4.0.0-rc.1 (2025-07-04)
Highlights
API v2: The New Resource-Based Standard
With this release, we've completed the migration of core resources – including instances, organizations, projects, applications and users – to our powerful new resource-based API. This modernization provides a more consistent, efficient, and scalable foundation for interacting with ZITADEL.
- Full API Documentation: https://zitadel.com/docs/apis/v2
- Seamless Transition with our Migration Guide: https://zitadel.com/docs/apis/migration_v1_to_v2
gRPC APIs with ConnectRPC
All new v2 APIs will exclusively leverage gRPC with ConnectRPC, discontinuing support for OpenAPI 2.0 for new endpoints. This ensures a robust, high-performance, and future-proof integration experience.
Note: Existing APIs from previous releases remain unaffected by this change.
Login V2 as default
Our re-engineered Login UI, leveraging the Session API, is now feature-complete (all features from login v1 supported) and will be the default experience for all new customers.
Service Ping
Introducing Service Ping, a new mechanism for securely sending anonymized metrics and usage data from Zitadel instances to our customer portal. This opt-out feature is crucial for understanding product usage and will serve as the foundation for exciting upcoming features, including decentralized AI model training based on aggregated data.
Full Changelog
Bug Fixes
- Actions V2 improve deleted target handling in executions (#9822) (48c1f7e)
- actions: default sorting column to creation date (#9795) (74ace1a), closes #9763
- add current state for execution handler into setup (#9863) (21167a4)
- allow invite codes for users with verified mails (#9962) (833f627)
- api: correct mapping of user state queries (#9956) (eb0eed2)
- api: return typed saml form post data in idp intent (#10136) (64a03fb), closes zitadel/typescript#410
- Auto cleanup failed Setup steps if process is killed (#9736) (aa9ef8b)
- cache: prevent org cache overwrite by other instances (#10012) (15902f5)
- console: correct count for users list, show create timestamp in user details (#9705) (bb59192)
- correct permissions for projects on v2 api (#9973) (85e3b74), closes #9972
- correct unmarshalling of IdP user when using Google (#9799) (3953879)
- correct user v2 api docs for v3 (#10112) (5da5ccd), closes #10083
- correctly "or"-join ldap userfilters (#9855) (1383cb0), closes #7003
- correctly use single matching user (by loginname) (#9865) (867e9cb)
- enable opentelemetry metrics for river queue (#10044) (83839fc), closes #10043
- FE: allow only enabled factors to be displayed on user page (#9313) (839c761)
- features: remove the improved performance enumer (#9819) (0465d50)
- import/export: fix for deactivated user/organization being imported as active (#9992) (77f0a10)
- Improve Actions V2 Texts and reenable in settings (#9814) (d930a09), closes #7248 #9688
- instance: add web key generation to instance defaults (#9815) (91bc71d)
- login: Copy to clipboard button in MFA login step now compatible in non-chrome browser (#9880) (77b4333), closes #9379
- login: email or phone query, session context from loginname (#10158) (47f0486)
- login: ensure correct i18n locale context (#10156) (325aa1f)
- login: render error properly when auto creation fails (#9871) (a73acbc), closes #9766
- mirror: add max auth request age configuration (#9812) (181186e)
- queue: reset projection list before each Register call (#10001) (b660d6a)
- remove action feature flag and include execution (#9727) (b8ba7bd), closes #9759 #9710
- remove index es_instance_position (#9862) (d71795c), closes #9837 #9837 #9863
- service ping: correct endpoint, validate and randomize default interval (#10166) (82cd1ce)
- settings: fix for setting restricted languages (#9947) (b46c41e)
- text buttons overflow in login page (#9637) (257bef9), closes #7619
- typo in "Migrate from ZITADEL" documentation (#9867) (056b01f)
- update link to postgres-insecure example in docs (#9802) (205beb6)
- Use ID ordering for the executions in Actions v2 (#9820) (002c3eb), closes #9688
- validate proto header and provide https enforcement (#9975) (c097887)
- webauthn: allow to use "old" passkeys/u2f credentials on session API (#10150) (71575e8)
- BREAKING CHANGE: release candidate v4 (8f0b7eb)
Features
- Actions V2 improvements in console (#9759) (56e0df6), closes #7248
- add custom org ID to AddOrganizationRequest (#9720) (6889d6a), closes /github.com/zitadel/zitadel/discussions/9202#discussioncomment-11929464 #9202
- api: moving organization API resource-based (#9943) (ae1a2e9)
- api: reworking AddOrganization() API call to return all admins (#9900) (7df4f76)
- App API v2 (#10077) (2691dae), closes #9450 #9450
- App Keys API v2 (#10140) (fce9e77), closes #9450 #9450 #9450
- console: Add organization ID filter to organization list (#9823) (2885601), closes #8792
- crypto: support for SHA2 and PHPass password hashes (#9809) (38013d0)
- Display Authentication Method Name on Application Page (#9639) (6aeaa89), closes #9435
- exchange gRPC server implementation to connectRPC (#10145) (9ebf231), closes #9483
- federated logout for SAML IdPs (#9931) (2cf3ef4), closes #9228
- generate webkeys setup step (#10105) (fa9de9a)
- Hosted login translation API (#10011) (28f7218), closes #9850
- implement service ping (#10080) (f93a35c), closes #9869
- initial admin PAT has IAM_LOGIN_CLIENT (#10143) (a02a534), closes #10116
- instance requests implementation for resource API (#9830) (490e4bd), closes #9452
- JWT IdP intent (#9966) (4d66a78), closes #9758
- permissions: project member permission filter (#9757) (658ca36)
- project v2beta resource API (#9742) (7eb45c6), closes #9177
- projections: resource counters (#9979) (b9c1cdf)
- user api requests to resource API (#9794) (8fc11a7)
- user profile requests in resource APIs (#10151) (5403be7), closes #9165
Performance Improvements
- eventstore: add instance position index (#9837) (bb56b36)
- query: org permission function for resources (#9677) (a2f60f2)
- query: reduce user query duration (#10037) (4df1382)
BREAKING CHANGES
- release candidate v4