authentik Release Notes

4 release notes curated from 5 sources by the Releasebot Team. Last updated: May 22, 2026

  • May 1, 2026
    • Date parsed from source:
      May 1, 2026
    • First seen by Releasebot:
      May 22, 2026
    authentik

    Release 2026.5

    authentik releases a major update with Account Lockdown, new conditional access connectors for Fleet and Google Chrome, a new command palette, wizard refreshes, Open Source AKQL, stronger 2FA throttling, accessibility upgrades, and a faster, leaner worker runtime.

    Highlights

    • Account Lockdown: Enterprise A new panic button for compromised accounts that can immediately cut off access, revoke tokens, end sessions, and leave an audit trail.
    • Conditional Access: Enterprise New connectors verify device compliance and feed it into conditional access flows: Fleet (via Fleet certificates and an mTLS stage, without the authentik agent) and Google Chrome (via Chrome Enterprise Device Trust).
    • AKQL is now open source: The AKQL search query language for logs and users, previously enterprise-only, is now free for everyone to use.
    • Command Palette and wizard upgrades: A new Cmd + K command palette to search the authentik UI, alongside reworked wizards including a new user creation wizard, improved binding wizard, and new invitation wizard.
    • Performance improvements: The new Rust worker entrypoint drops memory usage by approximately 200 MB per worker container, and opens one fewer PostgreSQL connection per worker. The Admin interface is less resource-intensive through lazy-loaded modals.

    Breaking changes

    Listening on multiple IPs

    For advanced use cases, authentik now supports setting listening settings to a comma-separated list of IPs. With this change, the default IP we listen on changed from 0.0.0.0 to [::] to better match ecosystem standards. Some IPv4-only environments might need to adapt those settings.

    New features and improvements

    Account Lockdown: This feature is available in the enterprise version of authentik.

    Account Lockdown gives administrators and users a panic button to secure an account when compromise is suspected. From the Admin interface, an administrator can lock down a user directly from their detail page; users can also lock down their own account from Settings if they no longer trust their password or active sessions.

    A lockdown can deactivate the account, invalidate the local authentik password, terminate active sessions, revoke API/app/recovery/verification/OAuth tokens and grants, and record the reason in the audit log. authentik includes a packaged blueprint with warnings, reason collection, and completion messages so teams can get started quickly and customize the experience where needed.

    For setup details, refer to the Account Lockdown documentation.

    Conditional access: This feature is available in the enterprise version of authentik.

    We've added two new connectors that verify device compliance and let you use them as a signal in conditional access flows.

    Fleet: authentik can now verify user devices based on their Fleet certificates without requiring the authentik agent, using the Fleet Connector together with an mTLS stage. For details, refer to the Fleet Conditional Access documentation.

    Google Chrome: authentik now includes a Google Device Trust connector that integrates with Chrome Enterprise Device Trust via the Chrome Verified Access API. This lets authentik validate that a user's Chrome browser or ChromeOS device is compliant — for example, running an up-to-date version with security patches applied. The connector is especially useful for BYOD environments and remote workforces where device compliance can't be assumed.

    Tap-to-login Secure Enclave support: This feature is available in the enterprise version of authentik.

    Endpoint Devices now support independent Secure Enclave keys for tap-to-login. This allows iPhone and Apple Watch credentials to be bound directly to a user, so tap-to-login can work without first pairing the credential to a specific endpoint device.

    2FA attempt throttling

    The Authenticator Validation stage can now throttle repeated failed attempts for email and SMS OTP devices, extending the same brute-force protection already available for TOTP and static authenticators. Admins can tune throttling behavior to slow down repeated guessing attempts without changing the user's login flow.

    Import hashed passwords

    authentik can now bootstrap and import users with pre-hashed Django passwords, making automated installs and migrations safer by avoiding plaintext passwords in deployment workflows.

    Use AUTHENTIK_BOOTSTRAP_PASSWORD_HASH for the initial akadmin password, generate hashes with the new hash_password command, or import hashes later through blueprints and the user password-hash API.

    Hashed-password imports update authentik's local password verifier only. Because authentik never receives the raw password, these imports are not written back to LDAP or Kerberos sources.
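    To make concrete what a "pre-hashed Django password" looks like, here is an added example (not authentik's hash_password command or its import API) that produces and verifies a hash in Django's standard PBKDF2-SHA256 encoding, pbkdf2_sha256$iterations$salt$base64digest. The iteration count and salt length are assumptions chosen for the example; pick values that match your deployment's policy, and treat the resulting string as a secret in the same way you would any credential material.

```python
import base64
import hashlib
import hmac
import secrets
import string

# Django's PBKDF2-SHA256 password encoding (constructed example, not authentik code):
#   pbkdf2_sha256$<iterations>$<salt>$<standard base64 of the 32-byte digest>
ALGORITHM = "pbkdf2_sha256"
# Assumed iteration count for this example; Django's own default changes between releases.
DEFAULT_ITERATIONS = 600_000
SALT_CHARS = string.ascii_letters + string.digits


def make_salt(length: int = 22) -> str:
    """Random alphanumeric salt; '$' is excluded because it is the field separator."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def make_django_hash(password: str, salt: str = "", iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a Django-format hash for `password`, usable wherever a hashed password is imported."""
    if not salt:
        salt = make_salt()
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt.encode("utf-8"), iterations
    )
    encoded = base64.b64encode(digest).decode("ascii")
    return f"{ALGORITHM}${iterations}${salt}${encoded}"


def parse_django_hash(encoded: str) -> tuple:
    """Split an encoded hash into (algorithm, iterations, salt, digest); raise on bad format."""
    parts = encoded.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("not a pbkdf2_sha256 hash")
    algorithm, iterations, salt, digest = parts
    return algorithm, int(iterations), salt, digest


def verify_django_hash(password: str, encoded: str) -> bool:
    """Recompute the hash with the stored salt and iterations and compare in constant time."""
    try:
        _, iterations, salt, _ = parse_django_hash(encoded)
    except ValueError:
        return False
    candidate = make_django_hash(password, salt=salt, iterations=iterations)
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


if __name__ == "__main__":
    # Generate a hash for a bootstrap admin password without the plaintext ever
    # leaving this machine; the printed value is what an environment variable
    # such as AUTHENTIK_BOOTSTRAP_PASSWORD_HASH would carry.
    print(make_django_hash("correct horse battery staple"))
```

    Because verification only needs the salt and iteration count that are embedded in the string, the same hash can be checked by any Django-compatible verifier; the plaintext is never stored or transmitted, which is the property the release notes are relying on.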

    Command Palette

    The new command palette lets you quickly navigate authentik without clicking through menus. Press Cmd + K (or Ctrl + K on Windows and Linux) from anywhere in the UI to open it, then start typing to jump to a page, run an action, or look up a user. You can also use Cmd/Ctrl + / to jump straight into search, or Cmd/Ctrl + Shift + K to open directly to the actions list.

    Results are grouped by category, including pages within authentik, users, and documentation searches that open on docs.goauthentik.io. The palette is designed to make routine admin tasks faster — useful when you know what you want to do but don't want to hunt for the right menu.

    WebAuthn Client Hints support

    The WebAuthn Stage now supports the hints parameter from the WebAuthn Level 3 spec. Admins can configure one or more hints (security-key, client-device, or hybrid) to tell the browser which authenticator type to expect. The browser uses this to skip straight to the relevant selection UI during passkey registration and authentication, reducing friction especially in enterprise deployments where security keys are mandatory.

    Keep in mind that hints are advisory — they only affect the browser UI, not policy. Authenticator type requirements still need to be enforced server-side.
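    The caveat above is the important one: a hint changes the chooser the browser shows, nothing else. The following added example (not authentik's WebAuthn stage code) shows both halves: building creation options that carry the hints array, and a server-side check on the returned credential that enforces the authenticator type regardless of what the browser was asked to show. The policy table mapping each hint to an expected authenticatorAttachment and transport set is an assumption for this example, and the sample responses are constructed.

```python
import base64
import secrets

# Hint values defined by WebAuthn Level 3 for PublicKeyCredentialCreationOptions.hints
VALID_HINTS = ("security-key", "client-device", "hybrid")

# Server-side policy for this example (an assumption, not an authentik rule):
# what the registration response must show for each required authenticator type.
#   security-key  -> roaming authenticator reached over USB, NFC or BLE
#   client-device -> platform authenticator built into the device
#   hybrid        -> roaming authenticator reached via the "hybrid" (phone) transport
POLICY = {
    "security-key": {"attachment": "cross-platform", "transports": {"usb", "nfc", "ble"}},
    "client-device": {"attachment": "platform", "transports": {"internal"}},
    "hybrid": {"attachment": "cross-platform", "transports": {"hybrid"}},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def validate_hints(hints) -> list:
    """Return the hints that are not defined by the spec (empty list means all valid)."""
    return [h for h in hints if h not in VALID_HINTS]


def build_creation_options(rp_id: str, user_name: str, hints) -> dict:
    """Options a relying party hands to navigator.credentials.create().
    `hints` is advisory: it only steers the browser's authenticator chooser UI."""
    hints = list(hints)
    unknown = validate_hints(hints)
    if unknown:
        raise ValueError(f"unknown hint(s): {unknown}")
    return {
        "rp": {"id": rp_id, "name": rp_id},
        "user": {"id": _b64url(secrets.token_bytes(16)), "name": user_name, "displayName": user_name},
        "challenge": _b64url(secrets.token_bytes(32)),
        "pubKeyCredParams": [{"type": "public-key", "alg": -7}, {"type": "public-key", "alg": -257}],
        "hints": hints,
    }


def enforce_authenticator_type(registration: dict, required_hint: str) -> tuple:
    """Server-side policy check on the PublicKeyCredential JSON the browser returned.
    Looks at credential.authenticatorAttachment and response.transports (getTransports()).
    Returns (accepted, reason)."""
    rule = POLICY[required_hint]
    attachment = registration.get("authenticatorAttachment")
    transports = set(registration.get("response", {}).get("transports", []))
    if attachment != rule["attachment"]:
        return False, f"authenticatorAttachment {attachment!r} does not satisfy {required_hint}"
    if not transports & rule["transports"]:
        return False, f"transports {sorted(transports)} lack one of {sorted(rule['transports'])}"
    return True, "ok"


# Constructed sample registration responses in PublicKeyCredential.toJSON() shape
SECURITY_KEY_RESPONSE = {
    "id": "c2FtcGxlLWtleS1pZA", "type": "public-key",
    "authenticatorAttachment": "cross-platform",
    "response": {"transports": ["usb", "nfc"]},
}
PHONE_RESPONSE = {
    "id": "c2FtcGxlLXBob25lLWlk", "type": "public-key",
    "authenticatorAttachment": "cross-platform",
    "response": {"transports": ["hybrid", "internal"]},
}
PLATFORM_RESPONSE = {
    "id": "c2FtcGxlLXBsYXRmb3Jt", "type": "public-key",
    "authenticatorAttachment": "platform",
    "response": {"transports": ["internal"]},
}

if __name__ == "__main__":
    opts = build_creation_options("idp.example.test", "alice", ["security-key"])
    print("hints sent to browser:", opts["hints"])
    for name, resp in [("key", SECURITY_KEY_RESPONSE), ("phone", PHONE_RESPONSE), ("platform", PLATFORM_RESPONSE)]:
        print(name, enforce_authenticator_type(resp, "security-key"))
```

    Note that authenticatorAttachment and the transport list are reported by the client, so this check stops an honest browser from registering the wrong kind of authenticator but is not a substitute for attestation when you need proof of a specific device model; the point of the example is only that the requirement lives on the server, not in the hint.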

    AKQL is now open source

    The AKQL search query language was previously an enterprise-only feature for querying logs and users. AKQL is now free for everyone to use, allowing searches based on specific attributes such as context.geo.country = "Germany".

    OAuth2 configurable grant types

    OAuth2 providers now have a Grant Types setting that lets admins explicitly choose which grant types a given provider may use. The available options are Authorization Code, Implicit, Hybrid, Refresh token, Client credentials, Password, and Device-code. Existing providers default to having all grant types enabled to preserve current behavior, but you can now disable any grant types you don't want a particular client to use — useful for tightening security on individual integrations and disabling legacy flows like Implicit or Password where they aren't needed.
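    Per-client grant type restriction touches two endpoints, because Implicit and Hybrid are not token-endpoint grant_type values at all; they are selected by the authorize endpoint's response_type. The following added example (not authentik's provider code; the client model and helper names are assumptions) shows a check at both points, with a client that keeps the default "all grants enabled" beside one hardened to Authorization Code and Refresh token only. It also handles the one coupling worth knowing about: the code leg of a Hybrid flow is redeemed with grant_type=authorization_code.

```python
from dataclasses import dataclass

# Grant type identifiers as they appear on the wire (RFC 6749, RFC 8628, OIDC Core).
AUTHORIZATION_CODE = "authorization_code"
IMPLICIT = "implicit"
HYBRID = "hybrid"
REFRESH_TOKEN = "refresh_token"
CLIENT_CREDENTIALS = "client_credentials"
PASSWORD = "password"
DEVICE_CODE = "urn:ietf:params:oauth:grant-type:device_code"

ALL_GRANT_TYPES = frozenset({
    AUTHORIZATION_CODE, IMPLICIT, HYBRID, REFRESH_TOKEN, CLIENT_CREDENTIALS, PASSWORD, DEVICE_CODE,
})

# Authorize-endpoint response_type combinations, order-insensitive, mapped to the flow they start.
RESPONSE_TYPE_TO_GRANT = {
    frozenset({"code"}): AUTHORIZATION_CODE,
    frozenset({"token"}): IMPLICIT,
    frozenset({"id_token"}): IMPLICIT,
    frozenset({"id_token", "token"}): IMPLICIT,
    frozenset({"code", "id_token"}): HYBRID,
    frozenset({"code", "token"}): HYBRID,
    frozenset({"code", "id_token", "token"}): HYBRID,
}


@dataclass
class Client:
    """Hypothetical provider record; existing providers default to every grant type enabled."""
    client_id: str
    allowed_grant_types: frozenset = ALL_GRANT_TYPES


def grant_for_response_type(response_type: str):
    """Map a space-separated response_type (e.g. 'id_token code') to its grant type, or None."""
    return RESPONSE_TYPE_TO_GRANT.get(frozenset(response_type.split()))


def check_authorize(client: Client, response_type: str) -> tuple:
    """Authorize endpoint: reject response_types whose flow is disabled for this client."""
    grant = grant_for_response_type(response_type)
    if grant is None:
        return False, "unsupported_response_type"
    if grant not in client.allowed_grant_types:
        return False, f"unauthorized_client: {grant} is disabled for {client.client_id}"
    return True, grant


def check_token(client: Client, grant_type: str) -> tuple:
    """Token endpoint: reject grant_types the client may not use.
    Implicit and hybrid never appear here; the hybrid code leg arrives as authorization_code."""
    if grant_type not in ALL_GRANT_TYPES or grant_type in (IMPLICIT, HYBRID):
        return False, "unsupported_grant_type"
    effective = set(client.allowed_grant_types)
    if HYBRID in effective:
        effective.add(AUTHORIZATION_CODE)
    if grant_type not in effective:
        return False, f"unauthorized_client: {grant_type} is disabled for {client.client_id}"
    return True, grant_type


# Constructed sample clients
LEGACY_CLIENT = Client("legacy-app")  # all grant types, the upgrade default
HARDENED_CLIENT = Client("spa", frozenset({AUTHORIZATION_CODE, REFRESH_TOKEN}))

if __name__ == "__main__":
    for rt in ("code", "token id_token", "code id_token"):
        print("authorize", rt, check_authorize(HARDENED_CLIENT, rt))
    for gt in (PASSWORD, REFRESH_TOKEN, DEVICE_CODE):
        print("token", gt, check_token(HARDENED_CLIENT, gt))
```

    The hardened client here can no longer start an Implicit or Hybrid flow or obtain tokens with the Password or Device-code grants, while the legacy client keeps the pre-upgrade behavior; that is the same effect the Grant Types setting is meant to have per provider.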

    Improved UI and accessibility

    Accessibility and user experience improvements have been made across the admin interface.

    Form accessibility

    Form labels have been updated to be more descriptive for screen readers and now inform you of the full action that will be executed when the button is pressed. This change is being rolled out across the entire admin interface, starting with the most commonly used buttons and forms. These changes have all been reflected in the docs as well, helping to make authentik more accessible for all users.

    Modal accessibility

    In addition to general improvements to form accessibility, many of our modals now use the browser-native <dialog> element, fixing several issues which prevented screen readers from properly traversing modal content. We'll be phasing out the remaining non-<dialog> modals over the next few releases to ensure a more consistent and accessible experience across the entire admin interface.

    Wizard improvements

    Wizards throughout authentik have been reworked to have fewer steps and cover the most common use cases.

    The invitation wizard in particular now makes it easy for administrators to send invites to new users. It guides admins through the process of configuring an invite system and sending the invites to users.

    Service accounts are now created through the new user creation wizard, which has been reworked to be more intuitive and faster to use.

    Mobile and tablet improvements

    While authentik's admin interface is primarily designed for desktop use, we've made several improvements to make it more usable on mobile and tablet devices for those times when you need to make a quick change on the go.

    Login improvements

    The login flow has additional UI improvements to reduce friction and make it easier to use, including:

    • An improved "Remember me" option that autofocuses the most appropriate input field based on the presence of a username or password field.
    • Better error handling and messaging for failed login attempts, including more specific error messages for WebAuthn when authentication fails.
    • Additional mobile optimizations, such as better keyboard handling, field focus, and responsive design improvements to make the login flow easier to use on mobile and tablet devices.

    Small general improvements

    • SAML provider issuer: authentik now automatically generates your SAML issuer URL. You can still override the default SAML issuer.
    • SAML provider unified endpoints: Instead of an individual endpoint for login and logout for redirect and post, there is now a single SAML endpoint that handles login and logout for both request methods.
    • Application Dashboard: The My applications page has been renamed to Application Dashboard, and related option labels have been updated to match. Our documentation and integration guides have been updated as well. You can now also hide applications from the Application Dashboard page using the new Hide from Application Dashboard toggle.

    Before authentik 2026.5, an application was hidden by setting its Launch URL to blank://blank. Existing applications using that value are automatically migrated to using the Hide from Application Dashboard option upon upgrading.

    • Dependencies: We've removed 17 packages from authentik. Fewer dependencies mean less code to maintain and keep patched, and a smaller attack surface overall.

    Performance improvements

    The authentik worker now starts through a Rust entrypoint. Python still runs authentik's worker code, but the Rust process owns worker startup, health checks, metrics, and worker-status reporting. This removes an idle top-level Python process and has led to an approximately 200 MB drop in memory usage for a single worker container. If you're a developer, check the updated Developer Docs to install Rust.

    The worker status reporting change also uses one fewer PostgreSQL connection per worker, which should put less load on the database.

    The Admin interface is also less resource-intensive in the browser due to lazy-loaded modals.

    New out-of-the-box experience

    When setting up authentik for the first time, you will now automatically be redirected to the initial-setup flow instead of having to manually go there to complete your authentik installation.

    New integration guides

    An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. A big thanks to our contributors!

    • Absorb LMS (Thanks to @dewi-tik!)
    • Anthropic (Thanks to @dominic-r!)
    • Anthropic Workload Identity Federation (Thanks to @dominic-r!)
    • Forgejo (Thanks to @djagoo!)
    • grommunio (Thanks to @snxRCS!)
    • Okta (Thanks to @dewi-tik!)
    • OneUptime (Thanks to @M-Slanec!)
    • PhotoPrism (Thanks to @dominic-r!)
    • PostHog (Thanks to @dominic-r!)
    • RabbitMQ (Thanks to @djooberlee!)
    • Splunk Enterprise (Thanks to @jhuesser!)
    • Technitium DNS (Thanks to @scinca!)

    Integration guide updates

    • The GitHub Enterprise integration docs were revamped and split into dedicated guides for GitHub Enterprise Cloud, GitHub Enterprise Managed Users, and GitHub Enterprise Server, making it easier to pick the right SAML and SCIM setup path. (Thanks to @dominic-r!)
    • Integration guides that configure application-side roles and permissions now use authentik Application Entitlements, giving admins a more consistent pattern for mapping access. (Thanks to @dominic-r!)
    • The Jellyseerr integration guide was updated for the project's move to Seerr. (Thanks to @BreizhHardware!)
    • The Home Assistant guide now covers both supported community OIDC integrations, christiaangoossens/hass-oidc-auth and cavefire/hass-openid, with UI and YAML setup options. (Thanks to @christiaangoossens!)
    • The NetBird guide was refreshed to match NetBird's current authentik provider setup, with separate paths for adding authentik as an external identity provider or fully replacing NetBird's embedded IdP. (Thanks to @dominic-r!)

    Upgrading

    This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.

    When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance.

    Docker Compose

    To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

    wget -O docker-compose.yml https://goauthentik.io/version/2026.5/lifecycle/container/compose.yml
    docker compose up -d
    

    The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.

    Kubernetes

    Upgrade the Helm Chart to the new version, using the following commands:

    helm repo update
    helm upgrade authentik authentik/authentik -f values.yaml --version ^2026.5
    

    Minor changes/fixes

    A comprehensive list of minor changes and fixes is included, covering improvements in admin files, API, blueprints, core, lifecycle, outposts, packages, web, security, stages, and more.

    API Changes

    Detailed API changes are documented, including new properties, changed properties, added enum values, and deprecated features across various endpoints and components.

  • May 2026
    • No date parsed from source.
    • First seen by Releasebot:
      May 20, 2026
    authentik

    Release 2026.2

    authentik releases enterprise Object Lifecycle Management, adds WS-Federation support, and improves SCIM syncing with group imports and smarter sync behavior. It also brings SAML, endpoints, certificate, and UI updates, plus new integration guides and security fixes.

    Highlights

    • Object Lifecycle Management: Enterprise Preview Admins can now automatically schedule periodic reviews of authentik objects (applications, groups, roles) for compliance and auditing purposes.
    • WS-Federation: Enterprise authentik now supports WS-Federation, a single sign-on and identity federation protocol common in some Microsoft environments.
    • SCIM provider: Major improvements to the SCIM provider have been made by community contributions from @ImmanuelVonNeumann and @bitpavel-l25 in the form of sync improvements and group imports. Thank you!

    Release frequency change

    In recent years, a new authentik release was cut roughly every two months. We will be extending this to target a three-month release cycle, with the next release being 2026.5 in May. We will keep to our current practice of supporting the two most recently released versions with security coverage, which will therefore result in a longer coverage period as well.

    Breaking changes

    SCIM group syncing behavior

    Users will now be filtered based on the policies bound to the application the SCIM provider is used with. There is now an option to select groups in the SCIM provider: if groups are selected, only those groups will be synced, and if no groups are selected, all groups will be synced. If you have a SCIM provider with a group filter set up, it will be deactivated and a configuration warning will be created for you to review the configuration.

    Policies / Property mappings

    User.ak_groups has been deprecated. Users' groups are now accessed through User.groups. Usage of .ak_groups will continue to function, but will create a configuration warning event, at most every 30 days. We recommend you check any custom code (e.g. expression policies, property mappings) that deals with group memberships to update them if necessary.

    New features and improvements

    Object lifecycle management

    This feature is available in the enterprise version of authentik. This feature is in preview and may change in the future.

    Object Lifecycle Management allows Admins to schedule and track periodic reviews for Applications, Groups, and Roles. Reviewing access privileges to specific applications is an important best practice, as is reviewing other settings such as your branding settings, group and role membership, application entitlements, and current policy bindings.

    WS-Federation

    This feature is available in the enterprise version of authentik.

    We now have a provider to integrate authentik with applications and service providers that use the WS-Fed protocol. WS-Federation is an XML-based identity federation protocol that uses token exchange for federated Single Sign-On (SSO) and IdP authentication, specifically for Windows applications such as SharePoint. Note that we only support the SAML2 token type within WS-Federation providers, and that using the WS-Fed provider with Entra ID is not supported because Entra ID requires a SAML 1.0 token.

    For details refer to our WS-Federation provider documentation.

    Endpoints and authentik agent

    This feature is available in the enterprise version of authentik.

    Endpoints now has a Fleet connector integration. You can now pull device facts and signals data from Fleet into authentik to implement Conditional Access rules.

    Local Device Login now works on Linux too and also supports webauthn/FIDO2.

    Certificate builder

    authentik's certificate builder now supports ED25519 and ED448 certificate generation.

    SAML Provider

    The SAML provider's metadata parser now supports importing Single Logout Service endpoints and encryption certificates. Also, encryption certificates without private keys are now accepted, and the structure of encrypted SAML assertions has been corrected. The signing order for encrypted SAML responses has been fixed, and signature algorithm options are now automatically pulled from the selected signing certificate. The SP ACS binding field has been lowered in the form and will soon be sunset, as defaulting to POST should work in every case.

    SAML Source

    SAML sources now correctly handle transient usernames longer than 150 characters by truncating them. AuthnRequest signatures are no longer incorrectly embedded in the request body when using the redirect binding. The signature verification order has been fixed to properly accommodate encrypted assertions, and InvalidSignature exceptions are now properly caught. Status message handling has also been improved for better error reporting.

    Documentation page: First steps

    We now have a tutorial for your First steps after installing authentik! This document walks you through adding a new application and provider, then adding your first user, with Tips to explain more complex concepts. Best practices and troubleshooting tips are also included.

    πthon

    authentik now uses Python 3.14 under the hood. This means absolutely nothing as we use none of its features, but it has a cool name.

    New integration guides

    An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. A big thanks to our contributors!

    • Affine (Thanks to @akaSorin)
    • Arcane (Thanks to @steilerDev)
    • Datadog (Thanks to @dominic-r!)
    • Elastic Cloud (Thanks to @dominic-r!)

    Upgrading

    This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.

    WARNING

    When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance.

    Docker Compose

    To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

    wget -O docker-compose.yml https://goauthentik.io/version/2026.2/lifecycle/container/compose.yml
    docker compose up -d
    

    The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.

    Kubernetes

    Upgrade the Helm Chart to the new version, using the following commands:

    helm repo update
    helm upgrade authentik authentik/authentik -f values.yaml --version ^2026.2
    

    Minor changes/fixes

    • *: Auto compress images (#19065)
    • admin/files: add centralized theme variable support for file URLs (#19657)
    • admin/files: fix duplicate bucket name in presigned URLs with custom domain (#19537)
    • admin/files: fix get_objects_for_user queryset argument in FileUsedByView (#18845)
    • admin/files: fix manageable check blocking file creation on fresh installs (#19547)
    • admin/files: revert add check for /media existence (#18636) (#18829)
    • admin/files: support %(theme)s variable in media file paths (#19108)
    • api: fix latest version for public schema (#18902)
    • api: fix page_size with invalid query param (#18879)
    • blueprints: add InternallyManagedMixin instead of large list (#18983)
    • blueprints: don't exclude default values (#20057)
    • blueprints: fix deadlock and task context error in MetaApplyBlueprint (#19033)
    • blueprints: fix flaky tests (#19002)
    • blueprints: set enrollment token key (#19061)
    • brands: fix Domain Matching in Brand Resolution (#19976)
    • core: add bulk session revocation (#18564)
    • core: add CC and BCC support to ak_send_email and TemplateEmailMessage (#19633)
    • core: add last_login filter to users API (#18993)
    • core: add prettier failure on duplicate group names (#18941)
    • core: add skip s3_test_server_available to TestResolveFileUrlS3Backend (#18858)
    • core: ask for token duration on recovery link/email by admin (#19875)
    • core: fix non-expiring service accounts and app passwords (#19913)
    • core: fix read replica routing during transactions (#19086)
    • core: handle deserialization errors from FileField migration (#19067)
    • core: list applications fix (#18798)
    • core: remove session migration (#14568)
    • core: remove superuser check from Token list (#18684)
    • core: return bad request when user is authenticated and not active (#19706)
    • core: skip s3 tests if endpoint isn't available (#18841)
    • core: Update supported versions in SECURITY.md (#19385)
    • core: use chunked_queryset for expired message deletion (#19028)
    • core/groups: optimize prefetch queries to fetch only required fields (#18448)
    • crypto: Add ED25519 and ED448 support to the certificate builder (#19465)
    • crypto: fix extra cert data in db migration (#18937)
    • crypto: Store details parsed from includeDetails in database instead (#18013)
    • endpoints: fix endpoints stage marked as enterprise (#19607)
    • endpoints: FleetDM connector (#18589)
    • endpoints: include license status in agent config (#19227)
    • endpoints: show agent version (#19239)
    • endpoints/connectors/agent: add tests for IA endpoint stage (#19487)
    • endpoints/connectors/agent: fix icon (#19722)
    • endpoints/connectors/agent: Skip Endpoint stage on device IA & fix confusing identification subtext (#19482)
    • endpoints/devices: cleanup (#19047)
    • enterprise/audit: Expanded Diff (#19726)
    • enterprise/lifecycle: implement Object Lifecycle Management (#20015)
    • enterprise/providers: WS-Federation (#19583)
    • enterprise/providers: WSFed configurable realm, default wreply (#19996)
    • enterprise/reports: improve export list, confirmation (#18981)
    • enterprise/search: add static autocomplete structure (#19008)
    • events: notifications live update (#18980)
    • Fix authenticator sms docs (#19797)
    • flows: add option for flow layout with frame background (#19527)
    • flows/executor: fix KeyError when session has no existing plan (#18951)
    • integrations: add saml steps to mattermost (#19590)
    • internal: don't warn on empty outpost for embedded (#18786)
    • internal: fix certificate not refetched if fingerprint changes (#19761)
    • internal: fix incorrect metric calculation (#19701)
    • internal: rework liveness probe and proxy (#19312)
    • internal: update TLS Suite (#19076)
    • internal/outpost: improve PostgreSQL connection options parsing (#19118)
    • lib: add helper for creating events in migration (#20044)
    • lib: Add ssh/sftp schemas in to DomainlessFormattedURLValidator (#19881)
    • lib: update error logging (#18628)
    • lib: use orjson for structlog json (#19462)
    • lib/sync: fix sync_dispatch (#19053)
    • lib/sync/outgoing: handle deletions even if object does not exist in database (#18968)
    • outpost/proxyv2: fix stale session cookie causing 400 error in createState (#19026)
    • outpost/proxyv2: reduce max number of postgres connections (#19211)
    • outpost/proxyv2: revalidate auth if session fails to load (#18063)
    • outposts: fix docker_tls created files permission (#19978)
    • outposts: fix permission errors for related certificates (#18861)
    • packages/ak-guardian: cast safely (#18929)
    • packages/django-dramatiq-postgres: broker: close django connections on consumer close (#18833)
    • packages/django-dramatiq-postgres: broker: empty message after task completed successfully (#19340)
    • policies: fix Provider's authentication_flow not used when set (#19609)
    • providers/oauth2: add logout+jwt token type for oidc logout token. (#19554)
    • providers/oauth2: allow property mappings to override scope claim in access tokens (#19226)
    • providers/oauth2: Automated OpenID Conformance tests (#14785)
    • providers/oauth2: Support login_hint (#19498)
    • providers/oauth2: use compare_digest for client_secret comparison (#19979)
    • providers/proxy: Fix incorrect comparison of redirect URL and CookieDomain (#15686)
    • providers/saml: allow encryption certificates without private keys (#19526)
    • providers/saml: auto pull signature algorithm options (#17614)
    • providers/saml: fix signing order for encrypted saml responses (#19620)
    • providers/saml: fix structure of encrypted saml assertion (#19592)
    • providers/saml: move sp acs binding down in form (#20039)
    • providers/saml: update metadata parser for single logout and encryption certificate (#20031)
    • providers/scim: add configuration warning for migration (#19859)
    • providers/scim: fix email validation mismatch (#19848)
    • providers/scim: import SCIM groups (#19846)
    • providers/scim: modify user- and group syncing behavior (#13947)
    • rbac: Add show all to roles tab, add role tab to groups (#19097)
    • rbac: alter migrated direct permission roles (#18860)
    • rbac: clean up roles and permissions (#19588)
    • recovery: consume token in transaction (#19967)
    • root: Python 3.14 (#17313)
    • security: CVE-2026-25227 (#20230)
    • security: CVE-2026-25748 (#20231)
    • security: CVE-2026-25922 (#20232)
    • sources/kerberos: update to new python-kadmin-rs (#19491)
    • sources/oauth: add fallback for id_token when profile URL is not available (#19311)
    • sources/oauth: Fix an issue where wechat may crash during login. (#18973)
    • sources/oauth: Fix InvalidAudienceError in id_token fallback (#20096)
    • sources/saml: Add testcases for PR #19593 (#19647)
    • sources/saml: Fix signature verification order to accommodate encrypted assertions (#19593)
    • sources/saml: prevent authnrequest signature being inside body on redirect (#19898)
    • sources/saml: properly catch InvalidSignature exception (#19641)
    • sources/saml: Set AuthnRequest ProtocolBinding to HTTP-POST instead of HTTP-Redirect (#17378)
    • sources/saml: truncate transient username longer than 150 chars (#19930)
    • sources/saml: update handling statusmessage (#19739)
    • stages: remove more global state (#18641)
    • stages/authenticator_*: fix code input field not string (#18875)
    • stages/authenticator_static: set max token length to 100 chars (#19162)
    • stages/authenticator_validate: decrease reputation on failed MFA attempt (#19378)
    • stages/authenticator_webauthn: fix double JSON encoding of webauthn options (#19952)
    • stages/identification: replace sleep with make_password (#18883)
    • stages/password: replace session-based retries with reputation (#18643)
    • stages/prompt: optimize API endpoints (#19251)
    • tasks: add queued tasks metrics (#20118)
    • tasks/middleware: close connections on worker status update database error (#18881)
    • tasks/middlewares: call monitoring_set upon metrics request (#20117)
    • web: add "Copy Secret" button to TOTP configuration stage (#19863)
    • web: add custom message with links for empty data export list (#18830)
    • web: Allow unused spread properties to strict unsafe. (#20084)
    • web: Capitalize language display names, code owner fix (#19119)
    • web: Captcha Refinements, Part 2 (#19757)
    • web: Defer table refresh, visibility checks. (#19194)
    • web: disable user settings fields when changes are not allowed (#19132)
    • web: display custom attributes on admin view pages (#19720)
    • web: enforce challenge nullish types. (#19768)
    • web: fix Brand CSS not applied to nested Shadow DOM components (#19892)
    • web: Fix development theme overrides (#19826)
    • web: fix file search input not resetting results properly (#19034)
    • web: fix file upload form (#18808)
    • web: Fix flow inspector advancement event. (#19309)
    • web: Fix Impersonation, Lit Reactive Controller Contexts (#19114)
    • web: Fix locale selector in compatibility mode. (#19946)
    • web: fix notification counter (#18781)
    • web: fix Open button selecting row instead of navigating (#18992)
    • web: fix promoted source button hover losing blue color (#19048)
    • web: fix slug auto-updating when editing existing applications (#19169)
    • web: Fix stale flow background (#19015)
    • web: Fix Storybook package resolution with npm link (#19016)
    • web: Fix user library colors, modal z-indexes, table progress bars (#19152)
    • web: Flow info, localization, back button. (#19234)
    • web: Form Modal Independence: Part 1 (#19395)
    • web: Images styles, theming (#19233)
    • web: Lit Development Mode, performance fixes. (#19825)
    • web: Locale selector UI fixes (#18972)
    • web: Merge branch -- Stale notifications, synchronized context objects, rendering fixes (#19141)
    • web: re-update package-lock.json to include missing tree-sitter references
    • web: Reduce Sentry Development Errors (#19504)
    • web: refactor TOTP clipboard handlers and secret parsing (#19953)
    • web: revert package-lock.json by tag workflow (#20349)
    • web: Session UI Config Lifecycle (#19788)
    • web: Token Form Fixes (#19121)
    • web: UI Locale Fixes (#19235)
    • web: update @goauthentik/api (#19542)
    • web: Vendor SFE Bootstrap (#19766)
    • web: Z-Index Fixes, Mobile Sidebar Behavior. (#19460)
    • web/a11y: CAPTCHA Stage Form (#19670)
    • web/a11y: Locale selector select styles, contrast. (#19634)
    • web/admin: add banner to flow import form (#19288)
    • web/admin: add UI copy to RBAC modal (#18917)
    • web/admin: adjust sync threshold, add tooltip (#19131)
    • web/admin: always retrieve selected provider when editing the application (#19341)
    • web/admin: endpoint: change wording and add helper text (#18871)
    • web/admin: fix brand form sending "undefined" string for blank default application (#19658)
    • web/admin: fix button alignment on user view page (#19079)
    • web/admin: fix captcha stage provider selector not showing saved value (#19555)
    • web/admin: fix dark theme on map (#18985)
    • web/admin: fix default binding order (#19943)
    • web/admin: fix endpoints user binding (#18935)
    • web/admin: fix file upload not preserving extension for custom names with dots (#19548)
    • web/admin: Fix haveibeenpwned link in PasswordPolicyForm (#18984)
    • web/admin: fix impersonation form requesting data without being opened (#19673)
    • web/admin: fix read-only provider selection for application form (#18768)
    • web/admin: fix rendering for configuration_warning event (#20050)
    • web/admin: fix switches (#19493)
    • web/admin: fix toggle-group for bindings now showing up (#19820)
    • web/admin: Pluralize Certificate-Key Pair deletion confirmation (#19389)
    • web/admin: prevent file upload attempt when backend not managed (#18646)
    • web/admin: Register stage elements. Fix linter warnings (#19948)
    • web/admin: reword some things on the device view page (#18785)
    • web/admin: source forms not rendering (#19887)
    • web/admin: use consistent icon for inactive user status (#19032)
    • web/admin/rbac: misc object permission fixes (#18859)
    • web/common: add dev middleware to show warnings for consecutive identical requests (#19671)
    • web/elements: hidden secrets not propagating (#19029)
    • web/elements: progress-bar and table loading header (#18934)
    • web/elements: reduce spacing between collapsible form groups (#19627)
    • web/elements: remove pfbase everywhere (#19623)
    • web/elements: stabilize dual-select status height (#19734)
    • web/flow: Fix spurious double submit on ak-stage-autosubmit (#18727)
    • web/flows: revisit agent stage fallback delay (#20028)
    • web/flows: update flow background (#19974)
    • web/flows: update icon and text for device classes (#19648)
    • web/forms: fix forms not resetting state when modal closes (#19562)
    • web/forms: fix invalid date error for empty datetime-local inputs (#19561)
    • web/i18n: Fix Japanese and Korean font overrides. (#19994)
    • web/sfe: bug: polyfill needed to supply Object.assign() to IE11. (#20126)
    • web/sfe: downgrade bootstrap, add access denied test (#19763)
    • web/startup: deprecated theme names break theming (#19431)
    • web/table: align row action icons and tooltip color (#19736)
    • web/user: fix consent delete form missing details (#19147)
    • web/user: fix Firefox for Android infinite render loop in user library (#19379)

    Fixed in 2026.2.1

    • core: fix get_provider returning base Provider instead of subclass (cherry-pick #19064 to version-2026.2) (#20670)
    • crypto: fix kid legacy signal (cherry-pick #20627 to version-2026.2) (#20628)
    • enterprise/wsfed: Fix metadata export and signing logic (cherry-pick #20643 to version-2026.2) (#20649)
    • internal: make http timeouts configurable (cherry-pick #20472 to version-2026.2) (#20567)
    • outpost/proxyv2: prevent panic in handleSignOut (cherry-pick #20097 to version-2026.2) (#20689)
    • packages/django-channels-postgres: eagerly delete messages (cherry-pick #20687 to version-2026.2) (#20688)
    • packages/django-dramatiq-postgres: fix worker startup on macos (cherry-pick #20637 to version-2026.2) (#20641)
    • packages/django-dramatiq-postgres: use fork (cherry-pick #20606 to version-2026.2) (#20608)
    • providers/proxy: move search path to query instead of runtime parameter (cherry-pick #20662 to version-2026.2) (#20693)
    • sources/ldap: add connection logging & downgrade message (cherry-pick #20519 to version-2026.2) (#20636)
    • web: fix identification stage styling in compatibility mode (cherry-pick #20684 to version-2026.2) (#20694)
    • web/flows: fix source icons being always inverted (cherry-pick #20419 to version-2026.2) (#20607)

    Fixed in 2026.2.2

    • core: expiring model: ignore DoesNotExist error (cherry-pick #20922 to version-2026.2) (#20925)
    • core: fix provider not nullable (cherry-pick #21275 to version-2026.2) (#21282)
    • endpoints: prevent selection of incompatible connector (cherry-pick #20806 to version-2026.2) (#20807)
    • endpoints/connectors: fix enabled flag not respected (cherry-pick #21144 to version-2026.2) (#21145)
    • enterprise/endpoints/connectors/agent: add login_hint support for interactive auth (cherry-pick #20647 to version-2026.2) (#21047)
    • events: avoid implicitly setting context from login_failed event (cherry-pick #21045 to version-2026.2) (#21050)
    • events: prevent exception when events contains incompatible unicode (cherry-pick #21048 to version-2026.2) (#21053)
    • flows: continuous login debug (cherry-pick #21044 to version-2026.2) (#21090)
    • internal: fix certificate fallback without SNI (cherry-pick #21417 to version-2026.2) (#21419)
    • outposts: only dispatch logout task if any outpost exists (cherry-pick #20920 to version-2026.2) (#20949)
    • packages/django-channels-postgres: provide sync API for group_send (cherry-pick #20740 to version-2026.2) (#20741)
    • packages/django-dramatiq-postgres: scheduler: only dispatch tasks if they're not running yet (cherry-pick #20921 to version-2026.2) (#20950)
    • providers/ldap: inherit adjustable page size for LDAP searchers (cherry-pick #21377 to version-2026.2) (#21384)
    • providers/oauth2: decode percent-encoded basic auth (cherry-pick #20779 to version-2026.2) (#20781)
    • providers/proxy: Add a default maxResponseBodySize to Traefik Middleware (cherry-pick #21111 to version-2026.2) (#21140)
    • providers/proxy: remove redundant logout event (cherry-pick #20860 to version-2026.2) (#20866)
    • providers/saml: Fix redirect for saml slo (cherry-pick #21258 to version-2026.2) (#21284)
    • providers/scim: fix out-of-scope users and groups not being deleted from destination application (cherry-pick #20742 to version-2026.2) (#20780)
    • providers/ldap: avoid concurrent header writes in API Client (cherry-pick #21223 to version-2026.2) (#21228)

    Fixed in 2026.2.3

    • blueprints: fix reconcile calling @property (cherry-pick #21576 to version-2026.2) (#21616)
    • core: bump django from v5.2.12 to 5.2.13 (cherry-pick #21520 to version-2026.2) (#21526)
    • core: fix policy binding objects not being nullable (cherry-pick #21421 to version-2026.2) (#21481)
    • core: fix search for app entitlements failing (cherry-pick #21944 to version-2026.2) (#21988)
    • endpoints: fix tasks failing (cherry-pick #20904 to version-2026.2) (#21538)
    • events: fix destination_group_obj not being nullable (cherry-pick #22161 to version-2026.2) (#22165)
    • security: CVE-2026-40165 (#22282)
    • security: CVE-2026-40166 (#22283)
    • security: CVE-2026-40172 (#22284)
    • security: CVE-2026-41569 (#22285)
    • security: CVE-2026-41577 (#22286)
    • security: CVE-2026-42849 (#22287)
    • internal: Automated internal backport: GHSA-5wcc-hf24-rf5h.sec.patch to authentik-2026.2 (#22288)
    • internal: Automated internal backport: GHSA-973w-j457-rp2m.sec.patch to authentik-2026.2 (#22289)
    • internal: fix lint (#22263)
    • lib/sync/outgoing: avoid expensive query to get number of sync pages (cherry-pick #21575 to version-2026.2) (#21581)
    • packages/django-dramatiq-postgres: reset db connections in raise_connection_error (cherry-pick #21577 to version-2026.2) (#21599)
    • packages/django-dramatiq-postgres/broker: avoid task processing stopping on decode error (cherry-pick #22110 to version-2026.2) (#22127)
    • providers/oauth2: allow cross provider token introspection for federated providers (cherry-pick #21513 to version-2026.2) (#21748)
    • providers/oauth2: clip device authorization scope against the provider's ScopeMapping set (cherry-pick #21701 to version-2026.2) (#21799)
    • providers/oauth2: don't auto-set redirect_uri (cherry-pick #21746 to version-2026.2) (#21750)
    • providers/oauth2: fix time logic in refresh_token_threshold (cherry-pick #21537 to version-2026.2) (#21598)
    • providers/radius: fix message authenticator validation (cherry-pick #21824 to version-2026.2) (#21828)
    • rbac: ensure migration 0056 runs before 0010 removes group field (cherry-pick #21964 to version-2026.2) (#22033)
    • release: 2026.2.3-rc1
    • root: update django to 5.2.14 (cherry-pick #22064 to version-2026.2) (#22066)
    • tenants/settings: present unset flags as False (cherry-pick #22162 to version-2026.2) (#22164)
    • web: Fix duplicate Turnstile widgets after extended idle (cherry-pick #21380 to version-2026.2) (#21473)
    • web/flows: prevent leader tab deadlock in continuous login flow (cherry-pick #21583 to version-2026.2) (#21627)
    • web/packages: Rework SFE rendering (cherry-pick #21833 to version-2026.2) (#21850)

    API Changes

    authentik (v2026.2.0)

    API changes broke backward compatibility

  • May 2026
    • No date parsed from source.
    • First seen by Releasebot:
      May 20, 2026

    authentik

    Release 2025.12

    authentik ships a major 2025.12 release with Endpoint Devices, CSV data exports, role-based access control changes, and passkey autofill in the browser. It also adds file management, mobile and localization improvements, and a wider set of integration guides.

    Highlights

    • Endpoint Devices (Enterprise Preview): Endpoint Devices is a new feature set for Windows, macOS, and Linux devices that enables SSH authentication, local device login, and more, all with authentik credentials. See the Endpoint Devices docs for more details.
    • CSV Data Exports (Enterprise): Now you can export user and event data in CSV format for backup or analysis purposes.
    • RBAC Permissions: Permissions are now granted exclusively via roles, and permission inheritance and basic object permissions have been enhanced.
    • Passkey Autofill (WebAuthn Conditional UI): Passkeys now appear in the browser's autofill dropdown alongside saved passwords, enabling seamless passwordless login when focusing on input fields.

    Breaking changes

    RBAC

    As a first step to overhaul authentik's access control system, much of how groups and roles work internally is altered in this release. We recommend you check any custom code (e.g. expression policies, property mappings) that deals with group/role memberships or access control.

    Group name uniqueness

    WARNING

    Make sure your group names are unique before starting the upgrade.

    From 2024.6, authentik enforced group name uniqueness through the API. However, groups created earlier or groups created by non-API mechanisms (e.g. a sync from a Source) may have left groups with duplicate names in your system. With 2025.12, group name uniqueness is now enforced at the database level.

    We played with automatically renaming duplicates, but ultimately found it too confusing for admins. Instead, we made the migration fail loudly in case offending groups exist and now require manual renaming.
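    One way to run that pre-upgrade check before starting the migration, as an added example that is not authentik's own code: it lists every group name used more than once, either from a constructed sample or, when a base URL and API token are passed on the command line, from a live instance. The /api/v3/core/groups/ path, the page query parameter and the pagination shape are assumptions; the sample groups are constructed.

```python
"""Pre-upgrade check for the 2025.12 group-name uniqueness constraint.

Added example, not part of authentik. Assumptions (not taken from the
release notes): the groups endpoint is /api/v3/core/groups/, it accepts
?page=N&page_size=N, and it responds with
{"pagination": {"next": N}, "results": [...]} where next is 0 on the
last page.
"""
import json
import sys
from collections import defaultdict
from urllib.request import Request, urlopen


def find_duplicate_group_names(groups):
    """Return {name: [pk, ...]} for every name shared by more than one group.

    `groups` is any iterable of dicts carrying at least "name" and "pk",
    i.e. the fields of a results entry from the groups API.
    """
    by_name = defaultdict(list)
    for group in groups:
        by_name[group["name"]].append(group["pk"])
    return {name: pks for name, pks in by_name.items() if len(pks) > 1}


def fetch_all_groups(base_url, token):
    """Page through the groups API and yield each group dict (assumed shape)."""
    page = 1
    while page:
        url = f"{base_url.rstrip('/')}/api/v3/core/groups/?page={page}&page_size=100"
        req = Request(
            url,
            headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        )
        with urlopen(req) as resp:
            body = json.load(resp)
        yield from body["results"]
        # Assumption: "next" is the next page number, or 0 when there is none.
        page = body["pagination"].get("next") or 0


# Constructed sample mimicking the relevant fields of API results: two groups
# share the name "developers", which would make the 2025.12 migration fail.
SAMPLE_GROUPS = [
    {"pk": "1111", "name": "admins"},
    {"pk": "2222", "name": "developers"},
    {"pk": "3333", "name": "developers"},
    {"pk": "4444", "name": "auditors"},
]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        groups = list(fetch_all_groups(sys.argv[1], sys.argv[2]))
    else:
        groups = SAMPLE_GROUPS
    duplicates = find_duplicate_group_names(groups)
    for name, pks in sorted(duplicates.items()):
        print(f"{name!r} is used by {len(pks)} groups: {', '.join(pks)}")
    # Non-zero exit lets a pre-upgrade script stop before the migration runs.
    sys.exit(1 if duplicates else 0)
```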

    Permission inheritance

    Groups already inherit is_superuser from their ancestor groups. With 2025.12, groups will also inherit all permissions from their ancestor groups.

    Group hierarchy

    Groups can now have multiple parent groups. Specifically, the Group.parent field (which was a ForeignKey) is now migrated to Group.parents (which is a ManyToManyField).

    User permissions

    All permissions now must be attached to a role. The direct relationships between the User and Permission models still exist (User.user_permissions and User.userobjectpermission_set), but they are not used and will be removed in a future release.

    Storage improvements

    File storage has been reworked to unify media file configuration (icons, branding options), and allow future uses of file storage including CSV Data Exports.

    Files stored by authentik are now served from the /files prefix, and not from /media anymore. Any custom reverse proxy configuration handling those paths will need to be updated.

    Storage mount changes

    If local storage is used, authentik now expects a mount at /data for file storage. The existing /media mount must be moved to /data/media.

    For Docker Compose users, the migration is as follows:

    # Shut down authentik
    docker compose down
    # Create the new storage folder
    mkdir -p ./data
    # Move the old media storage to the new location
    mv ./media ./data/media
    # Download the new Docker Compose with the updated paths and start authentik. See below for details.
    

    Storage configuration changes

    New storage configuration options are available. See the storage settings reference for details.

    New features and improvements

    Endpoint devices

    Endpoint Devices are end-user devices or servers that are integrated with authentik.

    Devices can be integrated by installing the authentik Agent which supports:

    • Local device login with authentik credentials
    • Connecting via SSH to Endpoint Devices with authentik credentials
    • Authenticating to CLI applications such as kubectl and AWS with authentik credentials

    Connectors allow authentik to fetch device information which enables Device Compliance functionality in authentik flows and policies. For example, you can limit authentication to devices running a specific OS or OS version.

    Currently, only the authentik Agent connector is supported. Connectors to fetch information from third-party tools like Fleet, Cloudflare WARP, and Microsoft Intune are in development.

    CSV Data Exports

    authentik now allows you to export user and event data in CSV format for backup or analysis purposes. The exported content matches that returned by the API endpoints for the respective object types. You can access past data exports from System Management > Data Exports, where you can view the query used for each export, search by data type and user, download completed exports, and delete exports you no longer need.

    See Data Exports documentation for more details.

    Passkey Autofill (WebAuthn Conditional UI)

    WebAuthn Conditional UI allows passkeys to appear directly in the browser's autofill dropdown alongside saved passwords. When a user focuses on a login input field, their registered passkeys are presented as autofill options, enabling a seamless passwordless authentication experience without requiring users to explicitly select a passkey option first.

    This feature improves the discoverability of passkeys and reduces friction for users who have registered WebAuthn credentials, making passwordless login as intuitive as traditional password autofill.

    See the Passkey Autofill documentation for more details.

    RBAC Permissions

    authentik's access control is now completely role-based. The 2025.12 release also adds support for multiple parent groups, permissions inherited from ancestor groups, assignment of one or more roles to a single group, and enforcement of unique group names. Additionally, object permissions are auto-assigned to the object's creator via managed roles, to ensure CRUD rights.

    If you currently have user permissions defined, they will be migrated to the role named ak-migrated-role--user-{user_id}.

    Files

    authentik now provides a centralized file management system for storing and organizing image files used throughout the platform. This includes application icons, source icons, and branding assets such as logos, favicons, and flow background images. Files can be uploaded and managed from Customization > Files in the Admin interface. By default, files are stored on disk, but S3 storage can also be configured.

    See Files documentation for more details.

    UI improvements on mobile and tablet devices

    Flows now work better on smaller screens, including fixes for scrollbars on mobile and tablet devices, smarter login card shadows, and better form label alignment. If you use custom styles, you may need to revise them.

    Localization improvements

    A locale selector is now available on the login screen, allowing users to choose their preferred language before authenticating. The selected locale persists for the browser session, and after authentication, user attributes take priority over the session preference if configured. We've also improved locale detection and updated our locale management to make future translations easier.

    Promoted source

    Sources can now be promoted to display as primary buttons on the login page instead of small icons. This allows administrators to emphasize preferred social login providers (such as Google, GitHub, or Discord) by giving them more visual prominence in the authentication flow, making it easier for users to identify and select their preferred login method.

    Glossary

    We have replaced our too-short Terminology page with a richer Glossary, with terms that are searchable by tags or first letter.

    New integration guides

    An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added. A big thanks to the contributors of many of these new guides.

    • Audiobookshelf (Thanks to @0skater0!)
    • Amazon Business (Thanks to @nicedevil007!)
    • ChatGPT (Thanks to @nicedevil007!)
    • ezBookkeeping (Thanks to @mayswind!)
    • FortiMail (Thanks to @nicedevil007!)
    • GLPI (Thanks to @lameslime!)
    • Hoop.dev (Thanks to @shcherbak!)
    • Jellyseer (Thanks to @gabay!)
    • Joplin (Thanks to @tetragir!)
    • Keycloak
    • KitchenOwl (Thanks to @l0f3n!)
    • KnowBe4 (Thanks to @nicedevil007!)
    • macmon NAC (Thanks to @nicedevil007!)
    • Microsoft365 (Thanks to @nicedevil007!)
    • Placetel (Thanks to @TimoReusch!)
    • Pulse (Thanks to @0skater0!)
    • Salesforce
    • SeaTable (Thanks to @christophdb!)
    • Wallos (Thanks to @0skater0!)

    Upgrading

    This release does not introduce any new requirements, but be sure to read about any breaking changes. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.

    WARNING

    When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance.

    Docker Compose

    To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

    wget -O docker-compose.yml https://goauthentik.io/version/2025.12/docker-compose.yml
    docker compose up -d
    

    The -O flag saves the download as docker-compose.yml, overwriting any existing local file with the same name.

    Kubernetes

    Upgrade the Helm Chart to the new version, using the following commands:

    helm repo update
    helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.12
    

    Minor changes/fixes

    • *: convert slugfields to textfields (#17411)
    • admin/files: add check for /media existence (#18636)
    • admin/files: cache expensive generated URLs (#18784)
    • admin/files: delete applications cache on migration (#18565)
    • api: add decorator to validate serializer in @action endpoints (#17435)
    • api: allow configuring default page_size and max_page_size (#18165)
    • api: fix IPC auth (#18612)
    • api: test action decorator (#18583)
    • blueprints: remove pk from recovery example (#18712)
    • brands: add more matching tests (#16185)
    • brands: sort matched brand by match length (#17920)
    • cmd/server/healthcheck: remove worker HTTP healthcheck (#18090)
    • core, web: unified locales (#18502)
    • core/sessions: remove django groups prefetch (#18704)
    • core: Add example invitation blueprint (#17661)
    • core: add digraph group hierarchy (#17050)
    • core: custom avatar url improvements (#10525)
    • core: deduplicate user attribute constant definitions (#18138)
    • core: improve app launch URL formatting (#18076)
    • core: optimize list applications (#18330)
    • core: propagate ModuleNotFoundError in import_relative (#18683)
    • crypto: only generate managed keypair if non-existent (#18457)
    • crypto: separate permissions for certificate and private key download (#18588)
    • crypto: update certificate api and component (#17921)
    • crypto: update certificates on fs event (#18129)
    • endpoints/stage: v2, better error handling, more settings (#18545)
    • endpoints/stage: v2.1, fix asymmetric token exchange and missing form input (#18547)
    • endpoints: AuthN and AuthZ (#18350)
    • endpoints: fix UI bugs, add user binding, etc (#18609)
    • endpoints: fix device access group missing from blueprint (#18703)
    • endpoints: implement endpoint stage (#18468)
    • endpoints: include device ID in agent config (#18414)
    • endpoints: initial data structure + agent (#11499)
    • endpoints: rework perms (#18422)
    • enterprise/endpoints/connectors/agent: fix Apple JWE encryption when FIPS is enabled (#18464)
    • enterprise/providers/scim: fix OAuth (#18358)
    • enterprise/reports: add users and events export (#18088)
    • enterprise/stages/mtls: fix traefik certificate parsing (#18607)
    • enterprise: Apple Platform SSO (#15318)
    • enterprise: add prometheus metrics for license usage and expiry (#17606)
    • enterprise: handle cached naive timezone (#17695)
    • events: fix timezone not set for log events (#18067)
    • files: rework (#17535)
    • flows: keep ?next url when using cancel (#18619)
    • flows: refresh unauthenticated tabs (#18621)
    • flows: remove SESSION_KEY_APPLICATION_PRE (#18388)
    • internal/web/proxy: fix return status code during startup (#17827)
    • internal: Automated internal backport: 1487-invitation-expiry.sec.patch to authentik-2025.10 (#18258)
    • internal: Automated internal backport: 1487-invitation-expiry.sec.patch to authentik-main (#18264)
    • internal: Automated internal backport: 1498-oauth2-cc-user-active.sec.patch to authentik-2025.10 (#18259)
    • internal: Automated internal backport: 1498-oauth2-cc-user-active.sec.patch to authentik-main (#18265)
    • internal: Automated internal backport: 5000-sidebar.sec.patch to authentik-2025.10 (#18260)
    • internal: Automated internal backport: 5000-sidebar.sec.patch to authentik-main (#18266)
    • internal: add default go http server timeouts (#17858)
    • internal: fix go deprecation for +build (#17806)
    • internal: full openssl path (#17856)
    • lib/sync/outgoing: check if there is a provider before creating tasks (#18394)
    • lib/sync/outgoing: store sync settings in database (#17630)
    • lib: add ak_create_jwt_raw (#18676)
    • lib: do not strip and re-add curly braces from raw JSON config (#13769)
    • lifecycle/migrate: remove tenant_files migration (#18729)
    • lifecycle: set search_path in system migrations (#17721)
    • outpost/proxyv2: more tests, fix pg password with spaces, and existing session on restart (#18211)
    • outpost: revert breaking signals change (#17847)
    • outposts: set container healthcheck inline (#18298)
    • outposts: update permissions more eagerly (#17783)
    • packages/django-channels-postgres/layer: fix query when subscribed to multiple channels (#18152)
    • packages/django-channels-postgres: fix notify size check (#18347)
    • packages/django-dramatiq-postgres: broker: ensure locking happens with the same connection (#18095)
    • packages/django-postgres-cache: use upsert instead of select/update in a transaction (#17760)
    • policies: use flow planner directly in PolicyAccessView to directly set flow context (#18372)
    • provider/saml: make signing kp singleton (#17703)
    • providers/oauth2: fix kid always required for federation (#17914)
    • providers/oauth2: move encryption key field (#17722)
    • providers/oauth2: optimize JWKS endpoint queries (#18405)
    • providers/proxy: add gorm logging (#17758)
    • providers/proxy: drop headers with underscores (#17650)
    • providers/proxy: fix missing JWT/claims header (#17759)
    • providers/radius: fix inverted message authenticator validation (#17855)
    • providers/radius: fix panic when no cert is configured (#17762)
    • providers/radius: revert fix inverted message authenticator validation (#17855) (#17915)
    • providers/saml: fix front-end saml binding defaults (#18189)
    • providers/saml: move sp binding location and default value (#17609)
    • providers/scim: allow custom schema data (#18073)
    • providers/scim: cache ServiceProviderConfig (#18047)
    • providers/scim: compare users/groups before sending update request (#18456)
    • providers/scim: fix PATCH for AWS (#18230)
    • root: Add Dockerfile label org.opencontainers.image.source (#17756)
    • root: fix missing authentik_device cookie causing error (#18642)
    • root: skip current tab when refreshing others (#18674)
    • root: use hashes for dockerfile FROM (#17795)
    • sources/ldap: make server info optional (#18648)
    • sources/oauth: Make PKCE verifier 128 characters (#17763)
    • sources/oauth: add WeChat type (#18086)
    • sources/oauth: save returned oauth refresh tokens and add slack provider (#18501)
    • sources/sync: configuration for outgoing sync trigger mode (#17669)
    • sources/telegram: implement connecting existing user to a Telegram account (#18517)
    • stages/captcha: Make stage more managed with provider-specific defaults (#16129)
    • stages/captcha: allow dynamic public/private key (#18346)
    • stages/identification: Add WebAuthn conditional UI (passkey autofill) support (#18377)
    • stages/mtls: always include cert in flow plan (#18657)
    • stages/prompt: fix choices with labels causing error on submit (#18183)
    • stages/prompt: set allow_blank for _read_only fields (#18297)
    • stages/user_write: Fix user attributes are not sanitized under certain conditions (#17890)

    Fixed in 2025.12.1

    • outposts/ldap: fix build by @BeryJu in #19403
    • web/startup: deprecated theme names break theming (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19433
    • ci: fix checkout stable (for 2025.12) (#19448) by @BeryJu
    • providers/oauth2: allow property mappings to override scope claim in access tokens (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19480
    • core: bump aiohttp from 3.13.2 to v3.13.3 (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19484
    • endpoints/connectors/agent: Skip Endpoint stage on device IA & fix confusing identification subtext (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19486
    • website/docs: limiting permissions of AD service account (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19489
    • endpoints/connectors/agent: add tests for IA endpoint stage (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19490
    • web: Z-Index Fixes, Mobile Sidebar Behavior. (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19492
    • web/admin: fix switches (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19496

    Fixed in 2025.12.2

    • sources/kerberos: update to new python-kadmin-rs (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19523
    • tests/e2e: Add delay and serialized rollback to saml e2e test (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19532
    • admin/files: fix manageable check blocking file creation on fresh installs (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19553
    • admin/files: fix duplicate bucket name in presigned URLs with custom domain (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19575
    • core: Update supported versions in SECURITY.md (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19578
    • web: update @goauthentik/api (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19589
    • web/forms: fix invalid date error for empty datetime-local inputs (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19582
    • endpoints: fix endpoints stage marked as enterprise (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19610
    • policies: fix Providers authentication_flow not used when set (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19615
    • providers/saml: fix structure of encrypted saml assertion (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19613
    • providers/saml: allow encryption certificates without private keys (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19612
    • sources/saml: Fix signature verification order to accommodate encrypted assertions (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19614
    • tests: improve e2e/integration test reliability (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19611
    • lib/sync/outgoing: handle deletions even if object does not exist in database (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19617
    • web/user: fix Firefox for Android infinite render loop in user library (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19626
    • web/maintenance: fix missing custom web component imports (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19636
    • web/a11y: Locale selector select styles, contrast. (cherry-pick to version-2025.12) by @authentik-automation [bot] in #19651
    • web/admin: fix scim provider form (cherry-pick to version-2025.10) (#17831)
    • web/admin: fix scim provider form (cherry-pick to version-2025.12) (#17834)
    • web/admin: fix typo in PolicyAccessView (#18789)
    • web/admin: fix wording in password stage (#18393)
    • web/admin: fixes capitalization in application wizard title (#17959)
    • web/admin: link to user on invitation list page (#18132)
    • web/admin: link to user on invitation list page (cherry-pick to version-2025.10) (#18134)
    • web/admin: make empty table message configurable (#18763)
    • web/admin: update stage descriptions (#18118)
    • web/elements: update AppIcon story with files change (#18608)
    • web/flows: improvements for hCaptcha (#16882)
    • web/flows: improvements for hCaptcha (cherry-pick to version-2025.10) (#18128)
    • web/flows: update default background image (#18540)
    • web/i18n: Clean up locale scripts (#18163)
    • web/i18n: Japanese Locale(日本語ロケール) (#17938)
    • web/i18n: Locale Context Merge Branch (#18426)
    • web/i18n: Locale message fixes (#17913)
    • web/i18n: Remove English Locale (#18164)
    • web/integrations: add information for slo supported integrations (#17836)
    • web/integrations: add slo supported integrations (#17810)
    • web/sfe: downgrade bootstrap that was accidentally upgraded (#18157)
    • web/sfe: downgrade bootstrap that was accidentally upgraded (cherry-pick to version-2025.10) (#18171)
    • web/sources: Add promoted source (#18334)
    • web: 2025.12 UI tidy (#18650)
    • web: Abstract Wizard Lifecycle (#17658)
    • web: Adjust colors (#18427)
    • web: Codemirror fixes (#18610)

    API changes broke backward compatibility

  • May 2026
    • No date parsed from source.
    • First seen by Releasebot:
      May 20, 2026

    authentik

    Release 2025.10

    authentik adds Single Logout for SAML and OAuth2, brings Telegram social login, and expands enterprise authentication with SCIM OAuth and RADIUS EAP-TLS support. It also removes Redis, improves mobile and HiDPI flows, and updates OAuth claims and integrations.

    Highlights

    • SAML and OAuth2 provider Single Logout support: This release adds support for back-channel and front-channel SLO for SAML and front-channel for OAuth2/OIDC.
    • Removed Redis dependency: authentik no longer uses Redis at all.
    • Telegram source: Telegram can now be used for social login.
    • SCIM provider OAuth support: Enterprise SCIM providers can use OAuth providers to authenticate to SCIM endpoints.
    • RADIUS EAP-TLS Support: Enterprise The RADIUS provider now supports EAP-TLS, which can be used to authenticate WiFi clients.

    Breaking changes

    Redis removal

    In previous versions, authentik used Redis for caching, tasks, the embedded proxy outpost's session store, and WebSocket connections. Since 2025.8, tasks were migrated to use Postgres. With this release we've also migrated caching, the embedded outpost, and WebSocket to Postgres, fully removing the need for Redis.

    As a result of this change, it is expected that authentik will use roughly 50% more database connections to Postgres. Redis-related settings have also been removed and can be deleted from your configuration.

    If your Postgres instance requires a TLS connection, authentik now requires TLS 1.3 or the Extended Master Secret extension to connect to Postgres.

    Default OAuth scope mappings

    In previous releases, the default scope mappings set the email_verified claim to true. Because authentik has no single source of truth for whether a user's email address has been verified, and asserting verification that never happened could have security implications, this claim now defaults to false.

    Some applications may require this claim to be true to successfully authenticate users, in which case you can create a custom email scope mapping that returns email_verified as true.

    For more information, refer to the Email scope verification documentation.

    New features and improvements

    SCIM provider OAuth support

    SCIM providers can now use OAuth sources to authenticate to SCIM endpoints. This requires support in the remote system for OAuth authentication. Using an OAuth source provides improved security due to not requiring long-lived static tokens.

    This is supported by applications such as Slack and Salesforce.

    See SCIM Provider documentation for more details.

    RADIUS EAP-TLS support

    The RADIUS outpost now supports EAP-TLS, which allows clients to authenticate with certificates in combination with the Mutual TLS stage.

    See RADIUS Provider documentation.

    SAML and OAuth2 provider Single Logout support

    In 2025.8 we've introduced support for back-channel logout in the OAuth2 Provider. This release adds support for front-channel logout in the OAuth2 Provider and both back- and front-channel logout support in the SAML Provider.

    See OAuth2 Provider documentation and SAML Provider documentation.

    Telegram source

    Being one of the most upvoted GitHub issues, we've finally done it. Telegram can now be used as a federated identity provider in authentik. This allows users to authenticate with their Telegram credentials.

    See Telegram Source documentation.

    Refined flow and user library

    The flow interface now fits better on mobile devices and small viewports and looks sharper on HiDPI displays. There are also improvements to auto-completion during credential input (thanks to @cjoshmartin!). The user library scales better and makes better use of space with a higher density.

    Additional noteworthy improvements

    • Credential provider: Alpha releases of desktop integrations are now available for testing; reach out to [email protected] if you are interested in providing early feedback for any of these:
      • Windows: a custom credential provider allowing custom authentication flows.
      • macOS: a Platform SSO integration allowing seamless authentication.
      • Linux: accessing Linux servers via an authentik identity.
    • Add ak_send_email: Allow for easier sending of emails in expressions; see ak_send_email.
    • Change recovery token duration: When using ak create_recovery_key, the duration is now set in minutes instead of years.
    • Add OIDC ui_locales support: The OAuth2 provider now accepts ui_locales to set the locale of authentik.
    • Add support for separate labels and values in prompt choice inputs, see Prompt stage documentation; thanks to @ErikAhlund!

    New integration guides

    An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added.

    • Cloudflare
    • Digital Ocean
    • Entra ID SCIM
    • osTicket
    • Terraform Cloud
    • Termix
    • Zendesk
    • Zoom
    • Zot

    Upgrading

    Following the upgrade instructions below will remove Redis from your installation. If you use authentik with an externally configured Redis, you can simply remove the Redis configuration from authentik; for more detailed information about upgrading authentik, refer to our Upgrade documentation.

    WARNING

    When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommend that you always upgrade any outposts at the same time you upgrade your authentik instance.

    Docker Compose

    To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

    wget -O docker-compose.yml https://goauthentik.io/version/2025.10/docker-compose.yml
    docker compose up -d --remove-orphans
    

    The -O flag writes the download to the given file name, overwriting any existing local file with the same name.

    The --remove-orphans flag removes the Redis container, as it is no longer needed.

    Kubernetes

    Upgrade the Helm Chart to the new version, using the following commands:

    helm repo update
    helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.10
    

    If you had persistence for Redis configured, you can delete the PVC and PV after the upgrade.

    Minor changes/fixes

    A large list of minor changes and fixes including bug fixes, optimizations, UI improvements, and security patches are included in this release. See the detailed changelog for specifics.

    Fixed in 2025.10.1

    Fixes including Go deprecation, openssl path, startup status code, outpost signals, permissions, and more.

    Fixed in 2025.10.2

    Fixes including brand matching tests, healthcheck removal, Django bump, app launch URL formatting, timezone fixes, and automated internal backports.

    Fixed in 2025.10.3

    Fixes including list applications, mtls certificate parsing, flow refresh, outpost proxy fixes, and various cherry-picked fixes.

    Fixed in 2025.10.4

    Fixes including Django bump, read replica routing, bad request handling, expired message deletion, TLS suite update, outpost session fixes, and security fixes.

    API Changes

    Several API changes related to providers (Google Workspace, Microsoft Entra, SCIM) including added properties sync_page_size (integer) and sync_page_timeout (string) to control synchronization behavior in tasks.

