Authentication flow without WebView/Redirect in the native app.

HI, I was looking through the docs, and failed to find any information. Is it possible to implement an login/registration screen in the native apps without browser redirect or webview in a B2C scenario? When user is not coming from other source like Google/Facebbok account but is directly registered with ZITADEL?

Ask Inkeep•9/11/25, 6:15 PM

Hi @MarkNefedov, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•9/11/25, 6:15 PM

Answer

I wasn't able to find a direct answer, here are some relevant sources:

Authenticate users with OpenID Connect (1) :

This covers the standard OIDC flows for native applications using PKCE, which typically require browser-based authentication flows.

questions-help-bugsAvailable authentication flows? questions-help-bugsAvailable authentication flows? :

A community discussion confirming that ZITADEL is designed for OIDC/OAuth2 flows rather than custom authentication implementations.

Ask Inkeep•9/11/25, 6:15 PM

To learn more, see the sources I considered:

[1] Authenticate users with OpenID Connect
questions-help-bugsAvailable authentication flows?

Ask Inkeep•9/11/25, 6:15 PM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] Authenticate users with Ope...

Ask InkeepAPP•9/13/25, 9:16 AM

Got it. Tagging @Rajat for additional help.

MarkNefedovOP•9/13/25, 9:25 AM

Have looked at it a bit more, it looks like the Session Api is what I need? Do I understand correctly that I'll need to front Zitadel Session api with my backend, that will forward authentication/registration requirests, and as CAPTCHA is not yet present I'll also will be able to add it there?

MMarkNefedov HI, I was looking through the docs, and failed to find any information. Is it po...

Rajat•9/15/25, 10:23 AM

hey @MarkNefedov
Yes,Session API v2 is exactly what you need for a browser-free, web-view-free native login / registration screen. Your backend sits in front of the Session API (ZITADEL never sees the raw password from the device).
Device posts username + password → your backend forwards it to POST /v2/sessions
and returns the session Token to the device.

Rajat•9/15/25, 10:24 AM

also, because you own the backend you can put CAPTCHA before you hit ZITADEL.

SebastianB•9/22/25, 10:02 AM

@Rajat if you do it like you just proposed you will get a session token, but how do you get an access/refresh token this way? How do scopes fit into the Session API?

Rajat•9/22/25, 11:38 AM

hey @SebastianB
Session API != OAuth tokens
session api v2 lets you do username/password/MFA without a browser and create a zitadel session.
for getting the access/refresh tokens, you can read about it here

RRajat hey @SebastianB Session API != OAuth tokens session api v2 lets you do usernam...

SebastianB•9/23/25, 6:11 AM

Thanks for the response. So scopes are only attached to access/refresh tokens, and not sessions?

SSebastianB Thanks for the response. So scopes are only attached to access/refresh tokens, a...

Rajat•9/23/25, 7:11 AM

hey @SebastianB good morning!
yes, this is v2 sessions api and these are scopes

Rajat•9/23/25, 7:12 AM

they both are unrelated