
ZITADEL Cloud Production Checklist

This checklist is specifically designed for teams deploying on ZITADEL Cloud. Following these steps ensures your managed instance is resilient, branded and recovery-ready.

Self-Hosting ZITADEL: If you are managing your own infrastructure, this list does not cover host-level concerns such as database maintenance, high availability, or TLS termination. Refer to the Self-Hosting Production Guide for infrastructure-specific requirements.

Infrastructure

Prioritize environment isolation to prevent development testing from impacting live users.

  • Multi-Instance Isolation: Never test configurations in production. Use the ZITADEL Customer Portal to spin up dedicated instances for dev, test, and prod.
  • Custom Domain Implementation: Configure a custom domain (e.g., auth.yourdomain.com) to ensure brand consistency and to avoid problems with domain-bound authentication methods such as passkeys.
  • Production SMTP Server: Replace the default ZITADEL Email Provider with your own SMTP provider (SendGrid, Postmark, Google, Microsoft, etc.) for reliable delivery of MFA codes and welcome emails.
  • Verified Sender Identity: Ensure the "From" address matches your custom domain and has valid SPF/DKIM/DMARC records to prevent emails from landing in spam.
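As an added pre-flight check for the Verified Sender Identity item (example code, not part of the ZITADEL docs or tooling): given the TXT records published for the sender domain, confirm that the From address is aligned with the custom domain and that SPF, DKIM and DMARC are present and enforcing. The domain, provider host and DKIM selector `s1` are constructed assumptions; in practice the records would come from a DNS resolver rather than the inline dictionary.

```python
import re

# Constructed sample TXT records for a hypothetical custom domain; not real DNS data.
SAMPLE_TXT = {
    "example-corp.com": ["v=spf1 include:_spf.example-provider.net -all"],
    "_dmarc.example-corp.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.com"],
    "s1._domainkey.example-corp.com": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}

def parse_tags(txt):
    """Split a 'k=v; k=v' style record (DMARC or DKIM) into a lowercase tag map."""
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in txt.split(";") if "=" in p)}

def check_sender_identity(from_address, custom_domain, dkim_selector, txt_by_name):
    """Return a list of findings; an empty list means the checklist item passes.
    txt_by_name maps a DNS name to the TXT strings published under it.
    Only the exact From domain is checked; DMARC's organizational-domain
    fallback for subdomains is not modelled here."""
    findings = []
    custom_domain = custom_domain.lower()
    domain = from_address.rsplit("@", 1)[-1].lower()
    # Alignment: the From domain must be the custom domain or a subdomain of it.
    if domain != custom_domain and not domain.endswith("." + custom_domain):
        findings.append(f"From domain {domain} is not aligned with {custom_domain}")
    # SPF: exactly one v=spf1 record, ending in a restrictive 'all' mechanism.
    spf = [t for t in txt_by_name.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected one SPF record on {domain}, found {len(spf)}")
    elif not re.search(r"\s[~-]all$", spf[0].strip()):
        findings.append("SPF record must end with ~all or -all")
    # DKIM: the selector your SMTP provider gave you must publish a public key (p=).
    dkim_name = f"{dkim_selector}._domainkey.{domain}"
    if not any(parse_tags(t).get("p") for t in txt_by_name.get(dkim_name, [])):
        findings.append(f"no DKIM public key published at {dkim_name}")
    # DMARC: one record with an enforcing policy (quarantine or reject).
    dmarc = [parse_tags(t) for t in txt_by_name.get(f"_dmarc.{domain}", [])
             if t.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"expected one DMARC record at _dmarc.{domain}, found {len(dmarc)}")
    elif dmarc[0].get("p", "none") not in ("quarantine", "reject"):
        findings.append(f"DMARC policy p={dmarc[0].get('p', 'none')} does not enforce")
    return findings

if __name__ == "__main__":
    for f in check_sender_identity("noreply@example-corp.com", "example-corp.com", "s1", SAMPLE_TXT):
        print("FAIL:", f)
```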

Account Lockout & Access Lost Prevention

Eliminate Single Points of Failure (SPOF) for administrative access.

  • Secondary Administrator: Invite at least one other trusted team member as a Customer Portal Administrator and as an IAM Owner in each of your ZITADEL instances.
    • Why: This prevents a single point of failure. If your primary account is locked out (e.g., after losing a passkey or MFA device), the secondary admin can restore your access.
  • Diverse MFA Methods: Ensure your administrators enroll multiple MFA methods (e.g., one on a YubiKey, one on an Authenticator app) to maximize recovery options.
  • Backup Service Account: Create a dedicated service account that holds administrative roles (IAM_OWNER) and issue a Personal Access Token (PAT) for it.
    • Why: If a misconfigured "Action" or a CSS error breaks the Management Console UI, you can still revert changes or manage the instance directly via the ZITADEL Management API using this PAT.

ZITADEL Setup and Configuration

Finalize the user experience and security policies before going live.

  • Branding: Apply your logo, colors and fonts via Custom Branding if required.
  • SMS Provider: Set up an SMS service such as Twilio if needed.
  • Terms of Service & Privacy Links: Set your privacy policy, terms of service and help links if needed.
  • Security Policy Audit: Review your Login Policy and Password Complexity settings.
  • Token & Session Lifetimes: Audit your OIDC Token settings to ensure they match your application's security needs.
