Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test". Path template for users created. Use placeholders like `%(slug)s` to insert the source slug. API Access App password Recovery Verification Unknown intent Login Failed login Logout User was written to Suspicious request Password set Secret was viewed Secret was rotated Invitation used Application authorized Source linked Impersonation started Impersonation ended Flow execution Policy execution Policy exception Property Mapping exception System task execution System task exception General system exception Configuration error Model created Model updated Model deleted Email sent Update available Alert Notice Warning Unknown severity Static tokens TOTP Device Internal External Service account Service account (internal) Connection error, reconnecting... Application Icon UID Name App Model Name Message Subject From To Context User Affected model: Authorized application: Using flow Email info: Secret: Exception Open issue on GitHub... Expression Binding Request Object Result Passing Messages New version available Using source Attempted to log in as No additional data available. Currently set to: Yes No Show less Show more Admin Open API drawer Open Notification drawer Loading... no tabs defined Root Loading Powered by authentik Background image Flow inspector Close Next stage Stage name Stage kind Stage object This flow is completed. 
Plan history Current plan context Session ID User's avatar Unread notifications Settings Sign out Admin interface Stop impersonation Avatar image User interface Dashboards Overview User Statistics System Tasks Applications Providers Outposts Events Logs Notification Rules Notification Transports Customisation Policies Property Mappings Blueprints Reputation scores Flows and Stages Flows Stages Prompts Directory Users Groups Roles Federation and Social login Tokens and App passwords Invitations System Tenants Certificates Outpost Integrations A newer version of the frontend is available. You're currently impersonating . Click to stop. Enterprise Licenses General system status Welcome, . Quick actions Create a new application Check the logs Explore integrations Manage users Check the release notes Outpost status Sync status Logins and authorizations over the last week (per 8 hours) Apps with most usage Users created per day in the last month Users created Logins per day in the last month Logins Failed Logins per day in the last month Failed logins Application days ago Authorizations Successfully sent test-request. Log messages No log messages. Any policy must match to grant access All policies must match to grant access Successfully updated application. Successfully created application. Application's display Name. Slug Internal application name used in URLs. Group Optionally enter a group name. Applications with identical groups are shown grouped together. Provider Select a provider that this application should use. Backchannel Providers Select backchannel providers which augment the functionality of the main provider. Add provider Policy engine mode UI settings Launch URL If left empty, authentik will try to extract the launch URL based on the selected provider. Open in new tab If checked, the launch URL will open in a new browser tab or window from the user's application library. Icon Clear icon Delete currently set icon. 
Publisher Description One hint, 'New Application Wizard', is currently hidden External applications that use authentik as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access. Provider Type Actions Application(s) Delete - Update Update Application Edit Open Create Create Application Warning: Application is not used by any Outpost. Related Check access Check Check Application access Test Launch Logins over the last week (per 8 hours) Changelog Policy / Group / User Bindings These policies control which users can access this application. Permissions Type Select providers to add to application Add Cancel Successfully updated instance. Successfully created instance. Enabled Disabled blueprints are never applied. Local path OCI Registry Path URL OCI URL, in the format of oci://registry.domain.tld/path/to/manifest. See more about OCI support here: Documentation Blueprint Additional settings Configure the blueprint context, used for templating. Successful Orphaned Error Unknown Automate and template configuration within authentik. Status Last applied Blueprint(s) Update Blueprint Apply Create Blueprint Instance Successfully generated certificate-key pair. Common Name Subject-alt name Optional, comma-separated SubjectAlt Names. Validity days Successfully updated certificate-key pair. Successfully created certificate-key pair. Certificate PEM-encoded Certificate data. Private Key Optional Private Key. If this is set, you can use this keypair for encryption. Certificate-Key Pairs Import certificates of external providers or create certificates to sign requests with. Private key available? 
Expiry date Certificate-Key Pair(s) Expiry Managed by authentik Managed by authentik (Discovered) Yes () Update Certificate-Key Pair Certificate Fingerprint (SHA1) Certificate Fingerprint (SHA256) Certificate Subject Download Download Certificate Download Private key Create Certificate-Key Pair Generate Generate Certificate-Key Pair Successfully updated license. Successfully created license. Install ID License key Manage enterprise licenses No licenses found. License(s) Enterprise is in preview. Send us feedback! Get a license Go to Customer Portal Forecast internal users Estimated user count one year from now based on current internal users and forecasted internal users. Forecast external users Estimated user count one year from now based on current external users and forecasted external users. Cumulative license expiry Internal: External: Update License Install Install License Event Log Action Creation Date Client IP Tenant On behalf of Show details Event Event info Created Event volume Successfully updated rule. Successfully created rule. Select the group of users which the alerts are sent to. If no group is selected the rule is disabled. Transports Select which transports should be used to notify the user. If none are selected, the notification will only be shown in the authentik UI. Hold control/command to select multiple items. Severity Send notifications whenever a specific Event is created and matched by policies. Sent to group Notification rule(s) None (rule disabled) Update Notification Rule Create Notification Rule These bindings control upon which events this rule triggers. Bindings to groups/users are checked against the user of the event. Successfully updated transport. Successfully created transport. Mode Local (notifications will be created within authentik) Email Webhook (generic) Webhook (Slack/Discord) Webhook URL Webhook Mapping Send once Only send notification once, for example when sending a webhook into a chat channel. 
Define how notifications are sent to users, like Email or Webhook. Notification transport(s) Update Notification Transport Create Notification Transport Order Stage binding(s) Stage Stage type Update Edit Stage Update Stage binding Edit Binding These bindings control if this stage will be applied to the flow. No Stages bound No stages are currently bound to this flow. Create Stage binding Bind stage Create and bind Stage Bind existing stage Successfully updated flow. Successfully created flow. Title Shown as the Title in Flow pages. Visible in the URL. Designation Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik. Authentication No requirement Require authentication Require no authentication. Require superuser. Require Outpost (flow can only be executed from an outpost). Required authentication level for this flow. Behavior settings Compatibility mode Increases compatibility with password managers and mobile devices. Denied action Will follow the ?next parameter if set, otherwise show a message Will either follow the ?next parameter or redirect to the default interface Will notify the user the flow isn't applicable Decides the response when a policy denies access to this flow for a user. Appearance settings Layout Background Background shown during execution. Clear background Delete currently set background image. Successfully imported flow. Flow .yaml files, which can be found on goauthentik.io and can be exported by authentik. Flows describe a chain of Stages to authenticate, enroll or recover a user. Stages are chosen based on policies applied to them. Identifier Flow(s) Update Flow Execute Export Create Flow Import Import Flow Successfully cleared flow cache Failed to delete flow cache Clear cache Clear Flow cache Are you sure you want to clear the flow cache? This will cause all flows to be re-evaluated on their next usage. 
Flow Overview Flow Info Related actions Execute flow Normal with current user with inspector Export flow Diagram Stage Bindings These bindings control which users can access this flow. Successfully updated binding. Successfully created binding. Target Evaluate when flow is planned Evaluate policies during the Flow planning process. Evaluate when stage is run Evaluate policies before the Stage is presented to the user. Invalid response behavior Returns the error message and a similar challenge to the executor Restarts the flow from the beginning Restarts the flow from the beginning, while keeping the flow context Configure how the flow executor should handle an invalid response to a challenge given by this bound stage. Authorization Enrollment Invalidation Stage Configuration Unenrollment Unknown designation Stacked Content left Content right Sidebar left Sidebar right Unknown layout Successfully updated group. Successfully created group. Is superuser Users added to this group will be superusers. Parent Select roles to grant this group's users permissions from the selected roles. Attributes Set custom attributes using YAML or JSON. Group users together and give them permissions based on the membership. Members Superuser privileges? Group(s) Update Group Create Group Group Group Info Superuser Notes Edit the notes attribute of this group to add notes here. Active Last login Select users to add Successfully added user to group(s). Groups to add Add group Remove from Group(s) Are you sure you want to remove user from the following groups? Remove Add Group Add to existing group Add new group Successfully added user(s). Users to add Add users User(s) Remove User(s) Are you sure you want to remove the selected users from the group ? Username ID Update User Impersonate User status Inactive Regular user Change status Deactivate Activate Update password Set password Successfully generated recovery link No recovery flow is configured. 
Copy recovery link Send link Send recovery link to user Email recovery link Recovery link cannot be emailed, user has no email address saved. To let a user directly reset their password, configure a recovery flow on the currently active tenant. Add User Warning: This group is configured with superuser access. Added users will have superuser access. Add existing user Create user Create User This user will be added to the group "". Create Service account Hide service-accounts Outpost Deployment Info View deployment documentation Click to copy token If your authentik Instance is using a self-signed certificate, set this value. If your authentik_host setting does not match the URL you want to login with, add this setting. Successfully updated outpost. Successfully created outpost. Proxy LDAP Radius RAC Integration Selecting an integration enables the management of the outpost by authentik. You can only select providers that match the type of the outpost. Advanced settings Configuration See more here: Last seen Version , should be Hostname Not available Last seen: Unknown type Outposts are deployments of authentik components to support different environments and protocols, like reverse proxies. Health and Version Warning: authentik Domain is not configured, authentication will not work. Logging in via . No integration active Update Outpost View Deployment Info Detailed health (one instance per column, data is cached so may be out of date) Outpost(s) Create Outpost Successfully updated integration. Successfully created integration. Local If enabled, use the local connection. Required Docker socket/Kubernetes Integration. Docker URL Can be in the format of 'unix://' when connecting to a local docker daemon, using 'ssh://' to connect via SSH, or 'https://:2376' when connecting to a remote system. TLS Verification Certificate CA which the endpoint's Certificate is verified against. Can be left empty for no validation. 
TLS Authentication Certificate/SSH Keypair Certificate/Key used for authentication. Can be left empty for no authentication. When connecting via SSH, this keypair is used for authentication. Kubeconfig Verify Kubernetes API SSL Certificate State Unhealthy Outpost integration(s) Select type New outpost integration Create a new outpost integration. Create Successfully updated policy. Successfully created policy. Policy / User / Group Timeout Policy User Edit Policy Edit Group Edit User Policy binding(s) Update Binding No Policies bound. No policies are currently bound to this object. Create Binding Create and bind Policy Bind existing policy Policy Group mappings can only be checked if a user is already logged in when trying to access this source. User mappings can only be checked if a user is already logged in when trying to access this source. Negate result Negates the outcome of the binding. Messages are unaffected. Failure result Pass Don't pass Result used when policy execution fails. Allow users to use Applications based on properties, enforce Password Criteria and selectively apply Stages. Assigned to object(s). Warning: Policy is not assigned. Test Policy Policy / Policies Successfully cleared policy cache Failed to delete policy cache Clear Policy cache Are you sure you want to clear the policy cache? This will cause all policies to be re-evaluated on their next usage. New policy Create a new policy. Successfully updated mapping. Successfully created mapping. Object field Field of the user object this value is written to. Expression using Python. See documentation for a list of all variables. Control how authentik exposes and interprets information. Property Mapping(s) Test Property Mapping Hide managed mappings General settings Password RDP settings Ignore server certificate Enable wallpaper Enable font-smoothing Enable full window dragging SAML Attribute Name Attribute name used for SAML Assertions. 
Can be a URN OID, a schema reference, or any other string. If this property mapping is used for NameID Property, this field is discarded. Friendly Name Optionally set the 'FriendlyName' value of the Assertion attribute. Scope name Scope which the client can specify to access these properties. Description shown to the user when consenting. If left empty, the user won't be informed. Example context data Active Directory User Active Directory Group Provider requires enterprise. Learn more New property mapping Create a new property mapping. Successfully updated provider. Successfully created provider. Provide support for protocols like SAML and OAuth to assigned applications. Provider(s) Assigned to application Assigned to application (backchannel) Warning: Provider not assigned to any application. Try the new application wizard The new application wizard greatly simplifies the steps required to create applications and providers. Try it now New provider Create a new provider. Successfully updated role. Successfully created role. Manage roles which grant permissions to objects within authentik. Role(s) RBAC is in preview. Update Role Create Role Successfully assigned permission. Permissions to add Select permissions Assign Assign permission to role Assign permission Permission(s) Permission Role doesn't have view permission so description cannot be retrieved. Role Role Info Assigned global permissions Assigned object permissions Successfully updated source. Successfully created source. Sources of identities, which can either be synced into authentik's database, or can be used by users to authenticate and enroll themselves. Source(s) Disabled Built-in New source Create a new source. Successfully updated stage. Successfully created stage. Stages are single steps of a Flow that a user is guided through. A stage can only be executed from within a flow. Stage(s) Import Duo device Import devices New stage Create a new stage. 
Long-running operations which authentik executes in the background. Last run Duration seconds Restart task Successfully updated tenant. Successfully created tenant. Domain Matching is done based on domain suffix, so if you enter domain.tld, foo.domain.tld will still match. Default Use this tenant for each domain that doesn't have a dedicated tenant. Branding settings Branding shown in page title and several other places. Logo Icon shown in sidebar/header and flow executor. Favicon Icon shown in the browser tab. Default flows Authentication flow Flow used to authenticate users. If left empty, the first applicable flow sorted by the slug is used. Invalidation flow Flow used to logout. If left empty, the first applicable flow sorted by the slug is used. Recovery flow Recovery flow. If left empty, the first applicable flow sorted by the slug is used. Unenrollment flow If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown. User settings flow If set, users are able to configure details of their profile. Device code flow If set, the OAuth Device Code profile can be used, and the selected flow will be used to enter the code. Other global settings Web Certificate Event retention Duration after which events will be deleted from the database. When using an external logging solution for archiving, this can be set to "minutes=5". This setting only affects new Events, as the expiration is saved per-event. Format: "weeks=3;days=2;hours=3,seconds=2". Set custom attributes using YAML or JSON. Any attributes set here will be inherited by users, if the request is handled by this tenant. Configure visual settings and defaults for different domains. Default? Tenant(s) Update Tenant Create Tenant Successfully updated token. Successfully created token. Expires on Unique identifier the token is referenced by. Intent API Token Used to access the API programmatically App password. 
Used to login using a flow executor Expiring If this is selected, the token will expire. Upon expiration, the token will be rotated. Tokens Tokens are used throughout authentik for Email validation stages, Recovery keys and API access. Expires? Token(s) Create Token Token is managed by authentik. Update Token Editing is disabled for managed tokens Copy token Select groups to add user to Warning: Adding the user to the selected group(s) will give them superuser permissions. Successfully created user and added to group Successfully created user. User's primary identifier. 150 characters or fewer. Create group Enabling this toggle will create a group named after the user, with the user as member. Use the username and password below to authenticate. The password can be retrieved later on the Tokens page. Valid for 360 days, after which the password will automatically rotate. You can copy the password from the Token List. Successfully updated Failed to update : Are you sure you want to update ""? Assign permission to user User doesn't have view permission so description cannot be retrieved. Failed Logins Successful Logins Application authorizations Confirmed Device(s) Refresh Successfully updated user. User's display name. User type Internal users might be users such as company employees, which will get access to the full Enterprise feature set. External users might be external consultants or B2C customers. These users don't get access to enterprise features. Service accounts should be used for machine-to-machine authentication or other automations. Is active Designates whether this user should be treated as active. Unselect this instead of deleting accounts. A copy of this recovery link has been placed in your clipboard The current tenant must have a recovery flow configured to use a recovery link Warning: You're about to delete the user you're logged in as (). Proceed at your own risk. 
Hide deactivated user <No name set> Create recovery link User folders Successfully updated password. Successfully sent email. Email stage User Info Lock the user out of this system Allow the user to log in and use this system Temporarily assume the identity of this user Enter a new password for this user Create a link for this user to reset their password Create Recovery Link Actions over the last week (per 8 hours) Edit the notes attribute of this user to add notes here. Sessions User events Explicit Consent OAuth Refresh Tokens MFA Authenticators Assigned permissions WebAuthn requires this page to be accessed via HTTPS. WebAuthn not supported by browser. Don't show this message again. Next Back Submit No Events found. No matching events could be found. Pseudolocale (for testing) English Spanish German French Korean Dutch Polish Turkish Chinese (traditional) Taiwanese Mandarin Chinese (simplified) Everything is ok. hour(s) ago Failed to fetch data. Remove item Warning: The current user count has exceeded the configured licenses. Click here for more info. : Not used by any other object. object will be DELETED connection will be deleted reference will be reset to default value reference will be set to an empty value () Successfully deleted Failed to delete : Delete Are you sure you want to delete ? The following objects use connecting object will be deleted Click to change value No form found Form didn't return a promise for submitting Select an object. Loading options... API request failed API Requests Open API Browser Notifications unread Successfully cleared notifications Clear all Revoked? Expires Scopes ID Token Refresh Token(s) Update Permissions User Object Permissions Role Object Permissions Model Select permissions to grant Role Assign to new role Directly assigned Assign to new user Not found The URL "" was not found. Return home No objects found. Failed to fetch objects. Select all rows Clear search - of Go to previous page Go to next page Search... 
Last IP Session(s) (Current session) Consent(s) (Format: hours=-1;minutes=-2;seconds=-3). (Format: hours=1;minutes=2;seconds=3). The following keywords are supported: Apply changes Finish Connection failed after attempts. Re-connecting in second(s). Connecting... Something went wrong! Please try again later. Request ID You may close this page now. Redirect You're about to be redirected to the following URL. Follow redirect Select endpoint to connect to Less details More details Refer to documentation No Applications available. Either no applications are defined, or you don't have access to any. My Applications My applications User details Consent MFA Devices Connected services Failed to fetch Recent events Embedded outpost is not configured correctly. Check outposts. HTTPS is not detected correctly Server and client are further than 5 seconds apart. OK System status Based on is available! Up-to-date! Workers No workers connected. Background tasks will not run. day(s) ago Objects created Healthy outposts Outdated outposts Unhealthy outposts LDAP Source SCIM Provider Healthy Failed Unsynced / N/A UI Settings OAuth2/OIDC (Open Authorization/OpenID Connect) Modern applications, APIs and Single-page applications. LDAP (Lightweight Directory Access Protocol) Provide an LDAP interface for applications and users to authenticate against. Transparent Reverse Proxy For transparent reverse proxies with required authentication Forward Auth (Single Application) For nginx's auth_request or traefik's forwardAuth Forward Auth (Domain Level) For nginx's auth_request or traefik's forwardAuth per root domain SAML (Security Assertion Markup Language) Configure SAML provider manually RADIUS (Remote Authentication Dial-In User Service) Configure RADIUS provider manually SCIM (System for Cross-domain Identity Management) Configure SCIM provider manually Saving Application... Authentik was unable to save this application: Your application has been saved There was an error in the application. 
Review the application. There was an error in the provider. Review the provider. There was an error There was an error creating the application, but no error message was sent. Please review the server logs. Cached binding Flow is executed and session is cached in memory. Flow is executed when session expires Direct binding Always execute the configured bind flow to authenticate the user Cached querying The outpost holds all users and groups in-memory and will refresh every 5 Minutes Direct querying Always returns the latest data, but slower than cached querying When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. The start for gidNumbers, this number is added to a number generated from the group.Pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate. DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged. The start for uidNumbers, this number is added to the user.Pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber Configure LDAP Provider Method's display Name. Bind flow Flow used for users to authenticate. Search group Bind mode Configure how the outpost authenticates requests. Search mode Configure how the outpost queries the core authentik server's users. Code-based MFA Support Protocol settings Base DN LDAP DN under which bind requests and search requests can be made. 
TLS Server name UID start number GID start number Configure OAuth2/OpenId Provider Flow used when a user accesses this provider and is not authenticated. Authorization flow Flow used when authorizing this provider. Client type Client ID Client Secret Redirect URIs/Origins (RegEx) Signing Key Key used to sign the tokens. Advanced protocol settings Access code validity Configure how long access codes are valid for. Access Token validity Configure how long access tokens are valid for. Refresh Token validity Configure how long refresh tokens are valid for. Select which scopes can be used by the client. The client still has to specify the scope to access the data. Subject mode Configure what data should be used as unique User Identifier. For most cases, the default should be fine. Include claims in id_token Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint. Issuer mode Configure how the issuer field of the ID Token should be filled. Machine-to-Machine authentication settings Trusted OIDC Sources JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider. HTTP-Basic Username Key User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used. HTTP-Basic Password Key User/Group Attribute used for the password part of the HTTP-Basic Header. Configure Proxy Provider Token validity Configure how long tokens are valid for. AdditionalScopes Additional scope mappings, which are passed to the proxy. Unauthenticated URLs Unauthenticated Paths Regular expressions for which authentication is not required. Each new line is interpreted as a new expression. When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions. 
Authentication settings Intercept header authentication When enabled, authentik will intercept the Authorization header to authenticate the request. Send HTTP-Basic Authentication Send a custom HTTP-Basic Authentication header based on values from authentik. Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application. An example setup can look like this: authentik running on auth.example.com app1 running on app1.example.com In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com. External host The external URL you'll authenticate at. The authentik core server should be reachable under this URL. Cookie domain Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'. This provider will behave like a transparent reverse-proxy, except requests must be authenticated. If your upstream application uses HTTPS, make sure to connect to the outpost using HTTPS as well. The external URL you'll access the application at. Include any non-standard port. Internal host Upstream host that the requests are forwarded to. Internal host SSL Validation Validate SSL Certificates of upstream servers. Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you). Configure Radius Provider Shared secret Client Networks List of CIDRs (comma-separated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped. 
Post Configure SAML Provider ACS URL Issuer Also known as EntityID. Service Provider Binding Determines how authentik sends the response back to the Service Provider. Audience Signing Certificate Certificate used to sign outgoing Responses going to the Service Provider. Verification Certificate When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default. Property mappings used for user mapping. NameID Property Mapping Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected. Assertion valid not before Configure the maximum allowed time drift for an assertion. Assertion valid not on or after Assertion not valid on or after current time + this value. Session valid not on or after Session not valid on or after current time + this value. Digest algorithm Signature algorithm Configure SCIM Provider SCIM base url, usually ends in /v2. Token Token to authenticate with. Currently only bearer authentication is supported. User filtering Exclude service accounts Only sync users within the selected group. Attribute mapping User Property Mappings Group Property Mappings Property mappings used for group creation. Create With Wizard New application A policy used for testing. Always returns the same result as specified below after waiting a random duration. Execution logging When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged. Policy-specific settings Pass policy? Wait (min) The policy takes a random time to execute. This controls the minimum time it will take. Wait (max) Matches an event against a set of criteria. If any of the configured values match, the policy passes. Match created events with this action type. When left empty, all action types will be matched. Matches Event's Client IP (strict matching, for network matching use an Expression Policy). 
Match events created by selected application. When left empty, all applications are matched. Match events created by selected model. When left empty, all models are matched. Checks if the request's user's password has been changed in the last x days, and denies based on settings. Maximum age (in days) Only fail the policy, don't invalidate user's password Executes the python snippet to determine whether to allow or deny a request. Static rules Minimum length Minimum amount of Uppercase Characters Minimum amount of Lowercase Characters Minimum amount of Digits Minimum amount of Symbol Characters Error message Symbol charset Characters which are considered as symbols. HaveIBeenPwned settings Allowed count Allow up to N occurrences in the HIBP database. zxcvbn settings Score threshold If the password's score is less than or equal to this value, the policy will fail. 0: Too guessable: risky password. (guesses < 10^3) 1: Very guessable: protection from throttled online attacks. (guesses < 10^6) 2: Somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8) 3: Safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10) 4: Very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10) Checks the value from the policy request against several rules, mostly used to ensure password strength. Password field Field key to check, field keys defined in Prompt stages are available. Check static rules Check haveibeenpwned.com For more info see: Check zxcvbn Password strength estimator created by Dropbox, see: Reputation for IP and user identifiers. Scores are decreased for each failed login and increased for each successful login. IP Score Updated Reputation Allows/denies requests based on the user's and/or the IP's reputation. Invalid login attempts will decrease the score for the client's IP, and the username they are attempting to log in as, by one.
The policy passes when the reputation score is below the threshold, and doesn't pass when either or both of the selected options are equal or above the threshold. Check IP Check Username Threshold Users in the selected group can do search queries. If no group is selected, no LDAP Searches are allowed. Warning: Provider is not used by any Outpost. Assigned to application Update LDAP Provider How to connect Connect to the LDAP Server on port 389: Check the IP of the Kubernetes service, or The Host IP of the docker host Bind DN Bind Password Search base Confidential Confidential clients are capable of maintaining the confidentiality of their credentials such as client secrets Public Public clients are incapable of maintaining the confidentiality and should use methods like PKCE. Based on the User's hashed ID Based on the User's ID Based on the User's UUID Based on the User's username Based on the User's Email This is recommended over the UPN mode. Based on the User's UPN Requires the user to have a 'upn' attribute set, and falls back to hashed user ID. Use this mode only if you have different UPN and Mail domains. Each provider has a different issuer, based on the application slug Same identifier is used for all providers Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows. If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved. To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have. Preview Warning: Provider is not used by an Application. Redirect URIs Update OAuth2 Provider OpenID Configuration URL OpenID Configuration Issuer Authorize URL Token URL Userinfo URL Logout URL JWKS URL Example JWT payload (for currently authenticated user) Forward auth (single application) Forward auth (domain level) Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. 
Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you). Authentication URL Unknown proxy mode Additional scopes Forward auth (domain-level) Nginx (Ingress) Nginx (Proxy Manager) Nginx (standalone) Traefik (Ingress) Traefik (Compose) Traefik (Standalone) Caddy (Standalone) Internal Host External Host Basic-Auth Update Proxy Provider Protocol Settings Allowed Redirect URIs Setup No additional setup is required. Successfully updated endpoint. Successfully created endpoint. Protocol RDP SSH VNC Host Hostname/IP to connect to. Maximum concurrent connections Maximum concurrent allowed connections to this endpoint. Can be set to -1 to disable the limit. Property mappings Connection settings. Endpoint(s) Update Endpoint These bindings control which users will have access to this endpoint. Users must also have access to the application. Create Endpoint Connection expiry Determines how long a session lasts before being disconnected and requiring re-authorization. RAC is in preview. Update RAC Provider Endpoints Update Radius Provider Default relay state When using IDP-initiated logins, the relay state will be set to this value. Successfully imported provider. Metadata Copy download URL Download signing certificate Related objects Update SAML Provider SAML Configuration EntityID/Issuer SSO URL (Post) SSO URL (Redirect) SSO URL (IdP-initiated Login) SLO URL (Post) SLO URL (Redirect) SAML Metadata Example SAML attributes NameID attribute Property mappings used for user mapping. Property mappings used for group creation. No sync status. Sync currently running. Not synced yet. Task finished with warnings Task finished with errors Last sync: Warning: Provider is not assigned to an application as backchannel provider. Update SCIM Provider Run sync again Global status Vendor Sync users User password writeback Login password is synced from LDAP into authentik automatically.
Enable this option only to write password changes in authentik back to LDAP. Sync groups Connection settings Server URI Specify multiple server URIs by separating them with a comma. Enable StartTLS To use SSL instead, use 'ldaps://' and disable this option. Use Server URI for SNI verification Required for servers using TLS 1.3+ When connecting to an LDAP Server with TLS, certificates are not checked by default. Specify a keypair to validate the remote certificate. TLS Client authentication certificate Client certificate keypair to authenticate against the LDAP Server's Certificate. Bind CN LDAP Attribute mapping Property mappings used for user creation. Parent group for all the groups imported from LDAP. User path Addition User DN Additional user DN, prepended to the Base DN. Addition Group DN Additional group DN, prepended to the Base DN. User object filter Consider Objects matching this filter to be Users. Group object filter Consider Objects matching this filter to be Groups. Group membership field Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...' Object uniqueness field Field which contains a unique Identifier. Update LDAP Source Connectivity OAuth Source URL settings Authorization URL URL the user is redirected to in order to consent to the authorization. Access token URL URL used by authentik to retrieve tokens. Profile URL URL used by authentik to get user information. Request token URL URL used to request the initial token. This URL is only required for OAuth 1. OIDC Well-known URL OIDC well-known configuration URL. Can be used to automatically configure the URLs above. OIDC JWKS URL JSON Web Key URL. Keys from the URL will be used to validate JWTs from this source. OIDC JWKS Raw JWKS data. User matching mode Consumer key Also known as Client ID. Consumer secret Also known as Client Secret.
Additional scopes to be passed to the OAuth Provider, separated by space. To replace existing scopes, prefix with *. Flow settings Flow to use when authenticating existing users. Enrollment flow Flow to use when enrolling new users. Generic OpenID Connect Unknown provider type Details Callback URL Access Key Update OAuth Source Policy Bindings These bindings control which users can access this source. You can only use policies here as access is checked before the user is authenticated. Link users on unique identifier Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses. Use the user's email address, but deny enrollment when the email address already exists Link to a user with identical username. Can have security implications when a username is used with another source. Use the user's username, but deny enrollment when the username already exists Unknown user matching mode Load servers Re-authenticate with plex Allow friends to authenticate via Plex, even if you don't share any servers Allowed servers Select which server a user has to be a member of to be allowed to authenticate. Update Plex Source SSO URL URL that the initial Login request is sent to. SLO URL Optional URL if the IDP supports Single-Logout. Also known as Entity ID. Defaults to the Metadata URL. Binding Type Redirect binding Post-auto binding Post binding but the request is automatically sent and the user doesn't have to confirm. Post binding Signing keypair Keypair which is used to sign outgoing requests. Leave empty to disable signing. Allow IDP-initiated logins Allows authentication flows initiated by the IdP. This can be a security risk, as no validation of the request ID is done. NameID Policy Persistent Email address Windows X509 Subject Transient Delete temporary users after Time offset when temporary users should be deleted. This only applies if your IDP uses the NameID Format 'transient', and the user doesn't log out manually.
Pre-authentication flow Flow used before authentication. Update SAML Source Stage used to configure a duo-based authenticator. This stage should be used for configuration flows. Authenticator type name Display name of this authenticator, used by users when they enroll an authenticator. API Hostname Duo Auth API Integration key Secret key Duo Admin API (optional) When using a Duo MFA, Access or Beyond plan, an Admin API application can be created. This will allow authentik to import devices automatically. Stage-specific settings Configuration flow Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage. Successfully imported device. The user in authentik this device will be assigned to. Duo User ID The user ID in Duo, can be found in the URL after clicking on a user. Automatic import Successfully imported devices. Start automatic import Or manually import Twilio Account SID Get this value from https://console.twilio.com Twilio Auth Token Authentication Type Basic Auth Bearer Token External API URL This is the full endpoint to send POST requests to. API Auth Username This is the username to be used with basic auth or the token when used with bearer token API Auth password This is the password to be used with basic auth Mapping Modify the payload sent to the custom provider. Stage used to configure an SMS-based TOTP authenticator. Twilio Generic From number Number the SMS will be sent from. Hash phone number If enabled, only a hash of the phone number will be saved. This can be done for data-protection reasons. Devices created from a stage with this enabled cannot be used with the authenticator validation stage. Stage used to configure a static authenticator (i.e. static tokens). This stage should be used for configuration flows. Token count The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. 
Token length The length of the individual generated tokens. Can be increased to improve security. Stage used to configure a TOTP authenticator (i.e. Authy/Google Authenticator). Digits 6 digits, widely compatible 8 digits, not compatible with apps like Google Authenticator Stage used to validate any authenticator. This stage should be used during authentication or authorization flows. Device classes Static Tokens TOTP Authenticators WebAuthn Authenticators Duo Authenticators SMS-based Authenticators Device classes which can be used to authenticate. Last validation threshold If any of the user's devices of the types selected above have been used within this duration, this stage will be skipped. Not configured action Force the user to configure an authenticator Deny the user access Continue WebAuthn User verification User verification must occur. User verification is preferred if available, but not required. User verification should not occur. Configuration stages Stages used to configure an Authenticator when the user doesn't have any compatible devices. After this configuration Stage passes, the user is not prompted again. When multiple stages are selected, the user can choose which one they want to enroll. Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello). User verification Required: User verification must occur. Preferred: User verification is preferred if available, but not required. Discouraged: User verification should not occur. Resident key requirement Required: The authenticator MUST create a dedicated credential.
If it cannot, the RP is prepared for an error to occur. Preferred: The authenticator can create and store a dedicated credential, but if it doesn't that's alright too. Discouraged: The authenticator should not create a dedicated credential. Authenticator Attachment No preference is sent A non-removable authenticator, like TouchID or Windows Hello A "roaming" authenticator, like a YubiKey This stage checks the user's current session against the Google reCaptcha (or compatible) service. Public Key Public key, acquired from https://www.google.com/recaptcha/intro/v3.html. Private key, acquired from https://www.google.com/recaptcha/intro/v3.html. JS URL URL to fetch JavaScript from, defaults to recaptcha. Can be replaced with any compatible alternative. API URL URL used to validate captcha response, defaults to recaptcha. Can be replaced with any compatible alternative. Prompt for the user's consent. The consent can either be permanent or expire in a defined amount of time. Always require consent Consent given lasts indefinitely Consent expires. Consent expires in Offset after which consent expires. Statically deny the flow. To use this stage effectively, disable *Evaluate when flow is planned* on the respective binding. Deny message Message shown when this stage is run. Dummy stage used for testing. Shows a simple continue button and always passes. Throw error? SMTP Host SMTP Port SMTP Username SMTP Password Use TLS Use SSL From address Verify the user's email address by sending them a one-time-link. Can also be used for recovery to verify the user's authenticity. Activate pending user on success When a user returns from the email successfully, their account will be activated. Use global settings When enabled, global Email connection settings will be used and connection settings below will be ignored. Token expiry Time in minutes the token sent is valid. Template Let the user identify themselves with their username or Email address.
User fields UPN Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources. Password stage When selected, a password field is shown on the same page instead of a separate page. This prevents username enumeration attacks. Case insensitive matching When enabled, user fields are matched regardless of their casing. Pretend user exists When enabled, the stage will always accept the given user identifier and continue. Show matched user When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown. Source settings Sources Select sources that should be shown for users to authenticate with. This only affects web-based sources, not LDAP. Show sources' labels By default, only icons are shown for sources. Enable this to show their full names. Passwordless flow Optional passwordless flow, which is linked at the bottom of the page. When configured, users can use this flow to authenticate with a WebAuthn authenticator, without entering any details. Optional enrollment flow, which is linked at the bottom of the page. Optional recovery flow, which is linked at the bottom of the page. Successfully updated invitation. Successfully created invitation. When selected, the invite will only be usable with the flow. By default the invite is accepted on all flows with invitation stages. Custom attributes Optional data which is loaded into the flow's 'prompt_data' context variable. YAML or JSON. Single use When enabled, the invitation will be deleted after usage. Select an enrollment flow Link to use the invitation. Create Invitation Links to enroll Users, and optionally force specific attributes of their account. Created by Invitation(s) Invitation not limited to any flow, and can be used with any enrollment flow. Update Invitation Create Invitation Warning: No invitation stage is bound to any flow.
Invitations will not work as expected. This stage can be included in enrollment flows to accept invitations. Continue flow without invitation If this flag is set, this Stage will jump to the next Stage when no Invitation is given. By default this Stage will cancel the Flow when no invitation is given. Validate the user's password against the selected backend(s). Backends User database + standard password User database + app passwords User database + LDAP password Selection of backends to test the password against. Flow used by an authenticated user to configure their password. If empty, the user will not be able to change their password. Failed attempts before cancel How many attempts a user has before the flow is canceled. To lock the user out, use a reputation policy and a user_write stage. Successfully updated prompt. Successfully created prompt. Text: Simple Text input Text Area: Multiline text input Text (read-only): Simple Text input, but cannot be edited. Text Area (read-only): Multiline text input, but cannot be edited. Username: Same as Text input, but checks for and prevents duplicate usernames. Email: Text field with Email type. Password: Masked input, multiple inputs of this type on the same prompt need to be identical. Number Checkbox Radio Button Group (fixed choice) Dropdown (fixed choice) Date Date Time File Separator: Static Separator Line Hidden: Hidden field, can be used to insert data into form. Static: Static value, displayed as-is. authentik: Locale: Displays a list of locales authentik supports. Preview errors Data preview Unique name of this field, used for selecting fields in prompt stages. Field Key Name of the form field, also used to store the value. When used in conjunction with a User Write stage, use attributes.foo to write attributes. Label Label shown next to/above the prompt. Required Interpret placeholder as expression When checked, the placeholder will be evaluated in the same way a property mapping is.
If the evaluation fails, the placeholder itself is returned. Placeholder Optionally provide a short hint that describes the expected input value. When creating a fixed choice field, enable interpreting as expression and return a list to return multiple choices. Interpret initial value as expression When checked, the initial value will be evaluated in the same way a property mapping is. If the evaluation fails, the initial value itself is returned. Initial value Optionally pre-fill the input with an initial value. When creating a fixed choice field, enable interpreting as expression and return a list to return multiple default choices. Help text Any HTML can be used. Single Prompts that can be used for Prompt Stages. Field Prompt(s) Update Prompt Create Prompt Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable. Fields ("", of type ) Validation Policies Selected policies are executed when the stage is submitted to validate the data. Delete the currently pending user. CAUTION, this stage does not ask for confirmation. Use a consent stage to ensure the user is aware of their actions. Log the currently pending user in. Session duration Determines how long a session lasts. Default of 0 seconds means that the session lasts until the browser is closed. Different browsers handle session cookies differently, and might not remove them even when the browser is closed. See here. Stay signed in offset If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. Network binding No binding Bind ASN Bind ASN and Network Bind ASN, Network and IP Configure if sessions created by this stage should be bound to the Networks they were created in.
GeoIP binding Bind Continent Bind Continent and Country Bind Continent, Country and City Configure if sessions created by this stage should be bound to their GeoIP-based location. Terminate other sessions When enabled, all previous sessions of the user will be terminated. Remove the user from the current session. Write any data from the flow's context's 'prompt_data' to the currently pending user. If no user is pending, a new user is created, and data is written to them. Never create users When no user is present in the flow context, the stage will fail. Create users when required When no user is present in the flow context, a new user is created. Always create new users Create a new user even if a user is in the flow context. Create users as inactive Mark newly created users as inactive. User path template User type used for newly created users. Path new users will be created under. If left blank, the default path will be used. Newly created users are added to this group, if a group is selected. Open Wizard Demo Wizard Run the demo wizard The token has been copied to your clipboard The token was displayed because authentik does not have permission to write to the clipboard Enter the code shown on your device. Code Please enter your Code You've successfully authenticated your device. Authenticating with Apple... Retry Authenticating with Plex... Waiting for authentication... If no Plex popup opens, click the button below. Open login Request has been denied. Not you? Duo activation QR code Alternatively, if your current device has Duo installed, click on this link: Duo activation Check status Phone number Please enter your Phone number. Please enter the code you received via SMS Make sure to keep these tokens in a safe place. Successfully copied TOTP Config. Copy Please enter your TOTP Code Duo push-notifications Receive a push notification on your device. Authenticator Use a security key to prove your identity.
Traditional authenticator Use a code-based authenticator. Recovery keys In case you can't access any other method. SMS Tokens sent via SMS. Select an authentication method. A code has been sent to you via SMS. Open your two-factor authenticator app to view your authentication code. Static token Authentication code Please enter your code Return to device picker Sending Duo push notification Assertion is empty Error when creating credential: Error when validating assertion on server: Retry authentication Error creating credential: Server validation of credential failed: Register device Application requires the following permissions: Application already has access to the following permissions: Application requires the following new permissions: Check your Inbox for a verification email. Send Email again. Need an account? Sign up. Forgot username or password? Select one of the sources below to log in. Or Use a security key Login to continue to . Please enter your password Forgot password? Auto-detect (based on your browser) Required. Stay signed in? Select Yes to reduce the number of times you're asked to sign in. Change your password Change password Successfully updated details Open settings No settings flow configured. Update details Successfully updated device. Enroll Update Device Error: unsupported source settings: Connect your user account to the services listed below, to allow you to log in using the service instead of traditional credentials. No services available. Successfully disconnected source Failed to disconnect source: Disconnect Connect Create App password Save Delete account