$HEADLESS SYSTEMS
03 / Scorecard / Auth & Identity

ZITADEL

Band: C
Headless Index: 72/100
JAIRF: 43.5/100 (Foundational)
Verified · MAY 21, 2026
Methodology v1 · JAIRF v1.0.0

Powered by JAIRF v1.0.0 by Jentic · open methodology at /the-headless-index/methodology

Editorial verdict
ZITADEL is partially headless and partly UI-led. The Headless Index thesis-fit score of 72/100 puts it mid-table on the index, and JAIRF v1.0.0 puts it at 43.5/100 (Level 1, Foundational). In practice, vendors at this tier are partly machine-consumable: the core flows are reachable through code but several adjacent surfaces still expect a human at a dashboard, and the rest of this verdict explains where ZITADEL lands inside that pattern.

On the API surface, the question is whether the API is the product or a layer beneath the dashboard. ZITADEL is open-source, cloud-native identity with gRPC and REST APIs and OpenAPI specifications committed to github.com/zitadel/zitadel. SDKs are auto-generated. The product is API-first by design and the management API mirrors every Console action one-to-one.[1]

Schema observability is the related test: can an agent introspect the contract from cold, or does it have to read prose documentation to do so? OpenAPI specifications live in the monorepo and auto-generate the SDKs across languages. zitadel.com/docs/apis surfaces auto-generated documentation. Schema discoverability is category-leading for open-source identity.[2] An agent can drive parts of this product, but not all of it: integrators should plan for human-in-the-loop checkpoints where the headless surface stops short.

On headless operability: Every administrative action in the ZITADEL Console maps to a gRPC or REST call: tenants, users, projects, applications, actions, policies, custom domains, audit logs. The Terraform provider plus the zitadel CLI complete the IaC story. Multi-tenant and self-hosted both share the same API surface.[3]

On the MCP and agent-integration axis, which is the fastest-moving criterion in the index: No first-party ZITADEL MCP server has been published yet. The team has discussed agent integrations publicly, and the comprehensive API surface plus the open-source codebase make an MCP wrapper structurally straightforward. Community implementations exist.[4]

Event posture closes the loop: an agent that cannot react to state changes is reduced to polling. The Actions framework triggers on identity lifecycle events with HMAC verification. Outbound webhook delivery is configured per action. The catalog covers the major identity lifecycle changes; payload depth is comprehensive.

Net assessment: integrators can build agent flows against ZITADEL, but the rough edge to plan around is MCP posture[5]. Expect to wrap missing pieces in bespoke glue or accept human-in-the-loop checkpoints. Workable but requires scaffolding.

Verdict by Headless Index pipeline (auto)
// AI-drafted from the evidence layer. Editorial review pending.
Scores

Scorecard detail

Headless Index · 5 sub-criteria
API-first design intent: 18/20 (scored)

ZITADEL is open-source, cloud-native identity with gRPC and REST APIs and OpenAPI specifications committed to github.com/zitadel/zitadel. SDKs are auto-generated. The product is API-first by design and the management API mirrors every Console action one-to-one.

signals (6)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • + OpenAPI spec: Published, 629 operations
  • GraphQL endpoint: Not discovered (5 probes; project-scoped endpoints require a real project ID)
  • + SDKs maintained: 6 (go, java, javascript, php, python, ruby); top by stars: zitadel/zitadel-go (136 stars)
  • + SDK recency: 6 of 6 SDK repos pushed within 30 days (most recent SDK commit: 2026-05-20)
  • · npm weekly downloads: 3.1k across published packages; top: @zitadel/client @ 3.1k/week
cite (2)
  • github.sdks@2026-05-20
  • openapi.discovered@2026-05-20
Headless operation: 18/20 (scored)

Every administrative action in the ZITADEL Console maps to a gRPC or REST call: tenants, users, projects, applications, actions, policies, custom domains, audit logs. The Terraform provider plus the zitadel CLI complete the IaC story. Multi-tenant and self-hosted both share the same API surface.

signals (9)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • + API operations exposed: 629 operations in OpenAPI spec
  • · Docs pages crawled: 0 pages (crawler: none)
  • · Auth schemes documented: Auth documentation page not reached by crawler
  • · Setup / quickstart docs: Not reached by crawler
  • · Billing docs: Not reached by crawler
  • · Teams / org docs: Not reached by crawler
  • · CLI docs: Not reached by crawler
  • · Schema / data model docs: Not reached by crawler
cite (2)
  • github.sdks@2026-05-20
  • ai_review_browser.sdks@2026-05-20
MCP & agent posture: 6/20 (scored)

No first-party ZITADEL MCP server has been published yet. The team has discussed agent integrations publicly, and the comprehensive API surface plus the open-source codebase make an MCP wrapper structurally straightforward. Community implementations exist.

signals (4)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • Official MCP server: None found in vendor's GitHub org or the official MCP registry
  • Community MCP servers: None found
  • + Agent-friendly SDKs: 1 TS/JS SDKs available; top: @zitadel/client (3.1k/week downloads)
cite (1)
  • mcp.found@2026-05-20
Schema observability: 18/20 (scored)

OpenAPI specifications live in the monorepo and auto-generate the SDKs across languages. zitadel.com/docs/apis surfaces auto-generated documentation. Schema discoverability is best-in-class for open-source identity.

signals (3)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • + OpenAPI: Published at https://zitadel.com/api/openapi.yaml (OpenAPI 3.0.3, 629 operations)
  • GraphQL introspection: No GraphQL endpoint discovered (5 probes; some vendors use project-scoped endpoints that require a real project handle)
cite (2)
  • openapi.url@2026-05-20
  • ai_review_browser.schema@2026-05-20
Webhooks & events: 12/20 (scored)

The Actions framework triggers on identity lifecycle events with HMAC verification. Outbound webhook delivery is configured per action. The catalog covers the major identity lifecycle changes; payload depth is comprehensive.

signals (2)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • · Webhook docs page: Not reached by crawler within budget (0 pages crawled). Cannot confirm whether vendor offers webhooks.
cite (1)
  • ai_review_browser.webhooks@2026-05-20
JAIRF · 6 dimensions
FC · Foundational Compliance · 45/100

Structural validity, standards conformance, and parsability of the OpenAPI specification.

DXJ · Developer Experience & Tooling Compatibility · 27.3/100

Documentation clarity, example coverage, response completeness, and ingestion health.

ARAX · AI-Readiness & Agent Experience · 37.7/100

Semantic clarity, intent expression, datatype specificity, and error standardization.

AU · Agent Usability · 70/100

Operational composability, complexity comfort, navigation affordances, and safety patterns.

SEC · Security · 15/100

Authentication strength, transport security, secret hygiene, and OWASP risk posture.

AID · AI Discoverability · 66.4/100

Descriptive richness, intent phrasing, workflow context, and registry signals.

Band rationale: C band: scores 40-75 range

Calibration

How THI compares to external scorers

Source | Score | Measures | Last checked
Fern Agent Score | not found | Documentation completeness and SDK shape (~22 checks) |
CLIRank Agent Friendliness | not found | CLI readiness, docs quality, and overall agent affordances |
Cloudflare Is It Agent Ready? | blocked | Cloudflare's manual agent-readiness heuristic per vendor URL |
Jentic Scorecard | | JAIRF-based scorecard requiring a public OpenAPI specification |
THI 72 vs external median 0

No external scores available to calibrate against.