4.14.0

2025-02-14
Contains Breaking Changes
minor

Breaking Changes 1

  • Authenticated encryption for opaque tokens (Breaking) (#12017, #11315) breaking
    Opaque tokens now use authenticated encryption (AES-GCM). A fallback path keeps tokens issued before the upgrade valid, but tokens issued after the upgrade cannot be verified by older versions of ZITADEL.
    OIDC

Features 7

  • X.509 certificate support for system-api-user tokens (#11876, #11442)
    Allow System API users to authenticate using X.509 certificates, supporting standard PKI tooling.
    System API
  • ECDSA and ED25519 public keys support for machine users (#11819)
    Allow ECDSA and Ed25519 public keys for machine user authentication via the JWT bearer grant.
    Authentication
  • Improved organization search performance in project grants (#12057, #11121)
    Refactored organization search to use server-side filtering and infinite scrolling to handle instances with large datasets (40k+ organizations).
    Console
  • Portuguese (pt) translations for Login V2 (#11897, #11782)
    Login UI (V2)
  • Support for polling backend readiness while the login container starts up (#12032)
    Added `ZITADEL_API_AWAITINITIALCONN` environment variable to poll backend readiness before starting the server.
    Login UI (V2)
  • Simplified login client auth and PKCS#1 key support (#11888, #11442)
    Renamed `ZITADEL_LOGIN_SERVICE_KEY_FILE` to `ZITADEL_LOGINCLIENT_KEYFILE` and added support for PKCS#1 keys.
    Login UI (V2)
  • Support for standard OTEL environment variables (#11864)
    Added 'auto' exporter type to delegate configuration to standard OpenTelemetry environment variables via autoexport.
    Observability

Bug Fixes 11

  • Authenticated encryption for opaque tokens (Breaking) (#12017, #11315) breaking
    Opaque tokens now use authenticated encryption (AES-GCM). A fallback path keeps tokens issued before the upgrade valid, but tokens issued after the upgrade cannot be verified by older versions of ZITADEL.
    OIDC
  • Fix clearing OIDC redirect URIs in Console and Terraform (#12067, #12053)
    Console
  • Prevent duplicate email verification codes (#11893, #11857)
    Removed the email-code send side effect from the server component render path, so React Server Component re-fetches no longer trigger duplicate codes.
    Login UI (V2)
  • Return 401 instead of 500 for unauthenticated gateway errors (#11786, #11730)
    Preserve native gRPC status errors to ensure unauthenticated requests return HTTP 401 instead of 500 via the gateway.
    gRPC API
  • Improved error classification for Login V2 interface (#11926, #12022, #11923)
    New transport interceptor that enriches `ConnectError` with the proper status code, so 4xx-range errors no longer surface as 500 Internal Server Error.
    Login UI (V2)
  • Always show Settings page to admins in Console (#11779, #10912)
    The settings tab is now always visible to admins even in single-org environments to avoid confusion when using automation tools like Terraform.
    Console
  • Respect branding themeMode for UI toggle and CSP (#11903, #11721)
    Hides the theme toggle when branding is fixed to a specific mode and corrects Content Security Policy (CSP) application.
    Login UI (V2)
  • Preserve OIDC/SAML context during email flows (#11927, #11990, #11837)
    Preserves requestId during verification and email resends to maintain OIDC/SAML context and ensure proper redirection.
    Login UI (V2)
  • Disable duplicate SMTP provider creation clicks (#11868, #8964)
    Console
  • Fix JWT assertion error handling on token endpoint (#11933)
    Map invalid JWT assertion errors to 'invalid_grant' (HTTP 400) instead of returning a generic HTTP 500.
    OAuth 2.0
  • Increase gRPC MaxSendMsgSize for large exports (#12066)
    Increased `MaxSendMsgSize` to 10 MiB to support the export of larger organizations.
    gRPC API