Release 2025.4

Highlights

• Improve membership resolution for the LDAP Source Allow lookups of LDAP group memberships from user attributes as an alternative to lookups from group attributes. This also allows for nested group lookups in Active Directory.

• RBAC: Initial Permissions :ak-preview Provides more flexible access control by assigning permissions to the user/role creating a new object in authentik. Use Initial Permissions as a pragmatic way to implement the principle of least privilege.

• Password History Policy :ak-enterprise A new policy (the Password Uniqueness policy) can be implemented to prevent users from reusing previous passwords; admins are able to configure how many previous password hashes the system will store and evaluate. This new policy makes it easier to enforce password reuse requirements, such as for FedRAMP compliance.

• Provider Sync Dry Run :ak-preview Add the option for dry-run syncs for SCIM, Google Workspace, and Microsoft Entra providers to preview the results of a sync without affecting live accounts.

Breaking changes

• Reputation score limit: The default values for the new upper and lower limits on Reputation score are -5 and 5. This could break custom policies that rely on the reputation scores decreasing or increasing beyond these limits. You can set your custom limits under System > Settings.

• Deprecated and frozen :latest container image tag after 2025.2

  Using the :latest tag with container images is not recommended as it can lead to unintentional updates and potentially broken setups.

  The tag will not be removed, however it will also not be updated past 2025.2.

  We strongly recommended the use of a specific version tag for authentik instances' container images, such as :2025.4.

• Helm chart dependencies update: Following Bitnami's changes to only publish latest version of containers, the Helm chart dependencies (PostgreSQL and Redis) will now be updated with each release.

For this release:

• The Redis chart will be upgraded to the latest version. As the image is not pinned, it will also get upgraded.
• The PostgreSQL chart will be upgraded to the latest version, but the image will remain pinned to 15.8.0-debian-12-r18.

For the next release:

• The Redis chart will be upgraded to the latest version again.
• The PostgreSQL chart will be upgraded to the latest version again, and the image will no longer be pinned, which will bring it to PostgreSQL major version 17. This will require following PostgreSQL major upgrade steps, for which we provide documentation.

For subsequent releases:

• The Redis chart will be upgraded to the latest version.
• The PostgreSQL chart will be upgraded to the latest version, with major upgrades being called out in authentik release notes.

We encourage users to pin their PostgreSQL image version.

Manual action might be required

Sessions are now stored in the database

Previously, sessions were stored by default in the cache. Now, they are stored in the database. This allows for numerous other performance improvements. On high traffic instances, requests to old instances after the upgrade has started will fail to authenticate.

New features

• Remember me: Users can now choose to skip entering their usernames after their first login on the same device. This feature is optional and admins can enable it in the Identification stage.

• RBAC: Initial Permissions

  In hardened authentik installations, it is possible for a user to have permission to create an object type, but not to view/change/delete(/etc) objects of that type. Previously, this could result in a user creating an object and then not having any access to that object. InitialPermissions is a mechanism to automatically add permissions to any object on creation. Refer to our documentation for more details.

• Reputation score limit

  Reputation scores now have a configurable numerical limit in addition to the already existing temporal limit.

• Password History Policy: See description under Highlights. Refer to our documentation.

• Improve membership resolution for the LDAP Source: See description under Highlights. Refer to our documentation.

• Provider Sync Dry Run: See description under Highlights.

• Gateway API support :ak-preview

  For Kubernetes users, authentik now supports the Gateway API. The Helm chart supports HTTPRoute. The Kubernetes outpost integrations supports creating HTTPRoute objects for Proxy providers. Refer to our documentation.

New integration guides

An integration is a how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added.

• Apple Business Manager
• FleetDM
• Gravity
• Homarr
• KnocKnoc
• Mautic
• Mailcow
• Mealie
• OpenProject
• Sidero Omni
• Tandoor
• Wazuh
• XCreds
• Zipline

Upgrading

This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our Upgrade documentation.

:::warning When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance. :::

Docker Compose

To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:

wget -O docker-compose.yml https://goauthentik.io/version/2025.4/docker-compose.yml
docker compose up -d

The -O flag retains the downloaded file's name, overwriting any existing local file with the same name.

Kubernetes

Upgrade the Helm Chart to the new version, using the following commands:

helm repo update
helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.4

Minor changes/fixes

• */saml: allow for domainless SAML URLs (#13737)
• *: fix stage incorrectly being inserted instead of appended (#13304)
• admin: fix system API when using bearer token (#13651)
• blueprints: Adjust title for MFA set up (#13400)
• brands: add option to set global default flow background (#13079)
• brands: fix migration 0008 by removing incorrect context manager usage (#13635)
• brands: migrate custom CSS to brands (#13172)
• cmd: set version in outposts (#13116)
• cmd: set version in outposts (cherry-pick #13116) (#13122)
• core: Tidy contributor onboarding, fix typos. (#12700)
• core: add darkreader-lock (#13183)
• core: add pre-hydrated relative URL (#13243)
• core: clear expired database sessions (#13105)
• core: fix core/user is_superuser filter (#13693)
• core: fix double slash in cache key (#13721)
• core: fix error when viewing used_by for built-in source (#13588)
• core: fix flaky tests introduced with is_superuser API fix (#13709)
• core: fix migrations (#14009)
• core: fix non-exploitable open redirect (#13696)
• core: migrate all sessions to the database (#9736)
• core: users API: add date_joined (#13817)
• enterprise/policies: Add Password Uniqueness History Policy (#13453)
• enterprise/stages/source: fix Source stage not executing authentication/enrollment flow (#12875)
• enterprise/stages/source: fix dispatch method signature (#13321)
• enterprise/stages/source: set is_redirected in flow source stage redirects to (#13604)
• events: add configurable headers to webhooks (#13602)
• flows: fix API not returning configured background (#13641)
• lib/config: fix conn_max_age parsing (#13370)
• lib/sync/outgoing: add dry run (#13244)
• lib: set a default HTTP timeout on outgoing requests (#13599)
• lifecycle/migrate: fix migration failing if killed during first startup (#14207)
• lifecycle: add warning regarding supported installation methods (#13190)
• outposts/controllers: k8s: sanitize resource names to comply with DNS subdomain standards (#13444)
• outposts/ldap: fix paginator going into infinite loop (#13677)
• outposts: add support for gateway API (#13272)
• policies/geoip: fix math in impossible travel (#13141)
• policies/geoip: fix result when only dynamic results are used (#14107)
• policies/reputation: limit reputation score (#14008)
• policies: buffered policy access view for concurrent authorization attempts when unauthenticated (#13629)
• providers/SCIM: fix object exists error for users, attempt to look up user ID in remote system (#13437)
• providers/oauth2, rac: make sure tokens are revoked after session deletion (#14011)
• providers/oauth2: offline_access don't require explicit consent (#13419)
• providers/oauth2: properly support P-384 and P-521 keys (#13317)
• providers/proxy: kubernetes outpost: fix reconcile when only annotations changed (#13372)
• providers/rac: fix signals and Endpoint caching (#13529)
• providers/rac: move to open source (#13015)
• providers/saml: configurable AuthnContextClassRef (#13566)
• providers/scim: add compatibility mode for AWS & Slack (#13342)
• providers/scim: fix group membership check failing (#13644)
• providers/scim: save attributes returned from remote system like google workspace and entra ID (#13459)
• rbac: add InitialPermissions (#13795)
• rbac: add name to Permissions search (#14269)
• remove rc notice and enterprise tag for the span
• revert: rbac: exclude permissions for internal models (#12803) (#13138)
• root: allow configuring session cookie age (#12389)
• root: bump python client generator version (#13467)
• root: bump python patch version to 3.12.9 (#13710)
• root: fix dependency install due to description-file (#13655)
• root: fix uv lock file on macOS (#13578)
• root: prevent docker-compose up when secret key is missing (#14043)
• root: replace poetry with uv (#13388)
• root: support db pool (#13534)
• scripts: fix broken link (#13156)
• scripts: postgres: print statements (#13537)
• security: fix CVE-2025-29928 (#13695)
• sources/kerberos, saml: allow creation of connections from the API (#13794)
• sources/ldap: add source connections (#13796)
• sources/ldap: lookup group memberships from user attribute (#12661)
• sources/oauth: add group sync for azure_ad (#12894)
• sources/oauth: fix duplicate authentication (#13322)
• sources/oauth: ignore missing well-known keys (#13468)
• sources/oauth: introduce authorization code auth method (#14034)
• sources/oauth: reddit: fix duplicate keyword auth (#13466)
• sources: move identifier to parent model (#13797)
• sources: prevent deletion of built-in source (#12914)
• stages/authenticator_email: Email Authenticator Stage Documentation (#12853)
• stages/authenticator_email: Fix Enroll dropdown in the MFA Devices page (#13404)
• stages/authenticator_email: fix session cleanup test b (#13264)
• stages/authenticator_email: remove flaky assertions (#13371)
• stages/email: Clean newline characters in TemplateEmailMessage (#13666)
• stages/email: Fix email stage serialization (#13256)
• stages/email: fix for newlines in emails (#13712)
• stages/email: token_expiry format (#13394)
• stages/identification: check captcha after checking authentication (#13533)
• stages/identification: refresh captcha on failure (#13697)
• web/admin: add button to clear application cache (#13399)
• web/admin: add sync status refresh button (#13678)
• web/admin: allow user lists to show active only (#13403)
• web/admin: decorative display in user’s page breaks in other locales (#13393)
• web/admin: fix comment being rendered (#13530)
• web/admin: fix custom scope mappings being selected by default in proxy provider (#13735)
• web/admin: fix default selection for binding policy (#13180)
• web/admin: fix diff showing previous false as "-" (#13580)
• web/admin: fix display bug for assigned users in application bindings in the wizard (#13435)
• web/admin: fix markdown being completely whited out in dark mode on proxy provider pages (#13387)
• web/admin: fix minor typo (#13181)
• web/admin: only show message when not editing an application (#13165)
• web/admin: prefer using datefns over moment.js (#13143)
• web/admin: prevent default logo flashing in admin interface (#13960)
• web/admin: reworked sync status card (#13625)
• web/admin: reworked sync status card (cherry-pick #13625) (#13692)
• web/admin: update Application Wizard button placement (#12771)
• web/api: Fix Hoisted exports across entrypoints. Update Axios. (#14089)
• web/common: utils: fix infinite value handling in getRelativeTime function (#13564)
• web/flow: fix translate extract (#13208)
• web/flow: grab focus to uid input field (#13177)
• web/flow: update default flow background (#13175)
• web/flows: disambiguate brand links codeblock (#12141)
• web/flows: fix error on interactive Captcha stage when retrying captcha (#13119)
• web/flows: fix missing padding on authenticator_validate card (#13420)
• web/user: ensure modal container on user-settings page is min-height: 100% (#13402)
• web/user: fix RAC launch not opening when clicking icon (#13164)
• web/user: fix display for RAC tile (#13211)
• web/user: fix opening application with Enter not respecting new tab setting (#13115)
• web/user: fix post MFA creation link being invalid (#13157)
• web/user: fix race condition in user settings flow executor (#13163)
• web/user: show admin interface button on mobile (#13421)
• web: Client-side MDX rendering (#13610)
• web: ESBuild performance + Live reload (#13026)
• web: Fix TypeScript compilation issues for mixins, events. (#13766)
• web: Fix inline documentation rendering (#13379)
• web: Fix prop. (#13630)
• web: Flesh out configs. (#13801)
• web: Ignore Storybook when running codespell. (#13454)
• web: Indicate when caps-lock is active during password input. (#12733)
• web: Indicate when caps-lock is active during password input. (cherry-pick #12733) (#13160)
• web: Normalize client-side error handling (#13595)
• web: Packagify live reload plugin. (#14134)
• web: Safari fixes merge branch (#14181)
• web: Tidy temporal utilities. (#13755)
• web: add remember me feature to IdentificationStage (#10397)
• web: admin interface: faster card load (#13331)
• web: elements: Table: Fix table selection clearing behavior (#13959)
• web: ensure wizard modal closes on first cancel click (#13636)
• web: fix bug that was causing charts to be too tall (#14253)
• web: fix scrollbar styling (#12600)
• web: lock lit/ssr (#14214)
• web: update default flow background (#14115)
• Revert "core: fix non-exploitable open redirect (#13696)" (#13824)
• Revert "policies: buffered policy access view for concurrent authorization attempts when unauthenticated (#13629)" (#14180)
• Revert "web: Safari fixes merge branch (#14181)" (#14211)
• Revert "website/docs: Prepare for monorepo. (#14119)" (#14239)
• Revert package-lock.json changes from "web: add remember me feature to IdentificationStage (#10397)" (#14212)

Fixed in 2025.4.1

• brands: fix CSS Migration not updating brands (cherry-pick #14306) (#14308)
• core: bump h11 from 0.14.0 to v0.16.0 (cherry-pick #14352) (#14472)
• core: fix session migration when old session can't be loaded (cherry-pick #14466) (#14480)
• core: fix unable to create group if no enable_group_superuser permission is given (cherry-pick #14510) (#14521)
• core: remove OldAuthenticatedSession content type (cherry-pick #14507) (#14509)
• enterprise: fix expired license's users being counted (cherry-pick #14451) (#14496)
• lifecycle: fix ak dump_config (cherry-pick #14445) (#14448)
• outposts: fix tmpdir in containers not being set (cherry-pick #14444) (#14449)
• rbac: fix RoleObjectPermissionTable not showing add_user_to_group (cherry-pick #14312) (#14334)
• root: backport SFE Build fix (#14495)
• root: temporarily deactivate database pool option (cherry-pick #14443) (#14479)
• web/flows/sfe: fix global background image not being loaded (cherry-pick #14442) (#14450)

Fixed in 2025.4.2

• core: Migrate permissions before deleting OldAuthenticatedSession (cherry-pick #14788) (#14791)
• lifecycle: fix arguments not being passed to worker command (cherry-pick #14574) (#14620)
• sources/scim: fix all users being added to group when no members are given (cherry-pick #14645) (#14666)

Fixed in 2025.4.3

• security: fix CVE-2025-52553 (#15289)

Fixed in 2025.4.4

• security: fix CVE-2025-53942 (#15719)

API Changes

What's New

GET /policies/unique_password/

POST /policies/unique_password/

GET /policies/unique_password/{policy_uuid}/

PUT /policies/unique_password/{policy_uuid}/

DELETE /policies/unique_password/{policy_uuid}/

PATCH /policies/unique_password/{policy_uuid}/

GET /policies/unique_password/{policy_uuid}/used_by/

GET /rbac/initial_permissions/

POST /rbac/initial_permissions/

GET /rbac/initial_permissions/{id}/

PUT /rbac/initial_permissions/{id}/

DELETE /rbac/initial_permissions/{id}/

PATCH /rbac/initial_permissions/{id}/

GET /rbac/initial_permissions/{id}/used_by/

GET /sources/group_connections/all/

GET /sources/group_connections/all/{id}/

PUT /sources/group_connections/all/{id}/

DELETE /sources/group_connections/all/{id}/

PATCH /sources/group_connections/all/{id}/

GET /sources/group_connections/all/{id}/used_by/

GET /sources/group_connections/ldap/

POST /sources/group_connections/ldap/

GET /sources/group_connections/ldap/{id}/

PUT /sources/group_connections/ldap/{id}/

DELETE /sources/group_connections/ldap/{id}/

PATCH /sources/group_connections/ldap/{id}/

GET /sources/group_connections/ldap/{id}/used_by/

GET /sources/user_connections/ldap/

POST /sources/user_connections/ldap/

GET /sources/user_connections/ldap/{id}/

PUT /sources/user_connections/ldap/{id}/

DELETE /sources/user_connections/ldap/{id}/

PATCH /sources/user_connections/ldap/{id}/

GET /sources/user_connections/ldap/{id}/used_by/

POST /sources/group_connections/kerberos/

POST /sources/group_connections/saml/

What's Changed

GET /admin/settings/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property reputation_lower_limit (integer)

    Reputation cannot decrease lower than this value. Zero or negative.

  • Added property reputation_upper_limit (integer)

    Reputation cannot increase higher than this value. Zero or positive.

PUT /admin/settings/

Request:

Changed content type : application/json

• Added property reputation_lower_limit (integer)

  Reputation cannot decrease lower than this value. Zero or negative.

• Added property reputation_upper_limit (integer)

  Reputation cannot increase higher than this value. Zero or positive.

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property reputation_lower_limit (integer)

    Reputation cannot decrease lower than this value. Zero or negative.

  • Added property reputation_upper_limit (integer)

    Reputation cannot increase higher than this value. Zero or positive.

PATCH /admin/settings/

Request:

Changed content type : application/json

• Added property reputation_lower_limit (integer)

  Reputation cannot decrease lower than this value. Zero or negative.

• Added property reputation_upper_limit (integer)

  Reputation cannot increase higher than this value. Zero or positive.

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property reputation_lower_limit (integer)

    Reputation cannot decrease lower than this value. Zero or negative.

  • Added property reputation_upper_limit (integer)

    Reputation cannot increase higher than this value. Zero or positive.

GET /core/authenticated_sessions/{uuid}/

Parameters:

Changed: uuid in path

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • expires
  • last_user_agent

  • Changed property last_ip (string)

  • Changed property last_user_agent (string)

  • Changed property expires (string)

DELETE /core/authenticated_sessions/{uuid}/

Parameters:

Changed: uuid in path

GET /core/brands/{brand_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property branding_custom_css (string)

  • Added property branding_default_flow_background (string)

PUT /core/brands/{brand_uuid}/

Request:

Changed content type : application/json

• Added property branding_custom_css (string)

• Added property branding_default_flow_background (string)

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property branding_custom_css (string)

  • Added property branding_default_flow_background (string)

PATCH /core/brands/{brand_uuid}/

Request:

Changed content type : application/json

• Added property branding_custom_css (string)

• Added property branding_default_flow_background (string)

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property branding_custom_css (string)

  • Added property branding_default_flow_background (string)

GET /policies/event_matcher/{policy_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.enterprise.policies.unique_password

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    • authentik_rbac.initialpermissions
    • authentik_sources_ldap.userldapsourceconnection
    • authentik_sources_ldap.groupldapsourceconnection
    • authentik_policies_unique_password.uniquepasswordpolicy

PUT /policies/event_matcher/{policy_uuid}/

Request:

Changed content type : application/json

• Changed property app (string)

  Match events created by selected application. When left empty, all applications are matched.

  Added enum value:

  • authentik.enterprise.policies.unique_password

• Changed property model (string)

  Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

  Added enum values:

  • authentik_rbac.initialpermissions
  • authentik_sources_ldap.userldapsourceconnection
  • authentik_sources_ldap.groupldapsourceconnection
  • authentik_policies_unique_password.uniquepasswordpolicy

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.enterprise.policies.unique_password

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    • authentik_rbac.initialpermissions
    • authentik_sources_ldap.userldapsourceconnection
    • authentik_sources_ldap.groupldapsourceconnection
    • authentik_policies_unique_password.uniquepasswordpolicy

PATCH /policies/event_matcher/{policy_uuid}/

Request:

Changed content type : application/json

• Changed property app (string)

  Match events created by selected application. When left empty, all applications are matched.

  Added enum value:

  • authentik.enterprise.policies.unique_password

• Changed property model (string)

  Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

  Added enum values:

  • authentik_rbac.initialpermissions
  • authentik_sources_ldap.userldapsourceconnection
  • authentik_sources_ldap.groupldapsourceconnection
  • authentik_policies_unique_password.uniquepasswordpolicy

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.enterprise.policies.unique_password

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    • authentik_rbac.initialpermissions
    • authentik_sources_ldap.userldapsourceconnection
    • authentik_sources_ldap.groupldapsourceconnection
    • authentik_policies_unique_password.uniquepasswordpolicy

GET /providers/scim/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property compatibility_mode (object)

    Alter authentik behavior for vendor-specific SCIM implementations.

    Enum values:

    • default
    • aws
    • slack

  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

PUT /providers/scim/{id}/

Request:

Changed content type : application/json

• Added property compatibility_mode (object)

  Alter authentik behavior for vendor-specific SCIM implementations.

• Added property dry_run (boolean)

  When enabled, provider will not modify or create objects in the remote system.

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property compatibility_mode (object)

    Alter authentik behavior for vendor-specific SCIM implementations.

  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

PATCH /providers/scim/{id}/

Request:

Changed content type : application/json

• Added property compatibility_mode (object)

  Alter authentik behavior for vendor-specific SCIM implementations.

• Added property dry_run (boolean)

  When enabled, provider will not modify or create objects in the remote system.

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property compatibility_mode (object)

    Alter authentik behavior for vendor-specific SCIM implementations.

  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

GET /providers/scim_groups/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • attributes
  • Added property attributes (object)

GET /providers/scim_users/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • attributes
  • Added property attributes (object)

GET /core/authenticated_sessions/

Parameters:

Added: session__last_ip in query

Added: session__last_user_agent in query

Deleted: last_ip in query

Deleted: last_user_agent in query

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > AuthenticatedSession Serializer

    New required properties:

    • expires
    • last_user_agent

    • Changed property last_ip (string)

    • Changed property last_user_agent (string)

    • Changed property expires (string)

GET /core/authenticated_sessions/{uuid}/used_by/

Parameters:

Changed: uuid in path

POST /core/brands/

Request:

Changed content type : application/json

• Added property branding_custom_css (string)

• Added property branding_default_flow_background (string)

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Added property branding_custom_css (string)

  • Added property branding_default_flow_background (string)

GET /core/brands/

Parameters:

Added: branding_default_flow_background in query

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Brand Serializer

    • Added property branding_custom_css (string)

    • Added property branding_default_flow_background (string)

GET /core/brands/current/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • branding_custom_css
  • Added property branding_custom_css (string)

GET /core/tokens/{identifier}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property user_obj (object)

    User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

PUT /core/tokens/{identifier}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property user_obj (object)

    User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

PATCH /core/tokens/{identifier}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property user_obj (object)

    User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

GET /core/users/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • date_joined
  • Added property date_joined (string)

PUT /core/users/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • date_joined
  • Added property date_joined (string)

PATCH /core/users/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • date_joined
  • Added property date_joined (string)

GET /events/transports/{uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property webhook_mapping_body (string)

    Customize the body of the request. Mapping should return data that is JSON-serializable.

  • Added property webhook_mapping_headers (string)

    Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs

  • Deleted property webhook_mapping (string)

PUT /events/transports/{uuid}/

Request:

Changed content type : application/json

• Added property webhook_mapping_body (string)

  Customize the body of the request. Mapping should return data that is JSON-serializable.

• Added property webhook_mapping_headers (string)

  Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs

• Deleted property webhook_mapping (string)

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property webhook_mapping_body (string)

    Customize the body of the request. Mapping should return data that is JSON-serializable.

  • Added property webhook_mapping_headers (string)

    Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs

  • Deleted property webhook_mapping (string)

PATCH /events/transports/{uuid}/

Request:

Changed content type : application/json

• Added property webhook_mapping_body (string)

  Customize the body of the request. Mapping should return data that is JSON-serializable.

• Added property webhook_mapping_headers (string)

  Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs

• Deleted property webhook_mapping (string)

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property webhook_mapping_body (string)

    Customize the body of the request. Mapping should return data that is JSON-serializable.

  • Added property webhook_mapping_headers (string)

    Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs

  • Deleted property webhook_mapping (string)

GET /policies/bindings/{policy_binding_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property user_obj (object)

    User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

PUT /policies/bindings/{policy_binding_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property user_obj (object)

    User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

PATCH /policies/bindings/{policy_binding_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property user_obj (object)

    User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

POST /policies/event_matcher/

Request:

Changed content type : application/json

• Changed property app (string)

  Match events created by selected application. When left empty, all applications are matched.

  Added enum value:

  • authentik.enterprise.policies.unique_password

• Changed property model (string)

  Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

  Added enum values:

  • authentik_rbac.initialpermissions
  • authentik_sources_ldap.userldapsourceconnection
  • authentik_sources_ldap.groupldapsourceconnection
  • authentik_policies_unique_password.uniquepasswordpolicy

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Changed property app (string)

    Match events created by selected application. When left empty, all applications are matched.

    Added enum value:

    • authentik.enterprise.policies.unique_password

  • Changed property model (string)

    Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

    Added enum values:

    • authentik_rbac.initialpermissions
    • authentik_sources_ldap.userldapsourceconnection
    • authentik_sources_ldap.groupldapsourceconnection
    • authentik_policies_unique_password.uniquepasswordpolicy

GET /policies/event_matcher/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Event Matcher Policy Serializer

    • Changed property app (string)

      Match events created by selected application. When left empty, all applications are matched.

      Added enum value:

      • authentik.enterprise.policies.unique_password

    • Changed property model (string)

      Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.

      Added enum values:

      • authentik_rbac.initialpermissions
      • authentik_sources_ldap.userldapsourceconnection
      • authentik_sources_ldap.groupldapsourceconnection
      • authentik_policies_unique_password.uniquepasswordpolicy

GET /providers/google_workspace/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

PUT /providers/google_workspace/{id}/

Request:

Changed content type : application/json

• Added property dry_run (boolean)

  When enabled, provider will not modify or create objects in the remote system.

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

PATCH /providers/google_workspace/{id}/

Request:

Changed content type : application/json

• Added property dry_run (boolean)

  When enabled, provider will not modify or create objects in the remote system.

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

GET /providers/microsoft_entra/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

PUT /providers/microsoft_entra/{id}/

Request:

Changed content type : application/json

• Added property dry_run (boolean)

  When enabled, provider will not modify or create objects in the remote system.

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

PATCH /providers/microsoft_entra/{id}/

Request:

Changed content type : application/json

• Added property dry_run (boolean)

  When enabled, provider will not modify or create objects in the remote system.

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

GET /providers/saml/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property authn_context_class_ref_mapping (string)

    Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate.

  • Changed property acs_url (string)

PUT /providers/saml/{id}/

Request:

Changed content type : application/json

• Added property authn_context_class_ref_mapping (string)

  Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate.

• Changed property acs_url (string)

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property authn_context_class_ref_mapping (string)

    Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate.

  • Changed property acs_url (string)

PATCH /providers/saml/{id}/

Request:

Changed content type : application/json

• Added property authn_context_class_ref_mapping (string)

  Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate.

• Changed property acs_url (string)

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property authn_context_class_ref_mapping (string)

    Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate.

  • Changed property acs_url (string)

POST /providers/scim/

Request:

Changed content type : application/json

• Added property compatibility_mode (object)

  Alter authentik behavior for vendor-specific SCIM implementations.

• Added property dry_run (boolean)

  When enabled, provider will not modify or create objects in the remote system.

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Added property compatibility_mode (object)

    Alter authentik behavior for vendor-specific SCIM implementations.

  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

GET /providers/scim/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > SCIMProvider Serializer

    • Added property compatibility_mode (object)

      Alter authentik behavior for vendor-specific SCIM implementations.

    • Added property dry_run (boolean)

      When enabled, provider will not modify or create objects in the remote system.

POST /providers/scim_groups/

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New required properties:

  • attributes
  • Added property attributes (object)

GET /providers/scim_groups/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > SCIMProviderGroup Serializer

    New required properties:

    • attributes
    • Added property attributes (object)

POST /providers/scim_users/

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New required properties:

  • attributes
  • Added property attributes (object)

GET /providers/scim_users/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > SCIMProviderUser Serializer

    New required properties:

    • attributes
    • Added property attributes (object)

GET /providers/ssf/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property token_obj (object)

    Token Serializer

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

PUT /providers/ssf/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property token_obj (object)

    Token Serializer

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

PATCH /providers/ssf/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property token_obj (object)

    Token Serializer

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

POST /rbac/permissions/assigned_by_roles/{uuid}/assign/

Request:

Changed content type : application/json

• Changed property model (string)

  Added enum values:

  • authentik_rbac.initialpermissions
  • authentik_sources_ldap.userldapsourceconnection
  • authentik_sources_ldap.groupldapsourceconnection
  • authentik_policies_unique_password.uniquepasswordpolicy

PATCH /rbac/permissions/assigned_by_roles/{uuid}/unassign/

Request:

Changed content type : application/json

• Changed property model (string)

  Added enum values:

  • authentik_rbac.initialpermissions
  • authentik_sources_ldap.userldapsourceconnection
  • authentik_sources_ldap.groupldapsourceconnection
  • authentik_policies_unique_password.uniquepasswordpolicy

POST /rbac/permissions/assigned_by_users/{id}/assign/

Request:

Changed content type : application/json

• Changed property model (string)

  Added enum values:

  • authentik_rbac.initialpermissions
  • authentik_sources_ldap.userldapsourceconnection
  • authentik_sources_ldap.groupldapsourceconnection
  • authentik_policies_unique_password.uniquepasswordpolicy

PATCH /rbac/permissions/assigned_by_users/{id}/unassign/

Request:

Changed content type : application/json

• Changed property model (string)

  Added enum values:

  • authentik_rbac.initialpermissions
  • authentik_sources_ldap.userldapsourceconnection
  • authentik_sources_ldap.groupldapsourceconnection
  • authentik_policies_unique_password.uniquepasswordpolicy

DELETE /sources/all/{slug}/

GET /sources/group_connections/kerberos/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PUT /sources/group_connections/kerberos/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PATCH /sources/group_connections/kerberos/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

GET /sources/group_connections/oauth/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PUT /sources/group_connections/oauth/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PATCH /sources/group_connections/oauth/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

GET /sources/group_connections/plex/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PUT /sources/group_connections/plex/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PATCH /sources/group_connections/plex/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

GET /sources/group_connections/saml/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PUT /sources/group_connections/saml/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PATCH /sources/group_connections/saml/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

GET /sources/ldap/{slug}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property lookup_groups_from_user (boolean)

    Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory

PUT /sources/ldap/{slug}/

Request:

Changed content type : application/json

• Added property lookup_groups_from_user (boolean)

  Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property lookup_groups_from_user (boolean)

    Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory

PATCH /sources/ldap/{slug}/

Request:

Changed content type : application/json

• Added property lookup_groups_from_user (boolean)

  Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property lookup_groups_from_user (boolean)

    Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory

GET /sources/oauth/{slug}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Added property authorization_code_auth_method (object)

    How to perform authentication during an authorization_code token request flow

    Enum values:

    • basic_auth
    • post_body

PUT /sources/oauth/{slug}/

Request:

Changed content type : application/json

• Added property authorization_code_auth_method (object)

  How to perform authentication during an authorization_code token request flow

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property authorization_code_auth_method (object)

    How to perform authentication during an authorization_code token request flow

PATCH /sources/oauth/{slug}/

Request:

Changed content type : application/json

• Added property authorization_code_auth_method (object)

  How to perform authentication during an authorization_code token request flow

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property authorization_code_auth_method (object)

    How to perform authentication during an authorization_code token request flow

GET /sources/saml/{slug}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property sso_url (string)

    URL that the initial Login request is sent to.

  • Changed property slo_url (string)

    Optional URL if your IDP supports Single-Logout.

PUT /sources/saml/{slug}/

Request:

Changed content type : application/json

• Changed property sso_url (string)

  URL that the initial Login request is sent to.

• Changed property slo_url (string)

  Optional URL if your IDP supports Single-Logout.

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property sso_url (string)

    URL that the initial Login request is sent to.

  • Changed property slo_url (string)

    Optional URL if your IDP supports Single-Logout.

PATCH /sources/saml/{slug}/

Request:

Changed content type : application/json

• Changed property sso_url (string)

  URL that the initial Login request is sent to.

• Changed property slo_url (string)

  Optional URL if your IDP supports Single-Logout.

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property sso_url (string)

    URL that the initial Login request is sent to.

  • Changed property slo_url (string)

    Optional URL if your IDP supports Single-Logout.

GET /sources/scim/{slug}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property token_obj (object)

    Token Serializer

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

PUT /sources/scim/{slug}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property token_obj (object)

    Token Serializer

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

PATCH /sources/scim/{slug}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property token_obj (object)

    Token Serializer

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

GET /sources/user_connections/all/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • identifier
  • last_updated

  • Added property identifier (string)

  • Added property last_updated (string)

PUT /sources/user_connections/all/{id}/

Request:

Changed content type : application/json

New required properties:

• identifier

• Added property identifier (string)

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • identifier
  • last_updated

  • Added property identifier (string)

  • Added property last_updated (string)

PATCH /sources/user_connections/all/{id}/

Request:

Changed content type : application/json

• Added property identifier (string)

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • identifier
  • last_updated

  • Added property identifier (string)

  • Added property last_updated (string)

DELETE /sources/user_connections/kerberos/{id}/

GET /sources/user_connections/kerberos/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PUT /sources/user_connections/kerberos/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PATCH /sources/user_connections/kerberos/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

DELETE /sources/user_connections/oauth/{id}/

GET /sources/user_connections/oauth/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated

  • Added property last_updated (string)

  • Changed property identifier (string)

PUT /sources/user_connections/oauth/{id}/

Request:

Changed content type : application/json

• Changed property identifier (string)

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated

  • Added property last_updated (string)

  • Changed property identifier (string)

PATCH /sources/user_connections/oauth/{id}/

Request:

Changed content type : application/json

• Changed property identifier (string)

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated

  • Added property last_updated (string)

  • Changed property identifier (string)

DELETE /sources/user_connections/plex/{id}/

GET /sources/user_connections/plex/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PUT /sources/user_connections/plex/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PATCH /sources/user_connections/plex/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

DELETE /sources/user_connections/saml/{id}/

GET /sources/user_connections/saml/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PUT /sources/user_connections/saml/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

PATCH /sources/user_connections/saml/{id}/

Request:

Changed content type : application/json

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

GET /ssf/streams/{uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property provider_obj (object)

    SSFProvider Serializer

    • Changed property token_obj (object)

      Token Serializer

      • Changed property user_obj (object)

        User Serializer

        New required properties:

        • date_joined
        • Added property date_joined (string)

POST /core/tokens/

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Changed property user_obj (object)

    User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

GET /core/tokens/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Token Serializer

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

GET /core/user_consent/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property user (object)

    User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

POST /core/users/

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New required properties:

  • date_joined
  • Added property date_joined (string)

GET /core/users/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

POST /events/transports/

Request:

Changed content type : application/json

• Added property webhook_mapping_body (string)

  Customize the body of the request. Mapping should return data that is JSON-serializable.

• Added property webhook_mapping_headers (string)

  Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs

• Deleted property webhook_mapping (string)

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Added property webhook_mapping_body (string)

    Customize the body of the request. Mapping should return data that is JSON-serializable.

  • Added property webhook_mapping_headers (string)

    Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs

  • Deleted property webhook_mapping (string)

GET /events/transports/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > NotificationTransport Serializer

    • Added property webhook_mapping_body (string)

      Customize the body of the request. Mapping should return data that is JSON-serializable.

    • Added property webhook_mapping_headers (string)

      Configure additional headers to be sent. Mapping should return a dictionary of key-value pairs

    • Deleted property webhook_mapping (string)

POST /policies/bindings/

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Changed property user_obj (object)

    User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

GET /policies/bindings/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > PolicyBinding Serializer

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

POST /providers/google_workspace/

Request:

Changed content type : application/json

• Added property dry_run (boolean)

  When enabled, provider will not modify or create objects in the remote system.

Return Type:

Changed response : 201 Created

• Changed content type : application/json
  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

GET /providers/google_workspace/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > GoogleWorkspaceProvider Serializer

    • Added property dry_run (boolean)

      When enabled, provider will not modify or create objects in the remote system.

POST /providers/google_workspace/{id}/sync/object/

Request:

Changed content type : application/json

• Added property override_dry_run (boolean)

POST /providers/microsoft_entra/

Request:

Changed content type : application/json

• Added property dry_run (boolean)

  When enabled, provider will not modify or create objects in the remote system.

Return Type:

Changed response : 201 Created

• Changed content type : application/json
  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

GET /providers/microsoft_entra/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > MicrosoftEntraProvider Serializer

    • Added property dry_run (boolean)

      When enabled, provider will not modify or create objects in the remote system.

POST /providers/microsoft_entra/{id}/sync/object/

Request:

Changed content type : application/json

• Added property override_dry_run (boolean)

POST /providers/saml/

Request:

Changed content type : application/json

• Added property authn_context_class_ref_mapping (string)

  Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate.

• Changed property acs_url (string)

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Added property authn_context_class_ref_mapping (string)

    Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate.

  • Changed property acs_url (string)

GET /providers/saml/

Parameters:

Added: authn_context_class_ref_mapping in query

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > SAMLProvider Serializer

    • Added property authn_context_class_ref_mapping (string)

      Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate.

    • Changed property acs_url (string)

POST /providers/scim/{id}/sync/object/

Request:

Changed content type : application/json

• Added property override_dry_run (boolean)

POST /providers/ssf/

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Changed property token_obj (object)

    Token Serializer

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

GET /providers/ssf/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > SSFProvider Serializer

    • Changed property token_obj (object)

      Token Serializer

      • Changed property user_obj (object)

        User Serializer

        New required properties:

        • date_joined
        • Added property date_joined (string)

GET /rbac/permissions/assigned_by_roles/

Parameters:

Changed: model in query

GET /rbac/permissions/assigned_by_users/

Parameters:

Changed: model in query

GET /sources/group_connections/kerberos/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Group Source Connection

    New required properties:

    • last_updated
    • Added property last_updated (string)

POST /sources/group_connections/oauth/

Request:

Changed content type : application/json

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

GET /sources/group_connections/oauth/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Group Source Connection

    New required properties:

    • last_updated
    • Added property last_updated (string)

POST /sources/group_connections/plex/

Request:

Changed content type : application/json

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

GET /sources/group_connections/plex/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Group Source Connection

    New required properties:

    • last_updated
    • Added property last_updated (string)

GET /sources/group_connections/saml/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Group Source Connection

    New required properties:

    • last_updated
    • Added property last_updated (string)

POST /sources/ldap/

Request:

Changed content type : application/json

• Added property lookup_groups_from_user (boolean)

  Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory

Return Type:

Changed response : 201 Created

• Changed content type : application/json
  • Added property lookup_groups_from_user (boolean)

    Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory

GET /sources/ldap/

Parameters:

Added: lookup_groups_from_user in query

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > LDAP Source Serializer

    • Added property lookup_groups_from_user (boolean)

      Lookup group membership based on a user attribute instead of a group attribute. This allows nested group resolution on systems like FreeIPA and Active Directory

POST /sources/oauth/

Request:

Changed content type : application/json

• Added property authorization_code_auth_method (object)

  How to perform authentication during an authorization_code token request flow

Return Type:

Changed response : 201 Created

• Changed content type : application/json
  • Added property authorization_code_auth_method (object)

    How to perform authentication during an authorization_code token request flow

GET /sources/oauth/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > OAuth Source Serializer

    • Added property authorization_code_auth_method (object)

      How to perform authentication during an authorization_code token request flow

POST /sources/saml/

Request:

Changed content type : application/json

• Changed property sso_url (string)

  URL that the initial Login request is sent to.

• Changed property slo_url (string)

  Optional URL if your IDP supports Single-Logout.

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Changed property sso_url (string)

    URL that the initial Login request is sent to.

  • Changed property slo_url (string)

    Optional URL if your IDP supports Single-Logout.

GET /sources/saml/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > SAMLSource Serializer

    • Changed property sso_url (string)

      URL that the initial Login request is sent to.

    • Changed property slo_url (string)

      Optional URL if your IDP supports Single-Logout.

POST /sources/scim/

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  • Changed property token_obj (object)

    Token Serializer

    • Changed property user_obj (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

GET /sources/scim/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > SCIMSource Serializer

    • Changed property token_obj (object)

      Token Serializer

      • Changed property user_obj (object)

        User Serializer

        New required properties:

        • date_joined
        • Added property date_joined (string)

GET /sources/user_connections/all/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > User source connection

    New required properties:

    • identifier
    • last_updated

    • Added property identifier (string)

    • Added property last_updated (string)

POST /sources/user_connections/kerberos/

Request:

Changed content type : application/json

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

GET /sources/user_connections/kerberos/

Parameters:

Added: user in query

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > User source connection

    New required properties:

    • last_updated
    • Added property last_updated (string)

POST /sources/user_connections/oauth/

Request:

Changed content type : application/json

• Changed property identifier (string)

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New required properties:

  • last_updated

  • Added property last_updated (string)

  • Changed property identifier (string)

GET /sources/user_connections/oauth/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > User source connection

    New required properties:

    • last_updated

    • Added property last_updated (string)

    • Changed property identifier (string)

POST /sources/user_connections/plex/

Request:

Changed content type : application/json

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

GET /sources/user_connections/plex/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > User source connection

    New required properties:

    • last_updated
    • Added property last_updated (string)

POST /sources/user_connections/saml/

Request:

Changed content type : application/json

Return Type:

Changed response : 201 Created

• Changed content type : application/json

  New required properties:

  • last_updated
  • Added property last_updated (string)

GET /sources/user_connections/saml/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > User source connection

    New required properties:

    • last_updated
    • Added property last_updated (string)

GET /ssf/streams/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > SSFStream Serializer

    • Changed property provider_obj (object)

      SSFProvider Serializer

      • Changed property token_obj (object)

        Token Serializer

        • Changed property user_obj (object)

          User Serializer

          New required properties:

          • date_joined
          • Added property date_joined (string)

GET /stages/email/{stage_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Changed property token_expiry (integer -> string)

    Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).

PUT /stages/email/{stage_uuid}/

Request:

Changed content type : application/json

• Changed property token_expiry (integer -> string)

  Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Changed property token_expiry (integer -> string)

    Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).

PATCH /stages/email/{stage_uuid}/

Request:

Changed content type : application/json

• Changed property token_expiry (integer -> string)

  Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Changed property token_expiry (integer -> string)

    Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).

GET /stages/identification/{stage_uuid}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property enable_remember_me (boolean)

    Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password.

PUT /stages/identification/{stage_uuid}/

Request:

Changed content type : application/json

• Added property enable_remember_me (boolean)

  Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password.

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property enable_remember_me (boolean)

    Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password.

PATCH /stages/identification/{stage_uuid}/

Request:

Changed content type : application/json

• Added property enable_remember_me (boolean)

  Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password.

Return Type:

Changed response : 200 OK

• Changed content type : application/json
  • Added property enable_remember_me (boolean)

    Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password.

GET /core/user_consent/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > UserConsent Serializer

    • Changed property user (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

GET /flows/executor/{flow_slug}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  Updated ak-stage-identification component:

  • Added property enable_remember_me (boolean)

POST /flows/executor/{flow_slug}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  Updated ak-stage-identification component:

  • Added property enable_remember_me (boolean)

GET /oauth2/access_tokens/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property user (object)

    User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

GET /oauth2/authorization_codes/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property user (object)

    User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

GET /oauth2/refresh_tokens/{id}/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property user (object)

    User Serializer

    New required properties:

    • date_joined
    • Added property date_joined (string)

POST /stages/email/

Request:

Changed content type : application/json

• Changed property token_expiry (integer -> string)

  Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).

Return Type:

Changed response : 201 Created

• Changed content type : application/json
  • Changed property token_expiry (integer -> string)

    Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).

GET /stages/email/

Parameters:

Changed: token_expiry in query

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > EmailStage Serializer

    • Changed property token_expiry (integer -> string)

      Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).

POST /stages/identification/

Request:

Changed content type : application/json

• Added property enable_remember_me (boolean)

  Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password.

Return Type:

Changed response : 201 Created

• Changed content type : application/json
  • Added property enable_remember_me (boolean)

    Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password.

GET /stages/identification/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > IdentificationStage Serializer

    • Added property enable_remember_me (boolean)

      Show the user the 'Remember me on this device' toggle, allowing repeat users to skip straight to entering their password.

PUT /core/transactional/applications/

Request:

Changed content type : application/json

• Changed property provider (object)

  Updated authentik_providers_microsoft_entra.microsoftentraprovider provider_model:

  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

  Updated authentik_providers_scim.scimprovider provider_model:

  • Added property compatibility_mode (object)

    Alter authentik behavior for vendor-specific SCIM implementations.

  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

  Updated authentik_providers_google_workspace.googleworkspaceprovider provider_model:

  • Added property dry_run (boolean)

    When enabled, provider will not modify or create objects in the remote system.

  Updated authentik_providers_saml.samlprovider provider_model:

  • Added property authn_context_class_ref_mapping (string)

    Configure how the AuthnContextClassRef value will be created. When left empty, the AuthnContextClassRef will be set based on which authentication methods the user used to authenticate.

  • Changed property acs_url (string)

GET /oauth2/access_tokens/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Serializer for BaseGrantModel and RefreshToken

    • Changed property user (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

GET /oauth2/authorization_codes/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Serializer for BaseGrantModel and ExpiringBaseGrant

    • Changed property user (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)

GET /oauth2/refresh_tokens/

Return Type:

Changed response : 200 OK

• Changed content type : application/json

  • Changed property results (array)

    Changed items (object): > Serializer for BaseGrantModel and RefreshToken

    • Changed property user (object)

      User Serializer

      New required properties:

      • date_joined
      • Added property date_joined (string)