Skip to main content


Installation and configuration details are described in the open source ZITADEL charts repo. By default, the chart installs a secure and highly available ZITADEL instance. For running an easily testable, insecure, non-HA ZITADEL instance, run the following commands.


Add the helm repository

helm repo add zitadel

Install an insecure zitadel release that works with localhost

helm install --namespace zitadel --create-namespace my-zitadel zitadel/zitadel \
--set zitadel.masterkey="MasterkeyNeedsToHave32Characters" \
--set zitadel.configmapConfig.ExternalSecure=false \
--set zitadel.configmapConfig.TLS.Enabled=false \
--set zitadel.secretConfig.Database.cockroach.User.Password="a-zitadel-db-user-password" \
--set replicaCount=1 \
--set cockroachdb.single-node=true \
--set cockroachdb.statefulset.replicas=1

Forward the ZITADEL service port to your local machine

kubectl -n zitadel port-forward svc/my-zitadel 8080:8080

Open your favorite internet browser and navigate to http://localhost:8080/ui/console. This is the default IAM admin users login:

  • username: zitadel-admin@zitadel.localhost
  • password: Password1!

In the above username, replace localhost with your configured external domain, if any. e.g. with

What's next

For running a production grade ZITADEL instance in your environment, go on with the configure ZITADEL section.


The ZITADEL management console requires end-to-end HTTP/2 support


This guide is for development / demonstration purpose only and does NOT reflect a production setup.

Things such as TLS termination and email verification will not be available unless you

  • Use an API gateway with valid certificates in front of the service
  • Configure an appropriate email server