ZITADEL

ZITADEL - Identity infrastructure, simplified for you.

questions-help-bugs

product-feedback-requests

Bulk import

Dear Zitadel team, I'm currently exploring the bulk import functionality with the goal of migrating users from my existing system to Zitadel. I'm leveraging the feature to send an initialization email to users, which is very helpful. However, I've noticed that once a user completes the initialization process, they are directed to the Zitadel user page. My objective is to guide the user seamlessly from the initialization email directly to our application after they've completed the setup, rather than having them land on the Zitadel user page, which could be confusing....

Sharing an organization from production to preproduction instance?

Is it possible to log into a preproduction instance of zitadel with the login credentials from an organization in the production instance? I'd like to avoid duplicating data for the internal staff organization and have all the other orgs different between the instances (customer data).

Register using phone number

Dear team, I'm looking to implement a feature where users can register using their phone number instead of an email and password. I'd like to ask whether this is technically feasible and what the best way to approach it would be....

Multiple Identity Providers across different organizations

Guys, can we show only the organization's identity providers on the login page based on the URL that's being called? I added custom domains to my instance (so I can access it through iam.domain.com, client1.iam.domain.com, client2.iam.domain.com, etc.), but when I access the login page I can only see the default identity provider that was configured on the default org. For example, I see that we have this in the docs (screenshots attached of everything), and I configured 3 different IdPs throughout my orgs, but any custom domain that I use to try to log in shows me only Zitadel's configured IdP. Is it possible to configure it this way?...

SAML response is not accepted by Zitadel?

I have configured an EntraID SAML organization in zitadel. I have set up an action on external post authenticate. When I print the following values ``` let logger = require("zitadel/log"); ...

4.0.0-rc.2 - V2 Login Issues

I am running Zitadel as a Docker container and it runs nicely. However, for some reason the Login V2 never works for me, even on a fresh setup. I always run into "status_code: 5, Not found". Version 3.3.1 on the other hand works flawlessly for me, which still uses v1. If I enable v2 for an app in 3.3.1 I run into the same issue as I do now with 4.0.0-rc.2. Am I missing some crucial configuration somewhere? Here is my minimal zitadel service: ``` zitadel:...

Role field scope in token introspection

Hi Zitadel team, I have some questions about the token introspection endpoint for OIDC. I have a setup in Zitadel with two projects, let's name them project A and B. I would like to design the "shared role" for every project in the organization in project A and access it via token introspection from the API application in project B, because it's possible to have more additional roles in project B. Currently, the token introspection endpoint for OIDC only returns roles from the current project and ignores roles from other projects in the audience field. Is it possible for the token introspection endpoint to access roles from an external project that the API key does not reside in, especially in the audience field?...

Issue with Cloud Account Creation - Can't create an email support ticket without logging in

Hi Zitadel, I'm brand new to your platform and I'm having immediate issues with the account onboarding. There was an error message during the initial account creation, immediately after the GitLab SSO auth step. Now, I'm unable to login: Error image attached from the following URL: https://zitadel.cloud/ui/login/login?authRequestID=329153918942585249...

How to query project users belonging to a certain role

Hi, I'm trying to write a Zitadel backend for the Apricot project (An LDAP proxy for OIDC backends), but I'm running into some API limitations that I am hoping you could potentially assist with. I am making a couple (unqualified) assumptions about both Zitadel and LDAP (as I'm inexperienced with both, please let me know if I'm completely off chart here):...

Service User - Oauth token fetch Fails with 500 Internal Error

Use-case: A multitenant SaaS solution where a tenant superuser can manage users from their own application through the SaaS platform. The Admin API will be handled via my Service account and it will manage the users on the super user's request
Environment: Zitadel Cloud
Version: V2 (for the Admin API requests)
Stack: Python + React ...

Search Organization Metadata API Not Found

Hello, it seems that searching Organization Metadata is deprecated with the following API: https://zitadel.com/docs/apis/resources/mgmt/management-service-list-org-metadata ...

SSO + Password users?

Hello, our customer wants to have their staff use SSO to login and their customers use password login. We don't want to enable account creation as we need to create accounts via our own portal. The problem is that SSO users are being prompted to set passwords upon logging in (we create them first with emails) so they can link their SSO to the users we created. We want to link them to their emails but not need passwords if that makes sense? Any tips?

Protocol error: missing status

Hi, I followed the documentation, but I'm encountering an error when accessing the app. API URL: https://auth.heykernel.com...

Zitadel hanging due to freshrss config

I'm using Zitadel to secure almost all my self-hosted applications. Everything is hosted in Docker containers, Zitadel included. I'm encountering a problem with FreshRSS, a feed aggregator app allowing OIDC (https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html): After a while, and I don't have any logs for now, Zitadel hangs then fails with a gateway timeout error. I need to restart the FreshRSS app so Zitadel can work again. The app in Zitadel is configured in POST mode with refresh token enabled. The same setup works with other apps....

Ask the user to re-accept the privacy policy when it changes

Hi everyone. I have set up a privacy policy using external links and everything works fine, the user is asked for consent when logging in. But if the privacy policy changes, I will have to ask the user to accept it again. Is it possible to achieve this using only Zitadel or do I need to change the logic of the application?

Forced MFA but root user doesn't have it

I enabled MFA forcing for local users but my sole local admin user, zitadel-admin@zitadel.zitadel.<mydomain>, doesn't have it so when I try to login I get Errors.Login.LoginPolicy.MFA.ForceAndNotConfigured and am now locked out.

custom login html or background

Can I change the html of the login page or set a picture as the background? My instance has no passwords (except for the root account) and has no mfa (all users are federated). I want to change the login page to use USWDS or at least change the background picture

How to create basic auth needed for /oauth/v2/token API

I am trying to figure out how to use the token exchange endpoint documented on https://zitadel.com/docs/guides/integrate/token-exchange#impersonation-by-user-id-example The examples use curl with the -u parameter for basic auth. But I cannot find anywhere how to generate this basic auth user:password pair. The Zitadel project in the admin UI has an Auth API Application app, but it only supports generating a private key JSON, and I can only find docs on how to generate a JWT from this, not a user:password for basic auth....
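The `-u user:password` in the linked curl examples is ordinary OAuth 2.0 HTTP Basic client authentication (RFC 6749 section 2.3.1): the client ID and client secret are percent-encoded, joined with a colon and base64-encoded. The helper below is an added example, not Zitadel's code or the documentation's; it assumes the credential pair comes from an API application whose authentication method is "Basic" (client ID plus generated client secret) rather than the private-key JWT method the post mentions, and it assumes the subject token type for impersonation by user ID is the one named in the guide the post links to. The endpoint URL, client ID, secret and user ID are made up, and nothing is sent over the network: the request is assembled and then decoded again the way a token server would decode it.

```python
"""Assemble an RFC 8693 token-exchange request with HTTP Basic client
authentication for a token endpoint such as Zitadel's /oauth/v2/token.

Added example, not Zitadel's code. Runs offline: the request is only built
and decoded, never sent."""
from __future__ import annotations

import base64
from urllib.parse import parse_qs, quote, unquote, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"  # RFC 8693
# Assumption: Zitadel's subject token type for impersonation by user ID, as
# named in the token-exchange guide referenced above.
ZITADEL_USER_ID_TOKEN_TYPE = "urn:zitadel:params:oauth:token-type:user_id"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic client authentication per RFC 6749 section 2.3.1.

    Both values are percent-encoded before being joined, so a client ID such
    as 123456@myproject goes over the wire as 123456%40myproject and a secret
    containing '%' or '+' is not corrupted when the server form-decodes it.
    `curl -u` sends the pair raw, which only matches this for values that
    contain no reserved characters.
    """
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def decode_basic_auth_header(header: str) -> tuple[str, str]:
    """Inverse of basic_auth_header: what the token endpoint recovers."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token, validate=True).decode("ascii")
    user, sep, secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator in Basic credential")
    return unquote(user), unquote(secret)


def token_exchange_body(subject_token: str, subject_token_type: str,
                        scope: tuple[str, ...] = (), audience: str | None = None,
                        requested_token_type: str = ACCESS_TOKEN_TYPE) -> str:
    """application/x-www-form-urlencoded body for the token-exchange grant."""
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "requested_token_type": requested_token_type,
    }
    if scope:
        params["scope"] = " ".join(scope)
    if audience:
        params["audience"] = audience
    return urlencode(params)


def parse_form_body(body: str) -> dict[str, str]:
    """Decode a form body back into single-valued fields (server-side view)."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def build_request(token_endpoint: str, client_id: str, client_secret: str,
                  user_id: str, scope: tuple[str, ...]) -> dict:
    """The complete POST a client would send; equivalent to the curl example."""
    return {
        "method": "POST",
        "url": token_endpoint,
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": token_exchange_body(user_id, ZITADEL_USER_ID_TOKEN_TYPE, scope=scope),
    }


if __name__ == "__main__":
    # Constructed values; none of these identifiers are real.
    req = build_request("https://auth.example.com/oauth/v2/token",
                        "123456@myproject", "p%ss+w@rd", "225873", ("openid", "profile"))
    print(req["headers"]["Authorization"])
    print(req["body"])
    print(decode_basic_auth_header(req["headers"]["Authorization"]))
```

Percent-encoding before base64 is the part the curl examples hide: with `-u`, a secret containing `%` or `+` can decode differently on the server than it was issued, which shows up as a 401 that looks like a wrong secret.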

Pangolin Identity Provider config

I am trying to add Zitadel as IdP in Pangolin. I can get it to work without having any organization policy assigned, but when the user logs in, there is no org assigned in Pangolin. However, when I try to request roles in the openid scopes and then write a JMESPath as below for the org policy:
contains(urn:zitadel:iam:org:projects:roles, 'Admin') && 'Admin'
contains(urn:zitadel:iam:org:projects:roles, 'Family') && 'Family'
'Member'
the login method does not work. I have created Family and Admin roles in Zitadel and assigned them to the only user currently on Zitadel. But still the roles don't show up in the openid scope. How do I manage to set it up?...
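Both the introspection question above and this Pangolin one come down to reading Zitadel's project role claims. The helper below is an added example, not Zitadel's or Pangolin's code. It assumes the two claim shapes Zitadel documents: the generic `urn:zitadel:iam:org:project:roles` claim for the project the token was issued for, and a per-project `urn:zitadel:iam:org:project:<projectId>:roles` claim that appears only when that project's audience scope was requested; both map a role name to `{org_id: org_primary_domain}`. The introspection response, project IDs and org IDs are constructed sample data, not values from any real instance.

```python
"""Read Zitadel project role grants out of an OIDC token introspection
response (or an ID token's claims, which carry the same claim names).

Added example, not Zitadel's code. Claim names are the documented ones;
the sample response is constructed."""
from __future__ import annotations

import json

GENERIC_ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"
PROJECT_ROLES_PREFIX = "urn:zitadel:iam:org:project:"
PROJECT_ROLES_SUFFIX = ":roles"
CURRENT = "current"  # key used for the token's own project


def roles_from_introspection(response_json: str) -> dict[str, dict[str, set[str]]]:
    """Return {project_key: {role: {org_id, ...}}}.

    project_key is CURRENT for the generic claim and the project ID for a
    project-scoped claim. An inactive token yields no roles whatever other
    fields the response happens to contain: RFC 7662 says only "active" is
    reliable in that case.
    """
    data = json.loads(response_json)
    if data.get("active") is not True:
        return {}
    out: dict[str, dict[str, set[str]]] = {}
    for claim, value in data.items():
        if not isinstance(value, dict):
            continue
        if claim == GENERIC_ROLES_CLAIM:
            key = CURRENT
        elif claim.startswith(PROJECT_ROLES_PREFIX) and claim.endswith(PROJECT_ROLES_SUFFIX):
            key = claim[len(PROJECT_ROLES_PREFIX):-len(PROJECT_ROLES_SUFFIX)]
            if not key or ":" in key:  # not of the form project:<id>:roles
                continue
        else:
            continue
        # Each role maps org ID -> org primary domain; keep the org IDs, since
        # domains can change and are not what an authorization check should key on.
        out[key] = {role: set(orgs) for role, orgs in value.items()
                    if isinstance(orgs, dict)}
    return out


def has_role(roles: dict[str, dict[str, set[str]]], role: str,
             project_id: str | None = None, org_id: str | None = None) -> bool:
    """True if `role` is granted in the given project (default: the token's
    own project), optionally restricted to a specific organization."""
    grants = roles.get(project_id if project_id else CURRENT, {})
    orgs = grants.get(role)
    if orgs is None:
        return False
    return org_id is None or org_id in orgs


# Constructed sample: project 222 is the "shared roles" project, the token
# was issued for a different project; all IDs and domains are made up.
SAMPLE_ACTIVE = json.dumps({
    "active": True,
    "sub": "225873",
    "client_id": "123456@myproject",
    "urn:zitadel:iam:org:project:roles": {"reader": {"111": "acme.example"}},
    "urn:zitadel:iam:org:project:222:roles": {"shared-admin": {"111": "acme.example"}},
})
SAMPLE_INACTIVE = json.dumps({
    "active": False,
    "urn:zitadel:iam:org:project:roles": {"reader": {"111": "acme.example"}},
})

if __name__ == "__main__":
    roles = roles_from_introspection(SAMPLE_ACTIVE)
    print(roles)
    print(has_role(roles, "shared-admin"))                     # token's own project
    print(has_role(roles, "shared-admin", project_id="222"))   # shared project
```

A Pangolin-style policy written against `urn:zitadel:iam:org:projects:roles` (plural) would never match, because no such claim exists; the role names in either documented claim are the keys of the object, so a JMESPath check must use `keys(...)` or `contains(keys(...), 'Admin')` rather than treating the claim as a list.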

Globally disable email auth

Hey team, I have all of my users logging in through SSO - they each have their own because they have their own IdPs - how can I disable email verification? See below for an explanation of my use case ```Federation Broker is a technology that enables users to access resources using credentials at their own identity provider. Furthermore, it enables users to provide access to other users without creating individual federation connections to each and every user. Here's the typical setup. Users make or verify the setup of their own identity provider - it can be Okta, Microsoft Entra/Azure AD, Authentik, or anything else. They then connect their own IdP to their personal Cloudflare Zero Trust account. Next, a SaaS application is added to their Cloudflare Zero Trust application which is added as an IdP source within the Federation Broker Cloudflare Zero Trust account. Finally, the Federation Broker Cloudflare Zero Trust account is set as an IdP for resources and other destinations....