English

French

Turkish

Spanish

Polish

Taiwanese Mandarin

Chinese (simplified)

Chinese (traditional)

German

Application

Logins

Show less

UID

Name

App

Model Name

Message

Subject

From

Context

User

Affected model:

Authorized application:

Using flow

Email info:

Secret:

Open issue on GitHub...

Exception

Expression

Binding

Request

Object

Result

Passing

Messages

New version available!

Using source

Attempted to log in as

No additional data available.

Click to change value

Select an object.

Loading options...

Connection error, reconnecting...

Failed login

Logout

User was written to

Suspicious request

Password set

Secret was viewed

Secret was rotated

Invitation used

Application authorized

Source linked

Impersonation started

Impersonation ended

Flow execution

Policy execution

Policy exception

Property Mapping exception

System task execution

System task exception

General system exception

Configuration error

Model created

Model updated

Model deleted

Email sent

Update available

Unknown severity

Alert

Notice

Warning

no tabs defined

- of

Go to previous page

Go to next page

Search...

No objects found.

Failed to fetch objects.

Refresh

Select all rows

Action

Creation Date

Client IP

Tenant

Recent events

On behalf of

No Events found.

No matching events could be found.

Embedded outpost is not configured correctly.

Check outposts.

HTTPS is not detected correctly

Server and client are further than 5 seconds apart.

Everything is ok.

System status

Based on

is available!

Up-to-date!

Version

Workers

No workers connected. Background tasks will not run.

hour(s) ago

day(s) ago

Authorizations

Failed Logins

Successful Logins

Cancel

LDAP Source

SCIM Provider

Healthy

Healthy outposts

Admin

Not found

The URL "" was not found.

Return home

General system status

Welcome, .

Quick actions

Create a new application

Check the logs

Explore integrations

Manage users

Check release notes

Outpost status

Sync status

Logins and authorizations over the last week (per 8 hours)

Apps with most usage

days ago

Objects created

User statistics

Users created per day in the last month

Logins per day in the last month

Failed Logins per day in the last month

Clear search

System Tasks

Long-running operations which authentik executes in the background.

Identifier

Description

Last run

Status

Actions

Successful

Error

Unknown

Duration

seconds

Authentication

Authorization

Enrollment

Invalidation

Recovery

Stage Configuration

Unenrollment

Unknown designation

Stacked

Content left

Content right

Sidebar left

Sidebar right

Unknown layout

Successfully updated provider.

Successfully created provider.

Bind flow

Flow used for users to authenticate.

Search group

Users in the selected group can do search queries. If no group is selected, no LDAP Searches are allowed.

Bind mode

Cached binding

Flow is executed and session is cached in memory. Flow is executed when session expires

Direct binding

Always execute the configured bind flow to authenticate the user

Configure how the outpost authenticates requests.

Search mode

Cached querying

The outpost holds all users and groups in-memory and will refresh every 5 Minutes

Direct querying

Always returns the latest data, but slower than cached querying

Configure how the outpost queries the core authentik server's users.

Protocol settings

Base DN

LDAP DN under which bind requests and search requests can be made.

Certificate

UID start number

The start for uidNumbers, this number is added to the user.Pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber

GID start number

The start for gidNumbers, this number is added to a number generated from the group.Pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber

(Format: hours=-1;minutes=-2;seconds=-3).

(Format: hours=1;minutes=2;seconds=3).

The following keywords are supported:

Authentication flow

Flow used when a user access this provider and is not authenticated.

Authorization flow

Flow used when authorizing this provider.

Client type

Confidential

Confidential clients are capable of maintaining the confidentiality of their credentials such as client secrets

Public

Public clients are incapable of maintaining the confidentiality and should use methods like PKCE.

Client ID

Client Secret

Redirect URIs/Origins (RegEx)

Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.

If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.

To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.

Signing Key

Key used to sign the tokens.

Advanced protocol settings

Access code validity

Configure how long access codes are valid for.

Access Token validity

Configure how long access tokens are valid for.

Refresh Token validity

Configure how long refresh tokens are valid for.

Scopes

Select which scopes can be used by the client. The client still has to specify the scope to access the data.

Hold control/command to select multiple items.

Subject mode

Based on the User's hashed ID

Based on the User's ID

Based on the User's UUID

Based on the User's username

Based on the User's Email

This is recommended over the UPN mode.

Based on the User's UPN

Requires the user to have a 'upn' attribute set, and falls back to hashed user ID. Use this mode only if you have different UPN and Mail domains.

Configure what data should be used as unique User Identifier. For most cases, the default should be fine.

Include claims in id_token

Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.

Issuer mode

Each provider has a different issuer, based on the application slug

Same identifier is used for all providers

Configure how the issuer field of the ID Token should be filled.

Machine-to-Machine authentication settings

Trusted OIDC Sources

JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.

HTTP-Basic Username Key

User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used.

HTTP-Basic Password Key

User/Group Attribute used for the password part of the HTTP-Basic Header.

Proxy

Forward auth (single application)

Forward auth (domain level)

This provider will behave like a transparent reverse-proxy, except requests must be authenticated. If your upstream application uses HTTPS, make sure to connect to the outpost using HTTPS as well.

External host

The external URL you'll access the application at. Include any non-standard port.

Internal host

Upstream host that the requests are forwarded to.

Internal host SSL Validation

Validate SSL Certificates of upstream servers.

Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a manged outpost, this is done for you).

Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.

An example setup can look like this:

authentik running on auth.example.com

app1 running on app1.example.com

In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com.

Authentication URL

The external URL you'll authenticate at. The authentik core server should be reachable under this URL.

Cookie domain

Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'.

Unknown proxy mode

Token validity

Configure how long tokens are valid for.

Additional scopes

Additional scope mappings, which are passed to the proxy.

Unauthenticated URLs

Unauthenticated Paths

Regular expressions for which authentication is not required. Each new line is interpreted as a new expression.

When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.

Authentication settings

Intercept header authentication

When enabled, authentik will intercept the Authorization header to authenticate the request.

Send HTTP-Basic Authentication

Send a custom HTTP-Basic Authentication header based on values from authentik.

ACS URL

Issuer

Also known as EntityID.

Service Provider Binding

Redirect

Post

Determines how authentik sends the response back to the Service Provider.

Audience

Signing Certificate

Certificate used to sign outgoing Responses going to the Service Provider.

Verification Certificate

When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.

Property mappings

NameID Property Mapping

Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected.

Assertion valid not before

Configure the maximum allowed time drift for an assertion.

Assertion valid not on or after

Assertion not valid on or after current time + this value.

Session valid not on or after

Session not valid on or after current time + this value.

Digest algorithm

Signature algorithm

Successfully imported provider.

Metadata

Apply changes

Finish

Back

No form found

Form didn't return a promise for submitting

Select type

Try the new application wizard

The new application wizard greatly simplifies the steps required to create applications and providers.

Try it now

Create

New provider

Create a new provider.

Create

Shared secret

Client Networks

List of CIDRs (comma-seperated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.

URL

SCIM base url, usually ends in /v2.

Token

Token to authenticate with. Currently only bearer authentication is supported.

User filtering

Exclude service accounts

Group

Only sync users within the selected group.

Attribute mapping

User Property Mappings

Property mappings used to user mapping.

Group Property Mappings

Property mappings used to group creation.

Not used by any other object.

object will be DELETED

connection will be deleted

reference will be reset to default value

reference will be set to an empty value

()

Successfully deleted

Failed to delete :

Delete

Are you sure you want to delete ?

Delete

Providers

Provide support for protocols like SAML and OAuth to assigned applications.

Type

Provider(s)

Assigned to application

Assigned to application (backchannel)

Warning: Provider not assigned to any application.

Update

Select providers to add to application

Add

Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".

Path template for users created. Use placeholders like `%(slug)s` to insert the source slug.

Successfully updated application.

Successfully created application.

Application's display Name.

Slug

Internal application name, used in URLs.

Optionally enter a group name. Applications with identical groups are shown grouped together.

Provider

Select a provider that this application should use.

Backchannel providers

Select backchannel providers which augment the functionality of the main provider.

Policy engine mode

Any policy must match to grant access

All policies must match to grant access

UI settings

Launch URL

If left empty, authentik will try to extract the launch URL based on the selected provider.

Open in new tab

If checked, the launch URL will open in a new browser tab or window from the user's application library.

Icon

Currently set to:

Clear icon

Publisher

Create Application

Overview

Changelog

Warning: Provider is not used by any Outpost.

Assigned to application

Update LDAP Provider

Edit

How to connect

Connect to the LDAP Server on port 389:

Check the IP of the Kubernetes service, or

The Host IP of the docker host

Bind DN

Bind Password

Search base

Preview

Warning: Provider is not used by an Application.

Redirect URIs

Update OAuth2 Provider

OpenID Configuration URL

OpenID Configuration Issuer

Authorize URL

Token URL

Userinfo URL

Logout URL

JWKS URL

Example JWT payload (for currently authenticated user)

Forward auth (domain-level)

Nginx (Ingress)

Nginx (Proxy Manager)

Nginx (standalone)

Traefik (Ingress)

Traefik (Compose)

Traefik (Standalone)

Caddy (Standalone)

Internal Host

External Host

Basic-Auth

Yes

Mode

Update Proxy Provider

Protocol Settings

Allowed Redirect URIs

Setup

No additional setup is required.

Update Radius Provider

Download

Copy download URL

Download signing certificate

Related objects

Update SAML Provider

SAML Configuration

EntityID/Issuer

SSO URL (Post)

SSO URL (Redirect)

SSO URL (IdP-initiated Login)

SLO URL (Post)

SLO URL (Redirect)

SAML Metadata

Example SAML attributes

NameID attribute

SCIM provider is in preview.

Warning: Provider is not assigned to an application as backchannel provider.

Update SCIM Provider

Sync not run yet.

Run sync again

Application details

Create application

Additional UI settings

OAuth2/OIDC

Modern applications, APIs and Single-page applications.

SAML

XML-based SSO standard. Use this if your application only supports SAML.

Legacy applications which don't natively support SSO.

LDAP

Provide an LDAP interface for applications and users to authenticate against.

Link

Authentication method

LDAP details

Create service account

Create provider

Application Link

URL which will be opened when a user clicks on the application.

Method details

This configuration can be used to authenticate to authentik with other APIs other otherwise programmatically.

By default, all service accounts can authenticate as this application, as long as they have a valid token of the type app-password.

Web application

Applications which handle the authentication server-side (for example, Python, Go, Rust, Java, PHP)

Single-page applications

Single-page applications which handle authentication in the browser (for example, Javascript, Angular, React, Vue)

Native application

Applications which redirect users to a non-web callback (for example, Android, iOS)

API

Authentication without user interaction, or machine-to-machine authentication.

Application type

Flow used when users access this application.

Proxy details

External domain

External domain you will be accessing the domain from.

Import SAML Metadata

Import the metadata document of the applicaation you want to configure.

Manual configuration

Manually configure SAML

SAML details

URL that authentik will redirect back to after successful authentication.

Import SAML metadata

New application

Create a new application.

Applications

External Applications which use authentik as Identity-Provider, utilizing protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.

Provider Type

Application(s)

Application Icon

Update Application

Successfully sent test-request.

Log messages

No log messages.

Active

Last login

Select users to add

Successfully updated group.

Successfully created group.

Is superuser

Users added to this group will be superusers.

Parent

Attributes

Set custom attributes using YAML or JSON.

Successfully updated binding.

Successfully created binding.

Policy

Group mappings can only be checked if a user is already logged in when trying to access this source.

User mappings can only be checked if a user is already logged in when trying to access this source.

Enabled

Negate result

Negates the outcome of the binding. Messages are unaffected.

Order

Timeout

Successfully updated policy.

Successfully created policy.

A policy used for testing. Always returns the same result as specified below after waiting a random duration.

Execution logging

When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged.

Policy-specific settings

Pass policy?

Wait (min)

The policy takes a random time to execute. This controls the minimum time it will take.

Wait (max)

Matches an event against a set of criteria. If any of the configured values match, the policy passes.

Match created events with this action type. When left empty, all action types will be matched.

Matches Event's Client IP (strict matching, for network matching use an Expression Policy.

Match events created by selected application. When left empty, all applications are matched.

Checks if the request's user's password has been changed in the last x days, and denys based on settings.

Maximum age (in days)

Only fail the policy, don't invalidate user's password

Executes the python snippet to determine whether to allow or deny a request.

Expression using Python.

See documentation for a list of all variables.

Static rules

Minimum length

Minimum amount of Uppercase Characters

Minimum amount of Lowercase Characters

Minimum amount of Digits

Minimum amount of Symbols Characters

Error message

Symbol charset

Characters which are considered as symbols.

HaveIBeenPwned settings

Allowed count

Allow up to N occurrences in the HIBP database.

zxcvbn settings

Score threshold

If the password's score is less than or equal this value, the policy will fail.

0: Too guessable: risky password. (guesses < 10^3)

1: Very guessable: protection from throttled online attacks. (guesses < 10^6)

2: Somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)

3: Safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)

4: Very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)

Checks the value from the policy request against several rules, mostly used to ensure password strength.

Password field

Field key to check, field keys defined in Prompt stages are available.

Check static rules

Check haveibeenpwned.com

For more info see:

Check zxcvbn

Password strength estimator created by Dropbox, see:

Allows/denys requests based on the users and/or the IPs reputation.

Invalid login attempts will decrease the score for the client's IP, and the username they are attempting to login as, by one.

The policy passes when the reputation score is below the threshold, and doesn't pass when either or both of the selected options are equal or above the threshold.

Check IP

Check Username

Threshold

New policy

Create a new policy.

Create Binding

Superuser

Members

Select groups to add user to

Warning: Adding the user to the selected group(s) will give them superuser permissions.

Successfully updated user.

Successfully created user.

Username

User's primary identifier. 150 characters or fewer.

User's display name.

Is active

Designates whether this user should be treated as active. Unselect this instead of deleting accounts.

Path

Policy / User / Group

Policy

Group

User

Edit Policy

Update Group

Edit Group

Update User

Edit User

Policy binding(s)

Update Binding

Edit Binding

No Policies bound.

No policies are currently bound to this object.

Create & bind Policy

Bind existing policy

Warning: Application is not used by any Outpost.

Backchannel Providers

Check access

Check

Check Application access

Test

Launch

Logins over the last week (per 8 hours)

Policy / Group / User Bindings

These policies control which users can access this application.

Successfully updated source.

Successfully created source.

Sync users

User password writeback

Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP.

Sync groups

Connection settings

Server URI

Specify multiple server URIs by separating them with a comma.

Enable StartTLS

To use SSL instead, use 'ldaps://' and disable this option.

TLS Verification Certificate

When connecting to an LDAP Server with TLS, certificates are not checked by default. Specify a keypair to validate the remote certificate.

Bind CN

LDAP Attribute mapping

Property mappings used to user creation.

Additional settings

Parent group for all the groups imported from LDAP.

User path

Addition User DN

Additional user DN, prepended to the Base DN.

Addition Group DN

Additional group DN, prepended to the Base DN.

User object filter

Consider Objects matching this filter to be Users.

Group object filter

Consider Objects matching this filter to be Groups.

Group membership field

Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'

Object uniqueness field

Field which contains a unique Identifier.

Link users on unique identifier

Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses

Use the user's email address, but deny enrollment when the email address already exists

Link to a user with identical username. Can have security implications when a username is used with another source

Use the user's username, but deny enrollment when the username already exists

Unknown user matching mode

URL settings

Authorization URL

URL the user is redirect to to consent the authorization.

Access token URL

URL used by authentik to retrieve tokens.

Profile URL

URL used by authentik to get user information.

Request token URL

URL used to request the initial token. This URL is only required for OAuth 1.

OIDC Well-known URL

OIDC well-known configuration URL. Can be used to automatically configure the URLs above.

OIDC JWKS URL

JSON Web Key URL. Keys from the URL will be used to validate JWTs from this source.

OIDC JWKS

Raw JWKS data.

User matching mode

Delete currently set icon.

Consumer key

Consumer secret

Additional scopes to be passed to the OAuth Provider, separated by space. To replace existing scopes, prefix with *.

Flow settings

Flow to use when authenticating existing users.

Enrollment flow

Flow to use when enrolling new users.

Load servers

Re-authenticate with plex

Allow friends to authenticate via Plex, even if you don't share any servers

Allowed servers

Select which server a user has to be a member of to be allowed to authenticate.

SSO URL

URL that the initial Login request is sent to.

SLO URL

Optional URL if the IDP supports Single-Logout.

Also known as Entity ID. Defaults the Metadata URL.

Binding Type

Redirect binding

Post-auto binding

Post binding but the request is automatically sent and the user doesn't have to confirm.

Post binding

Signing keypair

Keypair which is used to sign outgoing requests. Leave empty to disable signing.

Allow IDP-initiated logins

Allows authentication flows initiated by the IdP. This can be a security risk, as no validation of the request ID is done.

NameID Policy

Persistent

Email address

Windows

X509 Subject

Transient

Delete temporary users after

Time offset when temporary users should be deleted. This only applies if your IDP uses the NameID Format 'transient', and the user doesn't log out manually.

Pre-authentication flow

Flow used before authentication.

New source

Create a new source.

Federation & Social login

Sources of identities, which can either be synced into authentik's database, or can be used by users to authenticate and enroll themselves.

Source(s)

Disabled

Built-in

Update LDAP Source

Not synced yet.

Task finished with warnings

Task finished with errors

Last sync:

OAuth Source

Generic OpenID Connect

Unknown provider type

Details

Callback URL

Access Key

Update OAuth Source

Diagram

Policy Bindings

These bindings control which users can access this source. You can only use policies here as access is checked before the user is authenticated.

Update Plex Source

Update SAML Source

Successfully updated mapping.

Successfully created mapping.

Object field

Field of the user object this value is written to.

SAML Attribute Name

Attribute name used for SAML Assertions. Can be a URN OID, a schema reference, or a any other string. If this property mapping is used for NameID Property, this field is discarded.

Friendly Name

Optionally set the 'FriendlyName' value of the Assertion attribute.

Scope name

Scope which the client can specify to access these properties.

Description shown to the user when consenting. If left empty, the user won't be informed.

Example context data

Active Directory User

Active Directory Group

New property mapping

Create a new property mapping.

Property Mappings

Control how authentik exposes and interprets information.

Property Mapping(s)

Test Property Mapping

Hide managed mappings

Successfully updated token.

Successfully created token.

Unique identifier the token is referenced by.

Intent

API Token

Used to access the API programmatically

App password.

Used to login using a flow executor

Expiring

If this is selected, the token will expire. Upon expiration, the token will be rotated.

Expires on

API Access

App password

Verification

Unknown intent

Tokens

Tokens are used throughout authentik for Email validation stages, Recovery keys and API access.

Expires?

Expiry date

Token(s)

Create Token

Token is managed by authentik.

Update Token

Successfully updated tenant.

Successfully created tenant.

Domain

Matching is done based on domain suffix, so if you enter domain.tld, foo.domain.tld will still match.

Default

Use this tenant for each domain that doesn't have a dedicated tenant.

Branding settings

Title

Branding shown in page title and several other places.

Logo

Icon shown in sidebar/header and flow executor.

Favicon

Icon shown in the browser tab.

Default flows

Flow used to authenticate users. If left empty, the first applicable flow sorted by the slug is used.

Invalidation flow

Flow used to logout. If left empty, the first applicable flow sorted by the slug is used.

Recovery flow

Recovery flow. If left empty, the first applicable flow sorted by the slug is used.

Unenrollment flow

If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown.

User settings flow

If set, users are able to configure details of their profile.

Device code flow

If set, the OAuth Device Code profile can be used, and the selected flow will be used to enter the code.

Other global settings

Web Certificate

Event retention

Duration after which events will be deleted from the database.

When using an external logging solution for archiving, this can be set to "minutes=5".

This setting only affects new Events, as the expiration is saved per-event.

Format: "weeks=3;days=2;hours=3,seconds=2".

Set custom attributes using YAML or JSON. Any attributes set here will be inherited by users, if the request is handled by this tenant.

Tenants

Configure visual settings and defaults for different domains.

Default?

Tenant(s)

Update Tenant

Create Tenant

Policies

Allow users to use Applications based on properties, enforce Password Criteria and selectively apply Stages.

Assigned to object(s).

Warning: Policy is not assigned.

Test Policy

Policy / Policies

Successfully cleared policy cache

Failed to delete policy cache

Clear cache

Clear Policy cache

Are you sure you want to clear the policy cache? This will cause all policies to be re-evaluated on their next usage.

Reputation scores

Reputation for IP and user identifiers. Scores are decreased for each failed login and increased for each successful login.

Score

Updated

Reputation

Groups

Group users together and give them permissions based on the membership.

Superuser privileges?

Group(s)

Create Group

Create group

Enabling this toggle will create a group named after the user, with the user as member.

Use the username and password below to authenticate. The password can be retrieved later on the Tokens page.

Password

Valid for 360 days, after which the password will automatically rotate. You can copy the password from the Token List.

The following objects use

connecting object will be deleted

Successfully updated

Failed to update :

Are you sure you want to update ""?

Successfully updated password.

Successfully sent email.

Email stage

Successfully added user(s).

Users to add

User(s)

Remove Users(s)

Are you sure you want to remove the selected users from the group ?

Remove

Impersonate

User status

Change status

Deactivate

Update password

Set password

Successfully generated recovery link

No recovery flow is configured.

Copy recovery link

Send link

Send recovery link to user

Email recovery link

Recovery link cannot be emailed, user has no email address saved.

To let a user directly reset a their password, configure a recovery flow on the currently active tenant.

Add User

Warning: This group is configured with superuser access. Added users will have superuser access.

Add existing user

Create user

Create User

Create Service account

Hide service-accounts

Group Info

Notes

Edit the notes attribute of this group to add notes here.

Users

Root

Warning: You're about to delete the user you're logged in as (). Proceed at your own risk.

Hide deactivated user

User folders

Successfully added user to group(s).

Groups to add

Remove from Group(s)

Are you sure you want to remove user from the following groups?

Add Group

Add to existing group

Add new group

Application authorizations

Revoked?

Expires

ID Token

Refresh Tokens(s)

Last IP

Session(s)

Expiry

(Current session)

Permissions

Consent(s)

Successfully updated device.

Static tokens

TOTP Device

Enroll

Device(s)

Update Device

Confirmed

User Info

To create a recovery link, the current tenant needs to have a recovery flow configured.

Reset Password

Actions over the last week (per 8 hours)

Edit the notes attribute of this user to add notes here.

Sessions

User events

Explicit Consent

OAuth Refresh Tokens

MFA Authenticators

Successfully updated invitation.

Successfully created invitation.

Flow

When selected, the invite will only be usable with the flow. By default the invite is accepted on all flows with invitation stages.

Optional data which is loaded into the flow's 'prompt_data' context variable. YAML or JSON.

Single use

When enabled, the invitation will be deleted after usage.

Select an enrollment flow

Link to use the invitation.

Invitations

Create Invitation Links to enroll Users, and optionally force specific attributes of their account.

Created by

Invitation(s)

Invitation not limited to any flow, and can be used with any enrollment flow.

Update Invitation

Create Invitation

Warning: No invitation stage is bound to any flow. Invitations will not work as expected.

Auto-detect (based on your browser)

Required.

Continue

Successfully updated prompt.

Successfully created prompt.

Text: Simple Text input

Text Area: Multiline text input

Text (read-only): Simple Text input, but cannot be edited.

Text Area (read-only): Multiline text input, but cannot be edited.

Username: Same as Text input, but checks for and prevents duplicate usernames.

Email: Text field with Email type.

Password: Masked input, multiple inputs of this type on the same prompt need to be identical.

Number

Checkbox

Radio Button Group (fixed choice)

Dropdown (fixed choice)

Date

Date Time

File

Separator: Static Separator Line

Hidden: Hidden field, can be used to insert data into form.

Static: Static value, displayed as-is.

authentik: Locale: Displays a list of locales authentik supports.

Preview errors

Data preview

Unique name of this field, used for selecting fields in prompt stages.

Field Key

Name of the form field, also used to store the value.

When used in conjunction with a User Write stage, use attributes.foo to write attributes.

Label

Label shown next to/above the prompt.

Required

Interpret placeholder as expression

When checked, the placeholder will be evaluated in the same way a property mapping is. If the evaluation fails, the placeholder itself is returned.

Placeholder

Optionally provide a short hint that describes the expected input value. When creating a fixed choice field, enable interpreting as expression and return a list to return multiple choices.

Interpret initial value as expression

When checked, the initial value will be evaluated in the same way a property mapping is. If the evaluation fails, the initial value itself is returned.

Initial value

Optionally pre-fill the input with an initial value. When creating a fixed choice field, enable interpreting as expression and return a list to return multiple default choices.

Help text

Any HTML can be used.

Prompts

Single Prompts that can be used for Prompt Stages.

Field

Stages

Prompt(s)

Update Prompt

Create Prompt

Target

Stage

Evaluate when flow is planned

Evaluate policies during the Flow planning process.

Evaluate when stage is run

Evaluate policies before the Stage is present to the user.

Invalid response behavior

Returns the error message and a similar challenge to the executor

Restarts the flow from the beginning

Restarts the flow from the beginning, while keeping the flow context

Configure how the flow executor should handle an invalid response to a challenge given by this bound stage.

Successfully updated stage.

Successfully created stage.

Stage used to configure a duo-based authenticator. This stage should be used for configuration flows.

Authenticator type name

Display name of this authenticator, used by users when they enroll an authenticator.

API Hostname

Duo Auth API

Integration key

Secret key

Duo Admin API (optional)

When using a Duo MFA, Access or Beyond plan, an Admin API application can be created. This will allow authentik to import devices automatically.

Stage-specific settings

Configuration flow

Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage.

Twilio Account SID

Get this value from https://console.twilio.com

Twilio Auth Token

Authentication Type

Basic Auth

Bearer Token

External API URL

This is the full endpoint to send POST requests to.

API Auth Username

This is the username to be used with basic auth or the token when used with bearer token

API Auth password

This is the password to be used with basic auth

Mapping

Modify the payload sent to the custom provider.

Stage used to configure an SMS-based TOTP authenticator.

Twilio

Generic

From number

Number the SMS will be sent from.

Hash phone number

If enabled, only a hash of the phone number will be saved. This can be done for data-protection reasons. Devices created from a stage with this enabled cannot be used with the authenticator validation stage.

Stage used to configure a static authenticator (i.e. static tokens). This stage should be used for configuration flows.

Token count

Stage used to configure a TOTP authenticator (i.e. Authy/Google Authenticator).

Digits

6 digits, widely compatible

8 digits, not compatible with apps like Google Authenticator

Stage used to validate any authenticator. This stage should be used during authentication or authorization flows.

Device classes

Static Tokens

TOTP Authenticators

WebAuthn Authenticators

Duo Authenticators

SMS-based Authenticators

Device classes which can be used to authenticate.

Last validation threshold

If any of the devices user of the types selected above have been used within this duration, this stage will be skipped.

Not configured action

Force the user to configure an authenticator

Deny the user access

WebAuthn User verification

User verification must occur.

User verification is preferred if available, but not required.

User verification should not occur.

Configuration stages

Stages used to configure Authenticator when user doesn't have any compatible devices. After this configuration Stage passes, the user is not prompted again.

When multiple stages are selected, the user can choose which one they want to enroll.

Stage used to configure a WebAutnn authenticator (i.e. Yubikey, FaceID/Windows Hello).

User verification

Resident key requirement

The authenticator should not create a dedicated credential

The authenticator can create and store a dedicated credential, but if it doesn't that's alright too

The authenticator MUST create a dedicated credential. If it cannot, the RP is prepared for an error to occur

Authenticator Attachment

No preference is sent

A non-removable authenticator, like TouchID or Windows Hello

A "roaming" authenticator, like a YubiKey

This stage checks the user's current session against the Google reCaptcha (or compatible) service.

Public Key

Public key, acquired from https://www.google.com/recaptcha/intro/v3.html.

Private Key

Private key, acquired from https://www.google.com/recaptcha/intro/v3.html.

Advanced settings

JS URL

URL to fetch JavaScript from, defaults to recaptcha. Can be replaced with any compatible alternative.

API URL

URL used to validate captcha response, defaults to recaptcha. Can be replaced with any compatible alternative.

Prompt for the user's consent. The consent can either be permanent or expire in a defined amount of time.

Always require consent

Consent given last indefinitely

Consent expires.

Consent expires in

Offset after which consent expires.

Statically deny the flow. To use this stage effectively, disable *Evaluate on plan* on the respective binding.

Dummy stage used for testing. Shows a simple continue button and always passes.

Throw error?

SMTP Host

SMTP Port

SMTP Username

SMTP Password

Use TLS

Use SSL

From address

Verify the user's email address by sending them a one-time-link. Can also be used for recovery to verify the user's authenticity.

Activate pending user on success

When a user returns from the email successfully, their account will be activated.

Use global settings

When enabled, global Email connection settings will be used and connection settings below will be ignored.

Token expiry

Time in minutes the token sent is valid.

Template

Let the user identify themselves with their username or Email address.

User fields

UPN

Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources.

Password stage

When selected, a password field is shown on the same page instead of a separate page. This prevents username enumeration attacks.

Case insensitive matching

When enabled, user fields are matched regardless of their casing.

Show matched user

When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown.

Source settings

Sources

Select sources should be shown for users to authenticate with. This only affects web-based sources, not LDAP.

Show sources' labels

By default, only icons are shown for sources. Enable this to show their full names.

Passwordless flow

Optional passwordless flow, which is linked at the bottom of the page. When configured, users can use this flow to authenticate with a WebAuthn authenticator, without entering any details.

Optional enrollment flow, which is linked at the bottom of the page.

Optional recovery flow, which is linked at the bottom of the page.

This stage can be included in enrollment flows to accept invitations.

Continue flow without invitation

If this flag is set, this Stage will jump to the next Stage when no Invitation is given. By default this Stage will cancel the Flow when no invitation is given.

Validate the user's password against the selected backend(s).

Backends

User database + standard password

User database + app passwords

User database + LDAP password

Selection of backends to test the password against.

Flow used by an authenticated user to configure their password. If empty, user will not be able to configure change their password.

Failed attempts before cancel

How many attempts a user has before the flow is canceled. To lock the user out, use a reputation policy and a user_write stage.

Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable.

Fields

("", of type )

Validation Policies

Selected policies are executed when the stage is submitted to validate the data.

Delete the currently pending user. CAUTION, this stage does not ask for confirmation. Use a consent stage to ensure the user is aware of their actions.

Log the currently pending user in.

Session duration

Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed.

Different browsers handle session cookies differently, and might not remove them even when the browser is closed.

See here.

Stay signed in offset

If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.

Terminate other sessions

When enabled, all previous sessions of the user will be terminated.

Remove the user from the current session.

Write any data from the flow's context's 'prompt_data' to the currently pending user. If no user is pending, a new user is created, and data is written to them.

Never create users

When no user is present in the flow context, the stage will fail.

Create users when required

When no user is present in the the flow context, a new user is created.

Always create new users

Create a new user even if a user is in the flow context.

Create users as inactive

Mark newly created users as inactive.

User path template

Path new users will be created under. If left blank, the default path will be used.

Newly created users are added to this group, if a group is selected.

New stage

Create a new stage.

Successfully imported device.

The user in authentik this device will be assigned to.

Duo User ID

The user ID in Duo, can be found in the URL after clicking on a user.

Automatic import

Successfully imported devices.

Start automatic import

Or manually import

Stages are single steps of a Flow that a user is guided through. A stage can only be executed from within a flow.

Flows

Stage(s)

Import

Import Duo device

Successfully updated flow.

Successfully created flow.

Shown as the Title in Flow pages.

Visible in the URL.

Designation

Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik.

No requirement

Require authentication

Require no authentication.

Require superuser.

Required authentication level for this flow.

Behavior settings

Compatibility mode

Increases compatibility with password managers and mobile devices.

Denied action

Will follow the ?next parameter if set, otherwise show a message

Will either follow the ?next parameter or redirect to the default interface

Will notify the user the flow isn't applicable

Decides the response when a policy denies access to this flow for a user.

Appearance settings

Layout

Background

Background shown during execution.

Clear background

Delete currently set background image.

Successfully imported flow.

.yaml files, which can be found on goauthentik.io and can be exported by authentik.

Flows describe a chain of Stages to authenticate, enroll or recover a user. Stages are chosen based on policies applied to them.

Flow(s)

Update Flow

Create Flow

Import Flow

Successfully cleared flow cache

Failed to delete flow cache

Clear Flow cache

Are you sure you want to clear the flow cache? This will cause all flows to be re-evaluated on their next usage.

Stage binding(s)

Stage type

Edit Stage

Update Stage binding

These bindings control if this stage will be applied to the flow.

No Stages bound

No stages are currently bound to this flow.

Create Stage binding

Bind stage

Create & bind Stage

Bind existing stage

Flow Overview

Related actions

Execute flow

Normal

with current user

with inspector

Export flow

Export

Stage Bindings

These bindings control which users can access this flow.

Event Log

Event

Event info

Created

Successfully updated transport.

Successfully created transport.

Local (notifications will be created within authentik)

Webhook (generic)

Webhook (Slack/Discord)

Webhook URL

Webhook Mapping

Send once

Only send notification once, for example when sending a webhook into a chat channel.

Notification Transports

Define how notifications are sent to users, like Email or Webhook.

Notification transport(s)

Update Notification Transport

Create Notification Transport

Successfully updated rule.

Successfully created rule.

Select the group of users which the alerts are sent to. If no group is selected the rule is disabled.

Transports

Select which transports should be used to notify the user. If none are selected, the notification will only be shown in the authentik UI.

Severity

Notification Rules

Send notifications whenever a specific Event is created and matched by policies.

Sent to group

Notification rule(s)

None (rule disabled)

Update Notification Rule

Create Notification Rule

These bindings control upon which events this rule triggers. Bindings to groups/users are checked against the user of the event.

Outpost Deployment Info

View deployment documentation

Click to copy token

If your authentik Instance is using a self-signed certificate, set this value.

If your authentik_host setting does not match the URL you want to login with, add this setting.

Successfully updated outpost.

Successfully created outpost.

Radius

Integration

Selecting an integration enables the management of the outpost by authentik.

You can only select providers that match the type of the outpost.

Configuration

See more here:

Documentation

Last seen

, should be

Hostname

Not available

Last seen:

Unknown type

Outposts

Outposts are deployments of authentik components to support different environments and protocols, like reverse proxies.

Health and Version

Warning: authentik Domain is not configured, authentication will not work.

Logging in via .

No integration active

Update Outpost

View Deployment Info

Detailed health (one instance per column, data is cached so may be out of date)

Outpost(s)

Create Outpost

Successfully updated integration.

Successfully created integration.

Local

If enabled, use the local connection. Required Docker socket/Kubernetes Integration.

Docker URL

Can be in the format of 'unix://' when connecting to a local docker daemon, using 'ssh://' to connect via SSH, or 'https://:2376' when connecting to a remote system.

CA which the endpoint's Certificate is verified against. Can be left empty for no validation.

TLS Authentication Certificate/SSH Keypair

Certificate/Key used for authentication. Can be left empty for no authentication.

When connecting via SSH, this keypair is used for authentication.

Kubeconfig

Verify Kubernetes API SSL Certificate

New outpost integration

Create a new outpost integration.

State

Unhealthy

Outpost integration(s)

Successfully generated certificate-key pair.

Common Name

Subject-alt name

Optional, comma-separated SubjectAlt Names.

Validity days

Successfully updated certificate-key pair.

Successfully created certificate-key pair.

PEM-encoded Certificate data.

Optional Private Key. If this is set, you can use this keypair for encryption.

Certificate-Key Pairs

Import certificates of external providers or create certificates to sign requests with.

Private key available?

Certificate-Key Pair(s)

Managed by authentik

Managed by authentik (Discovered)

Yes ()

Update Certificate-Key Pair

Certificate Fingerprint (SHA1)

Certificate Fingerprint (SHA256)

Certificate Subject

Download Certificate

Download Private key

Create Certificate-Key Pair

Generate

Generate Certificate-Key Pair

Successfully updated instance.

Successfully created instance.

Disabled blueprints are never applied.

Local path

OCI Registry

Internal

OCI URL, in the format of oci://registry.domain.tld/path/to/manifest.

See more about OCI support here:

Blueprint

Configure the blueprint context, used for templating.

Orphaned

Blueprints

Automate and template configuration within authentik.

Last applied

Blueprint(s)

Update Blueprint

Create Blueprint Instance

API Requests

Open API Browser

Notifications

unread

Successfully cleared notifications

Clear all

A newer version of the frontend is available.

You're currently impersonating . Click to stop.

User interface

Dashboards

Events

Logs

Customisation

Flows & Stages