docs: centralize hashed password caveat

Dominic R
2026-04-22 20:38:57 -04:00
parent 9c0128c805
commit ec6edceff0
2 changed files with 3 additions and 3 deletions

@@ -70,7 +70,7 @@ For example:
`password` and `password_hash` are mutually exclusive; setting both on the same user causes blueprint validation to fail.
Because no raw password is available when `password_hash` is used, authentik only updates the local password verifier. This does not propagate the password to LDAP or Kerberos integrations, even when password writeback is enabled.
`password_hash` follows the [hashed-password import behavior](../../../install-config/automated-install.mdx#authentik_bootstrap_password_hash): it updates only authentik's local password verifier and does not propagate to LDAP or Kerberos integrations.
### `permissions`
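
Review bot: the replacement sentence after the mutual-exclusivity line drops the "even when password writeback is enabled" clause that the removed sentence carried, and that is the case an operator is most likely to misjudge. Either keep the clause here or rely on the link fully, because the new line still repeats the rest of the caveat ("updates only authentik's local password verifier and does not propagate to LDAP or Kerberos integrations") and so is only partly centralized. Please also confirm that the `#authentik_bootstrap_password_hash` fragment matches the slug generated for the target heading and that the docs build checks anchors, not just file paths.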

@@ -12,7 +12,7 @@ These can't be defined using the file-based syntax (`file://`), so you can't pas
Configure the default password for the `akadmin` user using a pre-hashed Django password value. Only read on the first startup.
This stores the hash directly as authentik's local password verifier. Because authentik never sees the raw password, this does not propagate the password to LDAP or Kerberos integrations, even when password writeback is enabled.
This stores the hash directly as authentik's local password verifier. Because authentik never sees the raw password, hashed-password imports do not propagate the password to LDAP or Kerberos integrations, even when password writeback is enabled.
To generate a hash, run this command before your initial deployment:
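
Review bot: "hashed-password imports" in the rewritten sentence is a new term that this section does not define, and the other file in this commit now points to what appears to be this section for the "hashed-password import behavior". Since this paragraph becomes the canonical statement of the caveat, say what counts as an import (the bootstrap variable, the blueprint `password_hash` attribute and the `set_password_hash` endpoint described further down), or keep the original "this does not propagate" wording and let the later paragraph extend it to the other paths.
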
@@ -57,7 +57,7 @@ Setting both `AUTHENTIK_BOOTSTRAP_PASSWORD` and `AUTHENTIK_BOOTSTRAP_PASSWORD_HA
For post-install automation, hashed passwords can also be set via blueprints with the `password_hash` user attribute, or via the `/api/v3/core/users/<id>/set_password_hash/` API endpoint with the hash provided in the `password` field. The API endpoint requires the `authentik_core.set_user_password_hash` permission and can target regular users or service accounts.
These paths also only update authentik's local password verifier and do not propagate to LDAP or Kerberos integrations.
These paths share the same local-verifier-only behavior as `AUTHENTIK_BOOTSTRAP_PASSWORD_HASH`.
### `AUTHENTIK_BOOTSTRAP_TOKEN`
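
Review bot: "local-verifier-only behavior" in the replacement line is shorthand that no longer names LDAP or Kerberos, so a reader who lands on this paragraph for the blueprint or API path loses the concrete consequence and has to scroll up to find it. Consider wording such as "These paths behave the same way as `AUTHENTIK_BOOTSTRAP_PASSWORD_HASH`: only authentik's local password verifier is updated", with an in-page link to that section, so the reference is explicit rather than implied.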