Skip to main content

Production Checklist

To apply best practices to your production setup we created a step by step checklist you may wish to follow.

Infrastructure Configuration

  • make use of configmanagement such as Terraform to provision all of the below
  • use version control to store the provisioning
  • use a secrets manager to save your sensible informations
  • reduce the manual interaction with your platform to an absolute minimum

HA Setup

  • High Availability for ZITADEL containers
    • use container orchestrator such as Kubernetes or
    • use serverless architecture such as Knative or a hyperscaler equivalent (e.g. CloudRun from Google)
    • separate zitadel init and zitadel setup for fast startup times when scaling ZITADEL
  • High Availability for database
    • follow the Production Checklist for CockroachDB if you selfhost the database or use CockroachDB cloud
    • configure backups on a regular basis for the Database
    • test a restore scenario before going live
    • secure database connections from outside your network and/or use an internal subnet for database connectivity
  • High Availability for critical infrastructure components (depending on your setup)


  • Use a Layer 7 Web Application Firewall to secure ZITADEL that supports HTTP/2
    • secure the access by IP if needed
    • secure the access by rate limits for specific endpoints (e.g. API vs frontend) to secure availability on high load. See the ZITADEL Cloud rate limits for reference.
    • doublecheck your firewall for IPv6 connectivity and change accordingly

ZITADEL configuration

  • configure a valid SMTP Server and test emails
  • Add Custom Branding if required
  • configure a valid SMS Service such as Twilio if needed
  • configure your privacy policy, terms of service and a help Link if needed
  • secure your masterkey
  • declare and apply zitadel configuration using the zitadel terraform provider


  • use a FQDN and a trusted valid certificate for external TLS connections
  • make use of different service accounts to secure ZITADEL within your hyperscaler or Kubernetes
  • make use of a CDN service if needed to ease maintainability and firewall/DNS/WAF configuration
  • make use of a security scanner to test your application and cluster


Use an appropriate monitoring solution to have an overview about your ZITADEL instance. In particular you may want to watch out for things like:

  • CPU and memory of ZITADEL and the database
  • open database connections
  • running instances of ZITADEL and the database
  • latency of requests
  • requests per second
  • requests by URL/endpoint
  • lifetime of TLS certificates
  • ZITADEL and database logs
  • ZITADEL metrics