Zitadel Identity Provider

By Admin · Mar 15, 2026 · Updated Apr 24, 2026

What is Zitadel?

Zitadel is an open-source identity management platform providing authentication, authorization, and user management. It supports OIDC, SAML, and OAuth2 protocols, offering a modern alternative to Auth0 and Okta that you can self-host.

Docker Installation

mkdir -p /opt/zitadel && cd /opt/zitadel

cat > docker-compose.yml << EOF
version: "3.8"
services:
  zitadel:
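    # Pin a specific release tag instead of :latest so upgrades are deliberate.
    image: ghcr.io/zitadel/zitadel:latest
    # Replace the placeholder with your own random masterkey of exactly 32 characters.
    # TLS is terminated by the Nginx reverse proxy, so the mode is "external";
    # "disabled" would override ZITADEL_EXTERNALSECURE and produce http:// URLs.
    command: start-from-init --masterkey "YOUR-32-CHAR-MASTERKEY" --tlsMode external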
    environment:
      ZITADEL_DATABASE_POSTGRES_HOST: db
      ZITADEL_DATABASE_POSTGRES_PORT: 5432
      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
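      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
      # zitadel_pass is a placeholder; use a strong password here and in the db service.
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: zitadel_pass
      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
      # The init phase connects with admin credentials; the role created by the
      # db service (POSTGRES_USER) is reused for that here.
      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: zitadel
      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: zitadel_pass
      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable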
      ZITADEL_EXTERNALDOMAIN: auth.example.com
      ZITADEL_EXTERNALSECURE: "true"
      ZITADEL_EXTERNALPORT: 443
    ports:
      # Bind to loopback only: Nginx on the same host is the sole TLS entry point.
      - "127.0.0.1:8080:8080"
    depends_on:
      db:
        condition: service_healthy
  db:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: zitadel
      POSTGRES_PASSWORD: zitadel_pass
      POSTGRES_DB: zitadel
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U zitadel"]
      interval: 5s
      timeout: 5s
      retries: 5
volumes:
  pgdata:
EOF

docker compose up -d

Nginx Reverse Proxy

server {
    listen 443 ssl http2;
    server_name auth.example.com;

    ssl_certificate /etc/letsencrypt/live/auth.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auth.example.com/privkey.pem;

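    location / {
        # Zitadel serves its web console and gRPC APIs on the same port.
        # Only one of grpc_pass and proxy_pass can handle a location, so a
        # single HTTP/2 upstream via grpc_pass is used for all traffic.
        grpc_pass grpc://127.0.0.1:8080;
        grpc_set_header Host $host;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        grpc_set_header X-Forwarded-Proto $scheme;
    }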
}

Integrating with Applications

# Create a new project and application in Zitadel console
# Configure OIDC settings:
# - Redirect URIs: https://myapp.com/callback
# - Post Logout URIs: https://myapp.com
# - Grant Types: Authorization Code
# Use the client ID and discovery URL in your app
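
The application side of these settings, as an added example that is not from the original article or the Zitadel project: it checks that the discovery document really belongs to the HTTPS issuer configured above, then builds an Authorization Code request with PKCE and verifies `state` on the callback. The client ID is a placeholder, the discovery document is a constructed sample, and the function names are hypothetical.

```python
import base64, hashlib, secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://auth.example.com"          # ZITADEL_EXTERNALDOMAIN behind the TLS proxy
REDIRECT_URI = "https://myapp.com/callback"  # must equal the console entry exactly
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"          # placeholder: copy the real value from the console

# Constructed sample of the JSON served at {ISSUER}/.well-known/openid-configuration.
SAMPLE_DISCOVERY = {
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/oauth/v2/authorize",
    "token_endpoint": "https://auth.example.com/oauth/v2/token",
    "jwks_uri": "https://auth.example.com/oauth/v2/keys",
}

def check_discovery(doc, expected_issuer=ISSUER):
    """Reject a discovery document that does not belong to the expected HTTPS issuer."""
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    host = urlsplit(expected_issuer).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = urlsplit(doc.get(key, ""))
        if url.scheme != "https" or url.netloc != host:
            raise ValueError(f"{key} is not an https URL on {host}")
    return doc

def begin_login(doc):
    """Build the authorization URL; keep the returned state and verifier in the session."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 86 characters, within the 43-128 PKCE range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid profile email",
        "state": state, "code_challenge": challenge, "code_challenge_method": "S256",
    })
    return f"{doc['authorization_endpoint']}?{query}", state, verifier

def finish_login(callback_url, expected_state):
    """Return the authorization code only if the callback carries our own state."""
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    if not secrets.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "code" not in params:
        raise ValueError(params.get("error", ["missing code"])[0])
    return params["code"][0]
```

An issuer that comes back as `http://` from the real discovery endpoint points to a mismatch between the TLS mode and the external domain settings of the deployment.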

Features

  • Multi-tenancy with organizations
  • Social login (Google, GitHub, Microsoft)
  • Multi-factor authentication
  • Branding and custom login pages
  • Audit logging and compliance
  • Actions (serverless functions on auth events)
