
4.0.0

Upgrade from 3.0.0, released 2025-07-31. Contains breaking changes (major release).

ZITADEL v4.0.0 is a major release with significant API improvements and new features. The primary breaking change is the promotion of Actions V2 API from beta to GA with endpoint path changes. All V1 APIs remain functional but are deprecated.

Breaking Changes (2)

  • Actions V2 API - General Availability (#10364, #10303, #10138) breaking
    Actions v2 API promoted from beta to stable GA release. Provides production-ready action execution and target management capabilities with improved API design.
    api actions
  • Actions V2 API Design Corrections (#10303, #10138) breaking
    Corrected API design before GA promotion including body usage for ListExecutions, REST paths for ListTargets and ListExecutions, attribute names for responses, and pagination/filter naming to adhere to standards.
    api actions

Security (3)

  • Proto Header Validation and HTTPS Enforcement (#9975) high
    Validate the proto header and enforce HTTPS for better transport security
    api security
  • CORS Configuration for ConnectRPC (#10227) high
    Proper CORS configuration for connectRPC and grpc-web to prevent cross-origin attacks
    api security
  • Organization Cache Isolation (#10012) critical
    Prevent org cache overwrite by other instances to ensure data isolation in multi-tenant deployments
    cache security

Features (29)

  • Actions V2 API - General Availability (#10364, #10303, #10138) breaking
    Actions v2 API promoted from beta to stable GA release. Provides production-ready action execution and target management capabilities with improved API design.
    api actions
  • ConnectRPC Server Implementation (#10145, #9483)
    All v2 services now use connectRPC implementation, enabling gRPC, gRPC-web, and HTTP/1.1/REST support without additional gateway. V1 services remain as pure gRPC for backward compatibility.
    api grpc
  • App API v2 - Resource-Based Application Management (#10077, #9450)
    New resource-based API for managing applications (OIDC, SAML, API apps) with unified endpoints and partial update support. Includes CreateApplication, PatchApplication, and RegenerateClientSecret endpoints.
    api applications
  • App Keys API v2 (#10140, #9450)
    Resource-based API for managing application keys
    api applications
  • Project v2beta Resource API (#9742, #9177)
    Resource-based API for project management in beta
    api projects
  • Federated Logout for SAML IdPs (#9931, #9228)
    Support for federated logout with SAML identity providers for proper session termination across federated systems
    saml idp
  • JWT IdP Intent Support (#9966, #9758)
    Support for JWT-based IdP intent handling for better integration with JWT-based identity providers
    idp jwt
  • Service Ping Implementation (#10080, #10166, #9869)
    Opt-out mechanism for sending anonymized metrics and usage data to help improve ZITADEL. Includes secure data collection with privacy-conscious design.
    telemetry
  • Hosted Login Translation API (#10011, #9850)
    API for managing hosted login page translations for better customization of multi-language deployments
    api login i18n
  • Turkish Language Support (#10198)
    Added Turkish language support to ZITADEL
    i18n
  • SHA2 and PHPass Password Hash Support (#9809)
    Support for SHA2 and PHPass password hash algorithms for better migration from legacy systems
    crypto authentication
  • Custom Organization ID (#9720, #9202)
    Allow custom organization ID in AddOrganizationRequest for better control during creation/import
    api organizations
  • Organization API - Resource-Based (#9943, #9900)
    Moving organization API to resource-based design for consistent API patterns
    api organizations
  • User API - Resource-Based (#9794)
    User API requests migrated to resource API for consistent resource-based user management
    api users
  • User Profile Requests in Resource APIs (#10151, #9165)
    User profile management in resource-based APIs
    api users
  • Instance Requests for Resource API (#9830, #9452)
    Instance service implementation for resource API
    api instances
  • Generate WebKeys Setup Step (#10105)
    Automated web key generation during setup for simplified initial configuration
    setup crypto
  • Initial Admin PAT with IAM_LOGIN_CLIENT (#10143, #10116)
    Initial admin Personal Access Token includes IAM_LOGIN_CLIENT scope for better initial admin capabilities
    authentication setup
  • OIDC Logout Hint Handling (#10039, #9847)
    Handle logout hint on end_session_endpoint for improved OIDC logout flow
    oidc
  • Actions Context Information - ClientID (#10339, #9377)
    Add clientID to actions context information for more context in action executions
    actions
  • Display Authentication Method Name on Application Page (#9639, #9435)
    Show authentication method names in console for better visibility
    console
  • Organization ID Filter in Console (#9823, #8792)
    Add organization ID filter to organization list for easier management
    console
  • Actions V2 Console Improvements (#9759, #7248)
    UI improvements for Actions V2 in console for better user experience
    console actions
  • Project Member Permission Filter (#9757)
    Permission filtering for project members for better access control granularity
    permissions projects
  • Resource Counters Projections (#9979)
    Projection-based resource counting for better performance
    projections
  • Login V2 i18n for Required Messages (#10288)
    Internationalization for all input required messages in Login V2
    login i18n
  • User ID Index on Sessions (#9834)
    Add a user ID index on sessions to improve query performance
    database sessions
  • Invite Codes for Verified Emails (#9962)
    Allow invite codes for users with verified emails for more flexible usage
    authentication
  • User Self Deletion (#9828, #9763)
    Allow users to delete their own accounts
    users

Bug Fixes (62)

  • Actions V2 Deleted Target Handling (#9822) high
    Improved handling of deleted targets in executions to prevent errors
    actions
  • Actions Empty Deny List Handling (#9753) medium
    Correctly handle empty deny lists in action execution filtering
    actions
  • User State Queries Mapping (#9956) medium
    Correct mapping of user state queries in API for accurate filtering
    api users
  • CORS for ConnectRPC and gRPC-web (#10227) high
    Proper CORS configuration for connectRPC and grpc-web to fix cross-origin issues
    api cors
  • SAML Form Post Data in IDP Intent (#10136) medium
    Return typed SAML form post data in the IdP intent for better integration
    saml idp
  • Cache Org Overwrite Prevention (#10012) critical
    Prevent org cache overwrite by other instances to fix data consistency issues in multi-instance deployments
    cache organizations
  • Console User List Count and Timestamps (#9705) medium
    Correct count for users list and show create timestamp in user details
    console
  • Console V2 Sessions List Uniqueness (#9778) medium
    Show only unique v2 sessions in the list to prevent duplicate entries
    console sessions
  • Console Org Context for V2 User Creation (#9971) medium
    Proper org context for V2 user creation to ensure users created in correct organization
    console users
  • Project Service ID Filter (#10035) medium
    Correct ID filter for the project service for accurate filtering
    projects
  • Project Permissions on V2 API (#9973, #9972) medium
    Correct permission checks for projects on the v2 API for proper authorization
    api projects permissions
  • Google IDP User Unmarshalling (#9799) medium
    Correct unmarshalling of IdP user when using Google OAuth
    idp google
  • User V2 API Documentation for V3 (#10112, #10083) low
    Correct the user v2 API docs for v3
    documentation
  • LDAP User Filters OR-Join (#9855, #7003) medium
    Correctly OR-join LDAP user filters when constructing queries
    ldap
  • Single Matching User by Loginname (#9865) medium
    Correctly use single matching user by loginname to prevent ambiguous lookups
    authentication
  • OpenTelemetry Metrics for River Queue (#10044, #10043) medium
    Enable OpenTelemetry metrics for the River queue for better observability
    queue telemetry
  • Eventstore Decimal and Mirror Correction (#9914) high
    Use decimal and correct mirror in eventstore for data consistency
    eventstore
  • MFA Factors Display (#9313) low
    Display only enabled factors on the user page for a cleaner UI
    console mfa
  • Project Fields by ID and Resource Owner (#10034) medium
    Correct project field retrieval by ID and resource owner
    projects
  • Login Image Display (#10355) low
    Fix login image display issue
    login
  • IDP User Information Mapping (#9892) medium
    Correct IdP user information mapping so user data from external IdPs is handled properly
    idp
  • Import/Export Deactivated State Preservation (#9992) high
    Fix deactivated users/organizations being imported as active; the deactivated state is now preserved
    import export
  • Instance Web Key Generation Defaults (#9815) medium
    Add web key generation to instance defaults for automated setup
    instances crypto
  • Invite Code Generation After Verification Failures (#10323, #9860) medium
    Correct invite code generation after multiple verification failures
    authentication
  • Login V1 Auto-Link with Suffixed Usernames (#10205) medium
    Correctly auto-link users on organizations with suffixed usernames
    login organizations
  • Login V1 Organization Token Context (#10221) critical
    Ensure the user's organization is always set into the token context to prevent authorization issues
    login authentication
  • Login V1 Password Reset with Email/Phone (#10228) medium
    Handle password reset when authenticating with email or phone number
    login authentication
  • Login SAML Cookie Serialization Error Handling (#10259) medium
    Better error handling for SAML cookie serialization with more graceful error messages
    login saml
  • Login Invite Code Permission Check (#10197) medium
    Changed the permission check for sending an invite code at login for proper authorization
    login permissions
  • Login Copy to Clipboard Browser Compatibility (#9880, #9379) medium
    The copy-to-clipboard button in the MFA login step now works in non-Chrome browsers
    login mfa
  • Login Email/Phone Query and Session Context (#10158) medium
    Resolve email or phone queries using the session context from the loginname to support flexible login identifiers
    login
  • Login FormPost Data Cookie Encoding (#10173) medium
    Encode form-post data into the cookie for proper SAML flow data handling
    login saml
  • Login i18n Locale Context (#10156) medium
    Ensure correct i18n locale context for proper language display
    login i18n
  • Login Auto Creation Error Rendering (#9871, #9766) medium
    Render error properly when auto creation fails for better user experience
    login
  • Login SAML Cookie Settings (#10266) medium
    Correct SAML cookie settings for proper session handling
    login saml
  • Metadata Encoding and Decoding (#10024) medium
    Correct metadata decoding and encoding for proper metadata handling
    metadata
  • Mirror Max Auth Request Age Configuration (#9812) low
    Add max auth request age configuration to mirror for better lifecycle management
    mirror
  • Organization Unique Constraints (#10243) critical
    Add unique constraints so an organization cannot be added twice with the same ID
    organizations database
  • Packages CJS and Module Resolution (#10322) medium
    Fix CJS and module resolution for better package compatibility
    packages
  • Project Grant Permissions V2 Remove (#10337) medium
    Fix removal of project grant permissions on the v2 API for proper cleanup
    projects permissions
  • Projection Users with Factors Removal (#9877) medium
    Remove users with factors from projection for data consistency
    projections
  • Queue Projection List Reset (#10001) medium
    Reset projection list before each Register call to prevent registration issues
    queue projections
  • SAML AuthenticationSucceededOnApplication Milestone (#10263, #9592) medium
    Push AuthenticationSucceededOnApplication milestone for SAML sessions for proper tracking
    saml
  • SCIM Random Password Metadata Config (#10296, #10009) medium
    Add a metadata config to ignore random password sent during SCIM create for better integration flexibility
    scim
  • SCIM Email Type Attribute (#9690) low
    Add type attribute to ScimEmail for SCIM spec compliance
    scim
  • Service Ping Endpoint and Validation (#10166) medium
    Correct the endpoint, validate the configuration and randomize the default interval for proper operation
    telemetry
  • Settings Restricted Languages (#9947) low
    Fix setting restricted languages so it works correctly
    settings
  • Setup S54 Execution (#9849) medium
    Execute the s54 setup step for a complete setup process
    setup
  • Setup Index Creation Re-enable (#9868) medium
    Re-enable index creation in setup for proper database indexing
    setup database
  • ListInstanceTrustedDomains Sorting (#10172, #9839) low
    Add sorting options to the ListInstanceTrustedDomains() gRPC endpoint
    api instances
  • Login Page Text Buttons Overflow (#9637, #7619) low
    Fix text button overflow in the login page layout
    login
  • Documentation Typo in Migration Guide (#9867) low
    Typo in 'Migrate from ZITADEL' documentation
    documentation
  • Documentation Link Update (#9802) low
    Update link to postgres-insecure example in docs for correct references
    documentation
  • Session Recordings for PostHog (#9775) low
    Update session recordings for posthog analytics
    analytics
  • Actions V2 Execution Ordering (#9820, #9688) medium
    Use ID ordering for the executions in Actions v2 for predictable execution order
    actions
  • WebAuthn Old Credentials on Session API (#10150) medium
    Allow 'old' passkey/U2F credentials on the session API for backward compatibility
    webauthn sessions
  • Auto Cleanup Failed Setup Steps (#9736) medium
    Automatically clean up failed setup steps if the process is killed, for cleaner recovery
    setup
  • Execution Handler Current State in Setup (#9863) medium
    Add current state for execution handler into setup for proper state tracking
    setup actions
  • Removed Targets Handling (#9824) medium
    Correct handling of removed targets to prevent errors
    actions
  • Actions V2 Texts Improvement (#9814) low
    Improve Actions V2 texts and re-enable them in settings for a better UI
    actions console
  • Actions V2 Translations (#9826) low
    Improve Actions V2 translations for better multilingual support
    actions i18n
  • Default SystemAPIUsers Comment (#9813) low
    Comment default SystemAPIUsers for configuration clarity
    configuration

Deprecations (2)

  • V1 API Endpoints
    Multiple V1 endpoints deprecated including Organization Objects V1 (Users, Projects, Members) and Instance Lifecycle V1. These endpoints remain functional but users should migrate to v2 resource-based APIs.
    api
  • OpenAPI 2.0 for New Endpoints
    OpenAPI 2.0 discontinued for new v2 endpoints in favor of connectRPC
    api

Removed (3)

  • Improved Performance Feature Enumer (#9819)
    Removed the improved performance enumer as part of code cleanup
    features
  • Action Feature Flag (#9727, #9710, #9759)
    Removed action feature flag - Actions V2 now always available
    actions features
  • Index es_instance_position (#9862)
    Removed index es_instance_position for database optimization
    database

Maintenance & Chores (4)

  • Actions V2 API Design Corrections (#10303, #10138) breaking
    Corrected API design before GA promotion including body usage for ListExecutions, REST paths for ListTargets and ListExecutions, attribute names for responses, and pagination/filter naming to adhere to standards.
    api actions
  • Actions Default Sorting to Creation Date (#9795, #9763)
    Default sorting column set to creation date for more predictable action listing
    actions
  • Login Session Lifetime and Expiration Display (#10297)
    Add a default session lifetime configuration and show the expiration on the accounts page
    login sessions
  • AddOrganization API Returns All Admins (#9900)
    Reworked AddOrganization() API call to return all administrators for better visibility
    api organizations

Upgrade Warnings

  • Actions V2 API endpoint paths have changed - update client code before upgrading
  • New v2 services require connectRPC-compatible clients
  • V1 APIs are deprecated and will be removed in v5.0.0