tyx•3mo ago

Can I create virtual instances in zitadel selfhosted?

This comes from confusion about what the CUSTOM DOMAIN should even be here, and what would the token be? (from an existing instance?) https://zitadel.com/docs/apis/resources/system/system-service-create-instance It seems like virtual instances are a feature of the hosted zitadel setup?
19 Replies
tyxOP•3mo ago
ZITADEL Docs
This guide focuses on the ZITADEL System API. To access the other APIs (Admin, Auth, Management), please checkout this guide.
FFO•3mo ago
Haha, yeah through the system api you can manage new instances.
tyxOP•3mo ago
https://github.com/zitadel/zitadel/issues/9494 https://github.com/zitadel/zitadel/issues/7937 @FFO the systemsAPI seems unusable because of this?^ how are people working around this?
GitHub
[Bug]: Token verification failure when accessing system API · Issu...
Preflight Checklist I could not find a solution in the documentation, the existing issues or discussions I have joined the ZITADEL chat Environment Self-hosted Version v2.71.1 Database PostgreSQL D...
GitHub
Use a single token verifier in the auth middleware · Issue #7937 ...
Acceptance criteria Unify the the VerifySystemToken with VerifyAccessToken and return a single error Resolve the different keysources on query level (yaml for system user vs DB for regular user) Or...
tyxOP•3mo ago
will try updating the docs related to this but this still does not work! is the systemsAPI stable?
FFO•3mo ago
The system Api is stable but a little tricky to work with 😄
FFO•3mo ago
ZITADEL Docs
This guide focuses on the ZITADEL System API. To access the other APIs (Admin, Auth, Management), please checkout this guide.
FFO•3mo ago
That doc should give you pointers, or did that not work?
tyxOP•3mo ago
No, I get the error mentioned in the issue:
logs:
error="issuer does not match: Expected: https://auth.customdomain.com, got: user0"
API response:
Status: 401 Unauthorized
{
  "code": 16,
  "message": "Errors.Token.Invalid (AUTH-7fs1e)",
  "details": [
    {
      "@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
      "id": "AUTH-7fs1e",
      "message": "Errors.Token.Invalid"
    }
  ]
}
This is exactly following the mentioned docs.
FFO•3mo ago
How did you create the token, did you use the docs guide? Just trying to complete the picture on my end of what's broken 😄
tyxOP•3mo ago
hold on, I am dropping a reproducible example..
tyxOP•3mo ago
Hi @FFO sorry for the delay, I've updated my comment with all details: https://github.com/zitadel/zitadel/issues/7937#issuecomment-2984903749 Please let me know if not enough info, will create a complete version which can be runnable
tyxOP•3mo ago
@FFO I was finally able to create it!
Status: 200 OK
{
  "instanceId": "325099177186982763",
  "details": {
    "sequence": "479",
    "creationDate": "2025-06-18T18:10:11.544817Z",
    "resourceOwner": "325099177187048299"
  }
}
The issue was the filepath! I had an absolute path in the config! I corrected the absolute path to the actual absolute path. So the fix here would be to catch the incorrect path mentioned (i.e. if no file actually exists, which was my case, we should be raising that error instead of the JWT-related errors we're raising).
FFO•3mo ago
Oh wow, is it really that easy 😄 Looking at go os.ReadFile(s.Path) should allow absolute and relative
tyxOP•3mo ago
> Looking at go os.ReadFile(s.Path) should allow absolute and relative

Yes, but I had an absolute file path which had no actual file, so os.ReadFile ought to throw an error about it, but I guess that got skipped somehow and we ended up trying to figure out the issue at the JWT claims level instead of looking at the core issue. Thanks for your help!
FFO•3mo ago
Ahhhh, we swallow the error somehow. Got it.
tyxOP•3mo ago
🙂 Now I have to solve for this:
unable to set instance using origin &{narad auth.duck.com https} (ExternalDomain is auth.otherdomain.com): ID=QUERY-1kIjX Message=Instance not found. Make sure you got the domain right. Check out https://zitadel.com/docs/apis/introduction#domains
now I have to solve this reverse proxy issue, I think some header issue it is. Will get this resolved. Really liking zitadel so far!
resolved.
FFO•3mo ago
yeah, the host header is a little bit of a tricky thing 😄 but great that you enjoy it so far, even with some small kinks