Zitadel example Go Webapp encryption key

Question

I'm looking into Zitadel, trying to follow this guide here: https://zitadel.com/docs/examples/login/go

At the end this requires me to have an aes encryption key:

from the example: go run main.go --domain my-domain.zitadel.cloud --key XKv2Lqd7YAq13NUZVUWZEWZeruqyzViM --clientID 243861220627644836@example --redirectURI http://localhost:8089/auth/callback

But I have not seen where can I obtain such key? I went through the docs, but have not seen anything for this issue.

Trying to leave it empty, I receive this error: crypto/aes: invalid key size 0 which I guess is from Go. Writing a 32 byte long random something in it will result: {"error":"invalid_request","error_description":"Errors.App.NotFound"}

The only thing I have found is a master key setting, but I'm not self hosting.

also the docs say: key: The path to the downloaded key.json But the guide never mentioned downloading any json, nor do I see the option to it with webapp.

Answer 1

It seems you made a mistake with the client ID. You should adjust the example command with the data from the application you added during the initial steps of the documentation. If you didn't copy the client ID from the final dialog, it can still be obtained from the application overview. Note that the client ID is not the same as the application ID. This sometimes seems a source of confusion.

You need to use the ID highlighted in the green square.

When I run the command against that application on my demo instance, it works fine. Feel free to try it out my app:

go run . --domain tims-zitadel-instance-oj7iry.zitadel.cloud --key XKv2Lqd7YAq13NUZVUWZEWZeruqyzViM --clientID 256326546925681353@dev --redirectURI http://localhost:8089/auth/callback

also the docs say: key: The path to the downloaded key.json But the guide never mentioned downloading any json, nor do I see the option to it with webapp

That is an error on our side. The key is a unique secret used to perform symmetric encryption of state parameters. This should be treated as a secret. Don't reuse the ones published here or documentation.