Zitadel Login Error after Upgrade

Use-case: Personal services for SSO
Environment: Self-Hosting Docker
Version: 3.3.2
Stack: I use Cloudflare tunnel as a reverse proxy for my external domain. Here's the actual compose file:

services:
  zitadel:
    restart: 'always'
    networks:
      - 'zitadel'
    #image: 'ghcr.io/zitadel/zitadel:latest'
    image: 'ghcr.io/zitadel/zitadel:oldlocal'
    command: 'start --masterkey "keychangedhere" --tlsMode external'
    environment:
      ZITADEL_DATABASE_POSTGRES_HOST: db
      ZITADEL_DATABASE_POSTGRES_PORT: 5432
      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
      ZITADEL_ACTIONS_HTTP_DENYLIST: "0.0.0.0/0"
      ZITADEL_EXTERNALSECURE: true
      ZITADEL_EXTERNALDOMAIN: auth.domain.com
      ZITADEL_EXTERNALPORT: 443
    depends_on:
      db:
        condition: 'service_healthy'
    ports:
      - '80:8080'

  db:
    restart: 'always'
    image: postgres:17-alpine
    environment:
      PGUSER: postgres
      POSTGRES_PASSWORD: postgres
    volumes:
      - /data/zitadel/db:/var/lib/postgresql/data
    networks:
      - 'zitadel'
    healthcheck:
      test: ["CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "postgres"]
      interval: '10s'
      timeout: '30s'
      retries: 5
      start_period: '20s'

networks:
  zitadel:

services:
  zitadel:
    restart: 'always'
    networks:
      - 'zitadel'
    #image: 'ghcr.io/zitadel/zitadel:latest'
    image: 'ghcr.io/zitadel/zitadel:oldlocal'
    command: 'start --masterkey "keychangedhere" --tlsMode external'
    environment:
      ZITADEL_DATABASE_POSTGRES_HOST: db
      ZITADEL_DATABASE_POSTGRES_PORT: 5432
      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
      ZITADEL_ACTIONS_HTTP_DENYLIST: "0.0.0.0/0"
      ZITADEL_EXTERNALSECURE: true
      ZITADEL_EXTERNALDOMAIN: auth.domain.com
      ZITADEL_EXTERNALPORT: 443
    depends_on:
      db:
        condition: 'service_healthy'
    ports:
      - '80:8080'

  db:
    restart: 'always'
    image: postgres:17-alpine
    environment:
      PGUSER: postgres
      POSTGRES_PASSWORD: postgres
    volumes:
      - /data/zitadel/db:/var/lib/postgresql/data
    networks:
      - 'zitadel'
    healthcheck:
      test: ["CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "postgres"]
      interval: '10s'
      timeout: '30s'
      retries: 5
      start_period: '20s'

networks:
  zitadel:

services:
  zitadel:
    restart: 'always'
    networks:
      - 'zitadel'
    #image: 'ghcr.io/zitadel/zitadel:latest'
    image: 'ghcr.io/zitadel/zitadel:oldlocal'
    command: 'start --masterkey "keychangedhere" --tlsMode external'
    environment:
      ZITADEL_DATABASE_POSTGRES_HOST: db
      ZITADEL_DATABASE_POSTGRES_PORT: 5432
      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
      ZITADEL_ACTIONS_HTTP_DENYLIST: "0.0.0.0/0"
      ZITADEL_EXTERNALSECURE: true
      ZITADEL_EXTERNALDOMAIN: auth.domain.com
      ZITADEL_EXTERNALPORT: 443
    depends_on:
      db:
        condition: 'service_healthy'
    ports:
      - '80:8080'

  db:
    restart: 'always'
    image: postgres:17-alpine
    environment:
      PGUSER: postgres
      POSTGRES_PASSWORD: postgres
    volumes:
      - /data/zitadel/db:/var/lib/postgresql/data
    networks:
      - 'zitadel'
    healthcheck:
      test: ["CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "postgres"]
      interval: '10s'
      timeout: '30s'
      retries: 5
      start_period: '20s'

networks:
  zitadel:

services:
  zitadel:
    restart: 'always'
    networks:
      - 'zitadel'
    #image: 'ghcr.io/zitadel/zitadel:latest'
    image: 'ghcr.io/zitadel/zitadel:oldlocal'
    command: 'start --masterkey "keychangedhere" --tlsMode external'
    environment:
      ZITADEL_DATABASE_POSTGRES_HOST: db
      ZITADEL_DATABASE_POSTGRES_PORT: 5432
      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
      ZITADEL_ACTIONS_HTTP_DENYLIST: "0.0.0.0/0"
      ZITADEL_EXTERNALSECURE: true
      ZITADEL_EXTERNALDOMAIN: auth.domain.com
      ZITADEL_EXTERNALPORT: 443
    depends_on:
      db:
        condition: 'service_healthy'
    ports:
      - '80:8080'

  db:
    restart: 'always'
    image: postgres:17-alpine
    environment:
      PGUSER: postgres
      POSTGRES_PASSWORD: postgres
    volumes:
      - /data/zitadel/db:/var/lib/postgresql/data
    networks:
      - 'zitadel'
    healthcheck:
      test: ["CMD-SHELL", "pg_isready", "-d", "zitadel", "-U", "postgres"]
      interval: '10s'
      timeout: '30s'
      retries: 5
      start_period: '20s'

networks:
  zitadel:

Attachments:

2025-12-07T20:23:35.284149936Z time=2025-12-07T20:23:35.283Z level=ERROR msg="request error" oidc_error.parent="ID=QUERY-Iuk0s Message=Errors.Internal Parent=(ID=CRYPT-Jaik2R Message=error decrypting value Parent=(invalid character '/' in literal true (expecting 'r')))" oidc_error.description=Errors.Internal oidc_error.type=server_error status_code=500

I'm trying to upgrade from the last version I had, 3.32, to the latest docker image. When I try to authenticate to the initial admin user, I get the above error in attachments. I tried running "zitadel init" and "zitadel setup" in the container and restarting the container, but it still has the same error. Falling back to the old image (which I tagged as oldlocal) resumes functionality.

I tried reviewing the documentation, but the upgrade process doesn't provide much in the way of docker. I also added --init-projections=true to the setup command. I also have google OIDC configured for external users and it also doesn't work after the upgrade.

Let me know if there is anything I might be missing.

Ask Inkeep•12/8/25, 12:24 AM

Hi @DuderGuy, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•12/8/25, 12:24 AM

Answer

I wasn't able to find a direct answer, here are some relevant sources:

questions-help-bugs4.x Upgrade Issue questions-help-bugs4.x Upgrade Issue : A community discussion about upgrading from version 2.x to 4.x that recommends upgrading one major version at a time and backing up your database before each upgrade step.
Set up Zitadel with Docker Compose (2) : The official Docker Compose setup guide that shows the recommended configuration for running ZITADEL with PostgreSQL, including the use of start-from-initstart-from-init command.

The error you're seeing (error decrypting valueerror decrypting value) suggests an encryption/decryption issue that may be related to the masterkey or stored encrypted data compatibility between versions. I'd recommend clicking the "Ask for help" button to tag a team member who can review your specific upgrade scenario from version 3.3.2.

Ask Inkeep•12/8/25, 12:24 AM

To learn more, see the sources I considered:

questions-help-bugs4.x Upgrade Issue
[2] Set up Zitadel with Docker Compose

Ask Inkeep•12/8/25, 12:24 AM

Feel free to tag @Ask Inkeep with additional questions.

DuderGuyOP•12/8/25, 9:47 PM

@Ask Inkeep Hello!

I already viewed that previous 4.x Upgrade issue. I'm already on version 3.3.2 so it didn't seem necessary. They mentioned some webkey issue, but I'm not sure what they did to resolve that.
I see that the start-from-init does both the init and setup before running the start which is probably best to help with upgrades. I have done that, but I see the same issue.

Let me know if there's anything else I can do to allow you to help me troubleshoot.

Thank you!

Ask Inkeep•12/8/25, 9:47 PM

Thanks for the follow-up, @DuderGuy. I'll get back to you soon.

Ask Inkeep•12/8/25, 9:47 PM

Answer

I don’t have enough explicit information in the available sources to diagnose that specific error decrypting valueerror decrypting value during your 3.3.2 → newer upgrade, especially tied to that exact log message and your Docker setup.

The docs I do have mainly cover:

How init / setup / start are supposed to be separated and when to run them during upgrades (zitadel initzitadel init, zitadel setupzitadel setup, zitadel startzitadel start, and start-from-initstart-from-init) , plus the --init-projections--init-projections flag and its purpose. (1) (2)
General configuration options (including ExternalDomain / ExternalPort / ExternalSecure being applied during setup, and encryption key sections) , but not the concrete failure mode you’re seeing. (3) (1)

Given that, I can’t confidently say more without guessing.

If you want, I can give you a more general, non‑documentation‑backed checklist (things like double‑checking the masterkey consistency across versions and ensuring you’re always running

init

init

setup

setup

with the same config as

start

start

) , but it would not be directly supported by the sources.

Otherwise, for a concrete, version‑specific investigation, please click the “Ask for help” button in this thread so a team member can look at your logs and upgrade path in detail.

Ask Inkeep•12/8/25, 9:47 PM

To learn more, see the sources I considered:

[1] Update and Scale ZITADEL
[2] Technical Advisory 10008
[3] Configuration Options in ZITADEL

Ask Inkeep•12/8/25, 9:47 PM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] Update and Scale ZITADEL](h...

Ask InkeepAPP•12/8/25, 9:52 PM

Got it. Tagging @Rajat for additional help.

Rajat•12/10/25, 10:18 AM

hey @DuderGuy going from v3.3.2v3.3.2 to

latest

latest

is a big jump and that could be a reason why you are hitting the invalid characterinvalid character error, given that --masterkey--masterkey you pass is identical.
You can try upgrading to v3.4.4v3.4.4 as it has been updated recently and see if that works?. And then then try to go to v4.
Please let me know and we can dig this down more.

GitHub

Release v3.4.4 · zitadel/zitadel

3.4.4 (2025-11-12)
Bug Fixes

authz: ignore unready auth methods for mfa requirement check (#11056) (54a395f)
validate IDP linking conditions (4da0c1c)

RRajat hey <@115294031495299073> going from `v3.3.2` to `latest` is a big jump and that...

DuderGuyOP•12/10/25, 8:25 PM

Sorry, I ended up starting from scratch. I took that webkey issue into consideration and I enabled webkeys on 3.3.2 because it was disabled, but then I started getting infinite redirect loops after logging in regardless of the version. I also tried messing with a bunch of other smaller things to the point I decided to give up.

I'm still building it back up from scratch at the moment. Thank you for checking in, but I don't believe I will need any more help with this issue at the moment.

Gigi the Giraffe (Zitadel)•12/11/25, 7:00 AM

Looks like you just helped out another community member! Thanks for being so helpful @115294031495299073! You're now one step closer to leveling up—keep up the amazing peer support!