Open-source identity management with built-in multi-tenancy and audit logging
ZITADEL is a Swiss open-source identity infrastructure platform designed for cloud-native applications. Founded in St. Gallen in 2019, it provides authentication, authorization, and user management with built-in multi-tenancy, making it particularly suited for B2B SaaS applications that need to manage multiple customer organisations.
Headquarters: St. Gallen, Switzerland
Founded: 2019
EU Data Hosting: Yes
Employees: 11-50
Open Source: Yes
Pricing: Free, Pay-as-you-go, Contact Sales
Billing: pay-as-you-go, custom-enterprise
The history of enterprise identity management is largely a story of retrofitting. Platforms built in the early 2000s for single-tenant corporate directories were gradually extended with APIs, multi-factor authentication, and SaaS-era features. The architecture underneath rarely changed. When cloud-native B2B SaaS emerged as a dominant software model — where a single application serves hundreds of customer organisations, each with its own users, permissions, and policies — those retrofitted platforms struggled. Multi-tenancy became a source of complexity, not a first-class feature.
ZITADEL was founded in 2019 in St. Gallen, Switzerland with a different starting point. The founders — drawing on experience building identity infrastructure for enterprise clients — designed ZITADEL for multi-tenancy from day one. Every architectural decision, from the data model to the API design, reflects the assumption that a single ZITADEL instance will serve many independent organisations, each with potentially different authentication policies, branded login experiences, and delegated administration hierarchies.
The result is an open-source identity infrastructure platform that covers authentication (OIDC, SAML, passkeys, MFA), authorisation, and user management, with built-in multi-tenancy that B2B SaaS companies can deploy without building custom organisation management layers. CAOS Ltd., the company behind ZITADEL, raised a Series A of $15.5M and operates cloud infrastructure in EU, Swiss, US, and Australian regions — reflecting the global demand for sovereignty-conscious identity tooling.
The distinction between a platform with multi-tenancy support and one built for multi-tenancy becomes apparent when you examine ZITADEL's organisation model. Each "organisation" in ZITADEL is a first-class entity with its own user pool, authentication policies (password rules, MFA requirements, allowed social providers), login UI branding, and role assignments. An administrator at the platform level can set defaults; an organisation administrator can override them within allowed bounds.
For a B2B SaaS company, this maps directly to the customer-tenant model: each customer organisation gets isolated user management, their own SSO configuration, and delegated admin access — without the SaaS vendor needing to build a custom organisation management system from scratch. Auth0 and Okta offer multi-tenancy but typically require multiple tenants to be represented as separate Auth0 applications or organisations, with the complexity of cross-tenant policy management left to the integrating team. ZITADEL's model is more opinionated and more complete.
ZITADEL uses event sourcing as its persistence architecture: every mutation to a user, organisation, policy, or credential is written as an immutable event to an append-only log. The current state of any entity is derived by replaying its event history. This has two significant compliance implications.
First, the audit log is not a supplementary feature — it is the primary data store. Every login, every policy change, every user creation or deletion is captured with full context and cannot be retroactively modified. For organisations subject to SOC 2 Type II, ISO 27001, or regulatory audits, this removes a common gap: the audit trail exists by design rather than by configuration.
Second, the event log is API-accessible and streamable via webhooks to external SIEM systems (Splunk, Elastic, and others). Security teams can centralise identity events alongside application and infrastructure logs without building custom extraction pipelines.
ZITADEL supports the full stack of modern identity protocols without requiring additional modules or licences. OpenID Connect and OAuth 2.0 cover application authentication and authorisation; ZITADEL's OIDC implementation is certified by the OpenID Foundation, which matters when selecting an identity provider for regulated environments. SAML 2.0 covers SSO integrations with legacy enterprise applications. SCIM 2.0 handles automated user provisioning and deprovisioning from HR systems.
Passkeys (FIDO2/WebAuthn) are supported natively for passwordless authentication. Users can register a passkey on any FIDO2-capable device — Face ID, Touch ID, Windows Hello, or a hardware security key — and authenticate without passwords. For B2B SaaS platforms with security-conscious enterprise customers, offering passkey authentication via ZITADEL requires no additional configuration beyond enabling the option in the organisation policy.
Actions are ZITADEL's extensibility mechanism: small JavaScript functions that execute during defined points in the authentication flow. An Action can run at login time to enrich the token with data from an external service, enforce custom business logic before registration, or trigger downstream processes on user creation. This is analogous to Auth0's Rules and Hooks, but running inside ZITADEL's event pipeline rather than as a separate serverless function.
The practical use case for B2B SaaS is token enrichment: adding organisation-specific claims, subscription status, or entitlement data to OIDC tokens so that application backends can make authorisation decisions without additional API calls on each request.
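An added example of the token-enrichment pattern described above (not ZITADEL's own code): an Action for the "Complement token" flow that copies the user's project-role grants into a custom claim, plus the resource-server check that consumes it. The Action API surface used (ctx.v1.user.grants, api.v1.claims.setClaim) follows ZITADEL's published Action examples; the claim name "app_roles", the stub context in runAction and the sample grants are constructed for this demonstration.

```javascript
// Added example (not ZITADEL's own code). Runs in the "Complement token" flow,
// before access-token / userinfo creation, and sets one custom claim.
// Assumed from ZITADEL's Action examples: ctx.v1.user.grants and
// api.v1.claims.setClaim. The claim name "app_roles" is our own choice.
function enrichToken(ctx, api) {
  const grants = ctx.v1.user.grants;
  // Emit no claim at all when the user holds no project grants, so that an
  // absent claim is unambiguous for the resource server.
  if (grants === undefined || grants.count === 0) {
    return;
  }
  const roles = new Set();
  grants.grants.forEach((grant) => grant.roles.forEach((role) => roles.add(role)));
  // De-duplicated and sorted so the claim is stable across token issuances.
  api.v1.claims.setClaim('app_roles', [...roles].sort());
}

// Resource-server side: decide from the token's claims alone, with no
// round-trip to ZITADEL per request. Fails closed when the claim is absent
// or malformed.
function authorize(claims, requiredRole) {
  const roles = claims.app_roles;
  return Array.isArray(roles) && roles.includes(requiredRole);
}

// Constructed stand-in for the ctx/api objects ZITADEL passes to an Action,
// so enrichToken can be exercised outside ZITADEL. Returns the claims the
// Action would have set on the token.
function runAction(action, grants) {
  const claims = {};
  const ctx = { v1: { user: { grants } } };
  const api = { v1: { claims: { setClaim: (key, value) => { claims[key] = value; } } } };
  action(ctx, api);
  return claims;
}

// Constructed sample: a user granted roles in two projects, one role repeated.
const SAMPLE_GRANTS = {
  count: 2,
  grants: [
    { projectId: 'project-a', roles: ['viewer', 'editor'] },
    { projectId: 'project-b', roles: ['viewer'] },
  ],
};

const demoClaims = runAction(enrichToken, SAMPLE_GRANTS);
console.log(demoClaims);                      // { app_roles: [ 'editor', 'viewer' ] }
console.log(authorize(demoClaims, 'editor')); // true
console.log(authorize(runAction(enrichToken, { count: 0, grants: [] }), 'viewer')); // false
```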
ZITADEL's self-hosted option runs the same codebase as ZITADEL Cloud, deployed via Docker or Kubernetes, with no feature limitations. All authentication protocols, multi-tenancy, audit logging, and management APIs are available on self-hosted deployments. For organisations with strict data sovereignty requirements — financial services, healthcare, government — this means deploying production-grade identity infrastructure without routing authentication events through a third-party cloud.
The open-source licence (Apache 2.0) means no per-user fees, no expiring trial licences, and no vendor dependency. A Kubernetes Operator and Terraform provider are available for infrastructure-as-code management of ZITADEL deployments.
ZITADEL's pricing model reflects its open-source roots. Self-hosting is free under Apache 2.0 — there are no user limits, instance limits, or feature gates. This is the strongest value proposition for organisations with the infrastructure capacity to self-host and the compliance need for full data sovereignty.
For teams that prefer managed infrastructure, ZITADEL Cloud Free provides a single instance with unlimited monthly active users (MAUs) in the US region at no cost. The Pro tier unlocks EU and Swiss region selection (essential for GDPR data residency), custom domains, and multiple instances, on a pay-as-you-go basis per MAU. Enterprise agreements provide custom pricing, dedicated SLAs, and onboarding support for organisations with specific contractual or compliance requirements.
The competitive comparison is stark: Auth0's free tier caps at 7,500 MAUs before per-user charges begin, which can reach several thousand dollars monthly at enterprise scale. ZITADEL's self-hosted path eliminates the per-user cost entirely. Even on ZITADEL Cloud, the pay-as-you-go model is more transparent than Auth0's tiered pricing, which includes platform fees and MAU charges that compound at scale.
Switzerland's data protection framework is recognised by the European Commission as providing an adequate level of protection under GDPR's adequacy decision mechanism. CAOS Ltd., the legal entity behind ZITADEL, operates under Swiss law, and ZITADEL Cloud provides explicit data residency choice: EU (Frankfurt), Switzerland (Zurich), US (Virginia), and Australia.
For GDPR-subject organisations, choosing the EU or CH region means end-user authentication data — login events, user records, credentials — is stored within GDPR jurisdiction without requiring additional SCCs or transfer impact assessments. ZITADEL maintains a Trust Center and provides data processing agreements for cloud customers.
The event-sourced architecture has a direct compliance benefit: the audit log's immutability satisfies the integrity and non-repudiation requirements in frameworks like SOC 2 Type II and ISO 27001. The ability to stream events to external SIEM systems means compliance teams can work with identity audit data in their existing toolchain rather than logging into a separate admin console.
Self-hosted deployments offer the strongest compliance posture: no authentication data leaves the organisation's infrastructure, DPA relationships with third parties are minimised, and the organisation controls every aspect of data retention, encryption, and access logging.
B2B SaaS companies building multi-tenant products where each customer organisation needs isolated user management, SSO configuration, and delegated admin access. ZITADEL's native organisation model eliminates the need to build a custom tenant management layer.
Security and compliance-focused teams that need immutable audit logging, SOC 2 readiness, and the ability to stream identity events to external SIEM systems. The event-sourced architecture makes ZITADEL a natural fit for regulated industries.
Infrastructure teams that prefer self-hosted identity infrastructure with no per-user costs or vendor dependency. The Apache 2.0 licence, Terraform provider, and Kubernetes Operator make ZITADEL compatible with modern GitOps workflows.
European software companies that want an authentication provider under European (Swiss) jurisdiction with explicit EU or CH data residency — without the compliance overhead of using US-based identity platforms.
ZITADEL is not ideal for teams that need a simple, fast-to-configure auth solution for a single-tenant consumer application. In that context, the multi-tenancy features add complexity without benefit, and platforms like Hanko (for passkey-first auth) or simpler OIDC libraries may be more appropriate.
ZITADEL occupies a specific and well-defined niche: open-source identity infrastructure for B2B SaaS companies that need multi-tenancy by design, comprehensive audit logging, and European data sovereignty. On those dimensions, it outperforms Auth0, Okta, and Keycloak alike. The tradeoff is configuration depth — ZITADEL requires more upfront investment than managed identity services, and the ecosystem of third-party guides is still smaller than for its US-based counterparts.
ZITADEL scores 8.1/10 overall, with standout marks for value for money (9.0/10) and EU compliance (9.5/10) — the highest EU compliance score in the identity-authentication category. Feature depth reaches 8.5/10, integration ecosystem 7.5/10, and ease of use 6.5/10, which honestly reflects the configuration investment required before first deployment.
With a Series A behind it and active development across protocols, features, and managed cloud regions, ZITADEL's trajectory is positive. For B2B SaaS companies planning identity infrastructure that will scale to enterprise customers with real compliance requirements, the investment in understanding ZITADEL pays back considerably.
Yes. ZITADEL (CAOS Ltd.) is headquartered in Switzerland, which the European Commission recognises as providing an adequate level of data protection. ZITADEL Cloud allows data to be stored in EU or Swiss regions, and self-hosting eliminates any cross-border data transfer entirely.
Yes. ZITADEL is open-source under the Apache 2.0 licence. The self-hosted version is fully featured, has no user or instance limits, and is free to use. You pay only for your own infrastructure.
ZITADEL is open-source with built-in multi-tenancy designed for B2B SaaS, while Auth0 is a US-based closed-source platform owned by Okta. ZITADEL's self-hosting eliminates per-user costs that make Auth0 expensive at scale. Auth0 has a larger ecosystem and more polished documentation; ZITADEL offers stronger data sovereignty and a more natural multi-tenant architecture.
Yes. ZITADEL supports passkey authentication via FIDO2/WebAuthn natively. Passkeys can be used as the primary authentication method alongside TOTP, SMS OTP, and social login.
ZITADEL supports OpenID Connect (OIDC), OAuth 2.0, SAML 2.0, and SCIM 2.0 for user provisioning. The OIDC implementation is certified by the OpenID Foundation.