Zitadel Provider

Resources

Setup

Callback URL

https://example.com/api/auth/callback/zitadel

https://example.com/auth/callback/zitadel

https://example.com/auth/callback/zitadel

Environment Variables

AUTH_ZITADEL_ID
AUTH_ZITADEL_SECRET

Configuration

/auth.ts

import NextAuth from "next-auth"
import Zitadel from "next-auth/providers/zitadel"
 
export const { handlers, auth, signIn, signOut } = NextAuth({
  providers: [Zitadel],
})

/src/routes/plugin@auth.ts

import { QwikAuth$ } from "@auth/qwik"
import Zitadel from "@auth/qwik/providers/zitadel"
 
export const { onRequest, useSession, useSignIn, useSignOut } = QwikAuth$(
  () => ({
    providers: [Zitadel],
  })
)

/src/auth.ts

import { SvelteKitAuth } from "@auth/sveltekit"
import Zitadel from "@auth/sveltekit/providers/zitadel"
 
export const { handle, signIn, signOut } = SvelteKitAuth({
  providers: [Zitadel],
})

/src/app.ts

import { ExpressAuth } from "@auth/express"
import Zitadel from "@auth/express/providers/zitadel"
 
app.use("/auth/*", ExpressAuth({ providers: [Zitadel] }))

Notes

The Redirect URIs used when creating the credentials must include your full domain and end in the callback path. For example:

For production: https://{YOUR_DOMAIN}/api/auth/callback/zitadel
For development: http://localhost:3000/api/auth/callback/zitadel

Make sure to enable dev mode in ZITADEL console to allow redirects for local development.

ZITADEL also returns a email_verified boolean property in the profile. You can use this property to restrict access to people with verified accounts.

const options = {
  ...
  callbacks: {
    async signIn({ account, profile }) {
      if (account.provider === "zitadel") {
        return profile.email_verified;
      }
      return true; // Do different verification for other providers that don't have `email_verified`
    },
  }
  ...
}

Yandex Zoho