キ

Inconsistent state when creating users in ZITADEL + local DB (NestJS + Drizzle ORM)

I’m facing an issue where a user is successfully created in ZITADEL, but the insert into my PostgreSQL database (via Drizzle ORM) fails.

This leaves me with a user that exists in ZITADEL but not in my local DB.

To handle this, I tried creating the user in my DB first with a status = "pending" (waiting for confirmation), then calling ZITADEL, and finally updating the status to "active".
However, if the status update fails, I end up with garbage data — the user exists in both systems but the local record stays stuck in "pending" state.

Wrapping both operations in a Drizzle transaction doesn’t help since ZITADEL is an external service.

Has anyone experienced this kind of inconsistency between ZITADEL and their own DB?
What’s the recommended way to handle this properly?

Ask Inkeep•10/25/25, 11:15 AM

Hi @キリト, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•10/25/25, 11:16 AM

Answer

I wasn't able to find a direct answer in the ZITADEL documentation about handling distributed transaction patterns between ZITADEL and external databases.

However, based on general distributed systems patterns, you'd typically handle this with one of these approaches:

Create in your DB first, then ZITADEL
- If your DB insert fails, you never call ZITADEL. If ZITADEL fails, you can roll back your DB transaction.
Idempotency + retry logic
- Store the ZITADEL user ID in your DB insert. If the DB insert fails after ZITADEL creation, retry the DB insert with the same ZITADEL user ID.
Event-driven reconciliation
- Use ZITADEL's Events API (1) to pull audit logs and reconcile your local DB state. You can filter for specific event types like "user created" and ensure your DB reflects ZITADEL's state.
Saga pattern
- Implement compensating transactions where if your DB insert fails, you delete the ZITADEL user.

For monitoring and reconciliation, ZITADEL provides an Events API that lets you pull audit logs with filters for event types, aggregates, and time frames . This could help you identify and fix inconsistencies.

Would you like me to suggest a general implementation approach for one of these patterns?

Ask Inkeep•10/25/25, 11:16 AM

To learn more, see the sources I considered:

[1] Streaming audit logs to external systems (SIEM/SOC)

Ask Inkeep•10/25/25, 11:16 AM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] Streaming audit logs to ext...

Ask InkeepAPP•10/26/25, 9:08 AM

Got it. Tagging @Rajat for additional help.

Rajat•10/27/25, 1:55 PM

hey @キリト thank you for your question and welcome to the server, while I look into it, could you please tell me what version fo zitadel are you running AND how are you running it?. I am assuming you are self hosted?.
Thanks

RRajat hey @キリト thank you for your question and welcome to the server, while I look int...

キ

キリトOP•10/27/25, 5:04 PM

Hi, yes — it’s a self-hosted setup.
I’m not the one who implemented or manages the ZITADEL instance, but as far as I know, it’s running the latest version.

To handle the inconsistency issue, I’ve already added logic to delete the user from ZITADEL if the local DB insert fails.
However, I’m wondering if you have any better suggestions or recommended practices for handling this kind of cross-system consistency problem?

キキリト Hi, yes — it’s a self-hosted setup. I’m not the one who implemented or manages t...

Rajat•10/27/25, 5:46 PM

Use Actions v2 to call your backend (user webhook) on user creation and let your service update/upsert your DB.
so Create user in zitadel → get userId → upsert local row (userId, status=active).
If local upsert fails after retries → delete user in zitadel as compensation.
please let me know if this makes sense.

RRajat Use Actions v2 to call your backend (user webhook) on [user creation](https://zi...

キ

キリトOP•10/27/25, 6:10 PM

Thanks a lot for the reply and the suggestion!
That makes sense — I’ll discuss it with my team and we’ll try implementing it that way.