website/docs/endpoint-devices/authentik-agent/index.mdx
import DocCardList from "@theme/DocCardList";
The authentik Agent is a service that can be installed on Linux, macOS, and Windows devices. It provides the following capabilities:
The authentik Agent consists of several components:
| Platform | Component | Description | Dependencies |
|---|---|---|---|
| Linux, macOS, Windows | authentik-cli | Provides CLI commands for interacting with authentik-agent. | authentik-agent |
| Linux, macOS, Windows | authentik-agent | Authentication within a users' context, for CLI tools. | authentik-sysd |
| Linux, macOS, Windows | authentik-sysd | Responsible for handling device-level authentication and compliance checks. | None |
| Linux only | libpam-authentik | PAM Module for token-based and interactive authentication via authentik. Used for SSH authentication and local device login. | authentik-sysd |
| Linux only | libnss-authentik | NSS Module that makes Linux aware of authentik users. All authentik users will be visible to Linux - but won't be able to login unless configured via device access groups. Provides a consistent uid and gid for users on all Endpoint Devices. | authentik-sysd |
| Windows only | Windows Credential Provider (WCP) | Enables logging in to Windows devices using authentik credentials. | authentik-sysd |
All authentik Agent components communicate via gRPC and Unix domain sockets/Windows named pipes.
Linux: /var/run/authentik/sys.sock and /var/run/authentik/sys-ctrl.sock
macOS: /var/run/authentik-sysd.sock and /var/run/authentik-sysd-ctrl.sock
Windows: \\.\pipe\authentik\sysd and \\.\pipe\authentik\sysd-ctrl
sys.sock/*sysd.sock for general communication*-ctrl.sock for domain joinSentry reporting is currently enabled by default and cannot be disabled. This will be configurable in a future release.
Please report issues and bugs via the authentik Platform GitHub repository.
For more information, refer to each of the topics below:
<DocCardList />