English
French
Turkish
Spanish
Polish
Taiwanese Mandarin
Chinese (simplified)
Chinese (traditional)
German
Loading...
Application
Logins
Show less
Show more
UID
Name
App
Model Name
Message
Subject
From
To
Context
User
Affected model:
Authorized application:
Using flow
Email info:
Secret:
Open issue on GitHub...
Exception
Expression
Binding
Request
Object
Result
Passing
Messages
Using source
Attempted to log in as
No additional data available.
Click to change value
Select an object.
Loading options...
Connection error, reconnecting...
Login
Failed login
Logout
User was written to
Suspicious request
Password set
Secret was viewed
Secret was rotated
Invitation used
Application authorized
Source linked
Impersonation started
Impersonation ended
Flow execution
Policy execution
Policy exception
Property Mapping exception
System task execution
System task exception
General system exception
Configuration error
Model created
Model updated
Model deleted
Email sent
Update available
Unknown severity
Alert
Notice
Warning
no tabs defined
- of
Go to previous page
Go to next page
Search...
Loading
No objects found.
Failed to fetch objects.
Refresh
Select all rows
Action
Creation Date
Client IP
Tenant
Recent events
On behalf of
-
No Events found.
No matching events could be found.
Embedded outpost is not configured correctly.
Check outposts.
HTTPS is not detected correctly
Server and client are further than 5 seconds apart.
OK
Everything is ok.
System status
Based on
is available!
Up-to-date!
Version
Workers
No workers connected. Background tasks will not run.
hour(s) ago
day(s) ago
Authorizations
Failed Logins
Successful Logins
:
Cancel
LDAP Source
SCIM Provider
Healthy
Healthy outposts
Admin
Not found
The URL "" was not found.
Return home
General system status
Welcome, .
Quick actions
Create a new application
Check the logs
Explore integrations
Manage users
Check release notes
Outpost status
Sync status
Logins and authorizations over the last week (per 8 hours)
Apps with most usage
days ago
Objects created
User statistics
Users created per day in the last month
Logins per day in the last month
Failed Logins per day in the last month
Clear search
System Tasks
Long-running operations which authentik executes in the background.
Identifier
Description
Last run
Status
Actions
Successful
Error
Unknown
Duration
seconds
Authentication
Authorization
Enrollment
Invalidation
Recovery
Stage Configuration
Unenrollment
Unknown designation
Stacked
Content left
Content right
Sidebar left
Sidebar right
Unknown layout
Successfully updated provider.
Successfully created provider.
Bind flow
Flow used for users to authenticate.
Search group
Users in the selected group can do search queries. If no group is selected, no LDAP Searches are allowed.
Bind mode
Cached binding
Flow is executed and session is cached in memory. Flow is executed when session expires
Direct binding
Always execute the configured bind flow to authenticate the user
Configure how the outpost authenticates requests.
Search mode
Cached querying
The outpost holds all users and groups in-memory and will refresh every 5 Minutes
Direct querying
Always returns the latest data, but slower than cached querying
Configure how the outpost queries the core authentik server's users.
Protocol settings
Base DN
LDAP DN under which bind requests and search requests can be made.
Certificate
UID start number
The start for uidNumbers, this number is added to the user.Pk to make sure that the numbers aren't too low for POSIX users. Default is 2000 to ensure that we don't collide with local users' uidNumber
GID start number
The start for gidNumbers, this number is added to a number generated from the group.Pk to make sure that the numbers aren't too low for POSIX groups. Default is 4000 to ensure that we don't collide with local groups' or users' primary groups' gidNumber
(Format: hours=-1;minutes=-2;seconds=-3).
(Format: hours=1;minutes=2;seconds=3).
The following keywords are supported:
Authentication flow
Flow used when a user accesses this provider and is not authenticated.
Authorization flow
Flow used when authorizing this provider.
Client type
Confidential
Confidential clients are capable of maintaining the confidentiality of their credentials such as client secrets
Public
Public clients are incapable of maintaining the confidentiality and should use methods like PKCE.
Client ID
Client Secret
Redirect URIs/Origins (RegEx)
Valid redirect URLs after a successful authorization flow. Also specify any origins here for Implicit flows.
If no explicit redirect URIs are specified, the first successfully used redirect URI will be saved.
To allow any redirect URI, set this value to ".*". Be aware of the possible security implications this can have.
Signing Key
Key used to sign the tokens.
Advanced protocol settings
Access code validity
Configure how long access codes are valid for.
Access Token validity
Configure how long access tokens are valid for.
Refresh Token validity
Configure how long refresh tokens are valid for.
Scopes
Select which scopes can be used by the client. The client still has to specify the scope to access the data.
Hold control/command to select multiple items.
Subject mode
Based on the User's hashed ID
Based on the User's ID
Based on the User's UUID
Based on the User's username
Based on the User's Email
This is recommended over the UPN mode.
Based on the User's UPN
Requires the user to have a 'upn' attribute set, and falls back to hashed user ID. Use this mode only if you have different UPN and Mail domains.
Configure what data should be used as unique User Identifier. For most cases, the default should be fine.
Include claims in id_token
Include User claims from scopes in the id_token, for applications that don't access the userinfo endpoint.
Issuer mode
Each provider has a different issuer, based on the application slug
Same identifier is used for all providers
Configure how the issuer field of the ID Token should be filled.
Machine-to-Machine authentication settings
Trusted OIDC Sources
JWTs signed by certificates configured in the selected sources can be used to authenticate to this provider.
HTTP-Basic Username Key
User/Group Attribute used for the user part of the HTTP-Basic Header. If not set, the user's Email address is used.
HTTP-Basic Password Key
User/Group Attribute used for the password part of the HTTP-Basic Header.
Proxy
Forward auth (single application)
Forward auth (domain level)
This provider will behave like a transparent reverse-proxy, except requests must be authenticated. If your upstream application uses HTTPS, make sure to connect to the outpost using HTTPS as well.
External host
The external URL you'll access the application at. Include any non-standard port.
Internal host
Upstream host that the requests are forwarded to.
Internal host SSL Validation
Validate SSL Certificates of upstream servers.
Use this provider with nginx's auth_request or traefik's forwardAuth. Only a single provider is required per root domain. You can't do per-application authorization, but you don't have to create a provider for each application.
An example setup can look like this:
authentik running on auth.example.com
app1 running on app1.example.com
In this case, you'd set the Authentication URL to auth.example.com and Cookie domain to example.com.
Authentication URL
The external URL you'll authenticate at. The authentik core server should be reachable under this URL.
Cookie domain
Set this to the domain you wish the authentication to be valid for. Must be a parent domain of the URL above. If you're running applications as app1.domain.tld, app2.domain.tld, set this to 'domain.tld'.
Unknown proxy mode
Token validity
Configure how long tokens are valid for.
Additional scopes
Additional scope mappings, which are passed to the proxy.
Unauthenticated URLs
Unauthenticated Paths
Regular expressions for which authentication is not required. Each new line is interpreted as a new expression.
When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.
Authentication settings
Intercept header authentication
When enabled, authentik will intercept the Authorization header to authenticate the request.
Send HTTP-Basic Authentication
Send a custom HTTP-Basic Authentication header based on values from authentik.
ACS URL
Issuer
Also known as EntityID.
Service Provider Binding
Redirect
Post
Determines how authentik sends the response back to the Service Provider.
Audience
Signing Certificate
Certificate used to sign outgoing Responses going to the Service Provider.
Verification Certificate
When selected, incoming assertion's Signatures will be validated against this certificate. To allow unsigned Requests, leave on default.
Property mappings
NameID Property Mapping
Configure how the NameID value will be created. When left empty, the NameIDPolicy of the incoming request will be respected.
Assertion valid not before
Configure the maximum allowed time drift for an assertion.
Assertion valid not on or after
Assertion not valid on or after current time + this value.
Session valid not on or after
Session not valid on or after current time + this value.
Digest algorithm
Signature algorithm
Successfully imported provider.
Metadata
Apply changes
Close
Finish
Back
No form found
Form didn't return a promise for submitting
Select type
Try the new application wizard
The new application wizard greatly simplifies the steps required to create applications and providers.
Try it now
Create
New provider
Create a new provider.
Create
Shared secret
Client Networks
List of CIDRs (comma-separated) that clients can connect from. A more specific CIDR will match before a looser one. Clients connecting from a non-specified CIDR will be dropped.
URL
SCIM base url, usually ends in /v2.
Token
Token to authenticate with. Currently only bearer authentication is supported.
User filtering
Exclude service accounts
Group
Only sync users within the selected group.
Attribute mapping
User Property Mappings
Property mappings used for user mapping.
Group Property Mappings
Property mappings used for group creation.
Not used by any other object.
object will be DELETED
connection will be deleted
reference will be reset to default value
reference will be set to an empty value
()
ID
Successfully deleted
Failed to delete :
Delete
Are you sure you want to delete ?
Delete
Providers
Provide support for protocols like SAML and OAuth to assigned applications.
Type
Provider(s)
Assigned to application
Assigned to application (backchannel)
Warning: Provider not assigned to any application.
Update
Update
Select providers to add to application
Add
Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".
Path template for users created. Use placeholders like `%(slug)s` to insert the source slug.
Successfully updated application.
Successfully created application.
Application's display Name.
Slug
Internal application name, used in URLs.
Optionally enter a group name. Applications with identical groups are shown grouped together.
Provider
Select a provider that this application should use.
Backchannel providers
Select backchannel providers which augment the functionality of the main provider.
Policy engine mode
Any policy must match to grant access
All policies must match to grant access
UI settings
Launch URL
If left empty, authentik will try to extract the launch URL based on the selected provider.
Open in new tab
If checked, the launch URL will open in a new browser tab or window from the user's application library.
Icon
Currently set to:
Clear icon
Publisher
Create Application
Overview
Changelog
Warning: Provider is not used by any Outpost.
Assigned to application
Update LDAP Provider
Edit
How to connect
Connect to the LDAP Server on port 389:
Check the IP of the Kubernetes service, or
The Host IP of the docker host
Bind DN
Bind Password
Search base
Preview
Warning: Provider is not used by an Application.
Redirect URIs
Update OAuth2 Provider
OpenID Configuration URL
OpenID Configuration Issuer
Authorize URL
Token URL
Userinfo URL
Logout URL
JWKS URL
Example JWT payload (for currently authenticated user)
Forward auth (domain-level)
Nginx (Ingress)
Nginx (Proxy Manager)
Nginx (standalone)
Traefik (Ingress)
Traefik (Compose)
Traefik (Standalone)
Caddy (Standalone)
Internal Host
External Host
Basic-Auth
Yes
Mode
Update Proxy Provider
Protocol Settings
Allowed Redirect URIs
Setup
No additional setup is required.
Update Radius Provider
Download
Copy download URL
Download signing certificate
Related objects
Update SAML Provider
SAML Configuration
EntityID/Issuer
SSO URL (Post)
SSO URL (Redirect)
SSO URL (IdP-initiated Login)
SLO URL (Post)
SLO URL (Redirect)
SAML Metadata
Example SAML attributes
NameID attribute
SCIM provider is in preview.
Warning: Provider is not assigned to an application as backchannel provider.
Update SCIM Provider
Sync not run yet.
Run sync again
Application details
Create application
Additional UI settings
OAuth2/OIDC
Modern applications, APIs and Single-page applications.
SAML
XML-based SSO standard. Use this if your application only supports SAML.
Legacy applications which don't natively support SSO.
LDAP
Provide an LDAP interface for applications and users to authenticate against.
Link
Authentication method
LDAP details
Create service account
Create provider
Application Link
URL which will be opened when a user clicks on the application.
Method details
This configuration can be used to authenticate to authentik with other APIs or otherwise programmatically.
By default, all service accounts can authenticate as this application, as long as they have a valid token of the type app-password.
Web application
Applications which handle the authentication server-side (for example, Python, Go, Rust, Java, PHP)
Single-page applications
Single-page applications which handle authentication in the browser (for example, Javascript, Angular, React, Vue)
Native application
Applications which redirect users to a non-web callback (for example, Android, iOS)
API
Authentication without user interaction, or machine-to-machine authentication.
Application type
Flow used when users access this application.
Proxy details
External domain
External domain you will be accessing the domain from.
Import SAML Metadata
Import the metadata document of the application you want to configure.
Manual configuration
Manually configure SAML
SAML details
URL that authentik will redirect back to after successful authentication.
Import SAML metadata
New application
Create a new application.
Applications
External Applications which use authentik as Identity-Provider, utilizing protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.
Provider Type
Application(s)
Application Icon
Update Application
Successfully sent test-request.
Log messages
No log messages.
Active
Last login
Select users to add
Successfully updated group.
Successfully created group.
Is superuser
Users added to this group will be superusers.
Parent
Attributes
Set custom attributes using YAML or JSON.
Successfully updated binding.
Successfully created binding.
Policy
Group mappings can only be checked if a user is already logged in when trying to access this source.
User mappings can only be checked if a user is already logged in when trying to access this source.
Enabled
Negate result
Negates the outcome of the binding. Messages are unaffected.
Order
Timeout
Successfully updated policy.
Successfully created policy.
A policy used for testing. Always returns the same result as specified below after waiting a random duration.
Execution logging
When this option is enabled, all executions of this policy will be logged. By default, only execution errors are logged.
Policy-specific settings
Pass policy?
Wait (min)
The policy takes a random time to execute. This controls the minimum time it will take.
Wait (max)
Matches an event against a set of criteria. If any of the configured values match, the policy passes.
Match created events with this action type. When left empty, all action types will be matched.
Matches Event's Client IP (strict matching, for network matching use an Expression Policy).
Match events created by selected application. When left empty, all applications are matched.
Checks if the request's user's password has been changed in the last x days, and denies based on settings.
Maximum age (in days)
Only fail the policy, don't invalidate user's password
Executes the python snippet to determine whether to allow or deny a request.
Expression using Python.
See documentation for a list of all variables.
Static rules
Minimum length
Minimum amount of Uppercase Characters
Minimum amount of Lowercase Characters
Minimum amount of Digits
Minimum amount of Symbols Characters
Error message
Symbol charset
Characters which are considered as symbols.
HaveIBeenPwned settings
Allowed count
Allow up to N occurrences in the HIBP database.
zxcvbn settings
Score threshold
If the password's score is less than or equal this value, the policy will fail.
0: Too guessable: risky password. (guesses < 10^3)
1: Very guessable: protection from throttled online attacks. (guesses < 10^6)
2: Somewhat guessable: protection from unthrottled online attacks. (guesses < 10^8)
3: Safely unguessable: moderate protection from offline slow-hash scenario. (guesses < 10^10)
4: Very unguessable: strong protection from offline slow-hash scenario. (guesses >= 10^10)
Checks the value from the policy request against several rules, mostly used to ensure password strength.
Password field
Field key to check, field keys defined in Prompt stages are available.
Check static rules
Check haveibeenpwned.com
For more info see:
Check zxcvbn
Password strength estimator created by Dropbox, see:
Allows/denys requests based on the users and/or the IPs reputation.
Invalid login attempts will decrease the score for the client's IP, and the username they are attempting to login as, by one. The policy passes when the reputation score is below the threshold, and doesn't pass when either or both of the selected options are equal or above the threshold.
Check IP
Check Username
Threshold
New policy
Create a new policy.
Create Binding
Superuser
Members
Select groups to add user to
Warning: Adding the user to the selected group(s) will give them superuser permissions.
Successfully updated user.
Successfully created user.
Username
User's primary identifier. 150 characters or fewer.
User's display name.
Email
Is active
Designates whether this user should be treated as active. Unselect this instead of deleting accounts.
Path
Policy / User / Group
Policy
Group
User
Edit Policy
Update Group
Edit Group
Update User
Edit User
Policy binding(s)
Update Binding
Edit Binding
No Policies bound.
No policies are currently bound to this object.
Bind existing policy
Warning: Application is not used by any Outpost.
Related
Backchannel Providers
Check access
Check
Check Application access
Test
Launch
Logins over the last week (per 8 hours)
Policy / Group / User Bindings
These policies control which users can access this application.
Successfully updated source.
Successfully created source.
Sync users
User password writeback
Login password is synced from LDAP into authentik automatically. Enable this option only to write password changes in authentik back to LDAP.
Sync groups
Connection settings
Server URI
Specify multiple server URIs by separating them with a comma.
Enable StartTLS
To use SSL instead, use 'ldaps://' and disable this option.
TLS Verification Certificate
When connecting to an LDAP Server with TLS, certificates are not checked by default. Specify a keypair to validate the remote certificate.
Bind CN
LDAP Attribute mapping
Property mappings used to user creation.
Additional settings
Parent group for all the groups imported from LDAP.
User path
Addition User DN
Additional user DN, prepended to the Base DN.
Addition Group DN
Additional group DN, prepended to the Base DN.
User object filter
Consider Objects matching this filter to be Users.
Group object filter
Consider Objects matching this filter to be Groups.
Group membership field
Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'
Object uniqueness field
Field which contains a unique Identifier.
Link users on unique identifier
Link to a user with identical email address. Can have security implications when a source doesn't validate email addresses
Use the user's email address, but deny enrollment when the email address already exists
Link to a user with identical username. Can have security implications when a username is used with another source
Use the user's username, but deny enrollment when the username already exists
Unknown user matching mode
URL settings
Authorization URL
URL the user is redirect to to consent the authorization.
Access token URL
URL used by authentik to retrieve tokens.
Profile URL
URL used by authentik to get user information.
Request token URL
URL used to request the initial token. This URL is only required for OAuth 1.
OIDC Well-known URL
OIDC well-known configuration URL. Can be used to automatically configure the URLs above.
OIDC JWKS URL
JSON Web Key URL. Keys from the URL will be used to validate JWTs from this source.
OIDC JWKS
Raw JWKS data.
User matching mode
Delete currently set icon.
Consumer key
Consumer secret
Additional scopes to be passed to the OAuth Provider, separated by space. To replace existing scopes, prefix with *.
Flow settings
Flow to use when authenticating existing users.
Enrollment flow
Flow to use when enrolling new users.
Load servers
Re-authenticate with plex
Allow friends to authenticate via Plex, even if you don't share any servers
Allowed servers
Select which server a user has to be a member of to be allowed to authenticate.
SSO URL
URL that the initial Login request is sent to.
SLO URL
Optional URL if the IDP supports Single-Logout.
Also known as Entity ID. Defaults the Metadata URL.
Binding Type
Redirect binding
Post-auto binding
Post binding but the request is automatically sent and the user doesn't have to confirm.
Post binding
Signing keypair
Keypair which is used to sign outgoing requests. Leave empty to disable signing.
Allow IDP-initiated logins
Allows authentication flows initiated by the IdP. This can be a security risk, as no validation of the request ID is done.
NameID Policy
Persistent
Email address
Windows
X509 Subject
Transient
Delete temporary users after
Time offset when temporary users should be deleted. This only applies if your IDP uses the NameID Format 'transient', and the user doesn't log out manually.
Pre-authentication flow
Flow used before authentication.
New source
Create a new source.
Sources of identities, which can either be synced into authentik's database, or can be used by users to authenticate and enroll themselves.
Source(s)
Disabled
Built-in
Update LDAP Source
Not synced yet.
Task finished with warnings
Task finished with errors
Last sync:
OAuth Source
Generic OpenID Connect
Unknown provider type
Details
Callback URL
Access Key
Update OAuth Source
Diagram
Policy Bindings
These bindings control which users can access this source. You can only use policies here as access is checked before the user is authenticated.
Update Plex Source
Update SAML Source
Successfully updated mapping.
Successfully created mapping.
Object field
Field of the user object this value is written to.
SAML Attribute Name
Attribute name used for SAML Assertions. Can be a URN OID, a schema reference, or a any other string. If this property mapping is used for NameID Property, this field is discarded.
Friendly Name
Optionally set the 'FriendlyName' value of the Assertion attribute.
Scope name
Scope which the client can specify to access these properties.
Description shown to the user when consenting. If left empty, the user won't be informed.
Example context data
Active Directory User
Active Directory Group
New property mapping
Create a new property mapping.
Property Mappings
Control how authentik exposes and interprets information.
Property Mapping(s)
Test Property Mapping
Hide managed mappings
Successfully updated token.
Successfully created token.
Unique identifier the token is referenced by.
Intent
API Token
Used to access the API programmatically
App password.
Used to login using a flow executor
Expiring
If this is selected, the token will expire. Upon expiration, the token will be rotated.
Expires on
API Access
App password
Verification
Unknown intent
Tokens
Tokens are used throughout authentik for Email validation stages, Recovery keys and API access.
Expires?
Expiry date
Token(s)
Create Token
Token is managed by authentik.
Update Token
Successfully updated tenant.
Successfully created tenant.
Domain
Matching is done based on domain suffix, so if you enter domain.tld, foo.domain.tld will still match.
Default
Use this tenant for each domain that doesn't have a dedicated tenant.
Branding settings
Title
Branding shown in page title and several other places.
Logo
Icon shown in sidebar/header and flow executor.
Favicon
Icon shown in the browser tab.
Default flows
Flow used to authenticate users. If left empty, the first applicable flow sorted by the slug is used.
Invalidation flow
Flow used to logout. If left empty, the first applicable flow sorted by the slug is used.
Recovery flow
Recovery flow. If left empty, the first applicable flow sorted by the slug is used.
Unenrollment flow
If set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown.
User settings flow
If set, users are able to configure details of their profile.
Device code flow
If set, the OAuth Device Code profile can be used, and the selected flow will be used to enter the code.
Other global settings
Web Certificate
Event retention
Duration after which events will be deleted from the database.
When using an external logging solution for archiving, this can be set to "minutes=5".
This setting only affects new Events, as the expiration is saved per-event.
Format: "weeks=3;days=2;hours=3,seconds=2".
Set custom attributes using YAML or JSON. Any attributes set here will be inherited by users, if the request is handled by this tenant.
Tenants
Configure visual settings and defaults for different domains.
Default?
Tenant(s)
Update Tenant
Create Tenant
Policies
Allow users to use Applications based on properties, enforce Password Criteria and selectively apply Stages.
Assigned to object(s).
Warning: Policy is not assigned.
Test Policy
Policy / Policies
Successfully cleared policy cache
Failed to delete policy cache
Clear cache
Clear Policy cache
Are you sure you want to clear the policy cache? This will cause all policies to be re-evaluated on their next usage.
Reputation scores
Reputation for IP and user identifiers. Scores are decreased for each failed login and increased for each successful login.
IP
Score
Updated
Reputation
Groups
Group users together and give them permissions based on the membership.
Superuser privileges?
Group(s)
Create Group
Create group
Enabling this toggle will create a group named after the user, with the user as member.
Use the username and password below to authenticate. The password can be retrieved later on the Tokens page.
Password
Valid for 360 days, after which the password will automatically rotate. You can copy the password from the Token List.
The following objects use
connecting object will be deleted
Successfully updated
Failed to update :
Are you sure you want to update ""?
Successfully updated password.
Successfully sent email.
Email stage
Successfully added user(s).
Users to add
User(s)
Remove Users(s)
Are you sure you want to remove the selected users from the group ?
Remove
Impersonate
User status
Change status
Deactivate
Update password
Set password
Successfully generated recovery link
No recovery flow is configured.
Copy recovery link
Send link
Send recovery link to user
Email recovery link
Recovery link cannot be emailed, user has no email address saved.
To let a user directly reset a their password, configure a recovery flow on the currently active tenant.
Add User
Warning: This group is configured with superuser access. Added users will have superuser access.
Add existing user
Create user
Create User
Create Service account
Hide service-accounts
Group Info
Notes
Edit the notes attribute of this group to add notes here.
Users
Root
Warning: You're about to delete the user you're logged in as (). Proceed at your own risk.
Hide deactivated user
User folders
Successfully added user to group(s).
Groups to add
Remove from Group(s)
Are you sure you want to remove user from the following groups?
Add Group
Add to existing group
Add new group
Application authorizations
Revoked?
Expires
ID Token
Refresh Tokens(s)
Last IP
Session(s)
Expiry
(Current session)
Permissions
Consent(s)
Successfully updated device.
Static tokens
TOTP Device
Enroll
Device(s)
Update Device
Confirmed
User Info
To create a recovery link, the current tenant needs to have a recovery flow configured.
Reset Password
Actions over the last week (per 8 hours)
Edit the notes attribute of this user to add notes here.
Sessions
User events
Explicit Consent
OAuth Refresh Tokens
MFA Authenticators
Successfully updated invitation.
Successfully created invitation.
Flow
When selected, the invite will only be usable with the flow. By default the invite is accepted on all flows with invitation stages.
Optional data which is loaded into the flow's 'prompt_data' context variable. YAML or JSON.
Single use
When enabled, the invitation will be deleted after usage.
Select an enrollment flow
Link to use the invitation.
Invitations
Create Invitation Links to enroll Users, and optionally force specific attributes of their account.
Created by
Invitation(s)
Invitation not limited to any flow, and can be used with any enrollment flow.
Update Invitation
Create Invitation
Warning: No invitation stage is bound to any flow. Invitations will not work as expected.
Auto-detect (based on your browser)
Required.
Continue
Successfully updated prompt.
Successfully created prompt.
Text: Simple Text input
Text Area: Multiline text input
Text (read-only): Simple Text input, but cannot be edited.
Text Area (read-only): Multiline text input, but cannot be edited.
Username: Same as Text input, but checks for and prevents duplicate usernames.
Email: Text field with Email type.
Password: Masked input, multiple inputs of this type on the same prompt need to be identical.
Number
Checkbox
Radio Button Group (fixed choice)
Dropdown (fixed choice)
Date
Date Time
File
Separator: Static Separator Line
Hidden: Hidden field, can be used to insert data into form.
Static: Static value, displayed as-is.
authentik: Locale: Displays a list of locales authentik supports.
Preview errors
Data preview
Unique name of this field, used for selecting fields in prompt stages.
Field Key
Name of the form field, also used to store the value.
When used in conjunction with a User Write stage, use attributes.foo to write attributes.
Label
Label shown next to/above the prompt.
Required
Interpret placeholder as expression
When checked, the placeholder will be evaluated in the same way a property mapping is. If the evaluation fails, the placeholder itself is returned.
Placeholder
Optionally provide a short hint that describes the expected input value. When creating a fixed choice field, enable interpreting as expression and return a list to return multiple choices.
Interpret initial value as expression
When checked, the initial value will be evaluated in the same way a property mapping is. If the evaluation fails, the initial value itself is returned.
Initial value
Optionally pre-fill the input with an initial value. When creating a fixed choice field, enable interpreting as expression and return a list to return multiple default choices.
Help text
Any HTML can be used.
Prompts
Single Prompts that can be used for Prompt Stages.
Field
Stages
Prompt(s)
Update Prompt
Create Prompt
Target
Stage
Evaluate when flow is planned
Evaluate policies during the Flow planning process.
Evaluate when stage is run
Evaluate policies before the Stage is present to the user.
Invalid response behavior
Returns the error message and a similar challenge to the executor
Restarts the flow from the beginning
Restarts the flow from the beginning, while keeping the flow context
Configure how the flow executor should handle an invalid response to a challenge given by this bound stage.
Successfully updated stage.
Successfully created stage.
Stage used to configure a duo-based authenticator. This stage should be used for configuration flows.
Authenticator type name
Display name of this authenticator, used by users when they enroll an authenticator.
API Hostname
Duo Auth API
Integration key
Secret key
Duo Admin API (optional)
When using a Duo MFA, Access or Beyond plan, an Admin API application can be created. This will allow authentik to import devices automatically.
Stage-specific settings
Configuration flow
Flow used by an authenticated user to configure this Stage. If empty, user will not be able to configure this stage.
Twilio Account SID Get this value from https://console.twilio.com Twilio Auth Token Authentication Type Basic Auth Bearer Token External API URL This is the full endpoint to send POST requests to. API Auth Username This is the username to be used with basic auth or the token when used with bearer token API Auth password This is the password to be used with basic auth Mapping Modify the payload sent to the custom provider. Stage used to configure an SMS-based TOTP authenticator. Twilio Generic From number Number the SMS will be sent from. Hash phone number If enabled, only a hash of the phone number will be saved. This can be done for data-protection reasons. Devices created from a stage with this enabled cannot be used with the authenticator validation stage. Stage used to configure a static authenticator (i.e. static tokens). This stage should be used for configuration flows. Token count Stage used to configure a TOTP authenticator (i.e. Authy/Google Authenticator).
Digits 6 digits, widely compatible 8 digits, not compatible with apps like Google Authenticator Stage used to validate any authenticator. This stage should be used during authentication or authorization flows. Device classes Static Tokens TOTP Authenticators WebAuthn Authenticators Duo Authenticators SMS-based Authenticators Device classes which can be used to authenticate. Last validation threshold If any of the devices user of the types selected above have been used within this duration, this stage will be skipped. Not configured action Force the user to configure an authenticator Deny the user access WebAuthn User verification User verification must occur. User verification is preferred if available, but not required. User verification should not occur. Configuration stages Stages used to configure Authenticator when user doesn't have any compatible devices. After this configuration Stage passes, the user is not prompted again. When multiple stages are selected, the user can choose which one they want to enroll.
User verification Resident key requirement Authenticator Attachment No preference is sent A non-removable authenticator, like TouchID or Windows Hello A "roaming" authenticator, like a YubiKey This stage checks the user's current session against the Google reCaptcha (or compatible) service. Public Key Public key, acquired from https://www.google.com/recaptcha/intro/v3.html. Private Key Private key, acquired from https://www.google.com/recaptcha/intro/v3.html. Advanced settings JS URL URL to fetch JavaScript from, defaults to recaptcha. Can be replaced with any compatible alternative. API URL URL used to validate captcha response, defaults to recaptcha. Can be replaced with any compatible alternative. Prompt for the user's consent. The consent can either be permanent or expire in a defined amount of time. Always require consent Consent given last indefinitely Consent expires. Consent expires in Offset after which consent expires.
Dummy stage used for testing. Shows a simple continue button and always passes. Throw error? SMTP Host SMTP Port SMTP Username SMTP Password Use TLS Use SSL From address Verify the user's email address by sending them a one-time-link. Can also be used for recovery to verify the user's authenticity. Activate pending user on success When a user returns from the email successfully, their account will be activated. Use global settings When enabled, global Email connection settings will be used and connection settings below will be ignored. Token expiry Time in minutes the token sent is valid. Template Let the user identify themselves with their username or Email address. User fields UPN Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources. Password stage When selected, a password field is shown on the same page instead of a separate page. This prevents username enumeration attacks.
Case insensitive matching When enabled, user fields are matched regardless of their casing. Show matched user When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown. Source settings Sources Select sources should be shown for users to authenticate with. This only affects web-based sources, not LDAP. Show sources' labels By default, only icons are shown for sources. Enable this to show their full names. Passwordless flow Optional passwordless flow, which is linked at the bottom of the page. When configured, users can use this flow to authenticate with a WebAuthn authenticator, without entering any details. Optional enrollment flow, which is linked at the bottom of the page. Optional recovery flow, which is linked at the bottom of the page. This stage can be included in enrollment flows to accept invitations.
Continue flow without invitation If this flag is set, this Stage will jump to the next Stage when no Invitation is given. By default this Stage will cancel the Flow when no invitation is given. Validate the user's password against the selected backend(s). Backends User database + standard password User database + app passwords User database + LDAP password Selection of backends to test the password against. Flow used by an authenticated user to configure their password. If empty, user will not be able to configure change their password. Failed attempts before cancel How many attempts a user has before the flow is canceled. To lock the user out, use a reputation policy and a user_write stage. Show arbitrary input fields to the user, for example during enrollment. Data is saved in the flow context under the 'prompt_data' variable. Fields ("", of type ) Validation Policies Selected policies are executed when the stage is submitted to validate the data. Delete the currently pending user.
CAUTION, this stage does not ask for confirmation. Use a consent stage to ensure the user is aware of their actions. Log the currently pending user in. Session duration Determines how long a session lasts. Default of 0 seconds means that the sessions lasts until the browser is closed. Different browsers handle session cookies differently, and might not remove them even when the browser is closed. See here. Stay signed in offset If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here. Terminate other sessions When enabled, all previous sessions of the user will be terminated. Remove the user from the current session. Write any data from the flow's context's 'prompt_data' to the currently pending user. If no user is pending, a new user is created, and data is written to them. Never create users When no user is present in the flow context, the stage will fail. Create users when required When no user is present in the the flow context, a new user is created. Always create new users Create a new user even if a user is in the flow context.
Create users as inactive Mark newly created users as inactive. User path template Path new users will be created under. If left blank, the default path will be used. Newly created users are added to this group, if a group is selected. New stage Create a new stage. Successfully imported device. The user in authentik this device will be assigned to. Duo User ID The user ID in Duo, can be found in the URL after clicking on a user. Automatic import Successfully imported devices. Start automatic import Or manually import Stages are single steps of a Flow that a user is guided through. A stage can only be executed from within a flow. Flows Stage(s) Import Import Duo device Successfully updated flow. Successfully created flow. Shown as the Title in Flow pages. Visible in the URL. Designation Decides what this Flow is used for. For example, the Authentication flow is redirect to when an un-authenticated user visits authentik.
No requirement Require authentication Require no authentication. Require superuser. Required authentication level for this flow. Behavior settings Compatibility mode Increases compatibility with password managers and mobile devices. Denied action Will follow the ?next parameter if set, otherwise show a message Will either follow the ?next parameter or redirect to the default interface Will notify the user the flow isn't applicable Decides the response when a policy denies access to this flow for a user. Appearance settings Layout Background Background shown during execution. Clear background Delete currently set background image. Successfully imported flow. .yaml files, which can be found on goauthentik.io and can be exported by authentik. Flows describe a chain of Stages to authenticate, enroll or recover a user. Stages are chosen based on policies applied to them.
Flow(s) Update Flow Create Flow Import Flow Successfully cleared flow cache Failed to delete flow cache Clear Flow cache Are you sure you want to clear the flow cache? This will cause all flows to be re-evaluated on their next usage. Stage binding(s) Stage type Edit Stage Update Stage binding These bindings control if this stage will be applied to the flow. No Stages bound No stages are currently bound to this flow. Create Stage binding Bind stage Bind existing stage Flow Overview Related actions Execute flow Normal with current user with inspector Export flow Export Stage Bindings These bindings control which users can access this flow. Event Log Event Event info Created Successfully updated transport. Successfully created transport. Local (notifications will be created within authentik) Webhook (generic) Webhook (Slack/Discord) Webhook URL Webhook Mapping Send once Only send notification once, for example when sending a webhook into a chat channel. Notification Transports Define how notifications are sent to users, like Email or Webhook.
Notification transport(s) Update Notification Transport Create Notification Transport Successfully updated rule. Successfully created rule. Select the group of users which the alerts are sent to. If no group is selected the rule is disabled. Transports Select which transports should be used to notify the user. If none are selected, the notification will only be shown in the authentik UI. Severity Notification Rules Send notifications whenever a specific Event is created and matched by policies. Sent to group Notification rule(s) None (rule disabled) Update Notification Rule Create Notification Rule These bindings control upon which events this rule triggers. Bindings to groups/users are checked against the user of the event. Outpost Deployment Info View deployment documentation Click to copy token If your authentik Instance is using a self-signed certificate, set this value. If your authentik_host setting does not match the URL you want to login with, add this setting. Successfully updated outpost. Successfully created outpost.
Radius Integration Selecting an integration enables the management of the outpost by authentik. You can only select providers that match the type of the outpost. Configuration See more here: Documentation Last seen , should be Hostname Not available Last seen: Unknown type Outposts Outposts are deployments of authentik components to support different environments and protocols, like reverse proxies. Health and Version Warning: authentik Domain is not configured, authentication will not work. Logging in via . No integration active Update Outpost View Deployment Info Detailed health (one instance per column, data is cached so may be out of date) Outpost(s) Create Outpost Successfully updated integration. Successfully created integration. Local If enabled, use the local connection. Required Docker socket/Kubernetes Integration. Docker URL Can be in the format of 'unix://' when connecting to a local docker daemon, using 'ssh://' to connect via SSH, or 'https://:2376' when connecting to a remote system.
CA which the endpoint's Certificate is verified against. Can be left empty for no validation. TLS Authentication Certificate/SSH Keypair Certificate/Key used for authentication. Can be left empty for no authentication. When connecting via SSH, this keypair is used for authentication. Kubeconfig Verify Kubernetes API SSL Certificate New outpost integration Create a new outpost integration. State Unhealthy Outpost integration(s) Successfully generated certificate-key pair. Common Name Subject-alt name Optional, comma-separated SubjectAlt Names. Validity days Successfully updated certificate-key pair. Successfully created certificate-key pair. PEM-encoded Certificate data. Optional Private Key. If this is set, you can use this keypair for encryption. Certificate-Key Pairs Import certificates of external providers or create certificates to sign requests with. Private key available?
Certificate-Key Pair(s) Managed by authentik Managed by authentik (Discovered) Yes () No Update Certificate-Key Pair Certificate Fingerprint (SHA1) Certificate Fingerprint (SHA256) Certificate Subject Download Certificate Download Private key Create Certificate-Key Pair Generate Generate Certificate-Key Pair Successfully updated instance. Successfully created instance. Disabled blueprints are never applied. Local path OCI Registry Internal OCI URL, in the format of oci://registry.domain.tld/path/to/manifest. See more about OCI support here: Blueprint Configure the blueprint context, used for templating. Orphaned Blueprints Automate and template configuration within authentik. Last applied Blueprint(s) Update Blueprint Create Blueprint Instance API Requests Open API Browser Notifications unread Successfully cleared notifications Clear all A newer version of the frontend is available. You're currently impersonating . Click to stop.
User interface Dashboards Events Logs Customisation Directory System Certificates Outpost Integrations API request failed User's avatar Something went wrong! Please try again later. Request ID You may close this page now. You're about to be redirect to the following URL. Follow redirect Request has been denied. Not you? Need an account? Sign up. Forgot username or password? Select one of the sources below to login. Or Use a security key Login to continue to . Please enter your password Forgot password? Application requires following permissions: Application already has access to the following permissions: Application requires following new permissions: Check your Inbox for a verification email. Send Email again. Successfully copied TOTP Config. Copy Code Please enter your TOTP Code Duo activation QR code Alternatively, if your current device has Duo installed, click on this link: Duo activation Check status Make sure to keep these tokens in a safe place. Phone number Please enter your Phone number.
Please enter the code you received via SMS A code has been sent to you via SMS. Open your two-factor authenticator app to view your authentication code. Static token Authentication code Please enter your code Return to device picker Sending Duo push notification Assertions is empty Error when creating credential: Error when validating assertion on server: Retry authentication Duo push-notifications Receive a push notification on your device. Authenticator Use a security key to prove your identity. Traditional authenticator Use a code-based authenticator. Recovery keys In case you can't access any other method. SMS Tokens sent via SMS. Select an authentication method. Stay signed in? Select Yes to reduce the number of times you're asked to sign in. Authenticating with Plex... Waiting for authentication... If no Plex popup opens, click the button below. Open login Authenticating with Apple... Retry Enter the code shown on your device.
Please enter your Code You've successfully authenticated your device. Flow inspector Next stage Stage name Stage kind Stage object This flow is completed. Plan history Current plan context Session ID Powered by authentik Background image Error creating credential: Server validation of credential failed: Register device Refer to documentation No Applications available. Either no applications are defined, or you don’t have access to any. My Applications My applications Change your password Change password Save Delete account Successfully updated details Open settings No settings flow configured. Update details Successfully disconnected source Failed to disconnected source: Disconnect Connect Error: unsupported source settings: Connect your user account to the services listed below, to allow you to login using the service instead of traditional credentials. No services available.
Create App password User details Consent MFA Devices Connected services Tokens and App passwords Unread notifications Admin interface Stop impersonation Avatar image Failed Unsynced / N/A Outdated outposts Unhealthy outposts Next Inactive Regular user Activate Use Server URI for SNI verification Required for servers using TLS 1.3+ Client certificate keypair to authenticate against the LDAP Server's Certificate. The certificate for the above configured Base DN. As a fallback, the provider uses a self-signed certificate. TLS Server name DNS name for which the above configured certificate should be used. The certificate cannot be detected based on the base DN, as the SSL/TLS negotiation happens before such data is exchanged. TLS Client authentication certificate Model Match events created by selected model. When left empty, all models are matched. Code-based MFA Support When enabled, code-based multi-factor authentication can be used by appending a semicolon and the TOTP code to the password. This should only be enabled if all users that will bind to this provider have a TOTP device configured, as otherwise a password may incorrectly be rejected if it contains a semicolon. User type Successfully updated license. Successfully created license. Install ID License key Licenses License(s) Enterprise is in preview. Cumulative license expiry Update License Warning: The current user count has exceeded the configured licenses. Click here for more info. Enterprise Manage enterprise licenses No licenses found. Send us feedback! Get a license Go to Customer Portal Forecast internal users Estimated user count one year from now based on current internal users and forecasted internal users.
Forecast external users Estimated user count one year from now based on current external users and forecasted external users. Install Install License Internal users might be users such as company employees, which will get access to the full Enterprise feature set. External users might be external consultants or B2C customers. These users don't get access to enterprise features. Service accounts should be used for machine-to-machine authentication or other automations. Less details More details Remove item Open API drawer Open Notification drawer Restart task Add provider Open Copy token Add users Add group Import devices Execute Show details Apply Settings Sign out The number of tokens generated whenever this stage is used. Every token generated per stage execution will be attached to a single static device. Token length The length of the individual generated tokens. Can be increased to improve security. Internal: External: Statically deny the flow. To use this stage effectively, disable *Evaluate when flow is planned* on the respective binding. Create and bind Policy Federation and Social login Create and bind Stage Flows and Stages New version available Failure result Pass Don't pass Result used when policy execution fails. Required: User verification must occur. Preferred: User verification is preferred if available, but not required. Discouraged: User verification should not occur. Required: The authenticator MUST create a dedicated credential. If it cannot, the RP is prepared for an error to occur Preferred: The authenticator can create and store a dedicated credential, but if it doesn't that's alright too Discouraged: The authenticator should not create a dedicated credential Lock the user out of this system Allow the user to log in and use this system Temporarily assume the identity of this user Enter a new password for this user Create a link for this user to reset their password WebAuthn requires this page to be accessed via HTTPS. 
WebAuthn not supported by browser. Use this provider with nginx's auth_request or traefik's forwardAuth. Each application/domain needs its own provider. Additionally, on each domain, /outpost.goauthentik.io must be routed to the outpost (when using a managed outpost, this is done for you). Default relay state When using IDP-initiated logins, the relay state will be set to this value. Flow Info Stage used to configure a WebAuthn authenticator (i.e. Yubikey, FaceID/Windows Hello).