Skip to main content


Built-in Zitadel integration.


default<P>(options): OIDCConfig< P >

Add ZITADEL login to your page.


Callback URL​


import Auth from "@auth/core"
import ZITADEL from "@auth/core/providers/zitadel"

const request = new Request(origin)
const response = await Auth(request, {
providers: [ZITADEL({ clientId: ZITADEL_CLIENT_ID, clientSecret: ZITADEL_CLIENT_SECRET })],



By default, Auth.js assumes that the ZITADEL provider is based on the Open ID Connect specification.

The Redirect URIs used when creating the credentials must include your full domain and end in the callback path. For example:

  • For production: https://{YOUR_DOMAIN}/api/auth/callback/zitadel
  • For development: http://localhost:3000/api/auth/callback/zitadel

Make sure to enable dev mode in ZITADEL console to allow redirects for local development.


The ZITADEL provider comes with a default configuration. To override the defaults for your use case, check out customizing a built-in OAuth provider.


ZITADEL also returns a email_verified boolean property in the profile. You can use this property to restrict access to people with verified accounts.

const options = {
callbacks: {
async signIn({ account, profile }) {
if (account.provider === "zitadel") {
return profile.email_verified;
return true; // Do different verification for other providers that don't have `email_verified`

If you think you found a bug in the default configuration, you can open an issue.

Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec, we might not pursue a resolution. You can ask for more help in Discussions.

Type parameters​

β–ͺ P extends ZitadelProfile


β–ͺ options: OAuthUserConfig< P >


OIDCConfig< P >


The returned user profile from ZITADEL when using the profile callback. See the standard claims reference here. If you need access to ZITADEL APIs or need additional information, make sure to add the corresponding scopes.


  • Record< string, any >