ZITADEL doesn't support anonymous clients. Honestly, it's not the best practice anyway.

As for Forward Auth, the concept can be a bit fuzzy, and from what I gather, ZITADEL doesn't really support that.

Trusted Header Auth might work in some scenarios, but that definition is also a bit fuzzy, so hard to say for sure.

> ZITADEL doesn't support anonymous clients. Honestly, it's not the best practice anyway.

How would you accomplish the same thing using best practices? The closest is dynamic client registration without requiring an initial access token, but that still requires clients to support the protocol, and I know at least the Jellyfin and Discourse OIDC plugins do not. And even if they did what do you gain over anonymous auth?