"description":"Optional Private Key. If this is set, you can use this keypair for encryption."
}
},
"required":[]
},
"model_authentik_events.event":{
"type":"object",
"properties":{
"user":{
"type":"object",
"additionalProperties":true,
"title":"User"
},
"action":{
"type":"string",
"enum":[
"login",
"login_failed",
"logout",
"user_write",
"suspicious_request",
"password_set",
"secret_view",
"secret_rotate",
"invitation_used",
"authorize_application",
"source_linked",
"impersonation_started",
"impersonation_ended",
"flow_execution",
"policy_execution",
"policy_exception",
"property_mapping_exception",
"system_task_execution",
"system_task_exception",
"system_exception",
"configuration_error",
"model_created",
"model_updated",
"model_deleted",
"email_sent",
"update_available",
"custom_"
],
"title":"Action"
},
"app":{
"type":"string",
"minLength":1,
"title":"App"
},
"context":{
"type":"object",
"additionalProperties":true,
"title":"Context"
},
"client_ip":{
"type":[
"string",
"null"
],
"minLength":1,
"title":"Client ip"
},
"expires":{
"type":"string",
"format":"date-time",
"title":"Expires"
},
"tenant":{
"type":"object",
"additionalProperties":true,
"title":"Tenant"
}
},
"required":[]
},
"model_authentik_events.notificationtransport":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"mode":{
"type":"string",
"enum":[
"local",
"webhook",
"webhook_slack",
"email"
],
"title":"Mode"
},
"webhook_url":{
"type":"string",
"title":"Webhook url"
},
"webhook_mapping":{
"type":"integer",
"title":"Webhook mapping"
},
"send_once":{
"type":"boolean",
"title":"Send once",
"description":"Only send notification once, for example when sending a webhook into a chat channel."
}
},
"required":[]
},
"model_authentik_events.notification":{
"type":"object",
"properties":{
"event":{
"type":"object",
"properties":{
"user":{
"type":"object",
"additionalProperties":true,
"title":"User"
},
"action":{
"type":"string",
"enum":[
"login",
"login_failed",
"logout",
"user_write",
"suspicious_request",
"password_set",
"secret_view",
"secret_rotate",
"invitation_used",
"authorize_application",
"source_linked",
"impersonation_started",
"impersonation_ended",
"flow_execution",
"policy_execution",
"policy_exception",
"property_mapping_exception",
"system_task_execution",
"system_task_exception",
"system_exception",
"configuration_error",
"model_created",
"model_updated",
"model_deleted",
"email_sent",
"update_available",
"custom_"
],
"title":"Action"
},
"app":{
"type":"string",
"minLength":1,
"title":"App"
},
"context":{
"type":"object",
"additionalProperties":true,
"title":"Context"
},
"client_ip":{
"type":[
"string",
"null"
],
"minLength":1,
"title":"Client ip"
},
"expires":{
"type":"string",
"format":"date-time",
"title":"Expires"
},
"tenant":{
"type":"object",
"additionalProperties":true,
"title":"Tenant"
}
},
"required":[
"action",
"app"
],
"title":"Event"
},
"seen":{
"type":"boolean",
"title":"Seen"
}
},
"required":[]
},
"model_authentik_events.notificationrule":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"transports":{
"type":"array",
"items":{
"type":"integer",
"description":"Select which transports should be used to notify the user. If none are selected, the notification will only be shown in the authentik UI."
},
"title":"Transports",
"description":"Select which transports should be used to notify the user. If none are selected, the notification will only be shown in the authentik UI."
},
"severity":{
"type":"string",
"enum":[
"notice",
"warning",
"alert"
],
"title":"Severity",
"description":"Controls which severity level the created notifications will have."
},
"group":{
"type":"integer",
"title":"Group",
"description":"Define which group of users this notification should be sent and shown to. If left empty, Notification won't be sent."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
},
"authentication":{
"type":"string",
"enum":[
"none",
"require_authenticated",
"require_unauthenticated",
"require_superuser"
],
"title":"Authentication",
"description":"Required level of authentication and authorization to access a flow."
}
},
"required":[]
},
"model_authentik_flows.flowstagebinding":{
"type":"object",
"properties":{
"target":{
"type":"integer",
"title":"Target"
},
"stage":{
"type":"integer",
"title":"Stage"
},
"evaluate_on_plan":{
"type":"boolean",
"title":"Evaluate on plan",
"description":"Evaluate policies during the Flow planning process."
},
"re_evaluate_policies":{
"type":"boolean",
"title":"Re evaluate policies",
"description":"Evaluate policies when the Stage is presented to the user."
},
"order":{
"type":"integer",
"minimum":-2147483648,
"maximum":2147483647,
"title":"Order"
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"invalid_response_action":{
"type":"string",
"enum":[
"retry",
"restart",
"restart_with_context"
],
"title":"Invalid response action",
"description":"Configure how the flow executor should handle an invalid response to a challenge. RETRY returns the error message and a similar challenge to the executor. RESTART restarts the flow from the beginning, and RESTART_WITH_CONTEXT restarts the flow while keeping the current context."
"description":"If enabled, use the local connection. Requires Docker socket/Kubernetes Integration"
},
"url":{
"type":"string",
"minLength":1,
"title":"Url",
"description":"Can be in the format of 'unix://<path>' when connecting to a local docker daemon, or 'https://<hostname>:2376' when connecting to a remote system."
},
"tls_verification":{
"type":"integer",
"title":"Tls verification",
"description":"CA which the endpoint's Certificate is verified against. Can be left empty for no validation."
},
"tls_authentication":{
"type":"integer",
"title":"Tls authentication",
"description":"Certificate/Key used for authentication. Can be left empty for no authentication."
"description":"Objects that are managed by authentik. These objects are created and updated automatically. This flag only indicates that an object can be overwritten by migrations. You can still modify the objects via the API, but expect changes to be overwritten in a later update."
"description":"Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched."
"description":"The start for uidNumbers, this number is added to the user.pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users uidNumber"
"description":"The start for gidNumbers, this number is added to a number generated from the group.pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups or users primary groups gidNumber"
"description":"When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon."
"description":"Objects that are managed by authentik. These objects are created and updated automatically. This flag only indicates that an object can be overwritten by migrations. You can still modify the objects via the API, but expect changes to be overwritten in a later update."
"description":"Flow used for authentication when the associated application is accessed by an un-authenticated user."
},
"authorization_flow":{
"type":"integer",
"title":"Authorization flow",
"description":"Flow used when authorizing this provider."
},
"property_mappings":{
"type":"array",
"items":{
"type":"integer"
},
"title":"Property mappings"
},
"client_networks":{
"type":"string",
"minLength":1,
"title":"Client networks",
"description":"List of CIDRs (comma-separated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped."
},
"shared_secret":{
"type":"string",
"minLength":1,
"title":"Shared secret",
"description":"Shared secret between clients and server to hash packets."
}
},
"required":[]
},
"model_authentik_providers_saml.samlprovider":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"authentication_flow":{
"type":"integer",
"title":"Authentication flow",
"description":"Flow used for authentication when the associated application is accessed by an un-authenticated user."
},
"authorization_flow":{
"type":"integer",
"title":"Authorization flow",
"description":"Flow used when authorizing this provider."
},
"property_mappings":{
"type":"array",
"items":{
"type":"integer"
},
"title":"Property mappings"
},
"acs_url":{
"type":"string",
"format":"uri",
"maxLength":200,
"minLength":1,
"title":"ACS URL"
},
"audience":{
"type":"string",
"title":"Audience",
"description":"Value of the audience restriction field of the assertion. When left empty, no audience restriction will be added."
},
"issuer":{
"type":"string",
"minLength":1,
"title":"Issuer",
"description":"Also known as EntityID"
},
"assertion_valid_not_before":{
"type":"string",
"minLength":1,
"title":"Assertion valid not before",
"description":"Assertion valid not before current time + this value (Format: hours=-1;minutes=-2;seconds=-3)."
},
"assertion_valid_not_on_or_after":{
"type":"string",
"minLength":1,
"title":"Assertion valid not on or after",
"description":"Assertion not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
},
"session_valid_not_on_or_after":{
"type":"string",
"minLength":1,
"title":"Session valid not on or after",
"description":"Session not valid on or after current time + this value (Format: hours=1;minutes=2;seconds=3)."
},
"name_id_mapping":{
"type":"integer",
"title":"NameID Property Mapping",
"description":"Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be considered"
"description":"Keypair used to sign outgoing Responses going to the Service Provider."
},
"verification_kp":{
"type":"integer",
"title":"Verification Certificate",
"description":"When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default."
},
"sp_binding":{
"type":"string",
"enum":[
"redirect",
"post"
],
"title":"Service Provider Binding",
"description":"This determines how authentik sends the response back to the Service Provider."
"description":"Objects that are managed by authentik. These objects are created and updated automatically. This flag only indicates that an object can be overwritten by migrations. You can still modify the objects via the API, but expect changes to be overwritten in a later update."
"description":"Objects that are managed by authentik. These objects are created and updated automatically. This flag only indicates that an object can be overwritten by migrations. You can still modify the objects via the API, but expect changes to be overwritten in a later update."
"description":"Objects that are managed by authentik. These objects are created and updated automatically. This flag only indicates that an object can be overwritten by migrations. You can still modify the objects via the API, but expect changes to be overwritten in a later update."
"description":"When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default."
"description":"Time offset when temporary users should be deleted. This only applies if your IDP uses the NameID Format 'transient', and the user doesn't log out manually. (Format: hours=1;minutes=2;seconds=3)."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"configure_flow":{
"type":"integer",
"title":"Configure flow",
"description":"Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"configure_flow":{
"type":"integer",
"title":"Configure flow",
"description":"Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
"description":"When enabled, the Phone number is only used during enrollment to verify the user's authenticity. Only a hash of the phone number is saved to ensure it is not reused in the future."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"configure_flow":{
"type":"integer",
"title":"Configure flow",
"description":"Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"configure_flow":{
"type":"integer",
"title":"Configure flow",
"description":"Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"not_configured_action":{
"type":"string",
"enum":[
"skip",
"deny",
"configure"
],
"title":"Not configured action"
},
"device_classes":{
"type":"array",
"items":{
"type":"string",
"enum":[
"static",
"totp",
"webauthn",
"duo",
"sms"
],
"title":"Device classes"
},
"title":"Device classes",
"description":"Device classes which can be used to authenticate"
},
"configuration_stages":{
"type":"array",
"items":{
"type":"integer",
"description":"Stages used to configure Authenticator when user doesn't have any compatible devices. After this configuration Stage passes, the user is not prompted again."
},
"title":"Configuration stages",
"description":"Stages used to configure Authenticator when user doesn't have any compatible devices. After this configuration Stage passes, the user is not prompted again."
},
"last_auth_threshold":{
"type":"string",
"minLength":1,
"title":"Last auth threshold",
"description":"If any of the user's devices has been used within this threshold, this stage will be skipped"
},
"webauthn_user_verification":{
"type":"string",
"enum":[
"required",
"preferred",
"discouraged"
],
"title":"Webauthn user verification",
"description":"Enforce user verification for WebAuthn devices."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"configure_flow":{
"type":"integer",
"title":"Configure flow",
"description":"Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"public_key":{
"type":"string",
"minLength":1,
"title":"Public key",
"description":"Public key, acquired from your captcha Provider."
},
"private_key":{
"type":"string",
"minLength":1,
"title":"Private key",
"description":"Private key, acquired from your captcha Provider."
},
"js_url":{
"type":"string",
"minLength":1,
"title":"Js url"
},
"api_url":{
"type":"string",
"minLength":1,
"title":"Api url"
}
},
"required":[]
},
"model_authentik_stages_consent.consentstage":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"flow_set":{
"type":"array",
"items":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"slug":{
"type":"string",
"maxLength":50,
"minLength":1,
"pattern":"^[-a-zA-Z0-9_]+$",
"title":"Slug",
"description":"Visible in the URL."
},
"title":{
"type":"string",
"minLength":1,
"title":"Title",
"description":"Shown as the Title in Flow pages."
},
"designation":{
"type":"string",
"enum":[
"authentication",
"authorization",
"invalidation",
"enrollment",
"unenrollment",
"recovery",
"stage_configuration"
],
"title":"Designation",
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"mode":{
"type":"string",
"enum":[
"always_require",
"permanent",
"expiring"
],
"title":"Mode"
},
"consent_expire_in":{
"type":"string",
"minLength":1,
"title":"Consent expires in",
"description":"Offset after which consent expires. (Format: hours=1;minutes=2;seconds=3)."
}
},
"required":[]
},
"model_authentik_stages_consent.userconsent":{
"type":"object",
"properties":{
"expires":{
"type":"string",
"format":"date-time",
"title":"Expires"
},
"user":{
"type":"object",
"properties":{
"username":{
"type":"string",
"maxLength":150,
"minLength":1,
"title":"Username"
},
"name":{
"type":"string",
"title":"Name",
"description":"User's display name."
},
"is_active":{
"type":"boolean",
"title":"Active",
"description":"Designates whether this user should be treated as active. Unselect this instead of deleting accounts."
"description":"Open launch URL in a new browser tab or window."
},
"meta_launch_url":{
"type":"string",
"title":"Meta launch url"
},
"meta_description":{
"type":"string",
"title":"Meta description"
},
"meta_publisher":{
"type":"string",
"title":"Meta publisher"
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"group":{
"type":"string",
"title":"Group"
}
},
"required":[
"name",
"slug"
],
"title":"Application"
},
"permissions":{
"type":"string",
"minLength":1,
"title":"Permissions"
}
},
"required":[]
},
"model_authentik_stages_deny.denystage":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"flow_set":{
"type":"array",
"items":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"slug":{
"type":"string",
"maxLength":50,
"minLength":1,
"pattern":"^[-a-zA-Z0-9_]+$",
"title":"Slug",
"description":"Visible in the URL."
},
"title":{
"type":"string",
"minLength":1,
"title":"Title",
"description":"Shown as the Title in Flow pages."
},
"designation":{
"type":"string",
"enum":[
"authentication",
"authorization",
"invalidation",
"enrollment",
"unenrollment",
"recovery",
"stage_configuration"
],
"title":"Designation",
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"throw_error":{
"type":"boolean",
"title":"Throw error"
}
},
"required":[]
},
"model_authentik_stages_email.emailstage":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"flow_set":{
"type":"array",
"items":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"slug":{
"type":"string",
"maxLength":50,
"minLength":1,
"pattern":"^[-a-zA-Z0-9_]+$",
"title":"Slug",
"description":"Visible in the URL."
},
"title":{
"type":"string",
"minLength":1,
"title":"Title",
"description":"Shown as the Title in Flow pages."
},
"designation":{
"type":"string",
"enum":[
"authentication",
"authorization",
"invalidation",
"enrollment",
"unenrollment",
"recovery",
"stage_configuration"
],
"title":"Designation",
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"use_global_settings":{
"type":"boolean",
"title":"Use global settings",
"description":"When enabled, global Email connection settings will be used and connection settings below will be ignored."
},
"host":{
"type":"string",
"minLength":1,
"title":"Host"
},
"port":{
"type":"integer",
"minimum":-2147483648,
"maximum":2147483647,
"title":"Port"
},
"username":{
"type":"string",
"title":"Username"
},
"password":{
"type":"string",
"title":"Password"
},
"use_tls":{
"type":"boolean",
"title":"Use tls"
},
"use_ssl":{
"type":"boolean",
"title":"Use ssl"
},
"timeout":{
"type":"integer",
"minimum":-2147483648,
"maximum":2147483647,
"title":"Timeout"
},
"from_address":{
"type":"string",
"format":"email",
"maxLength":254,
"minLength":1,
"title":"From address"
},
"token_expiry":{
"type":"integer",
"minimum":-2147483648,
"maximum":2147483647,
"title":"Token expiry",
"description":"Time in minutes the token sent is valid."
},
"subject":{
"type":"string",
"minLength":1,
"title":"Subject"
},
"template":{
"type":"string",
"minLength":1,
"title":"Template"
},
"activate_user_on_success":{
"type":"boolean",
"title":"Activate user on success",
"description":"Activate users upon completion of stage."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
"description":"Fields of the user object to match against. (Hold shift to select multiple options)"
},
"password_stage":{
"type":"integer",
"title":"Password stage",
"description":"When set, shows a password field, instead of showing the password field as a separate step."
},
"case_insensitive_matching":{
"type":"boolean",
"title":"Case insensitive matching",
"description":"When enabled, user fields are matched regardless of their casing."
},
"show_matched_user":{
"type":"boolean",
"title":"Show matched user",
"description":"When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown"
},
"enrollment_flow":{
"type":"integer",
"title":"Enrollment flow",
"description":"Optional enrollment flow, which is linked at the bottom of the page."
},
"recovery_flow":{
"type":"integer",
"title":"Recovery flow",
"description":"Optional recovery flow, which is linked at the bottom of the page."
},
"passwordless_flow":{
"type":"integer",
"title":"Passwordless flow",
"description":"Optional passwordless flow, which is linked at the bottom of the page."
},
"sources":{
"type":"array",
"items":{
"type":"integer",
"description":"Specify which sources should be shown."
},
"title":"Sources",
"description":"Specify which sources should be shown."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirected to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"continue_flow_without_invitation":{
"type":"boolean",
"title":"Continue flow without invitation",
"description":"If this flag is set, this Stage will jump to the next Stage when no Invitation is given. By default this Stage will cancel the Flow when no invitation is given."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
"description":"Selection of backends to test the password against."
},
"configure_flow":{
"type":"integer",
"title":"Configure flow",
"description":"Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage."
},
"failed_attempts_before_cancel":{
"type":"integer",
"minimum":-2147483648,
"maximum":2147483647,
"title":"Failed attempts before cancel",
"description":"How many attempts a user has before the flow is canceled. To lock the user out, use a reputation policy and a user_write stage."
}
},
"required":[]
},
"model_authentik_stages_prompt.prompt":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"field_key":{
"type":"string",
"minLength":1,
"title":"Field key",
"description":"Name of the form field, also used to store the value"
},
"label":{
"type":"string",
"minLength":1,
"title":"Label"
},
"type":{
"type":"string",
"enum":[
"text",
"text_area",
"text_read_only",
"text_area_read_only",
"username",
"email",
"password",
"number",
"checkbox",
"radio-button-group",
"dropdown",
"date",
"date-time",
"file",
"separator",
"hidden",
"static",
"ak-locale"
],
"title":"Type"
},
"required":{
"type":"boolean",
"title":"Required"
},
"placeholder":{
"type":"string",
"title":"Placeholder",
"description":"Optionally provide a short hint that describes the expected input value. When creating a fixed choice field, enable interpreting as expression and return a list to return multiple choices."
},
"initial_value":{
"type":"string",
"title":"Initial value",
"description":"Optionally pre-fill the input with an initial value. When creating a fixed choice field, enable interpreting as expression and return a list to return multiple default choices."
},
"order":{
"type":"integer",
"minimum":-2147483648,
"maximum":2147483647,
"title":"Order"
},
"promptstage_set":{
"type":"array",
"items":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"flow_set":{
"type":"array",
"items":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"slug":{
"type":"string",
"maxLength":50,
"minLength":1,
"pattern":"^[-a-zA-Z0-9_]+$",
"title":"Slug",
"description":"Visible in the URL."
},
"title":{
"type":"string",
"minLength":1,
"title":"Title",
"description":"Shown as the Title in Flow pages."
},
"designation":{
"type":"string",
"enum":[
"authentication",
"authorization",
"invalidation",
"enrollment",
"unenrollment",
"recovery",
"stage_configuration"
],
"title":"Designation",
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"session_duration":{
"type":"string",
"minLength":1,
"title":"Session duration",
"description":"Determines how long a session lasts. Default of 0 means that the sessions lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
},
"terminate_other_sessions":{
"type":"boolean",
"title":"Terminate other sessions",
"description":"Terminate all other sessions of the user logging in."
},
"remember_me_offset":{
"type":"string",
"minLength":1,
"title":"Remember me offset",
"description":"Offset the session will be extended by when the user picks the remember me option. Default of 0 means that the remember me option will not be shown. (Format: hours=-1;minutes=-2;seconds=-3)"
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
"description":"Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik."
},
"policy_engine_mode":{
"type":"string",
"enum":[
"all",
"any"
],
"title":"Policy engine mode"
},
"compatibility_mode":{
"type":"boolean",
"title":"Compatibility mode",
"description":"Enable compatibility mode, increases compatibility with password managers on mobile devices."
},
"layout":{
"type":"string",
"enum":[
"stacked",
"content_left",
"content_right",
"sidebar_left",
"sidebar_right"
],
"title":"Layout"
},
"denied_action":{
"type":"string",
"enum":[
"message_continue",
"message",
"continue"
],
"title":"Denied action",
"description":"Configure what should happen when a flow denies access to a user."
}
},
"required":[
"name",
"slug",
"title",
"designation"
]
},
"title":"Flow set"
},
"user_creation_mode":{
"type":"string",
"enum":[
"never_create",
"create_when_required",
"always_create"
],
"title":"User creation mode"
},
"create_users_as_inactive":{
"type":"boolean",
"title":"Create users as inactive",
"description":"When set, newly created users are inactive and cannot login."
},
"create_users_group":{
"type":"integer",
"title":"Create users group",
"description":"Optionally add newly created users to this group."
},
"user_path_template":{
"type":"string",
"title":"User path template"
}
},
"required":[]
},
"model_authentik_tenants.tenant":{
"type":"object",
"properties":{
"domain":{
"type":"string",
"minLength":1,
"title":"Domain",
"description":"Domain that activates this tenant. Can be a superset, i.e. `a.b` for `aa.b` and `ba.b`"
},
"default":{
"type":"boolean",
"title":"Default"
},
"branding_title":{
"type":"string",
"minLength":1,
"title":"Branding title"
},
"branding_logo":{
"type":"string",
"minLength":1,
"title":"Branding logo"
},
"branding_favicon":{
"type":"string",
"minLength":1,
"title":"Branding favicon"
},
"flow_authentication":{
"type":"integer",
"title":"Flow authentication"
},
"flow_invalidation":{
"type":"integer",
"title":"Flow invalidation"
},
"flow_recovery":{
"type":"integer",
"title":"Flow recovery"
},
"flow_unenrollment":{
"type":"integer",
"title":"Flow unenrollment"
},
"flow_user_settings":{
"type":"integer",
"title":"Flow user settings"
},
"flow_device_code":{
"type":"integer",
"title":"Flow device code"
},
"event_retention":{
"type":"string",
"minLength":1,
"title":"Event retention",
"description":"Events will be deleted after this duration.(Format: weeks=3;days=2;hours=3,seconds=2)."
},
"web_certificate":{
"type":"integer",
"title":"Web certificate",
"description":"Web Certificate used by the authentik Core webserver."
},
"attributes":{
"type":"object",
"additionalProperties":true,
"title":"Attributes"
}
},
"required":[]
},
"model_authentik_blueprints.blueprintinstance":{
"type":"object",
"properties":{
"name":{
"type":"string",
"minLength":1,
"title":"Name"
},
"path":{
"type":"string",
"title":"Path"
},
"context":{
"type":"object",
"additionalProperties":true,
"title":"Context"
},
"enabled":{
"type":"boolean",
"title":"Enabled"
},
"content":{
"type":"string",
"title":"Content"
}
},
"required":[]
},
"model_authentik_core.group":{
"type":"object",
"properties":{
"name":{
"type":"string",
"maxLength":80,
"minLength":1,
"title":"Name"
},
"is_superuser":{
"type":"boolean",
"title":"Is superuser",
"description":"Users added to this group will be superusers."
"description":"Objects that are managed by authentik. These objects are created and updated automatically. This flag only indicates that an object can be overwritten by migrations. You can still modify the objects via the API, but expect changes to be overwritten in a later update."