apps/docs/content/apis/introduction.mdx
import { ApiCard } from "@/components/apicard"; import Column from "@/components/column";
ZITADEL exposes all features via different gRPC and REST APIs and provides SDKs for popular languages and frameworks.
The OpenID Connect & OAuth endpoints and SAML 2.0 endpoints are implemented and exposed according to the specific standards. Managing resources such as users, organizations, instances, or settings must be done with the different ZITADEL APIs.
Actions allow extending ZITADEL with custom code to change default behaviors or calling external systems.
ZITADEL implements industry standards such as OpenID Connect, OAuth 2.0, or SAML for authentication. Please refer to our guides on how to authenticate users through an interactive authentication process.
For user authentication on devices with limited accessibility (eg, SmartTV, Smartwatch, etc.) use the device authorization grant.
Additionally, you can use the session API to authenticate users, for example, by building a custom login UI.
Service accounts allow for machine-to-machine (M2M) communication. Follow the guides to learn how to authenticate service accounts.
Accessing the ZITADEL APIs through a service account might require additional steps, please follow the guide on how to access ZITADEL APIs to include the correct audience scope in your requests.
The OIDC Playground is for testing OpenID authentication requests and their parameters.
For building a custom login flow, you have access to purpose-built v2 APIs:
User role assignments can be retrieved as roles from our APIs.
Refer to our guide to learn how to build your own login UI
Use the v2 APIs for all new integrations. They are the recommended, resource-based API surface for ZITADEL and where all new development is happening. The v1 APIs are legacy: fully supported and still required in some places, but not being extended.
If the resource you need is not yet available in v2, use the corresponding legacy v1 API for that operation and check the migration guide to plan your transition.
ZITADEL provides v2 APIs for the following resources:
Not finding a resource here? It has not yet been migrated to v2 — use the legacy v1 APIs below for that operation.
The following APIs predate the v2 resource-based design. They are still fully supported and required for capabilities not yet covered by v2, but they are no longer being extended. If you are building something new, check the v2 section above first.
Looking to move an existing integration off v1? See the v1 to v2 migration guide.
<ApiCard title="Authentication" type="AUTH"> <Column> <div>The Auth API covers operations on the currently authenticated user. The user is identified from the sub claim in the access token.
For new integrations, prefer the User v2 API and Session v2 API which provide the same capabilities in a resource-based design.
</div> <div className="apicard-right min-w-0 overflow-x-auto [&_code]:!whitespace-nowrap">Endpoint:
${CUSTOM_DOMAIN}/zitadel.auth.v1.AuthService/
Definition: Auth Proto
Endpoint:
${CUSTOM_DOMAIN}/auth/v1/
API Reference: OpenAPI Docs
</div> </Column> </ApiCard> <ApiCard title="Management" type="MGMT"> <Column> <div>The Management API lets systems read and mutate resources within an organization — users, projects, applications, roles, and more. The target organization is determined by the x-zitadel-orgid request header, or falls back to the organization of the authenticated user.
For new integrations, prefer the User v2 API for user management, which handles both instance-level and organization-level access automatically based on caller permissions.
</div> <div className="apicard-right min-w-0 overflow-x-auto [&_code]:!whitespace-nowrap">Endpoint:
${CUSTOM_DOMAIN}/zitadel.management.v1.ManagementService/
Definition: Management Proto
Endpoint:
${CUSTOM_DOMAIN}/management/v1/
API Reference: OpenAPI Docs
</div> </Column> </ApiCard> <ApiCard title="Administration" type="ADMIN"> <Column> <div>This API is intended to configure and manage one ZITADEL instance itself.
</div> <div className="apicard-right min-w-0 overflow-x-auto [&_code]:!whitespace-nowrap">Endpoint:
${CUSTOM_DOMAIN}/zitadel.admin.v1.AdminService/
Definition: Admin Proto
Endpoint:
${CUSTOM_DOMAIN}/admin/v1/
API Reference: OpenAPI Docs
</div> </Column> </ApiCard> <ApiCard title="System" type="SYSTEM"> <Column> <div>This API is intended to manage the different ZITADEL instances within the system.
Checkout the guide how to access the ZITADEL System API.
</div> <div className="apicard-right min-w-0 overflow-x-auto [&_code]:!whitespace-nowrap">Endpoint:
${CUSTOM_DOMAIN}/zitadel.system.v1.SystemService/
Definition: System Proto
Endpoint:
${CUSTOM_DOMAIN}/system/v1/
API Reference: OpenAPI Docs
</div> </Column> </ApiCard> <ApiCard title="Assets" type="ASSET"> <Column> <div>The Assets API allows you to up- and download all kinds of assets. This can be files such as logos, fonts or user avatar.
</div> <div>Endpoint:
${CUSTOM_DOMAIN}/assets/v1/
Definition: Assets
</div> </Column> </ApiCard>ZITADEL publishes official and community-supported SDKs for multiple languages and frameworks. All API services are defined as proto definitions on GitHub — most languages let you generate a type-safe client directly from them.
ZITADEL hosts everything under a single domain: {instance}.zitadel.cloud or your Custom Domain ${CUSTOM_DOMAIN}
The domain is used as the OIDC issuer and as the base URL for the gRPC and REST APIs, the Management Console (${CUSTOM_DOMAIN}/ui/console/), and the hosted Login UI (${CUSTOM_DOMAIN}/ui/v2/login).
Are you self-hosting and having troubles with Instance not found errors? Check out this page.
If you run ZITADEL on a Custom Domain, you may want to reuse that domain for other applications. For easy copying to your reverse proxy configuration, here is the list of URL path prefixes, ZITADEL uses.
# v2 APIs (recommended for new integrations)
# REST (HTTP/JSON transcoding):
/v2/
# gRPC + Connect protocol (binary or JSON via connectRPC):
/zitadel.action.v2.ActionService/
/zitadel.application.v2.ApplicationService/
/zitadel.authorization.v2.AuthorizationService/
/zitadel.feature.v2.FeatureService/
/zitadel.group.v2.GroupService/
/zitadel.idp.v2.IdentityProviderService/
/zitadel.instance.v2.InstanceService/
/zitadel.oidc.v2.OIDCService/
/zitadel.org.v2.OrganizationService/
/zitadel.project.v2.ProjectService/
/zitadel.saml.v2.SAMLService/
/zitadel.session.v2.SessionService/
/zitadel.settings.v2.SettingsService/
/zitadel.user.v2.UserService/
/zitadel.webkey.v2.WebKeyService/
# v2beta — kept for backward compatibility, use /v2/ for new work
/v2beta/
# Legacy v1 APIs
/zitadel.admin.v1.AdminService/
/admin/v1/
/zitadel.auth.v1.AuthService/
/auth/v1/
/zitadel.management.v1.ManagementService/
/management/v1/
/zitadel.system.v1.SystemService/
/system/v1/
/assets/v1/
# OpenID Connect, OAuth 2.0, SAML 2.0 & standards
/oidc/v1/
/saml/v2/
/oauth/v2/
/device
/.well-known/openid-configuration
/openapi/
/idps/callback
# UIs
/ui/console/ # Management Console (Angular admin UI)
/ui/v2/login # Login UI v2 (Next.js; routes to a separate container in self-hosted deployments)
/ui/login/ # Login UI v1 (legacy, built into the ZITADEL binary)
We published an official Postman collection to help you explore and test the ZITADEL APIs.
The collection is organized by services and includes a script to automatically authenticate requests. Before using it, make sure to configure the required environment variables in Postman:
| Variable Name | Description |
|---|---|
protocol | http for local testing, or https for cloud/self hosted instances |
custom_domain | The domain of your Zitadel instance. |
service_client_id | Client ID of service account with IAM_OWNER role in your Zitadel instance. |
service_client_secret | Client secret for the service account. |
api_client_id | Client ID of an API application. |
api_client_secret | Client secret for the API application. |
project_id | A project ID within your Zitadel instance. |
This release is currently in beta, and we welcome your feedback to improve it.