Python Client

This guide covers the official Zitadel Management API Client for Python (3.9+), which allows you to programmatically manage resources in your Zitadel instance.

info

This is a Management API Client, not an Authentication SDK.

This library is designed for server-to-server communication to manage your Zitadel instance (e.g., creating users, managing projects, and updating settings). It is not intended for handling end-user login flows in your web application. For user authentication, you should use a standard OIDC library with your Python framework of choice, such as mozilla-django-oidc for Django or Authlib for Flask.

The Zitadel Python Client provides an idiomatic way to access the full gamut of Zitadel's v2 Management APIs from your Python backend.

Please be aware that this client library is currently in an incubating stage. While it is available for use, the API and its functionality may evolve, potentially introducing breaking changes in future updates. We advise caution when considering it for production environments.

Installation

You can add the client library to your project using pip:

pip install --pre zitadel-client

Using the SDK

Your SDK offers three ways to authenticate with Zitadel. Each method has its own benefits—choose the one that fits your situation best.

1. Private Key JWT Authentication

What is it? You use a JSON Web Token (JWT) that you sign with a private key stored in a JSON file. This process creates a secure token.

When should you use it?

• Best for production: It offers strong security.
• Advanced control: You can adjust token settings like expiration.

How do you use it?

1. Save your private key in a JSON file.
2. Use the provided method to load this key and create a JWT-based authenticator.

Example:

import zitadel_client as zitadel
from zitadel_client.exceptions import ApiError
from zitadel_client.models import (
    UserServiceAddHumanUserRequest,
    UserServiceSetHumanEmail,
    UserServiceSetHumanProfile,
)

zitadel = zitadel.Zitadel.with_private_key("https://example.us1.zitadel.cloud", "path/to/jwt-key.json")

try:
    request = UserServiceAddHumanUserRequest(
        username="john.doe",
        profile=UserServiceSetHumanProfile(
            givenName="John",
            familyName="Doe"
        ),
        email=UserServiceSetHumanEmail(
            email="john@doe.com"
        ),
    )
    response = zitadel.users.add_human_user(request)
    print("User created:", response)
except ApiError as e:
    print("Error:", e)

2. Client Credentials Grant

What is it? This method uses a client ID and client secret to get a secure access token, which is then used to authenticate.

When should you use it?

• Simple and straightforward: Good for server-to-server communication.
• Trusted environments: Use it when both servers are owned or trusted.

How do you use it?

1. Provide your client ID and client secret.
2. Build the authenticator

Example:

import zitadel_client as zitadel
from zitadel_client.exceptions import ApiError
from zitadel_client.models import (
    UserServiceAddHumanUserRequest,
    UserServiceSetHumanEmail,
    UserServiceSetHumanProfile,
)

zitadel = zitadel.Zitadel.with_client_credentials("https://example.us1.zitadel.cloud", "id", "secret")

try:
    request = UserServiceAddHumanUserRequest(
        username="john.doe",
        profile=UserServiceSetHumanProfile(
            givenName="John",
            familyName="Doe"
        ),
        email=UserServiceSetHumanEmail(
            email="john@doe.com"
        ),
    )
    response = zitadel.users.add_human_user(request)
    print("User created:", response)
except ApiError as e:
    print("Error:", e)

3. Personal Access Tokens (PATs)

What is it? A Personal Access Token (PAT) is a pre-generated token that you can use to authenticate without exchanging credentials every time.

When should you use it?

• Easy to use: Great for development or testing scenarios.
• Quick setup: No need for dynamic token generation.

How do you use it?

1. Obtain a valid personal access token from your account.
2. Create the authenticator with: PersonalAccessTokenAuthenticator

Example:

import zitadel_client as zitadel
from zitadel_client.exceptions import ApiError
from zitadel_client.models import (
    UserServiceAddHumanUserRequest,
    UserServiceSetHumanEmail,
    UserServiceSetHumanProfile,
)

zitadel = zitadel.Zitadel.with_access_token("https://example.us1.zitadel.cloud", "token")

try:
    request = UserServiceAddHumanUserRequest(
        username="john.doe",
        profile=UserServiceSetHumanProfile(
            givenName="John",
            familyName="Doe"
        ),
        email=UserServiceSetHumanEmail(
            email="john@doe.com"
        ),
    )
    response = zitadel.users.add_human_user(request)
    print("User created:", response)
except ApiError as e:
    print("Error:", e)

---

Choose the authentication method that best suits your needs based on your environment and security requirements. For more details, please refer to the Zitadel documentation on authenticating service users.

Versioning

The client library's versioning is aligned with the Zitadel core project. The major version of the client corresponds to the major version of Zitadel it is designed to work with. For example, v2.x.x of the client is built for and tested against Zitadel v2, ensuring a predictable and stable integration.

Resources

• GitHub Repository: For source code, examples, and to report issues.
• PyPI Package: The official package artifact for pip.