website/docs/users-sources/user/invitations.md
Invitations are another way to create a user, by inviting someone to join your authentik instance as a new user. With invitations, you can either email an enrollment invitation URL to one or more specific recipients with pre-defined credentials, or you can email a URL to users, who can then log in and define their own credentials.
You can configure invitations either by:
:::info You can also create a policy to see if the invitation was ever used. :::
The fastest way to configure invitations in authentik is to use our pre-defined blueprints that have the necessary flows, stages, and prompts already included.
We have two pre-defined blueprints, theExample - Invitation-based Enrollment blueprint and the Example - Enrollment (2 Stage)blueprint.
Example - Invitation-based Enrollment blueprint (Recommended)This blueprint provides several examples of how to configure different invitation features and serves as a helpful starting point:
engineering-team)Download the Example - Invitation-based Enrollment blueprint by running this command:
wget https://goauthentik.io/blueprints/example/flows-invitation-enrollment.yaml
Alternatively, use this link to view and save the file.
Example - Enrollment (2 Stage) blueprintFor a simpler invitation flow that doesn't include separate flows for internal/external user types, automatic group assignment, and set user paths, download the Example - Enrollment (2 Stage) blueprint by running this command:
wget https://goauthentik.io/blueprints/example/flows-enrollment-2-stage.yaml
Alternatively, use this link to view and save the file.
Log in to authentik as an administrator and open the authentik Admin interface.
Navigate to Directory > Invitations and click Create.
The Create Invitation box appears.
Configure the following settings:
invitation-enrollment-flow-external, invitation-enrollment-flow-internal, invitation-enrollment-flow-internal-engineering, or default-enrollment-flow depending on which blueprint you used). **Pre-fill email only (JSON)**:
```json
{
"email": "[email protected]"
}
```
**Pre-fill multiple fields (YAML)**:
```yaml
name: Jane Smith
email: [email protected]
```
**Pre-fill with custom attributes (JSON)**:
```json
{
"name": "John Doe",
"email": "[email protected]",
"attributes": {
"department": "Engineering",
"employee_type": "contractor",
"start_date": "2025-01-15"
}
}
```
</details>
:::info
The field keys (e.g., `email`, `name`) must match the field keys configured in your flow's [prompt stage](../../add-secure-apps/flows-stages/stages/prompt/index.md).
:::
- **Single use**: Specify whether the invitation should expire after a single use.
- Enable for invitations sent to specific individuals.
- Disable for invitations shared with multiple people (e.g., department onboarding links).
3. Click Save.
On the Invitations page, click the chevron beside your new invitation to expand the details. The Link to use the invitation displays with the URL.
You can share the invitation in two ways:
Copy the URL and send it in an email to the people you want to invite to enroll.
The invitation link format is:
https://authentik.company/if/flow/<flow-slug>/?itoken=<invitation-uuid>
Follow the steps below to send invitation emails directly from authentik:
Invitation template is recommended.The emails are queued and sent asynchronously by the background worker. Each recipient receives an email containing the invitation link.
:::note Email configuration required To use this feature, you must have email configured in authentik, refer to the Email configuration documentation for details. :::
If you prefer to create your invitation flow manually instead of using a blueprint, follow these steps:
Log in to authentik as an administrator and open the authentik Admin interface.
Navigate to Flows and Stages > Stages and click Create.
Select Invitation Stage from the stage type list.
Configure the stage:
enrollment-invitation-stage)false if you want to require a valid invitation token (recommended for invitation-only flows).true if you want to allow both invited and non-invited users to use the same enrollment flow.Click Create.
:::info
The Continue flow without invitation setting determines whether users can proceed through the flow without a valid invitation token. When set to false, only users with valid invitation links can complete enrollment.
:::
invitation-enrollment).In your enrollment flow, go to the Stage Bindings tab.
Click Bind Stage and select your invitation stage.
Configure the binding:
5 or 10) so it evaluates early in the flow.Add other necessary stages to your flow (in order):
Now you can create invitations that reference your custom flow. Follow the steps in Create the invitation object above.
To automatically add users to a group when they enroll via invitation, you need to configure the enrollment flow's User Write Stage:
:::info Groups cannot be set directly in invitation custom attributes because they require database relationships. They must be configured at the flow/stage level. :::
User paths organize users in a directory structure (e.g., users/external, users/internal/engineering). To configure user paths:
You can use expression policies to make decisions based on invitation data:
# Check if user was invited
return context.get('invitation_in_effect', False)
# Access invitation data
invitation = context.get('invitation')
if invitation:
return invitation.fixed_data.get('department') == 'Engineering'
# Access pre-filled prompt data
prompt_data = context.get('prompt_data', {})
return prompt_data.get('email', '').endswith('@example.com')
Problem: External user sees "Interface can only be accessed by internal users" after enrollment.
Solution: Configure a Default Application in your brand settings (System → Brands) so external users have somewhere to go after login.
Possible causes:
Possible causes:
placeholder_expression: true:::info Invitation links validity Be aware that when an authentik administrator or any other user creates an invitation link, that link remains valid even if the administrator is deactivated or has permissions revoked. However, if the user who created the link is deleted and removed from the authentik system, the link is also deleted. :::