authentik/website/docs/core/applications.md

---
title: Applications
slug: /applications
---

Applications in authentik are the other half of providers. They exist in a 1-to-1 relationship, each application needs a provider and every provider can be used with one application.

Applications are used to configure and separate the authorization / access control and the appearance in the Library page.

## Authorization

Application access can be configured using (Policy) Bindings. You can use this to grant access to one or multiple users/groups, or dynamically give access using policies.

By default, all users can access applications when no policies are bound.

When multiple policies/groups/users are attached, you can configure the *Policy engine mode* to either

- Require users to pass all bindings/be member of all groups (ALL), or
- Require users to pass either binding/be member of either group (ANY)

## Appearance

The following aspects can be configured:

- *Name*: This is the name shown for the application card
- *Launch URL*: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider

    Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.

- *Icon (URL)*: Optionally configure an Icon for the application
- *Publisher*: Text shown below the application
- *Description*: Subtext shown on the application card below the publisher

Applications are shown to users when

- The user has access defined via policies (or the application has no policies bound)
- A Valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https://


#### Hiding applications

To hide applications without modifying policy settings and without removing it, you can simply set the *Launch URL* to `blank://blank`, which will hide the application from users.

Keep in mind, the users still have access, so they can still authorize access when the login process is started from the application.
website/docs: add application docs closes #1837 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-23 22:15:30 +00:00			`---`
			`title: Applications`
website/docs: re-organise core concepts Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-12-03 10:55:09 +00:00			`slug: /applications`
website/docs: add application docs closes #1837 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-23 22:15:30 +00:00			`---`

web/admin: add sidebar to applications Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-12-16 11:23:30 +00:00			`Applications in authentik are the other half of providers. They exist in a 1-to-1 relationship, each application needs a provider and every provider can be used with one application.`
website/docs: add application docs closes #1837 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-23 22:15:30 +00:00
			`Applications are used to configure and separate the authorization / access control and the appearance in the Library page.`

			`## Authorization`

			`Application access can be configured using (Policy) Bindings. You can use this to grant access to one or multiple users/groups, or dynamically give access using policies.`

			`By default, all users can access applications when no policies are bound.`

			`When multiple policies/groups/users are attached, you can configure the Policy engine mode to either`

web/admin: add sidebar to applications Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-12-16 11:23:30 +00:00			`- Require users to pass all bindings/be member of all groups (ALL), or`
			`- Require users to pass either binding/be member of either group (ANY)`
website/docs: add application docs closes #1837 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-23 22:15:30 +00:00
			`## Appearance`

			`The following aspects can be configured:`

web/admin: add sidebar to applications Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-12-16 11:23:30 +00:00			`- Name: This is the name shown for the application card`
			`- Launch URL: The URL that is opened when a user clicks on the application. When left empty, authentik tries to guess it based on the provider`
core: allow formatting strings to be used for applications' launch URLs Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2022-02-08 22:46:23 +00:00
			Starting with authentik 2022.2, you can use placeholders in the launch url to build them dynamically based on logged in user. For example, you can set the Launch URL to `https://goauthentik.io/%(username)s`, which will be replaced with the currently logged in user's username.

web/admin: add sidebar to applications Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-12-16 11:23:30 +00:00			`- Icon (URL): Optionally configure an Icon for the application`
			`- Publisher: Text shown below the application`
			`- Description: Subtext shown on the application card below the publisher`
website/docs: add application docs closes #1837 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-23 22:15:30 +00:00
			`Applications are shown to users when`

web/admin: add sidebar to applications Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-12-16 11:23:30 +00:00			`- The user has access defined via policies (or the application has no policies bound)`
			`- A Valid Launch URL is configured/could be guessed, this consists of URLs starting with http:// and https://`
website/docs: add application docs closes #1837 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> 2021-11-23 22:15:30 +00:00

			`#### Hiding applications`

			To hide applications without modifying policy settings and without removing it, you can simply set the Launch URL to `blank://blank`, which will hide the application from users.

			`Keep in mind, the users still have access, so they can still authorize access when the login process is started from the application.`