As soon as you successfully deployed ZITADEL as a proof of concept using one of our deployment guides, you are ready to configure ZITADEL for production usage.
We recommend running ZITADEL highly available using an orchestrator that schedules ZITADEL on multiple servers, like Kubernetes. For keeping startup times fast when scaling ZITADEL, you should also consider using separate jobs with
zitadel init and
zitadel setup, so your workload containers just have to execute
Read on the configure page about the available options you have to configure ZITADEL.
- To make ZITADEL available at the domain of your choice, you need to configure the ExternalDomain property.
- To enable and restrict access to HTTPS, head over to the description of your TLS options.
- If you want to front ZITADEL with a reverse proxy, web application firewall or content delivery network, make sure to support HTTP/2.
- You can also refer to some example reverse proxy configurations.
- Serving and caching the assets using a content delivery network could improve network latencies and shield your ZITADEL runtime.
By default, metrics are exposed at /debug/metrics in OpenTelemetry (otel) format.
Also, you can enable tracing in the ZITADEL configuration.
# Choose one in "otel", "google", "log" and "none"
ZITADEL supports CockroachDB and PostgreSQL. We highly recommend using CockroachDB, as horizontal scaling is much easier than with PostgreSQL. Also, if you are concerned about multi-regional data locality, the way to go is with CockroachDB.
Depending on your environment, you maybe would want to tweak some settings about how ZITADEL interacts with the database in the database section of your ZITADEL configuration. Read more about your database configuration options.
You also might want to configure how projections are computed. These are the default values:
Manage your Data
When designing your backup strategy, it is worth knowing that ZITADEL is event sourced. That means, ZITADEL itself is able to recompute its whole state from the records in the table eventstore.events. The timestamp of your last record in the events table defines up to which point in time ZITADEL can restore its state.
The ZITADEL binary itself is stateless, so there is no need for a special backup job.
- You can configure instance defaults in the DefaultInstance section. If you plan to eventually create multiple virtual instances, these defaults take effect. Also, these configurations apply to the first instance, that ZITADEL automatically creates for you. Especially the following properties are of special interest for your production setup.
RefreshTokenIdleExpiration: 720h #30d
RefreshTokenExpiration: 2160h #90d
# this configuration sets the default email configuration
# configuration of the host
#for example smtp.mailtrap.io:2525
# if the host of the sender is different from ExternalDomain set DefaultInstance.DomainPolicy.SMTPSenderAddressMatchesInstanceDomain to false
- If you don't want to use the DefaultInstance configuration for the first instance that ZITADEL automatically creates for you during the setup phase, you can provide a FirstInstance YAML section using the --steps argument.
- Learn how to configure ZITADEL via the Console user interface.
- Probably, you also want to apply your custom branding, hook into certain events, customize texts or add metadata to your users.
- If you want to automatically create ZITADEL resources, you can use the ZITADEL Terraform Provider.