Skip to main content
C1 provides identity governance for ZITADEL. Integrate your ZITADEL instance with C1 for unified visibility and governance over user access.

Capabilities

ResourceSyncProvision
Users
Projects
The connector models ZITADEL Projects as groups, each project’s roles as entitlements on that group, and user grants (a user’s assigned roles in a project) as the grant edges.

Gather ZITADEL credentials

The connector authenticates with a ZITADEL Personal Access Token (PAT) issued to a service user that holds Management API read access. Add an instance IAM read role only if you want the connector to auto-detect the organization.
1
In the ZITADEL console, create a service user (a machine user) in the organization you want to sync.
2
Grant the service user a Management read role on that organization — an Org Owner Viewer manager role, or a custom role covering project.read, user.read, project.role.read, and user.grant.read.If you plan to leave the Organization ID empty so the connector auto-detects the org, also grant the service user an instance-level IAM read role (for example IAM Owner Viewer / iam.read).
3
Generate a Personal Access Token for the service user. PATs are opaque bearer tokens and automatically carry the reserved ZITADEL audience, so no additional scope plumbing is required. Copy the token value.
4
Copy your ZITADEL instance URL (for ZITADEL Cloud, this is https://<instance>.zitadel.cloud; for self-hosted, use your custom domain). If your instance hosts more than one organization, also note the organization ID you want to sync.

Configuration fields

FieldRequiredDescription
instance-urlYesYour ZITADEL instance base URL, with scheme and no trailing path (for example https://acme.zitadel.cloud).
patYesA ZITADEL Personal Access Token for a service user with Management API read roles.
org-idNoOrganization ID to scope the sync to. Leave empty for single-organization instances (auto-detected). Required only when the instance hosts more than one organization.

Synced resource types

  • Users: ZITADEL users (human and machine) from POST /management/v1/users/_search.
  • Projects (as groups): ZITADEL projects from POST /management/v1/projects/_search.
  • Project roles (as entitlements): each project’s roles from POST /management/v1/projects/{projectId}/roles/_search.
  • Role assignments (as grants): user grants from POST /management/v1/users/grants/_search, filtered per project.

Special notes

  • Provisioning is not supported in the current build; the connector is read-only.
  • The connector scopes a sync to a single organization. For an instance with one organization, leave Organization ID empty and it is auto-detected. For an instance with more than one organization, set Organization ID to the org you want to sync.
  • Project grants (inter-organization project delegation) are not synced.

Configure the ZITADEL connector

Follow these instructions to use a built-in, no-code connector hosted by C1.
1
In C1, navigate to Integrations > Connectors and click Add connector.
2
Search for ZITADEL and click Add.
3
Choose how to set up the new ZITADEL connector.
4
Set the owner for this connector.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
Enter the ZITADEL credentials:
  • Instance URL: Your ZITADEL instance base URL.
  • Personal Access Token: The PAT for the service user.
  • Organization ID: Leave empty for single-org instances; set it for multi-org instances.
8
Click Save.
9
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
Done. Your ZITADEL connector is now pulling access data into C1.