ZITADEL - Identity infrastructure, simplified for you.

Custom OTP code

Is it possible to choose our own OTP number for the SMS OTP challenge? I'm using the session API....

Build error while migration

Hi team, I am using M1 processor and I am facing build errors while migration. I am facing different migration errors for different versions. The build is working fine for intel processors in MacBook, would there be any different configuration for different processors? The zitadel config we are using is: ...

Monitoring Zitadel http latencies via internal prometheus metrics

In order to monitor and alert on Zitadel app/pods http latencies, we have configured 95 percentile stats on http_server_duration_milliseconds_bucket internal Prometheus metric (which Zitadel itself exposes):
(histogram_quantile(0.95, sum(rate(http_server_duration_milliseconds_bucket{container=~".*zitadel.*"}[5m]))
by (le, pod, net_host_name))) > 2000
...

Terminate all the active sessions at once.

Hi team, I have a user who has more than 20 sessions when I search the sessions that he has with https://zitadel.com/docs/apis/resources/session_service_v2/session-service-list-sessions. Do we have an option to terminate all the sessions at once instead of terminating the session one at a time with https://zitadel.com/docs/apis/resources/session_service_v2/session-service-delete-session ? This termination at once would help us a lot. Thanks...

Need help upgrading from v2.55.8 to v2.67.1

I have an instance of Zitadel running on EKS that uses PostgreSQL running on RDS. Current Zitadel Version: v2.55.8 Upgrade Version: v2.67.1 ...

Options for storing zitadel's session api's token

Hi, as far as I know, the best option to storing a token is an httpOnly cookie, set by the backend. I was trying to figure out how I could do that using Zitadel, but couldn't really find a fully satisfying option, so here are the options I'm seeing: 1) have access to a zitadel's api method that would allow to have session token set as a httponly cookie (couldn't find it) 2) use the instance of the zitadel's typescript login ui running next to our zitadel's instances (non-standardized, afaik) 3) roll our own backend that will do the session creation...

Dockerfile for running zitadel/typescript?

Does anyone have a working Dockerfile for building zitadel/typescript as a docker image? I don't want to deploy it to Vercel. I've tried using this file, but it doesn't work: ``` FROM node:22-alpine AS base...

React - how to enable use of refresh token?

I followed this guide: https://zitadel.com/docs/examples/login/react which works well with my React app, however the access token valid time is set to 1 hour and my refresh token to 15 hours. After an hour I have to login again so the refresh token is not used. How do we enable the use of the refresh token?...

migration requires enterprise license?

When I want to use any version higher than 2.67.2 I get following error: zitadel | time="2025-01-24T13:36:07Z" level=fatal msg="migration failed" caller="/home/runner/work/zitadel/zitadel/cmd/setup/setup.go:277" error="40_init_push_func_v4 40_init_push_func.sql: ERROR: use of PL/pgSQL requires an enterprise license. see https://cockroachlabs.com/pricing for details on how to enable enterprise features (SQLSTATE XXC02)" name=40_init_push_func_v4 Is there anything I can do? I am using the free version. This problem does not exist on an instance using psql...

Actions not triggered

Are actions currently working on the hosted Zitadel Version? I tested with a simple webhook by using the official example here: https://github.com/zitadel/actions/blob/main/examples/make_api_call.js I added as API_URL a webhook service, tested the service with curl and then added the trigger for the action through Zitadel Console. I used three combinations:...

Creating a user with the same email could lock out other accounts

Hi, I found a problem while testing user creation, my scenario happened to be this: 1) have an instance admin/IAM owner that has preferred login set to be same as an email 2) register another user that has a different preferred login, but same email Now the IAM owner cannot log in, because login form is throwing an error "User not found" ...

Introspect endpoint vs local JWT validation

I have a question regarding our implementation regarding our Frontend/Backend communication. Currently I am doing a PoC where every time our frontend makes a request to our backend, the backend is reaching out to Zitadel's introspection endpoint to validate that the token is active. Is this the best practice for validating the token as it would mean a lot of requests going to the introspect endpoint? Is there throttling for this endpoint? The alternative from what I understand would be to get the public keys JSON Web Key Set (JWKS) and doing a local validation, with the caveat that we don't know when the keys change...

Error: Failed to extract ServerMetadata from context

I was running zitadel with docker compose and zitadel is running on port 4455. And I was able to access console on http://127.0.0.1:4455/ui/console. I was able to perform all actions on ui console. But with zitadel apis for example http://127.0.0.1:4455/v2/users then getting an ERROR: Failed to extract ServerMetadata from context, even though the relevant headers are passed. Apis in discovery endpoints are working fine.

Multi Tenancy

Hi all, a contracted software development team is building a web app for me where clients will login with Zitadel, my internal users already login with Zitadel integrated with Google workspace SSO. Both user types are in different orgs. How can I set it up such that some internal users are allowed access to this new app? Internal Users (signing in with workspace SSO) = org A External Users (signing in with Zitadel - email+password) = org B App is being designed to integrate with org B using domain app.domain.com...

Getting redirect_uri does not correspond even though the redirect URI in the URL is correct

Hi, I have an issue where I get the error redirect_uri does not correspond when trying to use PKCE flow with the Typescript app, I've checked the request logs and the redirect_uri matches what is in Zitadel's UI https://github.com/zitadel/zitadel/blob/94cbf97534d3712c7223208160b900c6733b096b/internal/api/oidc/token_code.go#L70...

Benchmark of zitadel v2.66.0 - more details on your testing setup are needed

We have looked into your zitadel v2.66.0 benchmarking results provided at https://zitadel.com/docs/apis/benchmarks/v2.66.0/machine_jwt_profile_grant In our setup we are getting significantly worse performance and it looks like the postgresql db cluster can be a bottleneck. We are looking to make our postgresql db config similar to yours, but are lacking some details. 1. In your "Database specification" it is specified "vCPU: 8 memory: 32Gib". Is it per 1 db cluster node, or an overall summed resources per all nodes? 2. How many write/read replicas are in your postgresql db cluster? Are you distributing zitadel sql queries between write/read somehow? (as zitadel doesn't support that, maybe some middleware query routing/loadbalancing solution is used?)...

Getting GrantRequired error when user has a grant

Created a new OIDC app to mirror the config of another app which works without issue. With the new app, all but one user are getting
Login not possible. The user is required to have at least one grant on the application. Please contact your administrator. (Internal)
The users all have identical grants (they're created via terraform using a loop, so I'm sure they're identical). ...

Clarifying System API Users

Hello everyone, I'm following the Access ZITADEL APIs docs and I'm unclear about a couple things concerning the System API configuration, as shown here. Can anyone confirm that if I provide the SystemAPIUsers with the IAM_OWNER and ORG_OWNER roles that I can create Users and Service Users for an organization I am authorized for as a System User?...

Restoring backup DB doesn't work

When I pg_dump Zitadel and psql zitadel < backup.sql and boot it can't start as X already exists and fails migration. I guess I thought they'd be inside the DB I dumped 🤔. Use case, in case there is a better solution:...