Overview
The Zitadel API Edge Function provides comprehensive integration with the Zitadel identity provider, enabling OIDC authentication, user synchronization, group mapping, and role-based access control.
Endpoint: /functions/v1/zitadel-api
Authentication: Requires Supabase authorization header for most actions
Actions
Test Connection
Tests connectivity to a Zitadel instance and validates API credentials.
Action: test-connection
Zitadel issuer URL (e.g., https://gate.kappa4.com)
Zitadel Management API token for testing group/user access
Indicates if connection was successful
Whether API token is valid and working
Number of groups/roles discovered
Example Request
List Groups
Retrieve and sync Zitadel project roles/groups with the local database.
Action: list-groups or sync-groups
Zitadel configuration ID from zitadel_configurations table
Optional Zitadel project ID to scope roles
Array of groups/roles from Zitadel
Local group mappings
Count of new groups discovered and added
Source of roles: project_roles, user_grants, or org_members
Example Request
List Project Users
Retrieve users with grants/roles on a specific Zitadel project.
Action: list-project-users
Zitadel configuration ID
Zitadel project ID (uses config default if not provided)
Array of users with project access
Data source: grants, project_members, or org_users
Search Users
Search for users in the Zitadel organization.
Action: search-users
Zitadel configuration ID
Search query (searches username, case-insensitive)
Matching users
Get User Groups
Retrieve groups/roles for a specific user.
Action: get-user-groups
Zitadel configuration ID
Zitadel user ID
Array of role keys assigned to user
SSO Callback
Handles the OIDC callback after user authentication and creates or updates the local user.
Action: sso-callback
Zitadel configuration ID
Authorization code from OAuth flow
PKCE code verifier for authorization code flow
Whether authentication succeeded
User’s email address
Temporary password for Supabase sign-in
User information from Zitadel
Get Auth URL
Generates the Zitadel authorization URL for the OIDC login flow.
Action: get-auth-url
Zitadel configuration ID
OAuth state parameter
SHA-256 hashed code challenge for PKCE
Complete authorization URL to redirect user to
State value for verification
Nonce for ID token validation
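The client side of the PKCE exchange behind get-auth-url and sso-callback, as an added example that is not part of the original page or the project's code: it generates the state and code verifier, derives the S256 code challenge per RFC 7636, and checks the returned state before the callback is processed. The function and field names are assumptions for illustration, not the API's parameter names.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Illustrative shape (assumed names): what the client holds for one login attempt.
interface LoginAttempt {
  state: string;         // sent to get-auth-url, compared again on return
  codeVerifier: string;  // kept secret client-side, sent only with sso-callback
  codeChallenge: string; // sent to get-auth-url in place of the verifier
}

// S256 transform from RFC 7636: BASE64URL(SHA-256(ASCII(code_verifier))), no padding.
function codeChallengeS256(verifier: string): string {
  // RFC 7636 section 4.1: 43-128 characters from the unreserved set.
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(verifier)) {
    throw new Error("code verifier must be 43-128 unreserved characters");
  }
  return createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// Fresh random values for every login attempt; never reuse a verifier or state.
function newLoginAttempt(): LoginAttempt {
  const codeVerifier = randomBytes(32).toString("base64url"); // 43 chars, 256 bits
  const state = randomBytes(16).toString("base64url");        // 22 chars, 128 bits
  return { state, codeVerifier, codeChallenge: codeChallengeS256(codeVerifier) };
}

// Compare the state returned on the redirect with the stored one in constant
// time. A missing or mismatched state means the response does not belong to
// this login attempt and the authorization code must not be submitted.
function stateMatches(stored: string, returned: string | null): boolean {
  if (!returned) return false;
  const a = Buffer.from(stored, "utf8");
  const b = Buffer.from(returned, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}
```

Only the state and code challenge leave the client before the redirect; the code verifier is sent once, together with the authorization code, after stateMatches returns true.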
TypeScript Interfaces
Role Mapping
The function automatically maps Zitadel roles to local roles:

| Zitadel Role | Local Role |
|---|---|
| global_admin, admin, administrator | global_admin |
| org_admin, org_manager | org_admin |
| support, helpdesk | support |
| user, member, viewer | user |
Error Handling
Error message if request fails
Configuration not found - Invalid configId
API token not configured - Missing API token for action
OIDC Discovery failed - Cannot reach Zitadel instance
Failed to fetch user grants - Insufficient permissions
Related Tables
zitadel_configurations - Zitadel instance configurations
zitadel_group_mappings - Maps Zitadel roles to local groups
user_zitadel_identities - Links users to Zitadel identities