Zitadel is an open-source identity and access management platform built with a modern tech stack including Go (API), Next.js/React (Login), Angular (Console), and Fumadocs (Docs) - all orchestrated through an Nx monorepo with pnpm for efficient development workflows.
- Clone the repository:
  git clone https://github.com/zitadel/zitadel
  or open it in a local Dev Container or create a GitHub Codespace
- If you cloned the repository to your local machine, install the required development dependencies
  - Node.js v22.x - Required for UI development and to run development commands pnpm nx ...
  - Go - Required for API development. Use the version declared in go.mod.
  - Docker - Required for supporting services like the development database and for tests.
  - Cypress runtime dependencies - Required for Browser UI tests
    WSL2 on Windows 10 users
    For Cypress tests on WSL2, you may need to configure X11 forwarding, following suggestions on Stack Overflow and GitHub. Use at your own risk.
    - Install VcXsrv Windows X Server
    - Set shortcut target to "C:\Program Files\VcXsrv\xlaunch.exe" -ac
    - In WSL2: export DISPLAY=$(cat /etc/resolv.conf | grep nameserver | awk '{print $2}'):0
    - Disable access control when starting XLaunch
- Use Corepack to make sure you have pnpm installed in the correct version: corepack enable
- Install node module dependencies: pnpm install
- Generate code: pnpm nx run-many --target generate
- Optionally, install the following VSCode plugins:
  - Go - For API development. Use golangci-lint v2 as linter.
  - Angular Language Service - For Management Console development
  - ESLint - Code linting
  - Prettier - Code formatting
  - Nx Console - Nx task runner tooling
Jump to the dedicated sections for developing a specific project:
- Contributing to the API
- Contributing to the Login
- Contributing to the Management Console
- Contributing to the Docs
- Contributing translations
This repository contains multiple interconnected projects. You can build and start any project with Nx commands.
| Task | Command | Notes | Details |
|---|---|---|---|
| Production | pnpm nx run PROJECT:prod | Production server | |
| Develop | pnpm nx run PROJECT:dev | Development server | |
| Generate | pnpm nx run PROJECT:generate | Generate .gitignored files | |
| Generate Go Files | pnpm nx run @zitadel/api:generate-go | Regenerate checked-in files | This is needed to generate files using Stringer, Enumer or gomock |
| Install Proto Plugins | pnpm nx run @zitadel/api:generate-install | Install proto toolchain | Installs Go-based plugins (protoc-gen-go, connect-go, …) to .artifacts/bin/. Run automatically by generate targets; Nx caches the outputs. |
| Test - Unit | pnpm nx run PROJECT:test-unit | Run unit tests | |
| Test - Integration | pnpm nx run PROJECT:test-integration | Run integration tests | Learn more about how to debug API integration tests |
| Test - Integration Stop | pnpm nx run PROJECT:test-integration-stop | Stop integration containers | |
| Test - Functional UI | pnpm nx run @zitadel/functional-ui:test | Run functional UI tests | Learn more about how to develop the Management Console and opening the interactive Test Suite |
| Test - Functional UI Stop | pnpm nx run @zitadel/functional-ui:stop | Stop functional UI containers | |
| Test | pnpm nx run PROJECT:test | Run all tests | |
| Lint | pnpm nx run PROJECT:lint | Check code style | |
| Lint Fix | pnpm nx run PROJECT:lint-fix | Auto-fix style issues | |
Replace PROJECT with one of the following:
- @zitadel/zitadel (you can omit this root level project when using pnpm nx run, like pnpm nx run db)
- @zitadel/api
- @zitadel/login
- @zitadel/console
- @zitadel/docs
- @zitadel/client
- @zitadel/proto
Instead of the project names, you can also use their directory names for PROJECT, like pnpm nx run login:dev.
Alternatively, you can use the infix-notation, like pnpm nx dev @zitadel/login or pnpm nx dev login.
To stream all logs instead of opening the interactive terminal, disable the TUI with pnpm nx --tui false ....
If a command is stuck because a process is already running, stop the Nx daemon and try again: pnpm nx daemon --stop.
Thank you for your interest in contributing! As you might know there is more than code to contribute. You can find all information needed to start contributing here.
Please give us and our community the chance to get rid of security vulnerabilities by responsibly disclosing these issues to security@zitadel.com.
The strongest part of a community is the possibility to share thoughts. That's why we try to react as soon as possible to your ideas, thoughts and feedback. We love to discuss as much as possible in an open space like in the issues and discussions section here or in our chat, but we understand your doubts and provide further contact options here.
If you want to give an answer or be part of discussions please be kind. Treat others like you want to be treated. Read more about our code of conduct here.
For people who are new to Zitadel: We flag issues which are a good starting point to start contributing. You can find them here. We add the label "good first issue" for problems we think are a good starting point to contribute to Zitadel.
Help shape the future of Zitadel:
- Join our chat and discuss with us or others.
- Ask or answer questions in the issues section
- Share your thoughts and ideas in the discussions section
Make Zitadel more popular and give it a ⭐
Follow @zitadel on twitter
- Contribute API code
- Contribute frontend code
- If you found a mistake on our Docs page or something is missing please read the Docs section
- Translate and improve texts
We strongly recommend talking to us before you start contributing to streamline your work with ours.
We accept contributions through pull requests. You need a GitHub account for that. If you are unfamiliar with git, have a look at GitHub's documentation on creating forks and creating pull requests. Please draft the pull request as soon as possible. Go through the following checklist before you submit the final pull request:
The code consists of the following parts:
| name | description | language | where to find | Development Guide |
|---|---|---|---|---|
| API implementation | Service that serves the grpc(-web) and RESTful API | go | API implementation | Contribute to API |
| API definitions | Specifications of the API | Protobuf | ./proto/zitadel | Contribute to API |
| Management Console | Frontend the user interacts with after log in | Angular, Typescript | ./console | Contribute to Frontend |
| Login | Modern authentication UI built with Next.js | Next.js, React, TypeScript | ./apps/login | Contribute to Frontend |
| Docs | Project documentation made with Fumadocs | Fumadocs | ./apps/docs | Contribute to Frontend |
| translations | Internationalization files for default languages | YAML | ./console and ./internal | Contribute Translations |
Please follow the guides to validate and test the code before you contribute.
- Fork the zitadel/zitadel repository on GitHub
- On your fork, commit your changes to a new branch
  git checkout -b my-fix-branch main
- Make your changes following the guidelines in this guide. Make sure that all tests pass.
- Commit the changes on the new branch
  git commit --all
- Merge the latest commit of the main-branch
- Push the changes to your branch on GitHub
  git push origin my-fix-branch
- Use Semantic Release commit messages to simplify creation of release notes. In the title of the pull request correct tagging is required and will be requested by the reviewers.
- On GitHub, send a pull request to zitadel:main. Request review from one of the maintainers.
The reviewers will provide you feedback and approve your changes as soon as they are satisfied. If we ask you for changes in the code, you can follow the GitHub Guide to incorporate feedback in your pull request.
Make sure you use the semantic release message format.
<type>(<scope>): <short summary>
- <type>: Allowed values are listed in .github/semantic.yml under types:.
- <scope>: This is optional to indicate which component is affected. Allowed values are listed in .github/semantic.yml under scopes:. When in doubt, omit the scope; <type>: <short summary> is always valid.
- <short summary>: Provide a brief description of the change.
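A title check for the format above, as an added example that is not part of the Zitadel repository: it reads the types: and scopes: lists from a semantic.yml document and validates a pull request title against them. The embedded YAML and its values are constructed placeholders (the real lists live in .github/semantic.yml), and parseList and validateTitle are hypothetical helper names.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-in for .github/semantic.yml; the values are placeholders,
// not the repository's real lists.
const sampleSemanticYAML = `# constructed sample
types:
  - feat
  - fix
  - docs
scopes:
  - api
  - login
`

// <type>(<scope>): <short summary>, with "(<scope>)" optional.
var titlePattern = regexp.MustCompile(`^([^\s():]+)(?:\(([^()]+)\))?: (\S.*)$`)

// parseList returns the items of one top-level YAML list such as "types".
// It handles only the flat "key:" / "- item" layout this check needs.
func parseList(doc, key string) []string {
	var items []string
	inList := false
	sc := bufio.NewScanner(strings.NewReader(doc))
	for sc.Scan() {
		line := sc.Text()
		trimmed := strings.TrimSpace(line)
		if trimmed == "" || strings.HasPrefix(trimmed, "#") {
			continue
		}
		// A non-indented, non-item line is a top-level key: it opens or closes the list.
		if !strings.HasPrefix(line, " ") && !strings.HasPrefix(line, "-") {
			inList = trimmed == key+":"
			continue
		}
		if inList && strings.HasPrefix(trimmed, "- ") {
			items = append(items, strings.Trim(strings.TrimPrefix(trimmed, "- "), `"' `))
		}
	}
	return items
}

func contains(list []string, v string) bool {
	for _, item := range list {
		if item == v {
			return true
		}
	}
	return false
}

// validateTitle checks the shape first, then the type, then the optional scope.
func validateTitle(title string, types, scopes []string) error {
	m := titlePattern.FindStringSubmatch(title)
	if m == nil {
		return fmt.Errorf("title %q does not match <type>(<scope>): <short summary>", title)
	}
	if !contains(types, m[1]) {
		return fmt.Errorf("type %q is not listed under types:", m[1])
	}
	if m[2] != "" && !contains(scopes, m[2]) {
		return fmt.Errorf("scope %q is not listed under scopes:", m[2])
	}
	return nil
}

func main() {
	types := parseList(sampleSemanticYAML, "types")
	scopes := parseList(sampleSemanticYAML, "scopes")
	for _, title := range []string{"fix(login): handle expired session", "fix: handle expired session", "bugfix: typo"} {
		if err := validateTitle(title, types, scopes); err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Println("ok:", title)
	}
}
```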
Please make sure you cover your changes with tests before marking a Pull Request as ready for review:
- Integration tests against the gRPC server ensure that one or multiple API calls that belong together return the expected results.
- Integration tests against the gRPC server ensure that probable good and bad read and write permissions are tested.
- Integration tests against the gRPC server ensure that the API is easily usable despite eventual consistency.
- Integration tests against the gRPC server ensure that all probable login and registration flows are covered.
- Integration tests ensure that certain commands emit expected events that trigger notifications.
- Integration tests ensure that certain events trigger expected notifications.
We are committed to creating a welcoming and inclusive community for all developers, regardless of their gender identity or expression. To achieve this, we are actively working to ensure that our contribution guidelines are gender-neutral and use inclusive language.
Use gender-neutral pronouns: Don't use gender-specific pronouns unless the person you're referring to is actually that gender. In particular, don't use he, him, his, she, or her as gender-neutral pronouns, and don't use he/she or (s)he or other such punctuational approaches. Instead, use the singular they.
Choose gender-neutral alternatives: Opt for gender-neutral terms instead of gendered ones whenever possible. Replace "policeman" with "police officer," "manpower" with "workforce," and "businessman" with "entrepreneur" or "businessperson."
Avoid ableist language: Ableist language includes words or phrases such as crazy, insane, blind to or blind eye to, cripple, dumb, and others. Choose alternative words depending on the context.
Zitadel follows an API first approach. This means all features can not only be accessed via the UI but also via the API. The API is designed to be used by different clients, such as web applications, mobile applications, and other services. Therefore, the API is designed to be easy to use, consistent, and reliable. Please check out the dedicated API guidelines page when contributing to the API.
To start developing, make sure you followed the quick start steps.
Important
For stable v2 API services, add import "zitadel/error/v2/error.proto"; to each *_service.proto.
This enables reflection-aware clients to resolve zitadel.error.v2.ErrorDetail and use the slug field for programmatic handling.
Scope note: this is relevant for backend/domain flows that run with relational-storage-backed logic.
Do not apply this to v1, v2beta, or v3alpha APIs.
Important
The relational database migrations are work in progress on main. Therefore they are subject to change. To simplify the development process you can add the following configuration to your setup step config (--steps /path/to/config.yaml). This recreates the relational tables on each restart.
RelationalTables:
  ShouldRecreateSchema: true
Optionally build the Management Console
pnpm nx run @zitadel/api:build-console
Optionally start the Login in another terminal
pnpm nx run @zitadel/login:prod
Run the local development database.
pnpm nx db
Start a debug session in your IDE.
For example, in VSCode, you can use a launch.json configuration like this.
{
  "name": "Debug Zitadel API",
  "type": "go",
  "request": "launch",
  "mode": "debug",
  "env": {
    "ZITADEL_DATABASE_POSTGRES_HOST": "${env:DEVCONTAINER_DB_HOST}"
  },
  "program": "main.go",
  "args": [
    "start-from-init",
    "--config",
    "${workspaceFolder}/apps/api/prod-default.yaml",
    "--steps",
    "${workspaceFolder}/apps/api/prod-default.yaml",
    "--masterkey",
    "MasterkeyNeedsToHave32Characters"
  ]
}
If you have built the Management Console and started the Login, visit http://localhost:8080/ui/console?login_hint=zitadel-admin@zitadel.localhost and enter Password1! to log in.
Call the API using the generated admin.pat with grpcurl or grpcui, for example:
grpcurl -plaintext -H "Authorization: Bearer $(cat admin.pat)" localhost:8080 zitadel.user.v2.UserService.ListUsers
To connect to the database and explore Zitadel data, run psql "host=${DEVCONTAINER_DB_HOST:-localhost} dbname=zitadel sslmode=disable".
To test the code without dependencies, run the unit tests:
pnpm nx run @zitadel/api:test-unit
API tests are run as gRPC clients against a running Zitadel server binary. The server binary is built with coverage enabled.
pnpm nx run @zitadel/api:test-integration
To develop and run the test cases from within your IDE or by the command line, start only the database and the API.
The actual integration test clients reside in the integration_test subdirectory of the package they aim to test.
Integration test files use the integration build tag, in order to be excluded from regular unit tests.
Because of the server-client split, Go is usually unaware of changes in server code and tends to cache test results.
Pass -count 1 to disable test caching.
Start the ephemeral database for integration tests.
pnpm nx run @zitadel/api:test-integration-run-db
In another terminal, start the API.
pnpm nx run @zitadel/api:test-integration-run-api
Example command to run a single package integration test:
go test -count 1 -tags integration ./internal/api/grpc/management/integration_test
To run all available integration tests:
go test -count 1 -tags integration -parallel 1 $(go list -tags integration ./... | grep -e "integration_test" -e "events_testing")
It is also possible to run the API in a debugger and run the integration tests against it.
First, start the ephemeral database for integration tests.
pnpm nx run @zitadel/api:test-integration-run-db
When starting the debugger, make sure the Zitadel binary starts with start-from-init --config=./apps/api/test-integration-api.yaml --steps=./apps/api/test-integration-api.yaml --masterkey=MasterkeyNeedsToHave32Characters
To clean up after testing (deletes the ephemeral database!):
pnpm nx run @zitadel/devcontainer:compose down db-api-integration cache-api-integration
To test the whole system, including the Management Console UI and the Login UI, run the Functional UI tests.
# If you made changes in the tests/functional-ui directory, make sure you reformat the files
pnpm nx run @zitadel/functional-ui:lint-fix
# Run the tests
pnpm nx run @zitadel/functional-ui:test
This repository uses pnpm as package manager and Nx for build orchestration.
Choose your contribution area:
- Login App (Next.js/React) - Modern authentication flows
- Console (Angular) - Admin dashboard and user management
- Docs (Fumadocs) - Project documentation
- Client Packages - Shared libraries for API communication
apps/login → packages/zitadel-client → packages/zitadel-proto
console → packages/zitadel-client → packages/zitadel-proto
docs → (independent)
Nx handles this automatically - when you change zitadel-proto, Nx rebuilds dependent projects.
The Login UI is a Next.js application that provides the user interface for authentication flows.
It is MIT-licensed, so you are free to change and deploy it as you like.
It's located in the apps/login directory and uses pnpm and Nx for development.
Get familiar with the Login UI docs.
To start developing, make sure you followed the quick start steps.
Run the local development database.
pnpm nx db
In another terminal, start the API
pnpm nx run @zitadel/api:prod
In another terminal, start the Login development server
pnpm nx run @zitadel/login:dev
Visit http://localhost:8080/ui/console?login_hint=zitadel-admin@zitadel.localhost and enter Password1! to log in.
Make some changes to the source code and see how the browser is automatically updated.
If you don't want to build and run a local API, you can just run the Login development server and point it to a cloud instance.
- Create a personal access token and point your instance to your local Login, as described in the Docs.
- Save the following file to apps/login/.env.dev.local
  ZITADEL_API_URL=https://[your-cloud-instance-domain]
  ZITADEL_SERVICE_USER_TOKEN=[personal access token for an instance Login Client]
- Start the development server.
  pnpm nx run @zitadel/login:dev
Visit http://localhost:8080/ui/console?login_hint=zitadel-admin@zitadel.localhost and enter Password1! to log in.
The Login application consists of multiple packages:
- @zitadel/login - Main Next.js application
- @zitadel/client - TypeScript client library for Zitadel APIs
- @zitadel/proto - Protocol buffer definitions and generated code
The build process uses Nx and pnpm to orchestrate dependencies:
Reproduce the pipeline quality checks for the code you changed.
# Run Login-related linting builds and unit tests
pnpm nx run-many --projects @zitadel/login @zitadel/client @zitadel/proto --targets lint build test
Fix the quality checks, add new checks that cover your changes and mark your pull request as ready for review when the pipeline checks pass.
- Build and deploy with Docker: pnpm nx run @zitadel/login:build && docker build -t my-zitadel-login apps/login
- Build and deploy with NodeJS: pnpm nx run @zitadel/login:prod
To learn more about the Management Console, go to the Management Console's README.md.
To start developing, make sure you followed the quick start steps.
Run the local development database.
pnpm nx db
In another terminal, start the API
pnpm nx run @zitadel/api:prod
In another terminal, start the Login
pnpm nx run @zitadel/login:prod
Allow the API to redirect to your dev server.
In another terminal, start the Management Console development server
pnpm nx run @zitadel/console:dev
Visit http://localhost:4200/?login_hint=zitadel-admin@zitadel.localhost and enter Password1! to log in.
Make some changes to the source code and see how the browser is automatically updated.
If you don't want to build and run a local API, you can just run the management console development server and point it to a cloud instance.
Save the following file to console/.env.local
ENVIRONMENT_JSON_URL=https://[your-cloud-instance-domain]/ui/console/assets/environment.json
Start the development server.
pnpm nx run @zitadel/console:dev
Allow the API to redirect to your dev server.
Visit http://localhost:4200/?login_hint=zitadel-admin@zitadel.localhost and enter Password1! to log in.
To allow the Management Console access via http://localhost:4200, you have to configure the Zitadel API.
- Navigate to http://localhost:8080/ui/console/projects.
- Select the ZITADEL project.
- Select the Console application.
- Select Redirect Settings
- Add http://localhost:4200/auth/callback to the Redirect URIs
- Add http://localhost:4200/signedout to the Post Logout URIs
- Select the Save button
Run the quality checks for the code you changed.
# Run the management console-related linting builds and unit tests
pnpm nx run-many --projects @zitadel/console @zitadel/client @zitadel/proto @zitadel/functional-ui --targets lint build test
Run functional UI tests against a locally built API and a dev server Management Console.
Allow the API to redirect to your dev server.
Alternatively, create the file tests/functional-ui/.env.open.local with the following content:
CYPRESS_BASE_URL=http://localhost:8080/ui/console
# Run the API and the Management Console dev server
# Beware this doesn't work from within a dev container.
pnpm nx run @zitadel/functional-ui:open
Or run all tests to completion.
# Run the tests
pnpm nx run @zitadel/functional-ui:test
Fix the quality checks, add new checks that cover your changes and mark your pull request as ready for review when the pipeline checks pass.
To start developing, make sure you followed the quick start steps.
@zitadel/proto: Protocol buffer definitions and generated TypeScript/JavaScript clients.
pnpm nx run @zitadel/proto:generate # Regenerate after proto changes
@zitadel/client: High-level TypeScript client library with utilities for API interaction.
pnpm nx run @zitadel/client:build # Build after changes
All binary proto plugins are installed to .artifacts/bin/<GOOS>/<GOARCH>/ and declared as Nx target outputs, making them eligible for Nx remote cache.
| Scope | Target | Installs |
|---|---|---|
| @zitadel/api | generate-install | Go-based plugins: buf, protoc-gen-go, protoc-gen-connect-go, protoc-gen-openapiv2, protoc-gen-validate, protoc-gen-authoption, … |
| @zitadel/console | install-proto-plugins | protoc-gen-grpc-web, protoc-gen-js, protoc-gen-openapiv2 (pre-built binaries, no Go required) |
| @zitadel/docs | install-proto-plugins | protoc-gen-connect-openapi (pre-built binary, no Go required) |
generate targets depend on the appropriate install targets and prepend .artifacts/bin/ to $PATH automatically. Running pnpm nx run PROJECT:generate is sufficient — no manual plugin installation needed.
Project documentation is located under ./apps/docs. Please refer to the Docs README for detailed instructions on how to contribute to the documentation.
Zitadel loads translations from four files:
- Console texts
- Login interface
- Email notification
- Common texts for success or error toasts
You may edit the texts in these files or create a new file for additional language support. Make sure you set the locale (ISO 639-1 code) as the name of the new language file. Please make sure that the languages within the files remain in their own language, e.g. German must always be Deutsch. If you have added support for a new language, please also ensure that it is added in the list of languages in all the other language files.
You also have to add some changes to the following files:
- Register Local File - Import and register the Angular locale, register i18n-iso-countries locale
- Exclude from Angular prebundle - Add i18n-iso-countries/langs/<locale>.json to prebundle.exclude
- Add Supported Language
- Customized Text Docs
- Add language option
The new Login UI (Next.js) has its own translation files that are maintained separately:
- Login v2 locale files - Add a new <locale>.json file with translations
- Register language in LANGS - Add the language to the LANGS array with native name and code
- System default translations - Add translations to the backend default translations file (required for Login v2 to work correctly)
Important: The v2-default.json file contains system default translations served by the API. If a language is not present in this file, the API will fall back to the instance's default language (typically English), which will override the locale-specific translations. This is why adding translations to both apps/login/locales/<locale>.json AND internal/query/v2-default.json is required for Login v2.
- Please read Security Policy.
The Zitadel Team works with an agile product management methodology. You can find all the issues prioritized and ordered in the product board.
We want to deliver a new release every second week. So we plan everything in two-week sprints. Each Tuesday we estimate new issues and on Wednesday the last sprint will be reviewed and the next one will be planned. After a sprint ends, a new version of Zitadel will be released and published to Zitadel Cloud the following Monday.
If there are critical or urgent issues, we will look at them earlier than the two weeks. To show the community the needed information, each issue gets attributes and labels.
You can find the attributes on the project "Product Management".
The state should reflect the progress of the issue and what is going on right now.
- No status: Issue just got added and has to be looked at.
- 🧐 Investigating: We are currently investigating to find out what the problem is, which priority it should have and what has to be implemented. Or we need some more information from the author.
- 📨 Product backlog: If an issue is in the backlog, it is not currently being worked on. These are recorded so that they can be worked on in the future. Issues with this state do not have to be completely defined yet.
- 📝 Prioritized product backlog: An issue with the state "Prioritized Backlog" is ready for the refinement from the perspective of the product owner (PO) to implement. This means the developer can find all the relevant information and acceptance criteria in the issue.
- 🔖 Ready: The issue is ready to take into a sprint. Difference to "prioritized..." is that the complexity is defined by the team.
- 📋 Sprint backlog: The issue is scheduled for the current sprint.
- 🏗 In progress: Someone is working on this issue right now. The issue will get an assignee as soon as it is in progress.
- ❌ Blocked: The issue is blocked until another issue is resolved/done.
- 👀 In review: The issue is in review. Please add someone to review your issue or let us know that it is ready to review with a comment on your pull request.
- ✅ Done: The issue is implemented and merged to main.
Priority shows you the priority the Zitadel team has given this issue. In general the higher the demand from customers and community for the feature, the higher the priority.
- 🌋 Critical: This is a security issue or something that has to be fixed urgently, because the software is not usable or highly vulnerable.
- 🏔 High: These are the issues the Zitadel team is currently focusing on and will be implemented as soon as possible.
- 🏕 Medium: After all the high issues are done these will be next.
- 🏝 Low: This is low in priority and will probably not be implemented in the near future, or only if someone has some time in between.
This should give you an indication of how complex the issue is. It's not about the hours or effort it takes. Everything that is higher than 8 should be split into smaller parts.
1, 2, 3, 5, 8, 13
There are a few general labels that don't belong to a specific category.
- good first issue: This label shows contributors that it is an easy entry point to start developing on Zitadel.
- help wanted: The author is seeking help on this topic, this may be from an internal Zitadel team member or external contributors.
The category shows which part of Zitadel is affected.
- category: backend: The backend includes the APIs, event store, command and query side. This is developed in golang.
- category: ci: ci is all about continuous integration and pipelines.
- category: design: All about the ux/ui of Zitadel
- category: docs: Adjustments or new documentations, this can be found in the apps/docs folder.
- category: frontend: The frontend concerns on the one hand the Zitadel Management Console (Angular) and on the other hand the Login (gohtml)
- category: infra: Infrastructure does include many different parts. E.g Terraform-provider, docker, metrics, etc.
- category: translation: Everything concerning translations or new languages
The language shows you in which programming language the affected part is written
- lang: angular
- lang: go
- lang: javascript