FCan you share where you see unauthorised?
FHm that looks like a problem getting the token
FDo you see the http request on zitadel to /oauth/v2/token?
FIs there something the logs on both tools?
FHm, not sure how portainer works.
But I would guess webapp/authorization code flow should work
But I would guess webapp/authorization code flow should work
FCheck the stdout logs for each container
FHm can you share the config you used in portainer?
FMaybe a path is wrong or so
FCan it be that the identifier should be sub?
FHm ok, can you check the portainer logs?
FI think it is a problem getting the token
FOh wow 
FDo you have a proxy in front of zitadel?
FYou can check there for the http call
FOr enable http logs in zitadel
FIn zitadel you can also check the events viewer and see if an access token was issued
FIf KC works we should as well. So I think it could be network related
FOk in that case you could check the access log of traefik for OAuth/v2/token calls
FMaybe you spot an error a non 200 http error code there
FYes now you can filter for your user
FAccess token created events are interesting
FThen you can look for one with the client id you use
FYou created a new project for portainer, right?
FWhat could be is that portainer excpects the access_token as JWT instead of opaque, you could try change that on the application settings in zitadel
FIt is just a guess 
But at least KC uses JWT all the time
But at least KC uses JWT all the time
Fyeah you can try that