Release 2026.5
Highlights
- Account Lockdown (Enterprise): A new panic button for compromised accounts that can immediately cut off access, revoke tokens, end sessions, and leave an audit trail.
- Conditional Access (Enterprise): New connectors verify device compliance and feed it into conditional access flows: Fleet (via Fleet certificates and an mTLS stage, without the authentik agent) and Google Chrome (via Chrome Enterprise Device Trust).
- AKQL is now open source: The AKQL search query language for logs and users, previously enterprise-only, is now free for everyone to use.
- Command Palette and wizard upgrades: A new Cmd + K command palette to search the authentik UI, alongside reworked wizards including a new user creation wizard, improved binding wizard, and new invitation wizard.
- Performance improvements: The new Rust worker entrypoint drops memory usage by approximately 200 MB per worker container, and opens one fewer PostgreSQL connection per worker. The Admin interface is less resource-intensive through lazy-loaded modals.
Breaking changes
Listening on multiple IPs
For advanced use cases, authentik now supports setting listening settings to a comma-separated list of IPs. With this change, the default IP we listen on changed from 0.0.0.0 to [::] to better match ecosystem standards. Some IPv4-only environments might need to adapt those settings.
New features and improvements
Account Lockdown: Enterprise
Account Lockdown gives administrators and users a panic button to secure an account when compromise is suspected. From the Admin interface, an administrator can lock down a user directly from their detail page; users can also lock down their own account from Settings if they no longer trust their password or active sessions.
A lockdown can deactivate the account, invalidate the local authentik password, terminate active sessions, revoke API/app/recovery/verification/OAuth tokens and grants, and record the reason in the audit log. authentik includes a packaged blueprint with warnings, reason collection, and completion messages so teams can get started quickly and customize the experience where needed.
For setup details, refer to the Account Lockdown documentation.
Conditional access: Enterprise
We've added two new connectors that verify device compliance and let you use them as a signal in conditional access flows.
Fleet: authentik can now verify user devices based on their Fleet certificates without requiring the authentik agent, using the Fleet Connector together with an mTLS stage. For details, refer to the Fleet Conditional Access documentation.
Google Chrome: authentik now includes a Google Device Trust connector that integrates with Chrome Enterprise Device Trust via the Chrome Verified Access API. This lets authentik validate that a user's Chrome browser or ChromeOS device is compliant — for example, running an up-to-date version with security patches applied. The connector is especially useful for BYOD environments and remote workforces where device compliance can't be assumed.
Tap-to-login Secure Enclave support: Enterprise
Endpoint Devices now support independent Secure Enclave keys for tap-to-login. This allows iPhone and Apple Watch credentials to be bound directly to a user, so tap-to-login can work without first pairing the credential to a specific endpoint device.
2FA attempt throttling
The Authenticator Validation stage can now throttle repeated failed attempts for email and SMS OTP devices, extending the same brute-force protection already available for TOTP and static authenticators. Admins can tune throttling behavior to slow down repeated guessing attempts without changing the user's login flow.
Import hashed passwords
authentik can now bootstrap and import users with pre-hashed Django passwords, making automated installs and migrations safer by avoiding plaintext passwords in deployment workflows.
Use AUTHENTIK_BOOTSTRAP_PASSWORD_HASH for the initial akadmin password, generate hashes with the new hash_password command, or import hashes later through blueprints and the user password-hash API.
Hashed-password imports update authentik's local password verifier only. Because authentik never receives the raw password, these imports are not written back to LDAP or Kerberos sources.
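The sketch below is an added example, not authentik's or Django's own code: it shows what a pre-hashed value looks like and how to sanity-check one before it goes into a deployment secret. It assumes the PBKDF2-SHA256 layout of Django's default hasher (`pbkdf2_sha256$<iterations>$<salt>$<base64 digest>`); the iteration floor, function names and sample salt are choices made for this example, and the hash_password command remains the supported way to generate hashes.

```python
import base64
import hashlib
import hmac
import secrets
import string
from typing import List, Optional, Tuple

ALGORITHM = "pbkdf2_sha256"   # identifier of Django's default PBKDF2 hasher
MIN_ITERATIONS = 600_000      # assumption: policy floor picked for this example
SALT_ALPHABET = string.ascii_letters + string.digits


def make_pbkdf2_hash(password: str, salt: Optional[str] = None,
                     iterations: int = MIN_ITERATIONS) -> str:
    """Return '<algorithm>$<iterations>$<salt>$<base64 digest>'."""
    if salt is None:
        # 22 alphanumeric characters carry roughly 128 bits of entropy.
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(22))
    if not salt or "$" in salt:
        raise ValueError("salt must be non-empty and must not contain '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return "$".join([ALGORITHM, str(iterations), salt,
                     base64.b64encode(digest).decode("ascii")])


def parse_hash(encoded: str) -> Tuple[int, str, bytes]:
    """Split an encoded hash into (iterations, salt, digest) or raise ValueError."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("expected pbkdf2_sha256$<iterations>$<salt>$<digest>")
    iterations = int(parts[1])          # ValueError on non-numeric input
    if iterations < 1 or not parts[2]:
        raise ValueError("iterations and salt must be present")
    digest = base64.b64decode(parts[3], validate=True)
    if len(digest) != 32:
        raise ValueError("digest is not 32 bytes")
    return iterations, parts[2], digest


def verify_password(password: str, encoded: str) -> bool:
    """Recompute the digest with the stored parameters; compare in constant time."""
    try:
        iterations, salt, expected = parse_hash(encoded)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return hmac.compare_digest(actual, expected)


def preflight(value: str) -> List[str]:
    """Problems with a value about to be deployed as a password hash."""
    try:
        iterations, salt, _ = parse_hash(value)
    except ValueError as exc:
        # Typical cause: a plaintext password pasted where a hash belongs.
        return [f"not an importable hash: {exc}"]
    problems = []
    if iterations < MIN_ITERATIONS:
        problems.append(f"iterations {iterations} below floor {MIN_ITERATIONS}")
    if len(salt) < 16:
        problems.append("salt shorter than 16 characters")
    return problems


if __name__ == "__main__":
    # Constructed sample password and salt, for illustration only.
    sample = make_pbkdf2_hash("correct horse battery", salt="ConstructedSalt0123456")
    print(sample)
    print(preflight(sample), preflight("hunter2"))
```

When such a value is written into a Compose file, each `$` in the hash has to be doubled to `$$`, because Compose treats `$` as the start of a variable reference.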
Command Palette
The new command palette lets you quickly navigate authentik without clicking through menus. Press Cmd + K (or Ctrl + K on Windows and Linux) from anywhere in the UI to open it, then start typing to jump to a page, run an action, or look up a user. You can also use Cmd/Ctrl + / to jump straight into search, or Cmd/Ctrl + Shift + K to open directly to the actions list.
Results are grouped by category, including pages within authentik, users, and documentation searches that open on docs.goauthentik.io. The palette is designed to make routine admin tasks faster — useful when you know what you want to do but don't want to hunt for the right menu.
WebAuthn Client Hints support
The WebAuthn Stage now supports the hints parameter from the WebAuthn Level 3 spec. Admins can configure one or more hints (security-key, client-device, or hybrid) to tell the browser which authenticator type to expect. The browser uses this to skip straight to the relevant selection UI during passkey registration and authentication, reducing friction especially in enterprise deployments where security keys are mandatory.
Keep in mind that hints are advisory — they only affect the browser UI, not policy. Authenticator type requirements still need to be enforced server-side.
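One way to enforce the authenticator type on the server regardless of what the browser showed, as an added example that is not authentik's implementation: parse the WebAuthn authenticator data from a registration and accept it only if its AAGUID is on an allowlist. It assumes the attestation statement was already verified upstream (without that, the AAGUID is unauthenticated); the AAGUIDs, the RP ID and the sample blobs are constructed for the example.

```python
import hashlib
import hmac
import struct
import uuid

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40   # authenticator data flag bits

# Constructed AAGUIDs; real deployments take them from the FIDO MDS.
SECURITY_KEY_AAGUID = uuid.UUID("11111111-2222-3333-4444-555555555555")
PLATFORM_AAGUID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
ALLOWED_AAGUIDS = frozenset({SECURITY_KEY_AAGUID})


class PolicyError(Exception):
    """Raised when a registration does not satisfy the server-side policy."""


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse rpIdHash | flags | signCount | [aaguid | credIdLen | credId | key]."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if flags & FLAG_AT:  # attested credential data is present
        if len(auth_data) < 55:
            raise ValueError("truncated attested credential data")
        (cred_len,) = struct.unpack(">H", auth_data[53:55])
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID runs past the end of the data")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        parsed["credential_id"] = cred_id
    return parsed


def check_registration(auth_data: bytes, rp_id: str,
                       allowed=ALLOWED_AAGUIDS, require_uv: bool = True) -> uuid.UUID:
    """Return the AAGUID if the registration meets policy, else raise PolicyError.

    The decision uses only what the authenticator reported, never the hints
    that were sent to the browser.
    """
    parsed = parse_auth_data(auth_data)
    expected = hashlib.sha256(rp_id.encode("utf-8")).digest()
    if not hmac.compare_digest(parsed["rp_id_hash"], expected):
        raise PolicyError("rpIdHash does not match this relying party")
    if not parsed["flags"] & FLAG_UP:
        raise PolicyError("user presence flag not set")
    if require_uv and not parsed["flags"] & FLAG_UV:
        raise PolicyError("user verification required but not performed")
    if parsed["aaguid"] is None:
        raise PolicyError("no attested credential data in registration")
    if parsed["aaguid"] not in allowed:
        raise PolicyError(f"authenticator {parsed['aaguid']} is not on the allowlist")
    return parsed["aaguid"]


def build_auth_data(rp_id: str, flags: int, aaguid: uuid.UUID, cred_id: bytes) -> bytes:
    """Build a constructed authenticator-data blob for the demo and tests."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags])
            + struct.pack(">I", 0) + aaguid.bytes
            + struct.pack(">H", len(cred_id)) + cred_id
            + b"\xa0")  # placeholder for the COSE public key (empty CBOR map)


if __name__ == "__main__":
    rp = "auth.example.test"  # constructed RP ID
    flags = FLAG_UP | FLAG_UV | FLAG_AT
    # Both registrations could follow a request that carried hints=["security-key"].
    for name, aaguid in (("security key", SECURITY_KEY_AAGUID),
                         ("platform authenticator", PLATFORM_AAGUID)):
        blob = build_auth_data(rp, flags, aaguid, b"\x01" * 16)
        try:
            print(name, "accepted:", check_registration(blob, rp))
        except PolicyError as exc:
            print(name, "rejected:", exc)
```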
AKQL is now open source
The AKQL search query language was previously an enterprise-only feature for querying logs and users. AKQL is now free for everyone to use, allowing searches based on specific attributes such as context.geo.country = "Germany".
OAuth2 configurable grant types
OAuth2 providers now have a Grant Types setting that lets admins explicitly choose which grant types a given provider may use. The available options are Authorization Code, Implicit, Hybrid, Refresh token, Client credentials, Password, and Device-code. Existing providers default to having all grant types enabled to preserve current behavior, but you can now disable any grant types you don't want a particular client to use — useful for tightening security on individual integrations and disabling legacy flows like Implicit or Password where they aren't needed.
Improved UI and accessibility
Accessibility and user experience improvements have been made across the admin interface.
Form accessibility
Form labels have been updated to be more descriptive for screen readers, and now inform you of the full action that will be executed when the button is pressed. This change is being rolled out across the entire admin interface, starting with the most commonly used buttons and forms. These changes have all been reflected in the docs as well, helping to make authentik more accessible for all users.
Modal accessibility
In addition to general improvements to form accessibility, many of our modals now use the browser native <dialog> element, fixing several issues which prevented screen readers from properly traversing modal content. We'll be phasing out the remaining non-<dialog> modals over the next few releases to ensure a more consistent and accessible experience across the entire admin interface.
Wizard improvements
Wizards throughout authentik have been reworked to have fewer steps and cover the most common use cases.
The invitation wizard in particular now makes it easy for administrators to send invites to new users. It guides admins through the process of configuring an invite system and sending the invites to users.
Service accounts are now created through the new user creation wizard, which has been reworked to be more intuitive and faster to use.
Mobile and tablet improvements
While authentik's admin interface is primarily designed for desktop use, we've made several improvements to make it more usable on mobile and tablet devices for those times when you need to make a quick change on the go.
Login improvements
The login flow has additional UI improvements to reduce friction and make it easier to use, including:
- An improved "Remember me" option that autofocuses the most appropriate input field based on the presence of a username or password field.
- Better error handling and messaging for failed login attempts, including more specific error messages for WebAuthn when authentication fails.
- Additional mobile optimizations, such as better keyboard handling, field focus, and responsive design improvements to make the login flow easier to use on mobile and tablet devices.
Small general improvements
SAML provider issuer: authentik now automatically generates your SAML issuer URL. You can still override the default SAML issuer.
SAML provider unified endpoints: Instead of an individual endpoint for login and logout for redirect and post, there is now a single SAML endpoint that handles login and logout for both request methods.
Application Dashboard: The My applications page has been renamed to Application Dashboard, and related option labels have been updated to match. Our documentation and integration guides have been updated as well. You can now also hide applications from the Application Dashboard page using the new Hide from Application Dashboard toggle.
Before authentik 2026.5, an application was hidden by setting its Launch URL to blank://blank. Existing applications using that value are automatically migrated to using the Hide from Application Dashboard option upon upgrading.
Dependencies: We've removed 17 packages from authentik. Fewer dependencies mean less code to maintain and keep patched, and a smaller attack surface overall.
Performance improvements
The authentik worker now starts through a Rust entrypoint. Python still runs authentik's worker code, but the Rust process owns worker startup, health checks, metrics, and worker-status reporting. This removes an idle top-level Python process and has led to an approximately 200 MB drop in memory usage for a single worker container. If you're a developer, check the updated Developer Docs to install Rust.
The worker status reporting change also uses one fewer PostgreSQL connection per worker, which should put less load on the database.
The Admin interface is also less resource-intensive in the browser due to lazy-loaded modals.
New out-of-the-box experience
When setting up authentik for the first time, you will now automatically be redirected to the initial-setup flow instead of having to manually go there to complete your authentik installation.
New integration guides
An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. A big thanks to our contributors!
- Absorb LMS (Thanks to @dewi-tik!)
- Anthropic (Thanks to @dominic-r!)
- Anthropic Workload Identity Federation (Thanks to @dominic-r!)
- Forgejo (Thanks to @djagoo!)
- grommunio (Thanks to @snxRCS!)
- Okta (Thanks to @dewi-tik!)
- OneUptime (Thanks to @M-Slanec!)
- PhotoPrism (Thanks to @dominic-r!)
- PostHog (Thanks to @dominic-r!)
- RabbitMQ (Thanks to @djooberlee!)
- Splunk Enterprise (Thanks to @jhuesser!)
- Technitium DNS (Thanks to @scinca!)
Integration guide updates
- The GitHub Enterprise integration docs were revamped and split into dedicated guides for GitHub Enterprise Cloud, GitHub Enterprise Managed Users, and GitHub Enterprise Server, making it easier to pick the right SAML and SCIM setup path. (Thanks to @dominic-r!)
- Integration guides that configure application-side roles and permissions now use authentik Application Entitlements, giving admins a more consistent pattern for mapping access. (Thanks to @dominic-r!)
- The Jellyseerr integration guide was updated for the project's move to Seerr. (Thanks to @BreizhHardware!)
- The Home Assistant guide now covers both supported community OIDC integrations, christiaangoossens/hass-oidc-auth and cavefire/hass-openid, with UI and YAML setup options. (Thanks to @christiaangoossens!)
- The NetBird guide was refreshed to match NetBird's current authentik provider setup, with separate paths for adding authentik as an external identity provider or fully replacing NetBird's embedded IdP. (Thanks to @dominic-r!)
Upgrading
This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.
When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance.
Docker Compose
To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
wget -O docker-compose.yml https://goauthentik.io/version/2026.5/lifecycle/container/compose.yml
docker compose up -d
The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.
Kubernetes
Upgrade the Helm Chart to the new version, using the following commands:
helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2026.5
Minor changes/fixes
- admin/files: allow configuring S3 signature version (#20639)
- admin/files: sign custom-domain S3 URLs for the final host (#21704)
- api: cleanup enums (#21201)
- api: make ordering null-aware (#22099)
- api: set authenticated session user agent nullable properties (#22059)
- blueprints: fix mismatched API schema and implementation (cherry-pick #22087 to version-2026.5) (#22171)
- blueprints: rework one-time import (#18074)
- core, web: update translations (#22129)
- core, web: Vendored client follow-ups (#21174)
- core: add cooldown to dependabot (#21286)
- core: add flag for future default behaviour of requiring a binding to access an application (#16247)
- core: add logging when session decode fails (#21514)
- core: add support for hiding applications from the user dashboard (#21530)
- core: allow interfaces to specify alternative stylesheets (#20774)
- core: Application stats, device events & cleanup (#21225)
- core: Apply CSpell corrections. (#20191)
- core: complete rework to oobe and setup experience (#21753)
- core: redirect service accounts away from main UI like external users (#20900)
- core: refresh signed media URLs in flows (#21553)
- core: remove filter_not_expired for QS (#18274)
- core: simplify boolean (#21790)
- core: support hashed password in users API + automated install (#18686)
- core: survive the empty-queryset race in chunked_queryset (#21666)
- core: uncomment failFast in cspell config file (#21116)
- core: users/groups reduce number of database queries (#20431)
- core/applications: Optimize list applications when only_with_launch_url=true (#20428)
- crypto: improve discovery for mounted k8s TLS Secrets (#17636)
- docs,ci: fix main daily compose downloads + release template (#21448)
- docs: Improve docs on webauthn authenticator attachment (#22045)
- endpoints: remove print line (cherry-pick #22325 to version-2026.5) (#22327)
- endpoints/connectors/agent: cleanup leftover (#20808)
- enterprise: account lockdown (#18615)
- enterprise: fix account lockdown target handling (cherry-pick #22246 to version-2026.5) (#22252)
- enterprise/endpoints/connectors: add google_chrome (#19129)
- enterprise/endpoints/connectors: Fleet conditional access stage (#20978)
- enterprise/endpoints/connectors/agent: add independent secure enclave support for tap to login (#20766)
- enterprise/lifecycle: remove one review per object limitation (#21046)
- enterprise/providers/scim: add support for interactive OAuth2 (cherry-pick #22072 to version-2026.5) (#22337)
- enterprise/providers/ssf: more conformance fixes (#21521)
- enterprise/providers/ssf: test conformance (#21383)
- enterprise/search: move QL to open source (#21484)
- enterprise/stages/mtls: attempt fix freezegun (cherry-pick #22474 to version-2026.5) (#22501)
- enterprise/stages/mtls: fix traefik cert encoding (#20483)
- enterprise/stages/mtls: freeze time for expired certs (cherry-pick #22411 to version-2026.5) (#22415)
- events: add helper to log deprecation configuration_warning message (#21115)
- events: add index on Event.user.pk (#19576)
- events: add option to configure webhook CA (#20823)
- events: don't log cacheentry events (#21597)
- events: fix exception in volume endpoint, adjust simple table size (#21230)
- Fix redirect URI in Seafile integration documentation (#20532)
- flows: add warning message for expired password reset links (#21395)
- flows: preserve signed background URLs in CSS (#21868)
- flows: remove link to overview for non-internal user (cherry-pick #22362 to version-2026.5) (#22371)
- internal: Automated internal backport: CVE-2026-40165.sec.patch to authentik-2026.5 (#22290)
- internal: Automated internal backport: CVE-2026-40166.sec.patch to authentik-2026.5 (#22291)
- internal: Automated internal backport: CVE-2026-40172.sec.patch to authentik-2026.5 (#22292)
- internal: Automated internal backport: CVE-2026-41569.sec.patch to authentik-2026.5 (#22293)
- internal: Automated internal backport: CVE-2026-41577.sec.patch to authentik-2026.5 (#22294)
- internal: Automated internal backport: CVE-2026-42849.sec.patch to authentik-2026.5 (#22295)
- internal: Automated internal backport: GHSA-5wcc-hf24-rf5h.sec.patch to authentik-2026.5 (#22296)
- internal: Automated internal backport: GHSA-973w-j457-rp2m.sec.patch to authentik-2026.5 (#22297)
- internal: remove unix sockets on shutdown (#21081)
- internal/outpost: serialize websocket writes to prevent panic (#21728)
- internal/outpost/ak: fix ws URL on outpost restart (#21041)
- internal/web: remove authentication for metrics (#21077)
- lib/config: explicit some defaults (#21079)
- lib/config: support printing multiple values (#21080)
- lifecycle: disable gunicorn control socket (#21408)
- lifecycle/ak: Add manage support (cherry-pick #22176 to version-2026.5) (#22221)
- lifecycle/container: allow cross-compilation from arm64 to amd64 (#21817)
- lifecycle/container: fix OCI image labels (#21574)
- lifecycle/container: fix rust builds and pin toolchain version (#20300)
- lifecycle/container: only mount required packages directories (#21859)
- lifecycle/worker_process: fix healthchecks and metrics not reloading db connections after a failure (#21992)
- locale: fix de_DE locale placeholder (#22130)
- outposts: Create separate metrics service in Kubernetes (#21229)
- outposts: fix stale version in OutpostState (cherry-pick #22487 to version-2026.5) (#22505)
- outposts/controllers/k8s: add option to disable strict x509 checks (#21210)
- packages: use openapi-generator-ignore instead of deleting extra files (#21209)
- packages/ak-axum: init (#21313)
- packages/ak-axum/accept/catch_panic: add acceptor to catch panics in lower acceptors, streams and services (#21860)
- packages/ak-axum/accept/proxy_protocol: init (#21319)
- packages/ak-axum/accept/tls: init (#21318)
- packages/ak-axum/error: init (#21315)
- packages/ak-axum/extract/client_ip: init (#21321)
- packages/ak-axum/extract/host: init (#21323)
- packages/ak-axum/extract/scheme: init (#21322)
- packages/ak-axum/extract/trusted_proxy: init (#21320)
- packages/ak-axum/router: add X-Powered-By to all responses (#21940)
- packages/ak-axum/server: cleanup unix socket (#21477)
- packages/ak-axum/server: fix unix socket cleanup when allow_failure is unset (#21645)
- packages/ak-axum/server: init (#21317)
- packages/ak-axum/tracing: init (#21316)
- packages/ak-common, ak-axum: improve logging (#21476)
- packages/ak-common: rename from ak-lib (#21314)
- packages/ak-common: use imports where possible (#21478)
- packages/ak-common/arbiter: init (#21253)
- packages/ak-common/config: add set helper for tests (#21356)
- packages/ak-common/config: fix boolean parsing from env variable (#21835)
- packages/ak-common/config: fix string load broken after previous fix (#21854)
- packages/ak-common/config: init (#21256)
- packages/ak-common/db: init (#21357)
- packages/ak-common/mode: init (#21259)
- packages/ak-common/tls: init (#21262)
- packages/ak-common/tokio/proxy_protocol: init (#21311)
- packages/ak-common/tracing: get sentry config from API for outposts (#21625)
- packages/ak-common/tracing: init (#21263)
- packages/ak-common/tracing: make log level lowercase (#21991)
- packages/ak-lib: init (#21257)
- packages/client-go: init (#21139)
- packages/client-rust: fix portable sed usage (#21337)
- packages/client-rust: init (#21117)
- packages/client-ts: Fix TypeScript config, ESBuild warnings (#21863)
- packages/client-ts: init (#21120)
- packages/clients: only generate needed endpoints (#21578)
- packages/django-dramatiq-postgres: add index for (queue_name, state, eta) (#21175)
- packages/django-dramatiq-postgres: fix default value for HTTPServerThread (#21216)
- packages/django-postgres-cache: fix expiry and delete (#21307)
- packages/django-postgres-cache: rework to use ORM (#17771)
- packages/docusaurus-config: update config for docusaurus 3.10 (#21471)
- policies: remove BufferedPolicyAccessView (#20521)
- policies: remove BufferedPolicyAccessView leftovers (#21057)
- policies/event_matcher: Add query option to filter events (#21618)
- providers/oauth: make rp init logout oidc certification changes (#21815)
- providers/oauth: post_logout_redirect_uri support (#20011)
- providers/oauth2: Configure allowed grant types (#20363)
- providers/oauth2: evaluate property mappings in client credentials JWT flow (#20979)
- providers/oauth2: override RedirectURITypeEnum capitalization for generated API (#22037)
- providers/oauth2: require client_secret on device_code exchange for confidential clients (#21700)
- providers/proxy: fix oidc client not using socket in embedded outpost (#21280)
- providers/rac: add e2e tests (#21390)
- providers/saml: Add sls to saml overview (cherry-pick #22183 to version-2026.5) (#22368)
- providers/saml: generate issuer url when provider is set on app (#18022)
- providers/saml: handle XML declarations in unified endpoint (cherry-pick #22455 to version-2026.5) (#22539)
- providers/saml: make issuer url metadata url (cherry-pick #22178 to version-2026.5) (#22184)
- providers/saml: make unified saml endpoint (cherry-pick #20026 to version-2026.5) (#22187)
- providers/saml: Properly import audience from metadata. (cherry-pick #22181 to version-2026.5) (#22449)
- providers/saml: send logoutResponse on sp-init logout (#17691)
- providers/SCIM: Add discover support (#20658)
- providers/scim: add webex compatibility mode (#21208)
- providers/scim: ak_groups -> groups in tests (#20580)
- providers/scim: fix vCenter compatibility mode (#21830)
- providers/scim: use modified GroupMember class to support extra attributes on it (#20827)
- release: 2026.5.0-rc1
- release: 2026.5.0-rc2
- revert: web: Consistent use of "User Dashboard" (#22038) (#22046)
- root: add git attributes for generated/vendored (#21177)
- root: add more logging to worker requests (#21989)
- root: allow listening on multiple IPs (#20930)
- root: cleanup API generation (#21172)
- root: configure dependabot for cargo (#21118)
- root: configure freezegun to exclude cryptography (cherry-pick #22442 to version-2026.5) (#22448)
- root: ensure uv sync does not update uv.lock (#22084)
- root: fix gen-changelog and gen-diff (#20598)
- root: fix dependabot config for docker (#20380)
- root: fix gitignore binary paths (cherry-pick #22445 to version-2026.5) (#22485)
- root: fix log function to redirect output to stderr (#20858)
- root: fix rust build with uv-installed Python (#21858)
- root: fix rust setup (#21078)
- root: fix rustfmt config (#21312)
- root: fix scripts compose & gen-diff (#21389)
- root: fix test runner dropping exit code (#20630)
- root: include relative time for each test case in logs (#21445)
- root: init rust worker (#21324)
- root: init rust workspace (#20983)
- root: introduce allinone mode (#21990)
- root: makefile: remove spellcheck from lint-fix (#20924)
- root: misc API client and web typing fixes (#21388)
- root: only allow listen failure in dev (#21987)
- root: optimize api client generation speed (#21141)
- root: refreshed icon (cherry-pick #22265 to version-2026.5) (#22266)
- root: remove unused django-cte (#20090)
- root: run npm i with npm@11.10.1 in all subdirectories (#20471)
- root: update rustls-webpki (#21769)
- root/channels: use group_send_blocking where possible (#21993)
- scripts/api_filter_schema: fix authentication (#21644)
- security: CVE-2026-25227 (#20239)
- security: CVE-2026-25748 (#20240)
- security: CVE-2026-25922 (#20241)
- source/saml: Add forceauthn to saml authnrequest (#20883)
- sources/ldap: Better Active Directory tests (#21281)
- sources/ldap: catch Google LDAP rate-limit errors during schema fetch (#21638)
- sources/ldap: Switch to new connection tracking, deprecated attribute-based connection (#21392)
- sources/oauth: correctly check requests' exception response (#21386)
- sources/oauth: ensure user ID is returned as str (#21880)
- sources/oauth: pick a single pkce method from OIDC discovery, not the whole list (#21689)
- sources/saml: improve exception handling for saml response parsing (#20125)
- stage/authenticator*: expand attempt throttling to email- and sms-based 2FA (#21751)
- stage/invitation: Send invite via email UI (#19823)
- stages/authenticator_webauthn: Add WebAuthn client hints support (#20700)
- stages/authenticator_webauthn: save attestation certificate when creating credential (#20095)
- stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#20305)
- stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#20642)
- stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#20905)
- stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#21290)
- stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#21612)
- stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#21999)
- stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (#22128)
- stages/authenticator_webauthn: Update FIDO MDS3 & Passkey aaguid blobs (cherry-pick #22322 to version-2026.5) (#22323)
- stages/invitation: Invitation wizard (#20399)
- stages/user_write: refuse to write id/pk claims onto the user model (#21667)
- tasks: better error message for Retry exceptions (#18235)
- tasks: fix the occasional DatabaseError for no updated fields (#20629)
- tasks: fix workers API URL missing trailing / (#20954)
- tasks: improved tests (#18978)
- tasks: threads instead of forks (#19476)
- tenants: add option to mark flag as deprecated (#22063)
- tenants: fix default schema in initial migration (#21114)
- tenants: fix system flags removeable (cherry-pick #22163 to version-2026.5) (#22182)
- tests: add mixin to launch traefik for tests requiring SSL (#22011)
- tests: refactor test harness to split apart a single file (#21391)
- translate: Updates for project authentik and language bg_BG (#22112)
- translate: Updates for project authentik and language cs_CZ (#22115)
- translate: Updates for project authentik and language de_DE (#21825)
- translate: Updates for project authentik and language de_DE (#22113)
- translate: Updates for project authentik and language es_ES (#22116)
- translate: Updates for project authentik and language fi_FI (#22114)
- translate: Updates for project authentik and language fr_FR (#21056)
- translate: Updates for project authentik and language fr_FR (#21214)
- translate: Updates for project authentik and language fr_FR (#21285)
- translate: Updates for project authentik and language fr_FR (#21378)
- translate: Updates for project authentik and language fr_FR (#21474)
- translate: Updates for project authentik and language fr_FR (#22008)
- translate: Updates for project authentik and language fr_FR (#22015)
- translate: Updates for project authentik and language fr_FR (#22117)
- translate: Updates for project authentik and language it_IT (#22123)
- translate: Updates for project authentik and language ja_JP (#22118)
- translate: Updates for project authentik and language no_NO (#21862)
- translate: Updates for project authentik and language no_NO (#22120)
- translate: Updates for project authentik and language pl_PL (#22124)
- translate: Updates for project authentik and language pt_BR (#22111)
- translate: Updates for project authentik and language pt_PT (#22122)
- translate: Updates for project authentik and language ru_RU (#22119)
- translate: Updates for project authentik and language tr_TR (#22125)
- translate: Updates for project authentik and language zh-Hans (#22121)
- web, website: Update name to application dashboard (cherry-pick #22190 to version-2026.5) (#22374)
- web: Apply CSpell corrections. (#20190)
- web: build system had some legacy stuff that I found confusing while working on the CSS ordering (#20698)
- web: Clear remember me before navigation. (#21647)
- web: Close modal on route navigation (#21622)
- web: CodeSpell -> CSpell migration (#20188)
- web: Consistent use of "User Dashboard" (#22038)
- web: fix a few visual nits reported after the latest release (#22012)
- web: Fix admin table horizontal scrolling (#20960)
- web: Fix element property names with custom attributes. (#20396)
- web: fix identification stage OUIA attributes (#22049)
- web: Fix issue where default user path is not preferred. (cherry-pick #22139 to version-2026.5) (#22364)
- web: Fix table visibility checks, search params. (#21623)
- web: Fix Vendored Lex package. Add Unit Tests (#22083)
- web: Gracefully handle missing element construction. (#21787)
- web: link file picker to docs (#20995)
- web: lint/small type errors (#21179)
- web: merge MFA devices and tokens into unified Credentials tab (#21705)
- web: Normalize use of .toJSON() over .json() (#21621)
- web: Packagify Logger (#20541)
- web: Radio and Checkbox Input Revisions (#21792)
- web: remove native fieldset borders from action groups (#21334)
- web: rename SCIM provider "User filtering" section to "Filtering" (#20879)
- web: revert tree-sitter removal from lockfile (#20377)
- web: Supply our font and color choices to rapidoc. (#20775)
- web: User Wizard, Modal Revisions Merge Branch (#21336)
- web/a11y: Modal revisions, component name normalization (#21205)
- web/a11y: Modals, Command Palette (Merge branch) (#17812)
- web/admin: add outposts view page (#21167)
- web/admin: Allow binding users/groups in policy binding wizard and existing stage in stage binding wizard (#21697)
- web/admin: Cleanup spacing in and around cards (#21199)
- web/admin: fix log viewer layout for application access check (#21594)
- web/admin: fix missing icon on app view page (#21251)
- web/admin: fix policy/stage wizard label, fix connector create wizard, cleanup (#21781)
- web/admin: fix user list avatar (#21531)
- web/admin: fix user wizard close button (cherry-pick #22222 to version-2026.5) (#22243)
- web/admin: Improve WS-Fed algo selection logic (#20881)
- web/admin: include avatar in user list page (#21518)
- web/admin: legacy modal fixes and fix log viewer in form layout (cherry-pick #22168 to version-2026.5) (#22173)
- web/admin: maintenance: centralize types that are used across stages (#20398)
- web/admin: maintenance: give dialogs default exports (#20397)
- web/admin: more and more polish (#21303)
- web/admin: polish recent events, various button alignments and labels (#21232)
- web/admin: redirect stage: adds mention of static url (#22060)
- web/admin: remove side-padding on user paths (#22088)
- web/admin: show app events on app page (#21203)
- web/admin: use bindings form for app entitlements (#22007)
- web/admin: User wizard label adjust and deactivate navigation when wizard is finished (cherry-pick #22133 to version-2026.5) (#22191)
- web/e2e: accept options in NavigatorFixture.waitForPathname (#21507)
- web/elements: Add preserve-order, no-search and no-status attributes to ak-dual-select (#20749)
- web/elements: add scrollbar helpers and apply to Interface (#21511)
- web/elements: Add static table class (#21181)
- web/elements: add viewport helpers and extend intersection observer (#21508)
- web/elements: allow table per-column options (#21250)
- web/elements: default @listen target to host element and add split-button Dropdown (#21512)
- web/flow: bug: inspector button not hiding when unavailable (#20717)
- web/flow: extract lifecycle events peripheral to stage management into their own controllers (#20898)
- web/flow: fix typo in RedirectStage (#20488)
- web/flow: generate a single API object for network transactions and use it for the lifetime of the FlowExecutor (#20030)
- web/flow: provide labels for the stage import-and-invoke table (#20834)
- web/flow: provide layout url as needed (#20991)
- web/flow: refactor flow executor so component selection is in an easy-to-maintain table (#19999)
- web/flow: separate flow inspector lifecycle from flow executor lifecycle (#20063)
- web/flow: separate out independent behavior tracks from IdentificationStage (autoredirect, webauthn, captcha, remember me) (#20578)
- web/flow: Tidy identification stage (#20261)
- web/flow/stages: permit the form handler to look in the light or shadowDOM for controls (#20832)
- web/flows: fix continuous flow leftovers (#21158)
- web/flows: Fix username autofocus. (#21646)
- web/flows: update flow background (#22032)
- web/maintenance: no unknown attributes part 2 (#19014)
- web/rac: Ignore empty remote clipboard payloads (#22067)
- Web/release202604/nits 2 (#22040)
- web/stages: better wording for webauthn authenticator attachments options (#22062)
- web/style/flow: flow css barrel file (#20833)
- web/styles: add ak-c-loading-skeleton CSS component (#21510)
- web/styles: switch to upstream RedHat variable fonts and brighten orange palette (#21509)
- web/table: fetch on first render when already visible (cherry-pick #22376 to version-2026.5) (#22438)
API Changes
authentik (v 2026.5.0)
What's New
POST /core/users/{id}/set_password_hash/
POST /core/users/account_lockdown/
GET /endpoints/agents/psso/ise/
POST /endpoints/agents/psso/ise/
GET /endpoints/agents/psso/ise/{uuid}/
PUT /endpoints/agents/psso/ise/{uuid}/
DELETE /endpoints/agents/psso/ise/{uuid}/
PATCH /endpoints/agents/psso/ise/{uuid}/
GET /endpoints/agents/psso/ise/{uuid}/used_by/
GET /endpoints/google_chrome/connectors/
POST /endpoints/google_chrome/connectors/
GET /endpoints/google_chrome/connectors/{connector_uuid}/
PUT /endpoints/google_chrome/connectors/{connector_uuid}/
DELETE /endpoints/google_chrome/connectors/{connector_uuid}/
PATCH /endpoints/google_chrome/connectors/{connector_uuid}/
GET /endpoints/google_chrome/connectors/{connector_uuid}/used_by/
GET /events/events/stats/
POST /managed/blueprints/import/
GET /stages/account_lockdown/
POST /stages/account_lockdown/
GET /stages/account_lockdown/{stage_uuid}/
PUT /stages/account_lockdown/{stage_uuid}/
DELETE /stages/account_lockdown/{stage_uuid}/
PATCH /stages/account_lockdown/{stage_uuid}/
GET /stages/account_lockdown/{stage_uuid}/used_by/
POST /stages/invitation/invitations/{invite_uuid}/send_email/
GET /tasks/workers/
DELETE /ssf/streams/{uuid}/
What's Deleted
POST /flows/instances/import/
GET /tasks/workers
What's Changed
GET /admin/file/
Parameters:
Changed: usage in query
DELETE /admin/file/
Parameters:
Changed: usage in query
GET /admin/settings/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
flags(object)New required properties:
core_default_app_access
New optional properties:
policies_buffered_access_view
-
Added property
core_default_app_access(boolean)Configure if applications without any policy/group/user bindings should be accessible to any user.
-
Deleted property
policies_buffered_access_view(boolean) -
Changed property
enterprise_audit_include_expanded_diff(boolean)Include additional information in audit logs, may incur a performance penalty.
-
Changed property
flows_continuous_login(boolean)Upon successful authentication, re-start authentication in other open tabs.
-
Changed property
flows_refresh_others(boolean)Refresh other tabs after successful authentication.
-
PUT /admin/settings/
Request:
Changed content type : application/json
-
Changed property
flags(object)New required properties:
core_default_app_access
New optional properties:
policies_buffered_access_view
-
Added property
core_default_app_access(boolean)Configure if applications without any policy/group/user bindings should be accessible to any user.
-
Deleted property
policies_buffered_access_view(boolean) -
Changed property
enterprise_audit_include_expanded_diff(boolean)Include additional information in audit logs, may incur a performance penalty.
-
Changed property
flows_continuous_login(boolean)Upon successful authentication, re-start authentication in other open tabs.
-
Changed property
flows_refresh_others(boolean)Refresh other tabs after successful authentication.
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
flags(object)New required properties:
core_default_app_access
New optional properties:
policies_buffered_access_view
-
Added property
core_default_app_access(boolean)Configure if applications without any policy/group/user bindings should be accessible to any user.
-
Deleted property
policies_buffered_access_view(boolean) -
Changed property
enterprise_audit_include_expanded_diff(boolean)Include additional information in audit logs, may incur a performance penalty.
-
Changed property
flows_continuous_login(boolean)Upon successful authentication, re-start authentication in other open tabs.
-
Changed property
flows_refresh_others(boolean)Refresh other tabs after successful authentication.
-
PATCH /admin/settings/
Request:
Changed content type : application/json
-
Changed property
flags(object)New required properties:
core_default_app_access
New optional properties:
policies_buffered_access_view
-
Added property
core_default_app_access(boolean)Configure if applications without any policy/group/user bindings should be accessible to any user.
-
Deleted property
policies_buffered_access_view(boolean) -
Changed property
enterprise_audit_include_expanded_diff(boolean)Include additional information in audit logs, may incur a performance penalty.
-
Changed property
flows_continuous_login(boolean)Upon successful authentication, re-start authentication in other open tabs.
-
Changed property
flows_refresh_others(boolean)Refresh other tabs after successful authentication.
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
flags(object)New required properties:
core_default_app_access
New optional properties:
policies_buffered_access_view
-
Added property
core_default_app_access(boolean)Configure if applications without any policy/group/user bindings should be accessible to any user.
-
Deleted property
policies_buffered_access_view(boolean) -
Changed property
enterprise_audit_include_expanded_diff(boolean)Include additional information in audit logs, may incur a performance penalty.
-
Changed property
flows_continuous_login(boolean)Upon successful authentication, re-start authentication in other open tabs.
-
Changed property
flows_refresh_others(boolean)Refresh other tabs after successful authentication.
-
GET /core/authenticated_sessions/{uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
user_agent(object)Get parsed user agent
-
Changed property
device(object)User agent device
-
Changed property
brand(string) -
Changed property
model(string)
-
-
Changed property
os(object)User agent os
-
Changed property
major(string) -
Changed property
minor(string) -
Changed property
patch(string) -
Changed property
patch_minor(string)
-
-
-
GET /core/brands/{brand_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type : application/json
- Added property
flow_lockdown(string)
PUT /core/brands/{brand_uuid}/
Request:
Changed content type : application/json
- Added property
flow_lockdown(string)
Return Type:
Changed response : 200 OK
- Changed content type : application/json
- Added property
flow_lockdown(string)
PATCH /core/brands/{brand_uuid}/
Request:
Changed content type : application/json
- Added property
flow_lockdown(string)
Return Type:
Changed response : 200 OK
- Changed content type : application/json
- Added property
flow_lockdown(string)
POST /events/events/export/
Parameters:
Added: context_device in query
Context Device Primary Key
GET /lifecycle/iterations/latest/{content_type}/{object_id}/
Operation ID:
Changed: lifecycle_iterations_latest_retrieve to lifecycle_iterations_list_latest
Parameters:
Added: ordering in query
Which field to use when ordering the results.
Added: search in query
A search term.
Added: user_is_reviewer in query
Return Type:
Changed response : 200 OK
- Changed content type :
application/json
GET /policies/event_matcher/{policy_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
query(string)
Changed property
app(string)
Match events created by selected application. When left empty, all applications are matched.
Added enum values:
authentik.enterprise.endpoints.connectors.google_chrome
authentik.enterprise.stages.account_lockdown
Removed enum value:
authentik.enterprise.search
Changed property
model(string)
Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum values:
authentik_endpoints_connectors_google_chrome.googlechromeconnector
authentik_stages_account_lockdown.accountlockdownstage
-
PUT /policies/event_matcher/{policy_uuid}/
Request:
Changed content type : application/json
-
Added property
query(string)
Changed property
app(string)
Match events created by selected application. When left empty, all applications are matched.
Added enum values:
authentik.enterprise.endpoints.connectors.google_chrome
authentik.enterprise.stages.account_lockdown
Removed enum value:
authentik.enterprise.search
Changed property
model(string)
Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum values:
authentik_endpoints_connectors_google_chrome.googlechromeconnector
authentik_stages_account_lockdown.accountlockdownstage
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
query(string)
Changed property
app(string)
Match events created by selected application. When left empty, all applications are matched.
Added enum values:
authentik.enterprise.endpoints.connectors.google_chrome
authentik.enterprise.stages.account_lockdown
Removed enum value:
authentik.enterprise.search
Changed property
model(string)
Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum values:
authentik_endpoints_connectors_google_chrome.googlechromeconnector
authentik_stages_account_lockdown.accountlockdownstage
-
PATCH /policies/event_matcher/{policy_uuid}/
Request:
Changed content type : application/json
-
Added property
query(string)
Changed property
app(string)
Match events created by selected application. When left empty, all applications are matched.
Added enum values:
authentik.enterprise.endpoints.connectors.google_chrome
authentik.enterprise.stages.account_lockdown
Removed enum value:
authentik.enterprise.search
Changed property
model(string)
Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum values:
authentik_endpoints_connectors_google_chrome.googlechromeconnector
authentik_stages_account_lockdown.accountlockdownstage
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
query(string)
Changed property
app(string)
Match events created by selected application. When left empty, all applications are matched.
Added enum values:
authentik.enterprise.endpoints.connectors.google_chrome
authentik.enterprise.stages.account_lockdown
Removed enum value:
authentik.enterprise.search
Changed property
model(string)
Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum values:
authentik_endpoints_connectors_google_chrome.googlechromeconnector
authentik_stages_account_lockdown.accountlockdownstage
-
GET /providers/saml/{id}/metadata/
Parameters:
Changed: force_binding in query
GET /providers/wsfed/{id}/metadata/
Parameters:
Changed: force_binding in query
GET /core/applications/{slug}/
Return Type:
Changed response : 200 OK
- Changed content type : application/json
- Added property
meta_hide(boolean)
Hide this application from the user's My applications page.
PUT /core/applications/{slug}/
Request:
Changed content type : application/json
- Added property
meta_hide(boolean)
Hide this application from the user's My applications page.
Return Type:
Changed response : 200 OK
- Changed content type : application/json
- Added property
meta_hide(boolean)
Hide this application from the user's My applications page.
PATCH /core/applications/{slug}/
Request:
Changed content type : application/json
- Added property
meta_hide(boolean)
Hide this application from the user's My applications page.
Return Type:
Changed response : 200 OK
- Changed content type : application/json
- Added property
meta_hide(boolean)
Hide this application from the user's My applications page.
GET /core/authenticated_sessions/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > AuthenticatedSession Serializer
-
Changed property
user_agent(object)Get parsed user agent
-
Changed property
device(object)User agent device
-
Changed property
brand(string) -
Changed property
model(string)
-
-
Changed property
os(object)User agent os
-
Changed property
major(string) -
Changed property
minor(string) -
Changed property
patch(string) -
Changed property
patch_minor(string)
-
-
-
-
POST /core/brands/
Request:
Changed content type : application/json
- Added property
flow_lockdown(string)
Return Type:
Changed response : 201 Created
- Changed content type : application/json
- Added property
flow_lockdown(string)
GET /core/brands/
Parameters:
Added: flow_lockdown in query
Return Type:
Changed response : 200 OK
- Changed content type : application/json
Changed property
results(array)
Changed items (object): > Brand Serializer
- Added property
flow_lockdown(string)
-
GET /core/brands/current/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
flow_lockdown(string) -
Changed property
flags(object)New required properties:
core_default_app_access
New optional properties:
policies_buffered_access_view
-
Added property
core_default_app_access(boolean)Configure if applications without any policy/group/user bindings should be accessible to any user.
-
Deleted property
policies_buffered_access_view(boolean) -
Changed property
enterprise_audit_include_expanded_diff(boolean)Include additional information in audit logs, may incur a performance penalty.
-
Changed property
flows_continuous_login(boolean)Upon successful authentication, re-start authentication in other open tabs.
-
Changed property
flows_refresh_others(boolean)Refresh other tabs after successful authentication.
-
GET /crypto/certificatekeypairs/
Parameters:
Changed: key_type in query
POST /endpoints/agents/connectors/check_in/
Request:
Changed content type : application/json
-
Changed property
os(object)For example: {"family":"linux","name":"Ubuntu","version":"24.04.3 LTS (Noble Numbat)","arch":"amd64"} {"family": "windows","name":"Server 2022 Datacenter","version":"10.0.20348.4405","arch":"amd64"} {"family": "windows","name":"Server 2022 Datacenter","version":"10.0.20348.4405","arch":"amd64"} {"family": "mac_os", "name": "", "version": "26.2", "arch": "arm64"}
New optional properties:
arch
GET /events/events/volume/
Parameters:
Added: context_device in query
Context Device Primary Key
Changed: history_days in query
Return Type:
Changed response : 200 OK
-
Changed content type : application/json
Changed items (object): > Count of events of action created on day for a single event action
GET /events/transports/{uuid}/
Return Type:
Changed response : 200 OK
- Changed content type : application/json
- Added property
webhook_ca(string)
When set, the selected certificate is used to validate the certificate of the webhook server.
PUT /events/transports/{uuid}/
Request:
Changed content type : application/json
- Added property
webhook_ca(string)
When set, the selected certificate is used to validate the certificate of the webhook server.
Return Type:
Changed response : 200 OK
- Changed content type : application/json
- Added property
webhook_ca(string)
When set, the selected certificate is used to validate the certificate of the webhook server.
PATCH /events/transports/{uuid}/
Request:
Changed content type : application/json
- Added property
webhook_ca(string)
When set, the selected certificate is used to validate the certificate of the webhook server.
Return Type:
Changed response : 200 OK
- Changed content type : application/json
- Added property
webhook_ca(string)
When set, the selected certificate is used to validate the certificate of the webhook server.
GET /flows/instances/{slug}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
-
PUT /flows/instances/{slug}/
Request:
Changed content type : application/json
-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
-
PATCH /flows/instances/{slug}/
Request:
Changed content type : application/json
-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
-
POST /lifecycle/iterations/
Return Type:
Changed response : 201 Created
-
Changed content type : application/json
New required properties:
rule
New optional properties:
min_reviewers
reviewer_groups
reviewers
-
Added property
rule(object)-
Property
id(string) -
Property
name(string) -
Property
reviewer_groups(array)Items (object):
-
Property
pk(string) -
Property
name(string)
-
-
Property
min_reviewers(integer) -
Property
reviewers(array)Items (object):
-
Property
pk(integer) -
Property
uuid(string) -
Property
username(string)Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.
-
Property
name(string)User's display name.
-
-
-
Deleted property
reviewer_groups(array) -
Deleted property
min_reviewers(integer) -
Deleted property
reviewers(array)
POST /policies/event_matcher/
Request:
Changed content type : application/json
-
Added property
query(string)
Changed property
app(string)
Match events created by selected application. When left empty, all applications are matched.
Added enum values:
authentik.enterprise.endpoints.connectors.google_chrome
authentik.enterprise.stages.account_lockdown
Removed enum value:
authentik.enterprise.search
Changed property
model(string)
Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum values:
authentik_endpoints_connectors_google_chrome.googlechromeconnector
authentik_stages_account_lockdown.accountlockdownstage
Return Type:
Changed response : 201 Created
- Changed content type :
application/json-
Added property
query(string)
Changed property
app(string)
Match events created by selected application. When left empty, all applications are matched.
Added enum values:
authentik.enterprise.endpoints.connectors.google_chrome
authentik.enterprise.stages.account_lockdown
Removed enum value:
authentik.enterprise.search
Changed property
model(string)
Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum values:
authentik_endpoints_connectors_google_chrome.googlechromeconnector
authentik_stages_account_lockdown.accountlockdownstage
-
GET /policies/event_matcher/
Parameters:
Added: query in query
Changed: action in query
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > Event Matcher Policy Serializer
-
Added property
query(string)
Changed property
app(string)
Match events created by selected application. When left empty, all applications are matched.
Added enum values:
authentik.enterprise.endpoints.connectors.google_chrome
authentik.enterprise.stages.account_lockdown
Removed enum value:
authentik.enterprise.search
Changed property
model(string)
Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
Added enum values:
authentik_endpoints_connectors_google_chrome.googlechromeconnector
authentik_stages_account_lockdown.accountlockdownstage
-
-
GET /policies/geoip/{policy_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
countries_obj(array)Changed items (object):
-
Changed property
code(string)Removed enum values:
AFAXALDZASADAOAIAQAGARAMAWAUATAZBSBHBDBBBYBEBZBJBMBTBOBQBABWBVBRIOBNBGBFBICVKHCMCAKYCFTDCLCNCXCCCOKMCGCDCKCRCIHRCUCWCYCZDKDJDMDOECEGSVGQEREESZETFKFOFJFIFRGFPFTFGAGMGEDEGHGIGRGLGDGPGUGTGGGNGWGYHTHMVAHNHKHUISINIDIRIQIEIMILITJMJPJEJOKZKEKIKWKGLALVLBLSLRLYLILTLUMOMGMWMYMVMLMTMHMQMRMUYTMXFMMDMCMNMEMSMAMZMMNANRNPNLNCNZNINENGNUNFKPMKMPNOOMPKPWPSPAPGPYPEPHPNPLPTPRQARERORURWBLSHKNLCMFPMVCWSSMSTSASNRSSCSLSGSXSKSISBSOZAGSKRSSESLKSDSRSJSECHSYTWTJTZTHTLTGTKTOTTTNTRTMTCTVUGUAAEGBUMUSUYUZVUVEVNVGVIWFEHYEZMZW
-
-
PUT /policies/geoip/{policy_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
countries_obj(array)Changed items (object):
-
Changed property
code(string)Removed enum values:
AFAXALDZASADAOAIAQAGARAMAWAUATAZBSBHBDBBBYBEBZBJBMBTBOBQBABWBVBRIOBNBGBFBICVKHCMCAKYCFTDCLCNCXCCCOKMCGCDCKCRCIHRCUCWCYCZDKDJDMDOECEGSVGQEREESZETFKFOFJFIFRGFPFTFGAGMGEDEGHGIGRGLGDGPGUGTGGGNGWGYHTHMVAHNHKHUISINIDIRIQIEIMILITJMJPJEJOKZKEKIKWKGLALVLBLSLRLYLILTLUMOMGMWMYMVMLMTMHMQMRMUYTMXFMMDMCMNMEMSMAMZMMNANRNPNLNCNZNINENGNUNFKPMKMPNOOMPKPWPSPAPGPYPEPHPNPLPTPRQARERORURWBLSHKNLCMFPMVCWSSMSTSASNRSSCSLSGSXSKSISBSOZAGSKRSSESLKSDSRSJSECHSYTWTJTZTHTLTGTKTOTTTNTRTMTCTVUGUAAEGBUMUSUYUZVUVEVNVGVIWFEHYEZMZW
-
-
PATCH /policies/geoip/{policy_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
countries_obj(array)Changed items (object):
-
Changed property
code(string)Removed enum values:
AFAXALDZASADAOAIAQAGARAMAWAUATAZBSBHBDBBBYBEBZBJBMBTBOBQBABWBVBRIOBNBGBFBICVKHCMCAKYCFTDCLCNCXCCCOKMCGCDCKCRCIHRCUCWCYCZDKDJDMDOECEGSVGQEREESZETFKFOFJFIFRGFPFTFGAGMGEDEGHGIGRGLGDGPGUGTGGGNGWGYHTHMVAHNHKHUISINIDIRIQIEIMILITJMJPJEJOKZKEKIKWKGLALVLBLSLRLYLILTLUMOMGMWMYMVMLMTMHMQMRMUYTMXFMMDMCMNMEMSMAMZMMNANRNPNLNCNZNINENGNUNFKPMKMPNOOMPKPWPSPAPGPYPEPHPNPLPTPRQARERORURWBLSHKNLCMFPMVCWSSMSTSASNRSSCSLSGSXSKSISBSOZAGSKRSSESLKSDSRSJSECHSYTWTJTZTHTLTGTKTOTTTNTRTMTCTVUGUAAEGBUMUSUYUZVUVEVNVGVIWFEHYEZMZW
-
-
GET /providers/saml/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type : application/json
New required properties:
url_issuer
url_unified
url_unified_init
Added property
issuer_override(string)
Also known as EntityID. Providing a value overrides the default issuer generated by authentik.
Added property
sign_logout_response(boolean)
Added property
url_issuer(string)
Get Issuer/EntityID URL
Added property
url_unified(string)
Get unified SAML endpoint URL (handles SSO and SLO)
Added property
url_unified_init(string)
Get IdP-initiated SAML URL
Deleted property
issuer(string)
Also known as EntityID
PUT /providers/saml/{id}/
Request:
Changed content type : application/json
-
Added property
issuer_override(string)
Also known as EntityID. Providing a value overrides the default issuer generated by authentik.
Added property
sign_logout_response(boolean)
Deleted property
issuer(string)
Also known as EntityID
Return Type:
Changed response : 200 OK
Changed content type : application/json
New required properties:
url_issuer
url_unified
url_unified_init
Added property
issuer_override(string)
Also known as EntityID. Providing a value overrides the default issuer generated by authentik.
Added property
sign_logout_response(boolean)
Added property
url_issuer(string)
Get Issuer/EntityID URL
Added property
url_unified(string)
Get unified SAML endpoint URL (handles SSO and SLO)
Added property
url_unified_init(string)
Get IdP-initiated SAML URL
Deleted property
issuer(string)
Also known as EntityID
PATCH /providers/saml/{id}/
Request:
Changed content type : application/json
-
Added property
issuer_override(string)
Also known as EntityID. Providing a value overrides the default issuer generated by authentik.
Added property
sign_logout_response(boolean)
Deleted property
issuer(string)
Also known as EntityID
Return Type:
Changed response : 200 OK
Changed content type : application/json
New required properties:
url_issuer
url_unified
url_unified_init
Added property
issuer_override(string)
Also known as EntityID. Providing a value overrides the default issuer generated by authentik.
Added property
sign_logout_response(boolean)
Added property
url_issuer(string)
Get Issuer/EntityID URL
Added property
url_unified(string)
Get unified SAML endpoint URL (handles SSO and SLO)
Added property
url_unified_init(string)
Get IdP-initiated SAML URL
Deleted property
issuer(string)
Also known as EntityID
POST /providers/saml/import_metadata/
Return Type:
Changed response : 201 Created
-
Changed content type : application/json
New required properties:
url_issuer
url_unified
url_unified_init
Added property
issuer_override(string)
Also known as EntityID. Providing a value overrides the default issuer generated by authentik.
Added property
sign_logout_response(boolean)
Added property
url_issuer(string)
Get Issuer/EntityID URL
Added property
url_unified(string)
Get unified SAML endpoint URL (handles SSO and SLO)
Added property
url_unified_init(string)
Get IdP-initiated SAML URL
Deleted property
issuer(string)
Also known as EntityID
GET /providers/scim/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type : application/json
New required properties:
auth_oauth_token_expires
auth_oauth_token_last_updated
auth_oauth_url_callback
auth_oauth_url_start
Added property
auth_oauth_token_last_updated(string)
Added property
auth_oauth_token_expires(string)
Added property
auth_oauth_url_callback(string)
Added property
auth_oauth_url_start(string)
Changed property
compatibility_mode(string)
Alter authentik behavior for vendor-specific SCIM implementations.
Added enum values:
webex
vcenter
Changed property
auth_mode(string)
Added enum value:
oauth_interactive
PUT /providers/scim/{id}/
Request:
Changed content type : application/json
-
Changed property
compatibility_mode(string)
Alter authentik behavior for vendor-specific SCIM implementations.
Added enum values:
webex
vcenter
Changed property
auth_mode(string)
Added enum value:
oauth_interactive
Return Type:
Changed response : 200 OK
Changed content type : application/json
New required properties:
auth_oauth_token_expires
auth_oauth_token_last_updated
auth_oauth_url_callback
auth_oauth_url_start
Added property
auth_oauth_token_last_updated(string)
Added property
auth_oauth_token_expires(string)
Added property
auth_oauth_url_callback(string)
Added property
auth_oauth_url_start(string)
Changed property
compatibility_mode(string)
Alter authentik behavior for vendor-specific SCIM implementations.
Added enum values:
webex
vcenter
Changed property
auth_mode(string)
Added enum value:
oauth_interactive
PATCH /providers/scim/{id}/
Request:
Changed content type : application/json
-
Changed property
compatibility_mode(string)
Alter authentik behavior for vendor-specific SCIM implementations.
Added enum values:
webex
vcenter
Changed property
auth_mode(string)
Added enum value:
oauth_interactive
Return Type:
Changed response : 200 OK
Changed content type : application/json
New required properties:
auth_oauth_token_expires
auth_oauth_token_last_updated
auth_oauth_url_callback
auth_oauth_url_start
Added property
auth_oauth_token_last_updated(string)
Added property
auth_oauth_token_expires(string)
Added property
auth_oauth_url_callback(string)
Added property
auth_oauth_url_start(string)
Changed property
compatibility_mode(string)
Alter authentik behavior for vendor-specific SCIM implementations.
Added enum values:
webex
vcenter
Changed property
auth_mode(string)
Added enum value:
oauth_interactive
GET /providers/ssf/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type : application/json
New required properties:
oidc_auth_providers_obj
-
Added property
oidc_auth_providers_obj(array)Items (object): > Provider Serializer
-
Property
pk(integer) -
Property
name(string) -
Property
authentication_flow(string)Flow used for authentication when the associated application is accessed by an un-authenticated user.
-
Property
authorization_flow(string)Flow used when authorizing this provider.
-
Property
invalidation_flow(string)Flow used ending the session from a provider.
-
Property
property_mappings(array)Items (string):
-
Property
component(string)Get object component so that we know how to edit the object
-
Property
assigned_application_slug(string)Internal application name, used in URLs.
-
Property
assigned_application_name(string)Application's display Name.
-
Property
assigned_backchannel_application_slug(string)Internal application name, used in URLs.
-
Property
assigned_backchannel_application_name(string)Application's display Name.
-
Property
verbose_name(string)Return object's verbose_name
-
Property
verbose_name_plural(string)Return object's plural verbose_name
-
Property
meta_model_name(string)Return internal model name
-
-
Added property
push_verify_certificates(boolean)
PUT /providers/ssf/{id}/
Request:
Changed content type : application/json
- Added property
push_verify_certificates(boolean)
Return Type:
Changed response : 200 OK
-
Changed content type : application/json
New required properties:
oidc_auth_providers_obj
-
Added property
oidc_auth_providers_obj(array) -
Added property
push_verify_certificates(boolean)
PATCH /providers/ssf/{id}/
Request:
Changed content type : application/json
- Added property
push_verify_certificates(boolean)
Return Type:
Changed response : 200 OK
-
Changed content type : application/json
New required properties:
oidc_auth_providers_obj
-
Added property
oidc_auth_providers_obj(array) -
Added property
push_verify_certificates(boolean)
POST /rbac/permissions/assigned_by_roles/{uuid}/assign/
Request:
Changed content type : application/json
-
Changed property
model(string)Added enum values:
authentik_endpoints_connectors_google_chrome.googlechromeconnector, authentik_stages_account_lockdown.accountlockdownstage
PATCH /rbac/permissions/assigned_by_roles/{uuid}/unassign/
Request:
Changed content type : application/json
-
Changed property
model(string)Added enum values:
authentik_endpoints_connectors_google_chrome.googlechromeconnector, authentik_stages_account_lockdown.accountlockdownstage
GET /rbac/permissions/roles/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
autocomplete
- Added property
autocomplete(object)
GET /sources/group_connections/ldap/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
group_obj
- Added property
group_obj(object)-
Property
pk(string) -
Property
num_pk(integer)Get a numerical, int32 ID for the group
-
Property
name(string) -
Property
is_superuser(boolean)Users added to this group will be superusers.
-
Property
attributes(object)
-
PUT /sources/group_connections/ldap/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
group_obj
- Added property
group_obj(object)
PATCH /sources/group_connections/ldap/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
group_obj
- Added property
group_obj(object)
GET /sources/saml/{slug}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json- Added property
force_authn(boolean)When enabled, the IdP will re-authenticate the user even if a session exists.
- Added property
PUT /sources/saml/{slug}/
Request:
Changed content type : application/json
- Added property
force_authn(boolean)When enabled, the IdP will re-authenticate the user even if a session exists.
Return Type:
Changed response : 200 OK
- Changed content type :
application/json- Added property
force_authn(boolean)When enabled, the IdP will re-authenticate the user even if a session exists.
- Added property
PATCH /sources/saml/{slug}/
Request:
Changed content type : application/json
- Added property
force_authn(boolean)When enabled, the IdP will re-authenticate the user even if a session exists.
Return Type:
Changed response : 200 OK
- Changed content type :
application/json- Added property
force_authn(boolean)When enabled, the IdP will re-authenticate the user even if a session exists.
- Added property
GET /sources/user_connections/ldap/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
user_obj
- Added property
user_obj(object)-
Property
pk(integer) -
Property
username(string)Required. 150 characters or fewer. Letters, digits and @/./+/-/_ only.
-
Property
name(string)User's display name.
-
Property
is_active(boolean)Designates whether this user should be treated as active. Unselect this instead of deleting accounts.
-
Property
last_login(string) -
Property
email(string) -
Property
attributes(object) -
Property
uid(string)
-
PUT /sources/user_connections/ldap/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
user_obj
- Added property
user_obj(object)
PATCH /sources/user_connections/ldap/{id}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
New required properties:
user_obj
- Added property
user_obj(object)
GET /ssf/streams/{uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
status(string)Enum values:
enabled, paused, disabled, disabled_deleted
-
Changed property
provider_obj(object)SSFProvider Serializer
New required properties:
oidc_auth_providers_obj
-
Added property
oidc_auth_providers_obj(array) -
Added property
push_verify_certificates(boolean)
-
Changed property
delivery_method(string)Added enum values:
urn:ietf:rfc:8935, urn:ietf:rfc:8936
-
Changed property
events_requested(array)Changed items (string):
Added enum values:
https://schemas.openid.net/secevent/caep/event-type/token-claims-change
https://schemas.openid.net/secevent/caep/event-type/assurance-level-change
https://schemas.openid.net/secevent/caep/event-type/device-compliance-change
https://schemas.openid.net/secevent/caep/event-type/session-established
https://schemas.openid.net/secevent/caep/event-type/session-presented
https://schemas.openid.net/secevent/caep/event-type/risk-level-change
-
GET /stages/invitation/invitations/{invite_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
flow_obj(object)Flow Serializer
-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
-
-
PUT /stages/invitation/invitations/{invite_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
flow_obj(object)Flow Serializer
-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
-
-
PATCH /stages/invitation/invitations/{invite_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
flow_obj(object)Flow Serializer
-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
-
-
POST /core/applications/
Request:
Changed content type : application/json
- Added property
meta_hide(boolean)Hide this application from the user's My applications page.
Return Type:
Changed response : 201 Created
- Changed content type :
application/json- Added property
meta_hide(boolean)Hide this application from the user's My applications page.
- Added property
GET /core/applications/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > Application Serializer
- Added property
meta_hide(boolean)Hide this application from the user's My applications page.
- Added property
-
GET /core/user_consent/{id}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
application(object)Application Serializer
- Added property
meta_hide(boolean)Hide this application from the user's My applications page.
- Added property
-
GET /endpoints/devices/{device_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
connections_obj(array)Changed items (object):
- Changed property
latest_snapshot(object)-
Changed property
vendor(string)Added enum value:
chrome.google.com
-
- Changed property
-
Changed property
facts(object)-
Changed property
vendor(string)Added enum value:
chrome.google.com
-
Changed property
data(object)-
Changed property
os(object)For example: {"family":"linux","name":"Ubuntu","version":"24.04.3 LTS (Noble Numbat)","arch":"amd64"} {"family": "windows","name":"Server 2022 Datacenter","version":"10.0.20348.4405","arch":"amd64"} {"family": "windows","name":"Server 2022 Datacenter","version":"10.0.20348.4405","arch":"amd64"} {"family": "mac_os", "name": "", "version": "26.2", "arch": "arm64"}
New optional properties:
arch
-
-
-
PUT /endpoints/devices/{device_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json- Changed property
facts(object)-
Changed property
vendor(string)Added enum value:
chrome.google.com
-
Changed property
data(object)-
Changed property
os(object)For example: {"family":"linux","name":"Ubuntu","version":"24.04.3 LTS (Noble Numbat)","arch":"amd64"} {"family": "windows","name":"Server 2022 Datacenter","version":"10.0.20348.4405","arch":"amd64"} {"family": "windows","name":"Server 2022 Datacenter","version":"10.0.20348.4405","arch":"amd64"} {"family": "mac_os", "name": "", "version": "26.2", "arch": "arm64"}
New optional properties:
arch
-
-
- Changed property
PATCH /endpoints/devices/{device_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json- Changed property
facts(object)-
Changed property
vendor(string)Added enum value:
chrome.google.com
-
Changed property
data(object)-
Changed property
os(object)For example: {"family":"linux","name":"Ubuntu","version":"24.04.3 LTS (Noble Numbat)","arch":"amd64"} {"family": "windows","name":"Server 2022 Datacenter","version":"10.0.20348.4405","arch":"amd64"} {"family": "windows","name":"Server 2022 Datacenter","version":"10.0.20348.4405","arch":"amd64"} {"family": "mac_os", "name": "", "version": "26.2", "arch": "arm64"}
New optional properties:
arch
-
-
- Changed property
GET /events/events/
Parameters:
Added: context_device in query
Context Device Primary Key
GET /events/rules/
Parameters:
Changed: severity in query
POST /events/transports/
Request:
Changed content type : application/json
- Added property
webhook_ca(string)When set, the selected certificate is used to validate the certificate of the webhook server.
Return Type:
Changed response : 201 Created
- Changed content type :
application/json- Added property
webhook_ca(string)When set, the selected certificate is used to validate the certificate of the webhook server.
- Added property
GET /events/transports/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > NotificationTransport Serializer
- Added property
webhook_ca(string)When set, the selected certificate is used to validate the certificate of the webhook server.
- Added property
-
POST /flows/instances/
Request:
Changed content type : application/json
-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
Return Type:
Changed response : 201 Created
- Changed content type :
application/json-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
-
GET /flows/instances/
Parameters:
Changed: denied_action in query
Changed: designation in query
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > Flow Serializer
-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
-
-
GET /lifecycle/iterations/open/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > Mixin to validate that a valid enterprise license > exists before allowing to save the object
New required properties:
rule
New optional properties:
min_reviewers, reviewer_groups, reviewers
-
Added property
rule(object) -
Deleted property
reviewer_groups(array) -
Deleted property
min_reviewers(integer) -
Deleted property
reviewers(array)
-
POST /policies/geoip/
Return Type:
Changed response : 201 Created
- Changed content type :
application/json-
Changed property
countries_obj(array)Changed items (object):
-
Changed property
code(string)Removed enum values:
AFAXALDZASADAOAIAQAGARAMAWAUATAZBSBHBDBBBYBEBZBJBMBTBOBQBABWBVBRIOBNBGBFBICVKHCMCAKYCFTDCLCNCXCCCOKMCGCDCKCRCIHRCUCWCYCZDKDJDMDOECEGSVGQEREESZETFKFOFJFIFRGFPFTFGAGMGEDEGHGIGRGLGDGPGUGTGGGNGWGYHTHMVAHNHKHUISINIDIRIQIEIMILITJMJPJEJOKZKEKIKWKGLALVLBLSLRLYLILTLUMOMGMWMYMVMLMTMHMQMRMUYTMXFMMDMCMNMEMSMAMZMMNANRNPNLNCNZNINENGNUNFKPMKMPNOOMPKPWPSPAPGPYPEPHPNPLPTPRQARERORURWBLSHKNLCMFPMVCWSSMSTSASNRSSCSLSGSXSKSISBSOZAGSKRSSESLKSDSRSJSECHSYTWTJTZTHTLTGTKTOTTTNTRTMTCTVUGUAAEGBUMUSUYUZVUVEVNVGVIWFEHYEZMZW
-
-
GET /policies/geoip/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > GeoIP Policy Serializer
-
Changed property
countries_obj(array)Changed items (object):
-
Changed property
code(string)Removed enum values:
AFAXALDZASADAOAIAQAGARAMAWAUATAZBSBHBDBBBYBEBZBJBMBTBOBQBABWBVBRIOBNBGBFBICVKHCMCAKYCFTDCLCNCXCCCOKMCGCDCKCRCIHRCUCWCYCZDKDJDMDOECEGSVGQEREESZETFKFOFJFIFRGFPFTFGAGMGEDEGHGIGRGLGDGPGUGTGGGNGWGYHTHMVAHNHKHUISINIDIRIQIEIMILITJMJPJEJOKZKEKIKWKGLALVLBLSLRLYLILTLUMOMGMWMYMVMLMTMHMQMRMUYTMXFMMDMCMNMEMSMAMZMMNANRNPNLNCNZNINENGNUNFKPMKMPNOOMPKPWPSPAPGPYPEPHPNPLPTPRQARERORURWBLSHKNLCMFPMVCWSSMSTSASNRSSCSLSGSXSKSISBSOZAGSKRSSESLKSDSRSJSECHSYTWTJTZTHTLTGTKTOTTTNTRTMTCTVUGUAAEGBUMUSUYUZVUVEVNVGVIWFEHYEZMZW
-
-
-
GET /providers/oauth2/{id}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
grant_types(array)Items (string):
Enum values:
authorization_code, implicit, hybrid, refresh_token, client_credentials, password, urn:ietf:params:oauth:grant-type:device_code
-
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
-
Added property
redirect_uri_type(object)Enum values:
authorization, logout
-
-
PUT /providers/oauth2/{id}/
Request:
Changed content type : application/json
-
Added property
grant_types(array) -
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
- Added property
redirect_uri_type(object)
- Added property
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
grant_types(array) -
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
- Added property
redirect_uri_type(object)
- Added property
-
PATCH /providers/oauth2/{id}/
Request:
Changed content type : application/json
-
Added property
grant_types(array) -
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
- Added property
redirect_uri_type(object)
- Added property
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
grant_types(array) -
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
- Added property
redirect_uri_type(object)
- Added property
-
GET /providers/proxy/{id}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
- Added property
redirect_uri_type(object)
- Added property
-
PUT /providers/proxy/{id}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
- Added property
redirect_uri_type(object)
- Added property
-
PATCH /providers/proxy/{id}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
- Added property
redirect_uri_type(object)
- Added property
-
POST /providers/saml/
Request:
Changed content type : application/json
-
Added property
issuer_override(string)Also known as EntityID. Providing a value overrides the default issuer generated by authentik.
-
Added property
sign_logout_response(boolean) -
Deleted property
issuer(string)Also known as EntityID
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
New required properties:
url_issuer, url_unified, url_unified_init
-
Added property
issuer_override(string)Also known as EntityID. Providing a value overrides the default issuer generated by authentik.
-
Added property
sign_logout_response(boolean) -
Added property
url_issuer(string)Get Issuer/EntityID URL
-
Added property
url_unified(string)Get unified SAML endpoint URL (handles SSO and SLO)
-
Added property
url_unified_init(string)Get IdP-initiated SAML URL
-
Deleted property
issuer(string)Also known as EntityID
GET /providers/saml/
Parameters:
Added: issuer_override in query
Added: sign_logout_response in query
Deleted: issuer in query
Changed: logout_method in query
Changed: sls_binding in query
Changed: sp_binding in query
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > SAMLProvider Serializer
New required properties:
url_issuer, url_unified, url_unified_init
-
Added property
issuer_override(string)Also known as EntityID. Providing a value overrides the default issuer generated by authentik.
-
Added property
sign_logout_response(boolean) -
Added property
url_issuer(string)Get Issuer/EntityID URL
-
Added property
url_unified(string)Get unified SAML endpoint URL (handles SSO and SLO)
-
Added property
url_unified_init(string)Get IdP-initiated SAML URL
-
Deleted property
issuer(string)Also known as EntityID
-
POST /providers/scim/
Request:
Changed content type : application/json
-
Changed property
compatibility_mode(string)Alter authentik behavior for vendor-specific SCIM implementations.
Added enum values:
webex, vcenter
-
Changed property
auth_mode(string)Added enum value:
oauth_interactive
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
New required properties:
auth_oauth_token_expires, auth_oauth_token_last_updated, auth_oauth_url_callback, auth_oauth_url_start
-
Added property
auth_oauth_token_last_updated(string) -
Added property
auth_oauth_token_expires(string) -
Added property
auth_oauth_url_callback(string) -
Added property
auth_oauth_url_start(string) -
Changed property
compatibility_mode(string)Alter authentik behavior for vendor-specific SCIM implementations.
Added enum values:
webex, vcenter
-
Changed property
auth_mode(string)Added enum value:
oauth_interactive
GET /providers/scim/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > SCIMProvider Serializer
New required properties:
auth_oauth_token_expires, auth_oauth_token_last_updated, auth_oauth_url_callback, auth_oauth_url_start
-
Added property
auth_oauth_token_last_updated(string) -
Added property
auth_oauth_token_expires(string) -
Added property
auth_oauth_url_callback(string) -
Added property
auth_oauth_url_start(string) -
Changed property
compatibility_mode(string)Alter authentik behavior for vendor-specific SCIM implementations.
Added enum values:
webex, vcenter
-
Changed property
auth_mode(string)Added enum value:
oauth_interactive
-
POST /providers/ssf/
Request:
Changed content type : application/json
- Added property
push_verify_certificates(boolean)
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
New required properties:
oidc_auth_providers_obj
-
Added property
oidc_auth_providers_obj(array) -
Added property
push_verify_certificates(boolean)
GET /providers/ssf/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > SSFProvider Serializer
New required properties:
oidc_auth_providers_obj
-
Added property
oidc_auth_providers_obj(array) -
Added property
push_verify_certificates(boolean)
-
GET /providers/wsfed/
Parameters:
Added: issuer_override in query
Added: sign_logout_response in query
Deleted: issuer in query
Changed: logout_method in query
Changed: sls_binding in query
Changed: sp_binding in query
GET /rbac/permissions/assigned_by_roles/
Parameters:
Changed: model in query
POST /sources/group_connections/ldap/
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
New required properties:
group_obj
- Added property
group_obj(object)
GET /sources/group_connections/ldap/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > Group Source Connection
New required properties:
group_obj
- Added property
group_obj(object)
-
GET /sources/kerberos/
Parameters:
Changed: kadmin_type in query
GET /sources/oauth/
Parameters:
Changed: group_matching_mode in query
Changed: user_matching_mode in query
GET /sources/plex/
Parameters:
Changed: group_matching_mode in query
Changed: user_matching_mode in query
POST /sources/saml/
Request:
Changed content type : application/json
- Added property
force_authn(boolean)When enabled, the IdP will re-authenticate the user even if a session exists.
Return Type:
Changed response : 201 Created
- Changed content type :
application/json- Added property
force_authn(boolean)When enabled, the IdP will re-authenticate the user even if a session exists.
- Added property
GET /sources/saml/
Parameters:
Added: force_authn in query
Changed: name_id_policy in query
Changed: user_matching_mode in query
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > SAMLSource Serializer
- Added property
force_authn(boolean)When enabled, the IdP will re-authenticate the user even if a session exists.
- Added property
-
GET /sources/telegram/
Parameters:
Changed: group_matching_mode in query
Changed: user_matching_mode in query
POST /sources/user_connections/ldap/
Return Type:
Changed response : 201 Created
-
Changed content type :
application/json
New required properties:
user_obj
- Added property
user_obj(object)
GET /sources/user_connections/ldap/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > User source connection
New required properties:
user_obj
- Added property
user_obj(object)
-
GET /ssf/streams/
Parameters:
Changed: delivery_method in query
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > SSFStream Serializer
-
Added property
status(string) -
Changed property
provider_obj(object)SSFProvider Serializer
New required properties:
oidc_auth_providers_obj
-
Added property
oidc_auth_providers_obj(array) -
Added property
push_verify_certificates(boolean)
-
Changed property
delivery_method(string)Added enum values:
urn:ietf:rfc:8935, urn:ietf:rfc:8936
-
Changed property
events_requested(array)Changed items (string):
Added enum values:
https://schemas.openid.net/secevent/caep/event-type/token-claims-change
https://schemas.openid.net/secevent/caep/event-type/assurance-level-change
https://schemas.openid.net/secevent/caep/event-type/device-compliance-change
https://schemas.openid.net/secevent/caep/event-type/session-established
https://schemas.openid.net/secevent/caep/event-type/session-presented
https://schemas.openid.net/secevent/caep/event-type/risk-level-change
-
-
GET /stages/authenticator/validate/{stage_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
webauthn_hints(array)Items (string):
Enum values:
security-key, client-device, hybrid
-
Added property
email_otp_throttling_factor(number) -
Added property
sms_otp_throttling_factor(number) -
Added property
totp_otp_throttling_factor(number) -
Added property
static_otp_throttling_factor(number)
-
PUT /stages/authenticator/validate/{stage_uuid}/
Request:
Changed content type : application/json
-
Added property
webauthn_hints(array) -
Added property
email_otp_throttling_factor(number) -
Added property
sms_otp_throttling_factor(number) -
Added property
totp_otp_throttling_factor(number) -
Added property
static_otp_throttling_factor(number)
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
webauthn_hints(array) -
Added property
email_otp_throttling_factor(number) -
Added property
sms_otp_throttling_factor(number) -
Added property
totp_otp_throttling_factor(number) -
Added property
static_otp_throttling_factor(number)
-
PATCH /stages/authenticator/validate/{stage_uuid}/
Request:
Changed content type : application/json
-
Added property
webauthn_hints(array) -
Added property
email_otp_throttling_factor(number) -
Added property
sms_otp_throttling_factor(number) -
Added property
totp_otp_throttling_factor(number) -
Added property
static_otp_throttling_factor(number)
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
webauthn_hints(array) -
Added property
email_otp_throttling_factor(number) -
Added property
sms_otp_throttling_factor(number) -
Added property
totp_otp_throttling_factor(number) -
Added property
static_otp_throttling_factor(number)
-
GET /stages/authenticator/webauthn/{stage_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
hints(array) -
Added property
prevent_duplicate_devices(boolean)When enabled, a given device can only be registered once.
-
PUT /stages/authenticator/webauthn/{stage_uuid}/
Request:
Changed content type : application/json
-
Added property
hints(array) -
Added property
prevent_duplicate_devices(boolean)When enabled, a given device can only be registered once.
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
hints(array) -
Added property
prevent_duplicate_devices(boolean)When enabled, a given device can only be registered once.
-
PATCH /stages/authenticator/webauthn/{stage_uuid}/
Request:
Changed content type : application/json
-
Added property
hints(array) -
Added property
prevent_duplicate_devices(boolean)When enabled, a given device can only be registered once.
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Added property
hints(array) -
Added property
prevent_duplicate_devices(boolean)When enabled, a given device can only be registered once.
-
POST /stages/invitation/invitations/
Return Type:
Changed response : 201 Created
- Changed content type :
application/json-
Changed property
flow_obj(object)Flow Serializer
-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
-
-
GET /stages/invitation/invitations/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > Invitation Serializer
-
Changed property
flow_obj(object)Flow Serializer
-
Changed property
authentication(string)Required level of authentication and authorization to access a flow.
Added enum value:
require_token
-
-
-
POST /stages/prompt/prompts/preview/
Request:
Changed content type : application/json
-
Changed property
type(string)Added enum values:
alert_info, alert_warning, alert_danger
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
fields(array)Changed items (object): > Serializer for a single Prompt field
-
Changed property
type(string)Added enum values:
alert_info, alert_warning, alert_danger
-
-
GET /core/user_consent/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > UserConsent Serializer
-
Changed property
application(object)Application Serializer
- Added property
meta_hide(boolean)Hide this application from the user's My applications page.
- Added property
-
-
GET /endpoints/devices/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object):
- Changed property
facts(object)-
Changed property
vendor(string)Added enum value:
chrome.google.com
-
Changed property
data(object)-
Changed property
os(object)For example: {"family":"linux","name":"Ubuntu","version":"24.04.3 LTS (Noble Numbat)","arch":"amd64"} {"family": "windows","name":"Server 2022 Datacenter","version":"10.0.20348.4405","arch":"amd64"} {"family": "windows","name":"Server 2022 Datacenter","version":"10.0.20348.4405","arch":"amd64"} {"family": "mac_os", "name": "", "version": "26.2", "arch": "arm64"}
New optional properties:
arch
-
-
- Changed property
-
GET /flows/bindings/
Parameters:
Changed: invalid_response_action in query
GET /flows/executor/{flow_slug}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
Updated
ak-stage-session-end component:
- Added property
overview_url(string)
Updated
ak-provider-iframe-logout component:
-
Changed property
logout_urls(array)Changed items (object): > Data for a single logout URL
New required properties:
url
-
Added property
url(string) -
Added property
provider_name(string) -
Added property
binding(string) -
Added property
saml_request(string) -
Added property
saml_response(string) -
Added property
saml_relay_state(string)
Updated
ak-provider-saml-native-logout component:
-
Added property
saml_binding(string)Enum values:
redirect, post
-
Added property
saml_response(string) -
Added property
saml_relay_state(string) -
Deleted property
relay_state(string) -
Deleted property
binding(string)
Updated
ak-stage-prompt component:
-
Changed property
fields(array)Changed items (object): > Serializer for a single Prompt field
-
Changed property
type(string)Added enum values:
alert_info, alert_warning, alert_danger
-
- Added property
POST /flows/executor/{flow_slug}/
Return Type:
Changed response : 200 OK
-
Changed content type :
application/json
Updated
ak-stage-session-end component:
- Added property
overview_url(string)
Updated
ak-provider-iframe-logout component:
-
Changed property
logout_urls(array)Changed items (object): > Data for a single logout URL
New required properties:
url
-
Added property
url(string) -
Added property
provider_name(string) -
Added property
binding(string) -
Added property
saml_request(string) -
Added property
saml_response(string) -
Added property
saml_relay_state(string)
Updated
ak-provider-saml-native-logout component:
-
Added property
saml_binding(string) -
Added property
saml_response(string) -
Added property
saml_relay_state(string) -
Deleted property
relay_state(string) -
Deleted property
binding(string)
Updated
ak-stage-prompt component:
-
Changed property
fields(array)Changed items (object): > Serializer for a single Prompt field
-
Changed property
type(string)Added enum values:
alert_info, alert_warning, alert_danger
-
- Added property
POST /providers/oauth2/
Request:
Changed content type : application/json
-
Added property
grant_types(array) -
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
- Added property
redirect_uri_type(object)
- Added property
Return Type:
Changed response : 201 Created
- Changed content type :
application/json-
Added property
grant_types(array) -
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
- Added property
redirect_uri_type(object)
- Added property
-
GET /providers/oauth2/
Parameters:
Changed: client_type in query
Changed: issuer_mode in query
Changed: sub_mode in query
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > OAuth2Provider Serializer
-
Added property
grant_types(array) -
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
- Added property
redirect_uri_type(object)
- Added property
-
-
POST /providers/proxy/
Return Type:
Changed response : 201 Created
- Changed content type :
application/json-
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
- Added property
redirect_uri_type(object)
- Added property
-
GET /providers/proxy/
Return Type:
Changed response : 200 OK
- Changed content type :
application/json-
Changed property
results(array)Changed items (object): > ProxyProvider Serializer
-
Changed property
redirect_uris(array)Changed items (object): > A single allowed redirect URI entry
- Added property
redirect_uri_type(object)
- Added property
-
-
POST /stages/authenticator/validate/
Request:
Changed content type : application/json
- Added property webauthn_hints (array)
- Added property email_otp_throttling_factor (number)
- Added property sms_otp_throttling_factor (number)
- Added property totp_otp_throttling_factor (number)
- Added property static_otp_throttling_factor (number)
Return Type:
Changed response : 201 Created
- Changed content type : application/json
  - Added property webauthn_hints (array)
  - Added property email_otp_throttling_factor (number)
  - Added property sms_otp_throttling_factor (number)
  - Added property totp_otp_throttling_factor (number)
  - Added property static_otp_throttling_factor (number)
GET /stages/authenticator/validate/
Return Type:
Changed response : 200 OK
- Changed content type : application/json
  - Changed property results (array)
    Changed items (object): > AuthenticatorValidateStage Serializer
    - Added property webauthn_hints (array)
    - Added property email_otp_throttling_factor (number)
    - Added property sms_otp_throttling_factor (number)
    - Added property totp_otp_throttling_factor (number)
    - Added property static_otp_throttling_factor (number)
POST /stages/authenticator/webauthn/
Request:
Changed content type : application/json
- Added property hints (array)
- Added property prevent_duplicate_devices (boolean)
  When enabled, a given device can only be registered once.
Return Type:
Changed response : 201 Created
- Changed content type : application/json
  - Added property hints (array)
  - Added property prevent_duplicate_devices (boolean)
    When enabled, a given device can only be registered once.
GET /stages/authenticator/webauthn/
Parameters:
Deleted: friendly_name in query
Deleted: stage_uuid in query
Changed: authenticator_attachment in query
Return Type:
Changed response : 200 OK
- Changed content type : application/json
  - Changed property results (array)
    Changed items (object): > AuthenticatorWebAuthnStage Serializer
    - Added property hints (array)
    - Added property prevent_duplicate_devices (boolean)
      When enabled, a given device can only be registered once.
GET /stages/prompt/prompts/{prompt_uuid}/
Return Type:
Changed response : 200 OK
- Changed content type : application/json
  - Changed property type (string)
    Added enum values: alert_info, alert_warning, alert_danger
PUT /stages/prompt/prompts/{prompt_uuid}/
Request:
Changed content type : application/json
- Changed property type (string)
  Added enum values: alert_info, alert_warning, alert_danger
Return Type:
Changed response : 200 OK
- Changed content type : application/json
  - Changed property type (string)
    Added enum values: alert_info, alert_warning, alert_danger
PATCH /stages/prompt/prompts/{prompt_uuid}/
Request:
Changed content type : application/json
- Changed property type (string)
  Added enum values: alert_info, alert_warning, alert_danger
Return Type:
Changed response : 200 OK
- Changed content type : application/json
  - Changed property type (string)
    Added enum values: alert_info, alert_warning, alert_danger
GET /stages/user_login/
Parameters:
Changed: geoip_binding in query
Changed: network_binding in query
GET /tasks/tasks/
Parameters:
Changed: state in query
PUT /core/transactional/applications/
Request:
Changed content type : application/json
- Changed property app (object)
  Application Serializer
  - Added property meta_hide (boolean)
    Hide this application from the user's My applications page.
- Changed property provider (object)
  Updated authentik_providers_ssf.ssfprovider provider_model:
  - Added property push_verify_certificates (boolean)
  Updated authentik_providers_saml.samlprovider provider_model:
  - Added property issuer_override (string)
    Also known as EntityID. Providing a value overrides the default issuer generated by authentik.
  - Added property sign_logout_response (boolean)
  - Deleted property issuer (string)
    Also known as EntityID
  Updated authentik_providers_scim.scimprovider provider_model:
  - Changed property compatibility_mode (string)
    Alter authentik behavior for vendor-specific SCIM implementations.
    Added enum values: webex, vcenter
  - Changed property auth_mode (string)
    Added enum value: oauth_interactive
  Updated authentik_providers_oauth2.oauth2provider provider_model:
  - Added property grant_types (array)
  - Changed property redirect_uris (array)
    Changed items (object): > A single allowed redirect URI entry
    - Added property redirect_uri_type (object)
POST /stages/prompt/prompts/
Request:
Changed content type : application/json
- Changed property type (string)
  Added enum values: alert_info, alert_warning, alert_danger
Return Type:
Changed response : 201 Created
- Changed content type : application/json
  - Changed property type (string)
    Added enum values: alert_info, alert_warning, alert_danger
GET /stages/prompt/prompts/
Parameters:
Changed: type in query
Return Type:
Changed response : 200 OK
- Changed content type : application/json
  - Changed property results (array)
    Changed items (object): > Prompt Serializer
    - Changed property type (string)
      Added enum values: alert_info, alert_warning, alert_danger
Result
API changes broke backward compatibility