easier for developers to implement custom logins. We  recently launched our ready-to-use [TypeScript-based login system](https://zitadel.com/blog/typescript-login) that reduces development time and effort for our users. 

Start building your custom login UI today, and join a growing community of developers shaping the future of authentication. If you have any  questions as you are building out a custom login and integrating it with Zitadel, contact us through [our community](http://zitadel.com/chat). 






Learn more about building out your own login UI integrated with Zitadel and explore real-world approaches building out secure custom login flows.

Designing a Login Flow That Fits with Zitadel

A common task for many developer and security-centric teams is to provide an identity and access management (IAM) service.  Whether that component only consists of a sign-up form and a login page or a more complex infrastructure, the number one priority is always to provide a seamless functionality for your users.  Failure in implementation can have severe consequences. To reduce your risk and feel confident in your IAM platform, partnering seasoned professionals in the space ensures success.

Companies looking for authentication servers have the option to consider the solutions available in the market or build it themselves.  As each option presents its own set of benefits and drawbacks, teams are often overwhelmed to make the right choice.  In this article, we will cover the key pros and cons of each of the two options that help companies make the right decision for both short-term and long-term benefits.

### Benefits of a Custom-built Platform
1.  Built to your needs: Custom-built IAM platforms can be tailored to your organization's specific requirements.  With a custom solution, you have complete control over the user experience and the technology choices. You can design authentication flows that align with your brand and user journey, creating a seamless experience that doesn't feel disconnected from the rest of your application. This customization extends to crucial workflows like user onboarding, password resets, and permission management—all of which can be optimized for your specific use cases rather than following a generic approach.
2. Enterprise Integrations: Enterprise environments often present complex integration challenges that off-the-shelf IAM solutions struggle to address effectively. A custom-built IAM platform can be architected from the ground up to integrate seamlessly with your existing technology ecosystem, regardless of its complexity or uniqueness.
Legacy systems present a particular advantage for custom solutions. While many modern IAM platforms have limited support for older technologies or protocols, a custom solution can be built to bridge these gaps. Whether you're dealing with mainframe applications, custom LDAP schemas, or proprietary single sign-on systems developed in-house decades ago, a custom solution can be tailored to interface with these systems without compromise.
3. Control Over Data and Infrastructure: A custom-built IAM platform puts you in the driver's seat when it comes to data sovereignty and infrastructure decisions. This complete control means your organization retains ownership of user credentials, access patterns, and authentication logs—data that is often among the most sensitive your company manages.
For organizations in regulated industries such as healthcare, finance, or government, this control can become crucial. Custom solutions allow you to construct specific data residency requirements, ensuring user information never leaves particular geographic boundaries or jurisdictions. You can also implement custom encryption schemes that go beyond standard offerings, creating multiple layers of protection for particularly sensitive identity data.
4. No Vendor Lock-in: Building your own IAM platform frees your organization from the constraints of vendor dependencies. This independence means you're not tied to a particular company's business decisions, product roadmap, or pricing strategies. If a vendor decides to sunset a feature your business relies on or dramatically increases licensing costs, organizations using off-the-shelf solutions may find themselves scrambling to adapt.
Custom solutions also shield you from the impacts of acquisitions and mergers in the IAM market, which can often lead to discontinued products or significant changes in service quality and support. With your own platform, you maintain continuity regardless of market fluctuations.
5. Customized Compliance Implementation: Regulatory compliance requirements for identity management vary significantly across industries and regions. A custom IAM platform allows you to design compliance features that precisely address your specific regulatory landscape without unnecessary overhead.
For example, a custom platform can be built with GDPR's right to be forgotten as a core architectural principle rather than an afterthought. Healthcare organizations can design authentication workflows that inherently enforce HIPAA requirements. Financial institutions can implement multi-factor authentication schemas that directly align with specific banking regulations in their operating regions.
### Drawbacks of a Custom-built IAM Platform
While the benefits of custom-built IAM solutions are compelling, they come with significant challenges that organizations must carefully consider. The reality is that identity management is a specialized field requiring deep expertise in security, performance optimization, and regulatory compliance. Building your own platform means taking on the full burden of these complexities—often pulling focus and resources away from your core business objectives. The following drawbacks highlight why many organizations ultimately find that the apparent freedom of a custom solution can become a costly constraint.
1. Security Issues: A significant risk of building your own authentication server lies in its generally higher probability of security issues, which is usually due to a disproportionate time spent on building and not security implementation. Since keeping your users’ data safe is among the greatest responsibilities of the platform and the primary task of an IAM , it is essential to make sure an adequately established security system is given. One of the most obvious advantages specialized vendors have over DIY developers is the possession of a dedicated team with cybersecurity and software engineering expertise. The members of these teams can utilize their knowledge to create the best possible security system based on their diverse experiences.
IAM vendors commonly offer advanced security features, such as support for multi-factor authentication (MFA) and security keys (Yubikey etc.). Another security aspect where third-party IAM solutions prevail is pattern recognition: they can prevent attacks more easily due to their large user base, whereas a custom-made solution does not possess enough data to recognize suspicious patterns.
Keeping up with authentication best practices and standards becomes another insurmountable task for custom-built platforms, whereas IAM vendors can ensure compliance and adherence to standards.
2. Cost of Maintenance: Contrary to popular belief, you will likely find that building your own authentication server is not cheaper in the long run. While you might initially save money, that will quickly be compensated by the cost of development, maintenance, troubleshooting, upgrades, and the resources themselves that are needed for these procedures. Furthermore, you might find that unexpected expenses arise later on in your software’s lifetime: while initially you will likely implement a simple username + password login system, due to the high security requirements of a well-functioning authentication solution, you will most likely need to expand it with more complex features (f.e. Multi-Factor-Authentication, passwordless login options and more social logins).  Also, since your primary business is likely in an unrelated field to the IAM itself, the inevitable shift in your working context would entail additional costs. When considering a custom-built solution, it is therefore beneficial to evaluate if the needed investments over the lifetime of your product are ultimately less than the amount you would have to pay for the one-time fee of the purchasable alternative.  
Add in the scale by a factor of (n) to address a multi-tenancy requirement for each customer with their own settings, and the cost of maintenance grows exponentially.
3. Expensive, in all aspects: When creating anything from scratch, you should probably reckon with a lengthy production process. This not only delays the “time to value” of your business-critical applications as you first need to build the IAM platform before you can make your application available to your users.  This also applies to developing a service; given that authentication solutions require lots of API programming and complicated security features, fully building one might take at least a year as a full-time job. Since this service will handle sensitive data, the development of an adequately functioning security system also involves constant testing and optimizing, which should not be neglected to save time. The need for custom features also extends to the product phases well beyond the initial development: keeping your application functional and up to date requires you to additionally establish a maintenance system that will serve this purpose. Using an already established IAM solution would therefore likely save you several years of time, and money spent on essential resources.

![](https://cdn.sanity.io/images/y3uu7rkl/production/deeec64e2aa7e46f68c8de9addac4090ae2f3c80-2940x1656.png)
*Calculations based on our analysis*
### Benefits of Buying an IAM Platform
While custom-built IAM solutions offer some advantages, after examining the complex challenges of building one, it becomes clear why many organizations ultimately choose to purchase a dedicated IAM platform from specialized vendors. These purpose-built solutions offer numerous advantages that directly address the pain points of custom development.
1. Industry-Leading Security Expertise: Specialized IAM vendors focus exclusively on identity security, employing teams of security experts who dedicate their careers to staying ahead of emerging threats. This concentrated expertise translates into robust security practices that would be difficult for most organizations to replicate internally. Professional IAM solutions typically offer:
Regular security audits and penetration testing with third party partners
Rapid response and mitigation of vulnerabilities
Advanced threat detection and prevention capabilities
Compliance with the latest security standards and best practices and certifications
2. Faster Time to Market: Implementing a pre-built IAM solution dramatically accelerates your deployment timeline. What can typically take months or years to develop in-house can often be set up in weeks or even days with a vendor solution. This quick implementation means:
Your core products and services launch faster
Security enhancements reach your users more quickly
Development resources stay focused on your business differentiators
You realize return on investment sooner
3. Reduced Total Cost of Ownership: While the upfront licensing costs of purchased IAM solutions are visible line items in your budget, they typically represent a fraction of the total cost of building and maintaining a custom platform especially if you factor in the development time. A comprehensive IAM solution hence eliminates:
* Development costs for initial implementation of the security features
* Ongoing expenses for security updates and patching
* Infrastructure and operational overhead, especially for SaaS users
* Costs associated with specialized security talent acquisition and retention
* Expenses related to compliance certification and auditing

![](https://cdn.sanity.io/images/y3uu7rkl/production/6b2ba627a001746cc86e4499c29d15ae5f898fc1-2940x1648.png)

4. Continuous Innovation Without Internal Resources: Professional IAM vendors continuously improve their platforms, incorporating new authentication methods, security enhancements, and usability features as they emerge in the market. This ongoing innovation happens without draining your internal resources, allowing you to:
* Benefit from industry advancements automatically
* Support new standards and protocols without additional development
* Offer cutting-edge security features to your users
* Stay competitive with larger organizations that have more resources
5. Scalability and Reliability: Enterprise-grade IAM platforms are built from the ground up to handle massive scale with exceptional reliability. These solutions typically offer:
* High-availability architectures with redundancy built in
* Elastic scaling to handle usage spikes
* Global distribution for performance optimization
* Proven reliability under extreme load conditions
* Comprehensive monitoring and alerting options
6. Simplified Compliance Management: Managing compliance across multiple regulations (GDPR, HIPAA, SOC2, ISO27001, etc.) requires significant expertise and ongoing attention. Dedicated IAM platforms typically:
* Maintain compliance certifications so you don't have to
* Provide detailed audit logs and reporting
* Offer pre-built compliance frameworks for various industries
* Stay updated with evolving regulatory requirements
* Simplify your compliance audits with ready documentation
7. Professional Support and Expertise On-Demand: When issues arise (as they inevitably do), having access to specialized support can mean the difference between minor inconvenience and major business disruption. Established IAM vendors provide:
* 24/7 technical support from identity specialists
* Comprehensive documentation and implementation guides
* Professional services for complex deployments
* User community and knowledge sharing
* Training and certification programs


![](https://cdn.sanity.io/images/y3uu7rkl/production/18106bcce85f266ce752a3e24d3d7cba3b115fd6-2940x1654.png)

### Bringing the Best of Both Worlds with Zitadel 
Zitadel delivers enterprise-grade identity and access management without the development overhead of building your own solution from scratch. Unlike custom-built IAM systems that require significant engineering resources, ongoing maintenance, and security expertise, Zitadel provides a battle-tested, comprehensive solution out of the box. 
With Zitadel, organizations gain immediate access to modern authentication protocols, multi-tenancy support, robust user management, and authorization controls —all while avoiding the hidden costs, security vulnerabilities, and compliance challenges that often plague homegrown IAM implementations. By choosing Zitadel, your team can focus on core business objectives rather than reinventing complex identity infrastructure.
1. Developer-first, multi-tenant platform: As a developer-first multi-tenant platform, Zitadel gives you custom-level control with turnkey implementation - offering intuitive APIs, comprehensive SDKs, and detailed documentation that drastically reduces development resources while supporting complex multi-organization structures that would typically require months of custom coding. You can even build your own custom login UI using Zitadel's APIs while relying on its battle-tested security and standards implementation behind the scenes.
2. Flexible deployment: Zitadel offers the data sovereignty of custom solutions without the infrastructure burden. You have the ability to choose between the convenience of Zitadel Cloud with its zero-maintenance approach or the control of self-hosting in your own infrastructure - either way, you maintain full ownership of your identity data without the ongoing operational costs of a custom-built IAM platform.
3. Extensibility and Enterprise Integrations: Zitadel delivers adaptability at the level of a custom-built solution without the associated complexity of a custom-built IAM solution. Its extensive extensibility and enterprise integrations ensure seamless connection to your existing ecosystem through webhooks, actions, and pre-built connectors for enterprise systems, allowing for the same customization you get from building in-house without forking code, managing separate codebases, or compromising security.
### Get Started
Get started with  Zitadel, the comprehensive, ready-to-deploy Identity and Access Management platform  rather than building one from scratch. We offer the ideal authentication platform with flexible pricing, a variety of deployment options, extensive features, enterprise-grade security, and unlimited identities across all instances.

Have questions about authentication or anything else? Connect with us on the [Zitadel Discord Server](https://zitadel.com/chat). You can also find us on [LinkedIn](https://www.linkedin.com/company/zitadel/), [GitHub](https://github.com/caos/zitadel), [Bluesky](https://bsky.app/profile/zitadel.com), [Twitter](https://twitter.com/zitadel) or through our [website](https://zitadel.com/).

If you appreciate our work, please consider [giving us a star on GitHub](https://github.com/zitadel/zitadel). We value your support!

The Zitadel Identity and Access Management (IAM) platform offers a turnkey enterprise-grade platform for cloud-native organizations looking to move away from a custom-built IAM platform with modules that are expensive to maintain.

Stop Building and Maintaining Frankenstein IAM Platforms

When choosing the right authentication provider for your application it can be hard to narrow down one that works not just for your organization internally but also for your customer and partners. Recognizing the diverse needs of a modern identity management system that is both flexible and secure can become an overwhelming task, especially in a market that offers a plethora of alternatives. That’s why it is important to understand the value proposition of the vendor offerings and evaluate how they fit your organizational requirements.

In this article, we will compare and contrast two open source alternatives - Keycloak and Zitadel.

## What is Keycloak and Zitadel
### Keycloak
Keycloak is an Open Source Identity and Access Management platform built for the foundational commercial solution “Red Hat Single Sign-On” that serves both the Business to Business (B2B) and Business to Consumer (B2C) markets. Keycloak was initially developed by WildFly, a division of Red Hat and was adopted to the [Cloud Native Computing Foundation](https://www.cncf.io/projects/keycloak/) (CNCF) on April 10, 2023 as an incubation project. Keycloak has been maintained by the CNCF community ever since. It brings functions like identity-brokering, multi-factor / passwordless authentication, access management, OpenID Connect, OAuth 2.0, SAML 2.0, and to some degree, multi-tenancy.

### Zitadel
Zitadel is an API-first identity platform that is built for developers. It offers easier integration into your tech stack to support the authentication, authorization, and self-service needs.  Extended as an open source and a commercial solution, it also provides a long-term audit trail out-of-the-box to ensure the security and compliance posture for your organization. Zitadel provides free and cloud subscription tiers, along with a self-hosted version for organizations that require complete data ownership. Zitadel’s comprehensive identity platform supports business-to-business (B2B) use cases including multi-tenancy, identity brokering, multi-factor or passwordless authentication, delegated access management, and in-context audit trail. Zitadel supports the standard integration protocols such as OpenID Connect, SAML 2.0, and OAuth 2.0.

## Main Differences
### Source Code
Keycloak leverages the open source friendly Apache 2.0 license on their platform repository. This license is catered towards community support and common across the open source  landscape. Up to version 2, Zitadel leveraged the Apache 2.0 license but will transition to the GNU Affero General Public License v3.0 (AGPL-3.0) with the upcoming version 3. The AGPL license ensures that any modifications to Zitadel need to be made available to the community. This creates a more reciprocal relationship between Zitadel and organizations that leverage and build upon our platform. It protects the open nature of our project while encouraging contributions back to the community.

For most of Zitadel’s community, this change will have minimal impact:

* **For end-users**: If you are only using Zitadel as an identity platform, the license change doesn't affect you.
* **For contributors**: Your future contributions will be licensed under AGPL-3.0 and we will introduce a contributor license agreement (CLA).
* **For service providers**: If you modify Zitadel and provide it as a service to others, you'll need to make your modifications available under the AGPL-3.0 license.
* **For developers**: If you are using our Examples, Libraries, SDKs, APIs, do not worry we will keep those under their existing license.

Our commercial licensing options remain available for organizations that require different terms. Please reach out to us if you have any questions about licensing, we have compiled a detailed [blog post](https://zitadel.com/blog/apache-to-agpl) and an [FAQ](https://zitadel.com/license-faq) for you.

### Operating Model
Self-hosting is easy with either Keycloak and Zitadel. While choosing a platform is important, both solutions have the ability to use custom-built operators for Kubernetes to install and operate the Identity and Access Management (IAM) solution. 

In addition, Zitadel offers the ability to run your instance in the cloud, managed by Zitadel directly. There is a wide range of managed service providers for Keycloak from managed instances to extensions.

If you are evaluating between cloud or self-hosting options, we recently wrote a blog post laying out the pros and cons of the [self-hosting and cloud approaches](https://zitadel.com/blog/cloud-or-selfhosted).

### Pricing
With open source as a driving force for Keycloak and Zitadel, the code is freely available on GitHub. However in the case of Keycloak, the community is the only contributor to their product ecosystem. Red Hat does offer a paid service “Red Hat Single Sign-On” leveraging Keycloak. 

Zitadel’s pricing model is tailored to your organization’s needs, focusing on three core elements: Support Level Agreements (SLA), Daily Active Users (DAUs), and Technical Account Management (TAM). We include essential features such as multifactor authentication and passkeys at no additional cost, and we don’t charge based on the total number of users stored in your system.

### Project Structure
Zitadel has a unique way to group clients that belong to the same security context into what we call “Project”. Projects help users bundle together clients, for example a web-application and a mobile-application, that share the same authorization mechanics. This ensures developers see consistent results across all clients without needing to manually configure audience scopes. The project allows you to delegate the access control and permission management to a third party. More details on how our “project grants” work [are here](https://zitadel.com/docs/apis/resources/mgmt/project-grants).

Keycloak historically has used a tenancy model that was constructed around the idea of realms as means of separation of concern for close to all resources, including users, clients, roles, policies and so on. In the summer of 2024, Keycloak announced a change in their project structure with the addition of [Organizations](https://www.keycloak.org/2024/06/announcement-keycloak-organizations). This enables support for multi-tenancy through the Organization management model and its inherent members.

### Self-service
Keycloak and Zitadel both offer extensive self-service capabilities including user profile management, access control delegation, and the ability for business customers to configure their own identity providers.

### Data Residency
Both Zitadel and Keycloak empower organizations with data residency through their self hosted solutions. With Zitadel, enterprise customers choose self-hosted deployments to maintain maximum control over their infrastructure and data governance. 

For strict data residency requirements, Zitadel supports regional cloud hosting and self-hosted deployments, giving organizations complete control over their data location and security protocols. Zitadel offers flexible data residency options with hosting regions in the United States, Europe, Switzerland, or Australia. Keycloak also has unaffiliated third parties that offer cloud hosting for prospective customers.

### Location Of Incorporation
Keycloak is a CNCF steered project which is not incorporated per se. They rely on their distributed developer community to maintain and drive their open source project forward. With headquarters in the United States and a principal office in Switzerland, Zitadel provides flexible contracting options through its dual-entity structure. Organizations serving European Union customers can contract through Zitadel's Swiss entity, leveraging Switzerland's data protection adequacy status granted by the European Commission. This simplifies EU data transfer compliance compared to the more complex requirements for US-based providers.

### Extensibility
Keycloak’s extensibility relies on Service Provider Interfaces (SPI) to fill customers' technical needs; otherwise custom code becomes a necessity.  This creates the risk of maintaining and upgrading Keycloak's environment.

Zitadel’s event-driven architecture enables organizations to customize workflows by responding to any authentication or audit event. The Zitadel platform’s [Session API](https://zitadel.com/docs/apis/v2) and Login Experience features offer extensive customization options for both functionality and branding to align with your organization’s requirements. As a fast-growing open-source company, Zitadel rapidly incorporates customer feedback through strategic partnerships and contributions on GitHub.

![](https://cdn.sanity.io/images/y3uu7rkl/production/e49d52a11a0387798a318d1eabcaf8d2d25adea4-1024x768.png)

## What’s Next for Zitadel: Development Priorities for 2025
Zitadel maintains a [public product roadmap](https://zitadel.com/roadmap) and operates with full transparency as an open-source platform. It includes significant feature releases planned for platform development and performance optimization in 2025.

* **Performance Optimization**: Comprehensive platform-wide performance enhancements that focus on core authentication service response times, API endpoint optimization across new and existing services, enhanced resource management efficiency, and improved system scalability. 
* **TypeScript Login with OIDC**: A new, highly customizable login interface for our customers, built in with [TypeScript and OpenID Connect](https://zitadel.com/blog/typescript-login) support. Self-hosting customers will soon be able to use the hosted login option with OIDC.
* **User Schema Management**: This feature offers [advanced user profile customization](https://github.com/zitadel/zitadel/issues/8140) enabling granular control over field management permissions between users and administrators. 
* **Configurable Caching System**: Beta release of [flexible caching](https://zitadel.com/docs/self-hosting/manage/cache) infrastructure supporting Redis integration for improved object lookup performance.
*  **SCIM Interoperability**: This is [the implementation](https://github.com/zitadel/zitadel/issues/8140) of System for Cross-domain Identity Management (SCIM) protocol for automated user provisioning, synchronization, and lifecycle management across external systems. 
*  **Actions Framework v2**: This feature offers [enhanced extensibility framework](https://github.com/orgs/zitadel/projects/6/views/1?pane=issue&itemId=50259306&issue=zitadel%7Czitadel%7C7235) supporting custom triggers and executions through API endpoints for advanced workflow customization. 
*  **User Group Authorization**: The implementation of [user group management](https://github.com/orgs/zitadel/projects/6/views/1?pane=issue&itemId=48898543&issue=zitadel%7Czitadel%7C5822) capabilities enable efficient authorization management at scale, expanding beyond individual user permissions. 

## Decision Framework: Selecting Zitadel for your Identity Needs
Zitadel is particularly suitable for organizations that prioritize these capabilities:

**Security and Control**:
Your organization requires complete control over infrastructure through self-hosting options, and you need robust data protection measures. Zitadel’s staff publish and fix security issues across the Zitadel ecosystem. Unlike Keycloak which is reliant on the good will of the community members. This presents the opportunity to feel confident in Zitadel's comprehensive audit trails that provide detailed long-term tracking of all authentication and authorization activities.

**Business Architecture**:
Zitadel excels in multi-tenant environments, making it ideal for organizations managing multiple client organizations or separate business units. Zitadel’s B2B-focused approach is designed to handle complex organizational relationships and hierarchies.

**Technology Philosophy**:
If your organization values open-source solutions, Zitadel offers full transparency and the ability to customize the platform to your needs. It is built on cloud-native and serverless principles, making it a natural fit for modern, scalable architectures.

**Community Engagement**:
As an open-source platform, Zitadel welcomes direct contributions from its user community. This means you can actively participate in improving the platform and adapting it to meet emerging needs in identity management.

## Let’s Make Your Identity Management Easier!
Transform your organization’s authentication and access control with Zitadel. Connect with our team to:
* Assess your current identity infrastructure needs
* Design a tailored implementation strategy
* Learn how to scale seamlessly as your organization grows

Book a consultation today to start your journey towards simplified, secure identity management.
<CTA
	label={'Book a Consultation'}
	href={'https://meetings-eu1.hubspot.com/jason-burkhead/zitadel-discovery-call'}
	external={false}
	layout={'primary'}
	noreferrer={false}
	align={'center'}
/>

*Please [share your feedback](mailto:hi@zitadel.com) to ensure this guide remains accurate and valuable for the community. Your insights help us maintain the quality and relevance of our documentation.*



Understanding why Zitadel best fits your organization in comparison to Keycloak will ensure a streamlined deployment and authentication experience for your organization and customers.

Zitadel vs. Keycloak: What makes Zitadel the best Keycloak alternative

Last week marked an incredible milestone for our team and community:
* We announced [Zitadel Version 3](https://zitadel.com/blog/zitadel-v3-announcement) 
* 🎉⭐️Zitadel crossed  10,000 stars on GitHub! 🎉⭐️ 

Achieving 10,000 stars on GitHub is more than just a number to us—it represents the trust, support, and enthusiasm of thousands of developers who believe in our vision for a modern identity platform.

Zitadel is the leading provider of cloud-native identity infrastructure solutions.  Its platform offers a comprehensive suite of tools for multi-tenant, authentication, authorization, and user management.  Designed for scalability, flexibility, and security, Zitadel empowers organizations to protect their cloud infrastructure and applications across the globe. 
### Our Journey to the first 10,000 stars
When we first launched Zitadel as an open-source project, we already embarked on a clear mission: to create a secure, scalable, and developer-friendly identity and access management platform that would simplify authentication and identity management for modern applications especially in multi-tenant scenarios. What began as a small team's passion project has blossomed into a thriving ecosystem of contributors, users, and advocates.
Our journey hasn't always been straightforward. From our initial commit to reaching our first 100 stars took a lot of dedication and persistence and we fully celebrated our first 1,000 stars as a major achievement, never imagining we'd be here today, announcing this new milestone that puts us among the top open-source identity projects globally.

![](https://cdn.sanity.io/images/y3uu7rkl/production/2acac30edb656e48d5734613f9a992662f9750ad-3628x940.png)

### Community Spotlight
None of this would have been possible without our incredible community. From the developer who fixed that critical bug at 2 AM to the companies that have built their entire identity infrastructure on Zitadel, every contribution has mattered for our ongoing success.

![](https://cdn.sanity.io/images/y3uu7rkl/production/4b0ce733f8e6d6f37ad78c9e772ce6e27afe9ecb-2116x1144.png)

-----

*“Zitadel powers our lab initiative by enabling rapid, secure prototyping with its modern, open source identity management platform. Its multi-tenant design and expansive ecosystem make it the ideal partner for testing our next-generation SaaS solutions, positioning itself as a dynamic alternative to traditional giants like Azure Active Directory. Backed by an engaged community and a forward-thinking team, Zitadel not only safeguards our ideas but also accelerates innovation across the board, ensuring that security remains our top priority. There is just no excuses to not using it :-)”
Florent Cenedese, Principal Solution Architect*

*“Zitadel’s domain expertise drives effortless scaling for startups and enterprises. Its event-driven, event-sourced architecture delivers robust scalability, extensibility, reliability, and thorough auditability—supported by a sustainable business model for the free and open source community”
Yordis Prieto, Principal Software Engineer*

-----

### Technical Evolution
Our codebase and architecture has evolved significantly since our initial release.  Our platform has transformed into a highly scalable, cloud-native platform that can handle millions of authentication requests while maintaining sub-100ms response times and we see this proven in customer hosting multiple millions of tenants in Zitadel.

Some of the most impactful technical achievements:
* Transitioning to resources based APIs for easier integration
* Implementing event sourcing as the basis for robust audit trails and event driven integrations with actions
* Updating actions into an extensibility framework that allows customer full control over each http request and event 
* Expanding our protocol support beyond OIDC and OAuth2 to include SAML, WebAuthn, SCIM and LDAP
* Building a comprehensive set of API that developers can even use to build their own login ui

We made all these improvements while maintaining our commitment to security—undergoing regular penetration testing and security audits to ensure we're providing a solution our users can trust with their most sensitive data.
### Lessons Learned
Building an open-source project at this scale has taught us valuable lessons:
* **Documentation matters deeply.** Some of our most appreciated contributions haven't been code but clear, thorough documentation that makes complex identity concepts accessible.
* **Community feedback is gold.** Our best features often came from community suggestions, and our most significant improvements stemmed from user feedback.
* **Balancing innovation with stability is an art.** We've learned to maintain a stable core while allowing for experimentation in new features.
* **Security is never "done."** We've built security into every aspect of our development process, from design to deployment.
* **Open source is about people, not just code.** Building relationships with our contributors and users has been as important as building the product itself.
### Looking Forward
Reaching this milestone matters beyond the satisfaction of seeing a big number on GitHub.  A developer-first, open-source identity solution is the future; it enables enterprises with a choice.  A choice between self-hosted or cloud solution, a choice between open source and commercial offering, and a choice between building and managing a custom-build platform vs. buying one that offers flexibility and control without the burden of engineering efforts.

In the identity space, this achievement puts Zitadel in the top tier of open-source projects—a significant accomplishment for a specialized security tool in a field dominated by much broader infrastructure projects.

While we're taking a moment to celebrate, we're even more excited about what's next in 2025:
* **Performance Optimization:** Comprehensive platform-wide performance enhancements that focus on core authentication service response times, API endpoint optimization across new and existing services, enhanced resource management efficiency, and improved system scalability. 
* **TypeScript Login with OIDC:** A new, highly customizable login interface for our customers, built in with [TypeScript and OpenID Connect](https://zitadel.com/blog/typescript-login) support. Self-hosting customers will soon be able to use the hosted login option with OIDC.
* **User Schema Management:** This feature offers [advanced user profile customization](https://github.com/zitadel/zitadel/issues/8140) enabling granular control over field management permissions between users and administrators. 
* **Configurable Caching System:** Beta release of [flexible caching](https://zitadel.com/docs/self-hosting/manage/cache) infrastructure supporting Redis integration for improved object lookup performance.  
* **SCIM Integration:** This is [the implementation](https://github.com/zitadel/zitadel/issues/8140) of System for Cross-domain Identity Management (SCIM) protocol for automated user provisioning, synchronization, and lifecycle management across external systems. 
* **Actions Framework v2:** This feature offers [enhanced extensibility framework](https://github.com/orgs/zitadel/projects/6/views/1?pane=issue&itemId=50259306&issue=zitadel%7Czitadel%7C7235) supporting custom triggers and executions through API endpoints for advanced workflow customization. 
* **User Group Authorization:** The implementation of [user group management](https://github.com/orgs/zitadel/projects/6/views/1?pane=issue&itemId=48898543&issue=zitadel%7Czitadel%7C5822) capabilities enable efficient authorization management at scale, expanding beyond individual user permissions.

Our vision remains consistent: to be the most developer-friendly, secure identity platform that grows with your needs from side project to scale-up.
### Thank You!
This milestone belongs to everyone who has been part of the Zitadel journey:
* Our 54 code contributors who have submitted everything from typo fixes to major feature implementations
* The companies who have sponsored development or provided resources
* The thousands of developers who have chosen Zitadel for their projects
* The investors who continue to support Zitadel’s growth and success 
* Everyone who has reported bugs, suggested improvements, or simply spread the word

### Join Us As We Build the Future of Identity
If you are not yet part of the Zitadel community, there has never been a better time to join:
* [Star us](https://github.com/zitadel/zitadel) on GitHub (if you haven't already!)
* Check out our [documentation](https://docs.zitadel.com/) to get started
* Join our [Discord community](https://zitadel.com/chat) to connect with other users and our team
* [Contribute](https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md) to the codebase—we welcome contributions of all sizes
* Join our [upcoming AMA](https://discord.gg/jRA3nhv8?event=1344022255759528027) with our CEO, Florian Dorster, on Discord

![](https://cdn.sanity.io/images/y3uu7rkl/production/494896893ec4af602036b3dae7b88f51050b0f05-800x320.png)

Whether you are building a personal project or enterprise-scale software, we are honored to help secure your applications and manage your users' identities.

Here's to the next 10,000 stars and beyond! 🚀

![](https://cdn.sanity.io/images/y3uu7rkl/production/ceb66bc9ab5d1dbc9bcc6b6183a73dcc2f16ae10-1200x627.png)




Zitadel Identity and Access Management (IAM) platform celebrates the milestone for the open source project reaching 10,000 github stars.

Thank you for 10,000 Stars!

At Zitadel, open source is more than just a development model; it's fundamental to our identity. We firmly believe in the power of community-driven development and the unparalleled innovation that it fosters. Our commitment to open source is unwavering, and as our project experiences significant growth, we are proactively adapting our approach to ensure Zitadel's enduring vibrancy and sustainability.

Today, we are sharing our decision to transition Zitadel to the GNU Affero General Public License (AGPL) 3.0. This decision reflects our dedication to providing a secure and transparent identity management platform while ensuring the project's long-term sustainability.
#### Why Open Source?
We strongly believe that the open source ethos provides significant value through increased transparency and security.  Unlike "security by obscurity," open source allows for inspection and verification.

Inspection allows you to thoroughly examine the code, verify the build pipeline, and ensure that the artifacts running in your environment originate from the authentic source while verification allows you to conduct "open-box" security testing, similar to the approach taken by G.E. ([1](https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x), [2](https://github.com/zitadel/zitadel/security/advisories/GHSA-hr5w-cwwq-2v4m), [3](https://github.com/zitadel/zitadel/security/advisories/GHSA-mq4x-r2w3-j7mr)), without needing to navigate complex hurdles.

To maintain these benefits and ensure Zitadel's continued development, we have chosen AGPL 3.0.  We often describe our philosophy as "Code or Contribution": to build a valuable project for everyone, we need either community contributions of time and effort, or the resources to hire people to invest their time. The AGPL 3.0 license allows us to strike a crucial balance by:
* Protecting our investment: It ensures that those who commercially leverage Zitadel, especially when offering it as a managed service, contribute back to the community by sharing their modifications.
* Encouraging community engagement: It keeps the core of Zitadel free and open source, actively promoting collaboration and innovation within our growing community.
#### Embracing Sustainability Through Reciprocity
Open source thrives when there is a healthy ecosystem of contribution.  After careful consideration, we believe AGPL 3.0 helps us foster this balance by strengthening the commons and supporting community collaboration.

Strengthening the commons ensures that improvements to Zitadel—especially when offered as a service, flow back to the community, and enriches the ecosystem for everyone.  And supporting community collaboration ensures that Zitadel remains free and open source, continuing to foster the collaborative spirit that has driven our growth.

We see this as embodying the spirit of "Code or Contribution"—recognizing that a healthy open source ecosystem needs either code contributions or support that enables us to sustain development.
#### What is Changing?
Core (our backend), Console, and the Hosted-Login are moving to AGPL 3.0

Proto Service Definitions, APIs, and SDKs remain under Apache 2.0 to avoid virality concerns

Examples, Docs, Helm-chart, Terraform remain under Apache 2.0, with documentation potentially moving to CC-BY-SA4

Contributor License Agreement (CLA): We will implement a CLA to ensure legal clarity.
#### What Remains the Same: Enhanced Security and Transparency
The value you receive from Zitadel remains the same: a secure and transparent product. 

With open source and the AGPL 3.0, you will continue to benefit from:
* **Enhanced Security:** Open source fosters a community-driven approach to identifying and addressing potential vulnerabilities. You aren't relying on "security by obscurity" but on the power of collaborative scrutiny. You can inspect the code, the pipeline, and verify the artifacts.
* **Transparency and Trust:** You have the freedom to inspect the codebase, ensuring that what you deploy is exactly what was built. This transparency builds trust and empowers you to conduct thorough security assessments. You can also do an "open-box" security testing approach without obstacles.
#### Choosing the License
We gave considerable thought to various licensing options before zeroing in on AGPL 3.0.
1. **Apache 2.0:** While this license has served us well and fostered wide adoption, we observed that it sometimes creates an imbalance where commercial use doesn't always lead to reciprocal contribution.
2. **Open Core:** While popular, this approach often creates complex boundaries between open and proprietary features.  Even mature projects like GitLab have faced challenges with this model.
3. **Source-available:** These licenses limit certain freedoms that we believe are important to our mission of providing accessible security tools.
4. **Proprietary:** This would fundamentally conflict with our open source values and community focus.

AGPL 3.0 provides a balanced path forward that preserves the openness we value while encouraging a sustainable ecosystem around Zitadel.
#### Why Now?
2024 has been a remarkable year for Zitadel's growth, both as an open source project and as a solution for organizations of all sizes.  This success brings responsibility—to ensure that Zitadel can continue to evolve and innovate for years to come.

We observed that our current licensing approach sometimes enables using Zitadel's value without corresponding contribution back to its sustainability.  This transition aims to create a balanced relationship that ensures Zitadel's long-term health for everyone's benefit.
#### Understanding AGPL 3.0 in Practice
We want to be clear about how we interpret AGPL 3.0:
* **API usage:** Using Zitadel's APIs without modifying the code doesn't trigger reciprocal requirements.
* **Derivative works:** Creating derivatives using AGPL 3.0 components requires sharing those works under the same license.
* **Distribution:** Sharing unmodified Zitadel is generally permissible.
*Disclaimer: This information is not legal advice. We encourage consulting with your legal counsel for your specific use case.*
#### Commercial Licensing Options
We understand that AGPL 3.0 may not align with every organization's needs.  For those scenarios, we are offering commercial licensing options with additional flexibility, including a free tier.  Please [contact us](mailto:product@zitadel.com) to discuss these alternatives.

We believe this evolution will help Zitadel flourish as a sustainable open-source project, continuing to provide robust and secure identity management solutions that benefit the entire community.
#### The How
We are committed to a thoughtful and transparent transition through clear communication and gradual implementation. 

We will keep our community informed throughout the process with clear and consistent communications.  We will continue to update these [FAQs](https://zitadel.com/license-faq); however, you can also contact us [via email](mailto:product@zitadel.com), on [GitHub](https://github.com/zitadel/zitadel/discussions/9529), or on [Discord](http://zitadel.com/chat) at any time.

With gradual implementation, only new code contributions will use AGPL 3.0 while existing code remains under its original license.

Our goal is to ensure that your questions and concerns are resolved and you have a clear transition path to adopt the license change.
#### Timeline
The license change will take effect with the official release of Zitadel v3.0, scheduled for March 31, 2025.  All previous versions will maintain their original licensing terms.
#### Questions and Support
We will continue to publish and update a Q&A resource during our transition to address common questions about how this might affect different projects and use cases. Please [reach out to us](mailto:product@zitadel.com) with any questions at any time.

I will also be [hosting an AMA (ask me anything) session](https://discord.com/events/927474939156643850/1344022255759528027) on Discord on **March 25 at 15:00 UTC |  08:00 US Pacific** to help answer questions from the community.

We are committed to ensuring Zitadel's long-term sustainability as a leading open-source identity management platform. This license change is a significant step toward that goal, allowing us to continue delivering a secure, transparent, and innovative product.

Zitadel aims to build a sustainable ecosystem and business as it continues to stay committed to open with a license change from Apache 2.0 to AGPL 3.0.