Tidy. Fix colors.

Signed-off-by: Tana M Berry <tanamarieberry@yahoo.com>

website/docs/add-secure-apps/applications/manage_apps.mdx

@@ -19,20 +19,41 @@ To add an application to authentik and have it display on users' **My applicatio
 
     - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any additional required configurations.
 
-    - **Configure Bindings**: to manage the listing and access to applications on a user's **My applications** page, you can optionally create a [binding](../flows-stages/bindings/index.md) between the application and a specific policy, group, or user. Note that if you do not define any bindings, then all users have access to the application. For more information about user access, refer to our documentation about [authorization](#policy-driven-authorization) and [hiding an application](#hide-applications).
+    - **Configure Bindings**: to manage which applications a user can view and access via their **My applications** page, you can optionally create a [binding](../bindings-overview/index.md) between the application and a specific policy, group, or user. Note that if you do not define any bindings, then all users have access to the application. For more information about user access, refer to our documentation about [policy-driven authorization](#policy-driven-authorization), [using application entitlements](../applications/manage_apps.mdx#create-an-application-entitlement) and [hiding an application](#hide-applications).
 
 4. On the **Review and Submit Application** panel, review the configuration for the new application and its provider, and then click **Submit**.
 
-## Policy-driven authorization
+## Use bindings to control access
 
-To use a [policy](../../customize/policies/index.md) to control which users or groups can access an application, click on an application in the applications list and then select the **Policy/Group/User Bindings** tab. There you can bind users/groups/policies to grant them access. When nothing is bound, everyone has access. Binding a policy restricts access to specific Users or Groups, or by other custom policies such as restriction to a set time-of-day or a geographic region.
+By default, all users can access applications when no bindings are defined on the application.
 
-By default, all users can access applications when no policies are bound.
+You can bind policies, groups, and users to grant access to an application. When nothing is bound, everyone has access. Binding a policy restricts access to specific Users or Groups, or by other custom policies such as restriction to a set time-of-day or a geographic region.
 
 When multiple policies/groups/users are attached, you can configure the _Policy engine mode_ to either:
 
-- Require users to pass all bindings/be member of all groups (ALL), or
-- Require users to pass either binding/be member of either group (ANY)
+- Require users to pass all policies or be member of all groups (ALL), or
+- Require users to pass any single policy or be member of any group (ANY)
+
+The most common ways to control access to an application by using bindings are:
+
+1. [Create a policy binding](../../customize/policies/working_with_policies.md#bind-a-policy-to-an-application) in which a policy is used to determine whether or not a user can access an application.
+2. [Bind a user or group to the application](#bind-a-user-or-group-to-an-application).
+
+### Policy-driven authorization
+
+To use a [policy](../../customize/policies/index.md) to control which users or groups can access an application, click on an application in the applications list, click the **Policy/Group/User Bindings** tab, and then select **Policy** from the **Policy/Group/User Bindings** options.
+
+### Bind a user or group to an application
+
+You can bind a user or group to an application either when you create a new application and provider or later, after the application is created.
+
+#### When creating an application and provider
+
+Follow the instructions for [creating a new application and provider](#create-an-application-and-provider-pair). On the **Policy/Group/User Bindings** tab at the top of the page, you can select **Group** or \*User\*\* to bind a specific group or userto the application.
+
+#### Add binding to an existing application
+
+To bind a user or group to an existing application, click on an application in the applications list, select **Group** or **User** from the **Policy/Group/User Bindings** options, and then select the group or user that you want to bind to the application.
 
 ## Application Entitlements
 
@@ -43,7 +64,7 @@ When multiple policies/groups/users are attached, you can configure the _Policy
 
 </div>
 
-Application entitlements can be used through authentik to manage authorization within an application (what areas of the app users or groups can access). Entitlements are scoped to a single application and can be bound to multiple users and/or groups (binding policies is not currently supported), giving them access to the entitlement. An application can either check for the name of the entitlement (via the `entitlements` scope), or via attributes stored in entitlements.
+Application entitlements can be used through authentik to manage authorization _within an application_ (what areas of the app users or groups can access). Entitlements are scoped to a single application and can be bound to multiple users and/or groups (binding policies is not currently supported), giving them access to the entitlement. An application can either check for the name of the entitlement (via the `entitlements` scope), or via attributes stored in entitlements.
 
 An authentik admin can create an entitlement [in the Admin interface](#create-an-application-entitlement) or using the [authentik API](/api).
 

website/docs/add-secure-apps/bindings-overview/index.md

@@ -0,0 +1,113 @@
+---
+title: authentik bindings
+---
+
+A binding is, simply put, a connection between two components. The use of a binding adds additional functionality to one the existing components; for example, a policy binding can cause a new stage to be presented within a flow to a specific user or group.
+
+:::info
+For information about creating and managing bindings, refer to [Work with bindings](./work-with-bindings.md).
+:::
+
+Bindings are an important part of authentik; the majority of configuration options are defined in bindings.
+
+It's important to remember that bindings are instantiated objects themselves, and conceptually can be considered as a "connector" between two components. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding, in order to intercept and enforce the criteria defined in the second binding.
+
+## Relations with bindings
+
+This diagram shows the relationships that bindings have between components. The primary components are _policy_, _user_, and _group_; these three objects can be bound to either an application, application entitlement, flow, flow-stage binding, source, device, device access group, notification rule, or endpoint.
+
+```mermaid
+
+flowchart TD
+    subgraph Directory
+        user[User]
+        group[Group]
+    end
+
+    subgraph Policy
+        policy[Policy]
+        policy_binding[Policy Binding]
+    end
+
+    subgraph Application
+        application[Application]
+        application_entitlement[Application Entitlement]
+    end
+    subgraph Sources
+        source[Source]
+    end
+    subgraph Endpoint devices
+        device[Device]
+        device_access_group[Device Access Group]
+    end
+    subgraph Events
+        notification_rule[Notification Rule]
+    end
+    subgraph RAC Provider
+        endpoint[Endpoint]
+    end
+    subgraph Flows
+        flow[Flow]
+        flow_stage_binding[Flow Stage Binding]
+        stage[Stage]
+    end
+
+    policy --> policy_binding
+    user --> policy_binding
+    group --> policy_binding
+
+    policy_binding --> application
+    policy_binding --> application_entitlement
+    policy_binding --> source
+    policy_binding --> device
+    policy_binding --> device_access_group
+    policy_binding --> notification_rule
+    policy_binding --> flow
+    policy_binding --> endpoint
+
+    flow_stage_binding --> stage
+    flow --> flow_stage_binding
+
+    policy_binding --> flow_stage_binding
+```
+
+## Types of bindings
+
+The two most common types of bindings in authentik are:
+
+- policy bindings (which can also bind to users and groups)
+- flow-stage bindings
+
+### Policy bindings
+
+A _policy binding_ connects a specific policy (a policy object) to a flow or flow-stage binding. With the policy binding, the flow (or specifically the stage within the flow) will now have additional content (i.e. the rules of the policy).
+
+With policy bindings, you can also bind groups and users to another component (an application, a source, a flow, etc.). For example you can bind a group to an application, and then only that group (or other groups also bound to it), can access the application.
+
+Bindings are also used for [Application Entitlements](../../add-secure-apps/applications/manage_apps.mdx#application-entitlements), where you can bind specific users or groups to an application as a way to manage who has access to certain areas _within an application_.
+
+::: info
+Be aware that policy bindings that are bound directly to the flow are evaluated _before_ the flow executes, so if the user is not authenticated, the flow will not start.
+:::
+
+### Flow-stage bindings
+
+:::info
+Be aware that depending on context, user and group policy bindings are not evaluated (i.e. ignored). For example, if you are not authenticated or if authentik has not yet identified the user, a policy binding that depends on knowing who the user is cannot be evaluated.
+:::
+
+Flow-stage bindings are analyzed by authentik's Flow Plan, which starts with the flow, then assesses all of the bound policies, and then runs them in order to build out the plan.
+
+A _flow-stage binding_ connects a stage to a flow in a specified order, so that the stage is executed at the desired point within the flow.
+
+For example, you can create a binding for a specific group, and then [bind that to a stage binding](../flows-stages/stages/index.md#bind-users-and-groups-to-a-flows-stage-binding), with the result that everyone in that group now will see that stage (and any policies bound to that stage) as part of their flow. Or more specifically, and going one step deeper, you can also _bind a binding to a binding_.
+
+Flow-stage bindings can have policy bindings bound to them; this can be used to conditionally run or skip stages within a flow. There are two settings in a flow-stage binding that configure _when_ these policies are executed:
+
+- **Evaluate when flow is planned**
+  Policies are evaluated when authentik creates a flow plan that contains a reference to all of the stages that the user will need to go through to complete the flow. In this case,user-specific attributes are only available if the user is already authentiticated before beginning the flow.
+
+- **Evaluate when the stage is run**
+  Policies bound to a flow-stage binding are evaluated before the stage is run (i.e after the flow has started but before the stage is reached in the flow). Therefore the context with which policy bindings to the flow-stage binding are evaluated reflects the current state of the flow.
+
+    For example, when configuring an authentication flow with an identification stage bound to it, and a user bound to a Captcha flow-stage binding, with this setting (**Evaluate when stage is run**) enabled authentik can check against the user who has identified themselves previously.

website/docs/add-secure-apps/bindings-overview/work-with-bindings.md

@@ -0,0 +1,12 @@
+---
+title: Work with bindings
+---
+
+As covered in the [overview](./index.md), bindings interact with many other components.
+
+For instructions to create a binding, refer to the documentation for the specific components:
+
+- [Bind a stage to a flow](../flows-stages/stages/index.md#bind-a-stage-to-a-flow)
+- [Bind a policy to a flow, stage, application, or source](../../customize/policies/working_with_policies.md#bind-a-policy-to-a-flow-stage-application-or-source)
+- [Bind users or groups to a specific application](../applications/manage_apps.mdx#use-bindings-to-control-access)
+- [Bind users and groups to a stage binding, to define whether or not that stage is shown](../flows-stages/stages/index.md#bind-users-and-groups-to-a-flows-stage-binding)

website/docs/add-secure-apps/flows-stages/bindings/index.md

@@ -1,33 +0,0 @@
----
-title: Bindings
----
-
-A binding is, simply put, a connection between two components (a flow, stage, policy, user, or group). The use of a binding adds additional functionality to one those existing components; for example, a policy binding can cause a new stage to be presented within a flow to a specific user or group.
-
-:::info
-For information about creating and managing bindings, refer to [Working with bindings](./work_with_bindings.md).
-:::
-
-Bindings are an important part of authentik; the majority of configuration options are set in bindings.
-
-Bindings are analyzed by authentik's Flow Plan, which starts with the flow, then assesses all of the bound policies, and then runs them in order to build out the plan.
-
-The three most common types of bindings in authentik are:
-
-- stage bindings
-- policy bindings
-- user and group bindings
-
-A _stage binding_ connects a stage to a flow. The "additional content" (i.e. the content in the stage) is now added to the flow.
-
-A _policy binding_ connects a specific policy to a flow or to a stage. With the binding, the flow (or stage) will now have additional content (i.e. the policy rules).
-
-You can also bind groups and users to another component (a policy, a stage, a flow, etc.). For example, you can create a binding for a specific group, and then [bind that to a stage binding](../stages/index.md#bind-users-and-groups-to-a-flows-stage-binding), with the result that everyone in that group now will see that stage (and any policies bound to that stage) as part of their flow. Or more specifically, and going one step deeper, you can also _bind a binding to a binding_.
-
-Bindings are also used for [Application Entitlements](../../applications/manage_apps.mdx#application-entitlements), where you can bind specific users or groups to an application as a way to manage who has access to the application.
-
-It's important to remember that bindings are instantiated objects themselves, and conceptually can be considered as a "connector" between two components. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding, in order to intercept and enforce the criteria defined in the second binding.
-
-:::info
-Be aware that some stages and flows do not allow user or group bindings, because in certain scenarios (authentication or enrollment), the flow plan doesn't yet know who the user or group is.
-:::

website/docs/add-secure-apps/flows-stages/bindings/work_with_bindings.md

@@ -1,13 +0,0 @@
----
-title: Work with bindings
----
-
-As covered in the [overview](./index.md), bindings interact with many other components.
-
-For instructions to create a binding, refer to the documentation for the specific components:
-
-- [Bind a stage to a flow](../stages/index.md#bind-a-stage-to-a-flow)
-- [Bind a policy to a flow or stage](../../../customize/policies/working_with_policies.md#bind-a-policy-to-a-flow-or-stage)
-- [Bind users or groups to a specific application with an Application Entitlement](../../applications/manage_apps.mdx#application-entitlements)
-- [Bind a policy to a specific application when you create a new application and provider](../../applications/manage_apps.mdx#create-an-application-and-provider-pair)
-- [Bind users and groups to a stage binding, to define whether or not that stage is shown](../stages/index.md#bind-users-and-groups-to-a-flows-stage-binding)

website/docs/add-secure-apps/flows-stages/flow-stage-bindings/index.md

@@ -0,0 +1,13 @@
+---
+title: Stage bindings
+---
+
+You can use a binding to determine which exact [stages](../stages/index.md) (all of the _steps_ within a flow) are presented to a user (or a group).
+
+A _stage binding_ connects a stage to a flow. The "additional content" (i.e. the content in the stage) is now added to the flow.
+
+:::info
+Be aware that some stages and flows do not allow user or group bindings, because in certain scenarios (authentication or enrollment), the flow plan doesn't yet know who the user or group is.
+:::
+
+For an overview about all the different types of bindings in authentik and how they are used, refer to [About authentik bindings](../../bindings-overview/index.md).

website/docs/add-secure-apps/flows-stages/stages/index.md

@@ -74,4 +74,4 @@ To bind a user or a group to a stage binding for a specific flow, follow these s
 8. In the drop-down list, select the group or user.
 9. Optionally, configure additional settings for the binding, and then click **Create** to create the binding and close the box.
 
-Learn more about [bindings](../bindings/index.md) and [working with them](../bindings/work_with_bindings.md).
+Learn more about the different types of [bindings](../../bindings-overview/index.md) in authentik and [working with them](../../bindings-overview/work-with-bindings.md).

website/docs/customize/policies/expression/source_switch.md

@@ -42,4 +42,4 @@ return False
 
 ## Bind the policy to the stage
 
-The new expression policy needs to be bound to the stage binding that comes after the Identification stage (or any custom stage that you might have created). For more information read our documentation about [bindings](../../../../add-secure-apps/flows-stages/bindings/), and for instructions to bind a policy, see [Bind a policy to a stage](../../../../customize/policies/working_with_policies/#bind-a-policy-to-a-stage).
+The new expression policy needs to be bound to the stage binding that comes after the Identification stage (or any custom stage that you might have created). For more information read our documentation about [bindings](../../../add-secure-apps/flows-stages/flow-stage-bindings/index.md), and for instructions to bind a policy, see [Bind a policy to a stage](../../../customize/policies/working_with_policies.md#bind-a-policy-to-a-stage).

website/docs/customize/policies/working_with_policies.md

@@ -10,7 +10,7 @@ authentik provides several [standard policy types](./index.md#standard-policies)
 You can add expressions to our standard policies to further customize them.
 :::
 
-To learn more, see the [bindings](../../add-secure-apps/flows-stages/bindings/index.md) and how to [bind policy bindings to a new application when the application is created](../../add-secure-apps/applications/manage_apps.mdx#create-an-application-and-provider-pair) documentation (for example, to configure application-specific access).
+To learn more, see the [bindings](../../add-secure-apps/bindings-overview/index.md) and how to [bind policy bindings to a new application when the application is created](../../add-secure-apps/applications/manage_apps.mdx#create-an-application-and-provider-pair) documentation (for example, to configure application-specific access).
 
 ## Create a policy
 
@@ -21,12 +21,17 @@ To create a new policy, _either a pre-configured one or an expression policy_, f
 3. Click **Create**, and select the type of policy. Here you select whether you want to create a custom expression policy, or a standard, out-of-the box one.
 4. Define the policy and click **Finish**.
 
-## Bind a policy to a flow or stage
+## Bind a policy to a flow, stage, application, or source
 
-After creating the policy, you can bind it to either a [flow](../../add-secure-apps/flows-stages/flow/index.md) or to a [stage](../../add-secure-apps/flows-stages/stages/index.md).
+After creating the policy, you can bind it to either a:
+
+- [flow](../../add-secure-apps/flows-stages/flow/index.md)
+- [stage](../../add-secure-apps/flows-stages/stages/index.md)
+- [application](../../add-secure-apps/applications/index.md)
+- [source](../../users-sources/sources/index.md)
 
 :::info
-Bindings are instantiated objects themselves, and conceptually can be considered as the "connector" between the policy and the stage or flow. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding, in order to intercept and enforce the criteria defined in the policy. To learn more refer to our [Bindings documentation](../../add-secure-apps/flows-stages/bindings/index.md).
+Bindings are instantiated objects themselves, and conceptually can be considered as the "connector" between the policy and the component to which it is bound. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding, in order to intercept and enforce the criteria defined in the policy. To learn more refer to our [Bindings documentation](../../add-secure-apps/bindings-overview/index.md).
 :::
 
 ### Bind a policy to a flow
@@ -50,3 +55,27 @@ These bindings control which stages are applied to a flow.
 5. Click the arrow (**>**) beside the name of the stage to which you want to bind a policy.
    The details for that stage displays.
 6. Here, you can decide if you want to create a new policy and bind it to the stage (**Create and bind Policy**), or if you want to select an existing policy and bind it to the stage (**Bind existing policy/group/user**).
+
+## Bind a policy to an application
+
+These bindings control which users or groups can access an application.
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Applications** > **Applications**.
+3. In the list of applications, click on the name of the application to which you want to bind a policy.
+4. Click on the **Policy/Group/User Bindings** tab at the top of the page.
+5. Here, select if you want to create a new policy and bind it to the application, or select an existing policy and bind it to the application:
+    - **Create and bind Policy**
+    - **Bind existing Policy/Group/User**
+
+## Bind a policy to a source
+
+These bindings control which users or groups can access an application.
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Directory** > **Federatin and Social login**.
+3. In the list of sources, click on the name of the source to which you want to bind a policy.
+4. Click on the **Policy Bindings** tab at the top of the page.
+5. Here, select if you want to create a new policy and bind it to the application, or select an existing policy and bind it to the application:
+    - **Create and bind Policy**
+    - **Bind existing Policy/Group/User**

website/docs/docusaurus.config.esm.mjs

@@ -58,7 +58,7 @@ export default createDocusaurusConfig(
         future: {
             experimental_faster: true,
         },
-
+        clientModules: ["../docusaurus-theme/theme/utils/mermaid_icons.js"],
         url: "https://docs.goauthentik.io",
         //#region Preset
 

website/docs/endpoint-devices/authentik-agent/configuration.md

@@ -42,7 +42,7 @@ The authentik agent requires an OAuth application/provider pair to handle authen
         - Select any available signing key.
         - Under **Advanced protocol settings**:
             - In addition to the three default **Selected Scopes**, add the `authentik default OAuth Mapping: OpenID 'offline_access'` scope.
-    - **Configure Bindings** _(optional)_: you can create a [binding](../../../add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage access to the application.
+    - **Configure Bindings** _(optional)_: you can create a [binding](../../add-secure-apps/bindings-overview/index.md) (policy, group, or user) to manage access to the application.
 
 3. Click **Submit** to save the new application and provider.
 

website/docs/endpoint-devices/device-authentication/cli-app-authentication/aws.mdx

@@ -25,7 +25,7 @@ To support the integration of authentik Agent with AWS CLI, you need to create a
         - Set the **Client ID** to `authentik-aws-cli`.
         - Select any available signing key.
         - Under **Machine-to-Machine authentication settings** add the `authentik-cli` provider as a **Federated OIDC Provider**.
-    - **Configure Bindings** _(optional)_: you can create a [binding](../../../../add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage access to the application.
+    - **Configure Bindings** _(optional)_: you can create a [binding](../../../add-secure-apps/bindings-overview/index.md) (policy, group, or user) to manage access to the application.
 
 3. Click **Submit** to save the new application and provider.
 

website/docs/endpoint-devices/device-authentication/cli-app-authentication/k8s.mdx

@@ -25,7 +25,7 @@ To support the integration of authentik Agent with `kubectl`, you need to create
         - Set the **Client ID** to `kubernetes-cluster`.
         - Select any available signing key.
         - Under **Machine-to-Machine authentication settings** add the `authentik-cli` provider as a **Federated OIDC Provider**.
-    - **Configure Bindings** _(optional)_: you can create a [binding](../../../../add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage access to the application.
+    - **Configure Bindings** _(optional)_: you can create a [binding](../../../add-secure-apps/bindings-overview/index.md) (policy, group, or user) to manage access to the application.
 
 3. Click **Submit** to save the new application and provider.
 

website/docs/enterprise/get-started.md

@@ -1,5 +1,5 @@
 ---
-title: Get started
+title: Get started with Enterprise
 ---
 
 Installing authentik is exactly the same process for both the Enterprise version and our open source version.

website/docs/install-config/configuration/configuration.mdx

@@ -635,7 +635,7 @@ Defaults to `/`.
 
 ## System settings
 
-Additional settings are configurable using the Admin interface, under **System** > **Settings** or using the API.
+Additional [system settings](../../sys-mgmt/settings.md) are configurable using the Admin interface, under **System** > **Settings** or using the API.
 
 ## Custom python settings
 

website/docs/install-config/first-steps/_blurb_first_steps.mdx

@@ -0,0 +1,14 @@
+You are now ready to add your first application and its provider. Then you'll want to add users and define groups, roles, and RBAC guidelines.
+
+To view a typical workflow for adding applications and users, with helpful context and explanations for each step, refer to the [First Steps](./index.mdx) tutorial.
+
+import DocCard from "@theme/DocCard";
+
+<DocCard
+    item={{
+        type: "link",
+        href: "../../first-steps",
+        label: "Potatoes",
+        description: "They're great!",
+    }}
+/>

website/docs/install-config/first-steps/index.mdx

@@ -0,0 +1,228 @@
+---
+title: First steps
+---
+
+import "./styles.css";
+
+After you have installed and started authentik, you are now ready to add your first application and provider, add some users, and get started with using authentik as your Identity provider.
+
+```mermaid
+architecture-beta
+
+    group first
+
+    service install(mdi:application-cog-outline)[Install authentik] in first
+    service acl(mdi:account-key-outline)[Access authentik] in first
+    service apps(mdi:plus-box-multiple-outline)[Add an app and provider] in first
+    service users(mdi:account-multiple-plus)[Create a new user] in first
+    service further(mdi:cog-clockwise)[Further customization] in first
+
+    install:R --> L:acl
+    acl:R --> L:apps
+    apps:R --> L:users
+    users:R --> L:further
+
+```
+
+## Where are we now, and what's next?
+
+The following tutorial assumes that you have already:
+
+1. Installed authentik on either [Docker Compose](../../install-config/install/docker-compose.mdx#install-and-start-authentik), [Kubernetes](../../install-config/install/kubernetes.md#install-authentik-helm-chart), or [AWS CloudFormation](../../install-config/install/aws.md) and confirmed that the server, worker, and the PostgreSQL database are started and running.
+
+2. Opened authentik in your browser to the `initial-setup` flow and added credentials for a default Admin account. ([Docker](../../install-config/install/docker-compose.mdx#access-authentik), [Kubernetes](../../install-config/install/kubernetes.md#access-authentik)), or [AWS CloudFormation](../../install-config/install/aws.md#access-authentik-from-aws-cloudformation).
+
+:::info Initial setup in browser
+You will get a `Not Found` error if the initial setup URL doesn't include the forward slash `/` at the very end of the URL. Also verify that the authentik server, worker, and PostgreSQL database are running and healthy. Review additional tips in our [troubleshooting docs](../../troubleshooting/login.md#cant-access-initial-setup-flow-during-installation-steps).
+:::
+
+Other optional pre-installation configurations that you might have already completed include:
+
+- [Configured your global email address](../email/#global-email-settings).
+- [Configured your PostgreSQL settings](../configuration/configuration.mdx#postgresql-settings) (read-replica, connections, etc.).
+- Configured a [reverse proxy](../reverse-proxy.md).
+- Configured your [media storage settings](../../install-config/configuration/configuration.mdx#media-storage-settings) or optionally [AWS S3 file storage](../../sys-mgmt/ops/storage-s3.md).
+- Added additional [custom configurations environment variables](../configuration/#set-your-environment-variables).
+- [Verified](../configuration/#verify-your-configuration-settings) your configuration settings.
+
+## Install your first application and provider
+
+Now that you have your authentik instance installed and configured with the required settings, you can add your first [application](../../../core/glossary/?application) and [provider](../../../core/glossary/?provider). After that, we'll walk through how to add your first user.
+
+:::tip Security Best Practice
+
+In a production environment, best practice is to first [create a group](../../users-sources/groups/manage_groups.mdx#create-a-group), then [create the user(s)](../../users-sources/user/user_basic_operations.md#create-a-user), and then add the application. Then you can configure the application to have a [binding](../../add-secure-apps/bindings-overview/work-with-bindings.md#) to a specific group or user. The binding controls the access to the application (whether or not it is displayed on a user's My Applications page).
+
+:::
+
+authentik supports integration with any application; refer to our [Integrations documentation](https://integrations.goauthentik.io) to view integrations guides for over 180 of the most common ones.
+
+**In this guide we'll be setting up Grafana as an example application.**
+
+<details>
+    <summary>Why Grafana?</summary>
+
+We'll use Grafana as an example application in this guide as it is very common and straight forward to setup.
+
+For more configuration options and full details about integrating with Grafana, refer to our [full integration guide](/integrationsmonitoring/grafana/). The following steps require that you have [Grafana instance running in Docker](https://grafana.com/docs/grafana/latest/setup-grafana/configure-docker/), and that you can access the authentik Admin interface.
+
+</details>
+
+### 1. Log in to authentik as an administrator and open the authentik Admin interface.
+
+    **A.** In the Admin interface, navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair.
+
+:::tip About application and provider pairs
+Every application that you add to authentik requires a provider, which is used to configure the specific protocol between the application and authentik, for example OAuth2/OIDC, SAML, LDAP, or others.
+:::
+
+**B.** Provide the details for the application (Grafana) and provider (OAuth2/OIDC).
+
+- **Configure the Application**:
+    - **Name**: provide a descriptive name (such as Grafana).
+        - **Group**: select an optional group for the application; groups are used to visually separate applications. For example, you can choose to group applications that you use for coding from those you use for internal communication.
+    - **Policy engine mode**: select **Any** for this tutorial; the mode determnes how strictly policies are adhered to.
+        - <strong className="tip">TIP</strong>: in authentik,
+          [policies](../../customize/policies/working_with_policies.md) are used in authentik to
+          fine-tune access to applications, flows, stages and many other authentik components. It is
+          not required to use a policy at all, though. The _policy engine mode_ setting of **Any**
+          means that as long as a single policy passes (or if there are no policies bound to the
+          application), then access to the application is granted. The mode **ALL** means that every
+          one of any policies bound to the application must pass in order for a user to have access
+          to the application.
+    - **UI Settings**: optional UI settings that are displayed about the application, including the launch URL, and three settings to display extra information about the application on the **My Applications** page: an optional icon, the publisher of the application, and a brief description.
+
+- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
+
+- **Configure the Provider**:
+    - **Name**: Provide a name (or accept the auto-provided name).
+    - **Authorization flow**: Select the default `implicit` authorization flow to use for this provider.
+        - <strong className="tip">TIP</strong>: The authorization
+          [flow](../../add-secure-apps/flows-stages/flow/index.md) is where the various steps, or
+          [_stages_](../../add-secure-apps/flows-stages/stages/index.md) of authorization are
+          defined and executed. The defined set of stages construct the workflows of authentication,
+          authorization, etc.
+    - **Protocol settings** provide the following required configurations:
+        - Note the **Client ID**, **Client Secret**, and **Slug** values because they will be required later when you configure Grafana to use authentik.
+        - Set a `Strict` redirect URI to `https://grafana.company/login/generic_oauth`.
+            - <strong className="tip">TIP</strong>: The Redirect URI is where the application will
+              go as soon as authentik's authorization flow is successfully completed.
+    - **Logout URI**: set to `https://grafana.company/logout`.
+    - **Logout Method**: set to `Front-channel`.
+        - <strong className="tip">TIP</strong>: With OAuth2, front-channel logout is considered the
+          default because most application (including Grafana) do not support back-channel logout.
+    - **Signing key**: select any available signing key.
+        - <strong className="tip">TIP</strong>: authentik generates a key that you can use, called
+          the `authentik Self-signed Certificate`, if you do not have a specific signing key for an
+          application.
+
+- **Configure Bindings** _(optional)_: for this tutorial, skip this step because you do not yet have a user. Later, after you create your first user, you can [create a binding](../../add-secure-apps/bindings-overview/work-with-bindings.md) to manage the display and access to applications on a user's **My applications** page.
+    - <strong className="tip">TIP</strong>: By creating a binding between an application and a
+      specific user, you are ensuring that the application is accessible only to that user and any
+      other users or groups for whom you created a binding. Learn more about how bindings are used
+      in authentik in our [Bindings overview](../../add-secure-apps/bindings-overview/index.md).
+
+    For any fields not mentioned above, you can leave the default value.
+
+**C.** Click **Submit** to save the new application and provider.
+
+### 2. Configure Grafana to use authentik as its IdP
+
+For some applications, you log into the application and configure settings there; with Grafana you simply edit your Grafana Docker Compose file. Here you add basic configuration settings as well as the **Client ID**, **Client Secret**, and the **Slug** values that you obtained when you configured the application and provider in authentik in Step 1. above.
+
+**A.** In the Grafana Docker Compose file, set the following environment variables:
+
+:::tip Tips
+These values below are for a [Grafana instance running in Docker](https://grafana.com/docs/grafana/latest/setup-grafana/configure-docker/); for standalone or Helm Chart instances refer to our [Grafana integration guide](https://integrations.goauthentik.io/monitoring/grafana/).
+
+Note that `authentik.company` is a placeholder that we use in our example settings; replace this with the domain that authentik is running on in your environment.
+:::
+
+```
+environment:
+    GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
+    GF_AUTH_GENERIC_OAUTH_NAME: "authentik"
+    GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "<Client ID from above>"
+    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "<Client Secret from above>"
+    GF_AUTH_GENERIC_OAUTH_SCOPES: "openid profile email"
+    GF_AUTH_GENERIC_OAUTH_AUTH_URL: "https://authentik.company/application/o/authorize/"
+    GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "https://authentik.company/application/o/token/"
+    GF_AUTH_GENERIC_OAUTH_API_URL: "https://authentik.company/application/o/userinfo/"
+    GF_AUTH_SIGNOUT_REDIRECT_URL: "https://authentik.company/application/o/<application_slug>/end-session/"
+    # Optionally enable auto-login (bypasses Grafana login screen)
+    GF_AUTH_OAUTH_AUTO_LOGIN: "true"
+    # Optionally map user groups to Grafana roles
+    GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
+    # Required if Grafana is running behind a reverse proxy
+    GF_SERVER_ROOT_URL: "https://grafana.company"
+```
+
+**B.** Save your Grafana Docker Compose file, and then launch the stack and access Grafana via your browser at the configured URL.
+
+**C.** To confirm that authentik is properly configured with the new application, log out of Grafana and then log back in using the **Sign in with authentik** button. You should be redirected to authentik to provide credentials.
+
+## Add your first user
+
+Now that you can access the authentik Admin interface, and you have added an application and provider, let's add a new user.
+
+### 1. Log in to authentik as an administrator and open the authentik Admin interface.
+
+    **A.** Navigate to **Directory > Users**, and click **New User**.
+
+    **B.** Fill in the **_required_** fields:
+
+    - **Username**: This value must be unique across all users.
+    - <strong className="tip">TIP</strong>: With OAuth2, front-channel logout is considered the default because most application
+          (including Grafana) do not support back-channel logout.
+    - **Path**: The path where the user will be created. By default the new user is created in the `users` directory, but you can change that later by editing the user.
+        - <strong className="tip">TIP</strong>: Paths are basically directories, that are used to organize your users (for example HR vs Sales, etc.). Paths do not ipoact access; they are purely organizational. Note that the top-level **users** directory displays all users in that directory and all sub-directories.
+
+    For information about the **_optional_** fields below, refer to our [documentation on managing users](../../users-sources/user/user_basic_operations.md#create-a-user).
+
+    - **Name**: The display name of the user.
+    - **Email**: The email address of the user. This is required for many integrations.
+    - **Is active**: Define the newly created user account as active.
+    - **Attributes**: You can leave this empty for this tutorial. This field can be used to store custom attributes for the user, in YAML or JSON format. These attributes can then be used within property mappings and policies.
+
+    **C.** Click **Create**.
+
+### 2. Verify that the new user was created
+
+- Look for the new user in the list on the **Directory** > **Users** page.
+
+## What's next?
+
+Now that you have added your first application, and a new user, here are some typical next steps:
+
+- Assign your new user to appropriate [groups](../../users-sources/user/user_basic_operations.md#add-a-user-to-a-group) and [roles](../../users-sources/user/user_basic_operations.md#add-a-user-to-a-role).
+- Configure federated or external [sources](../../users-sources/sources/index.md) (an existing source of user credentials and other user data).
+- Set up MFA
+- Define [property mappings](../../add-secure-apps/providers/property-mappings/index.md).
+- Create a [custom flow](../../add-secure-apps/flows-stages/flow/index.md#).
+- Install an [Enterprise license](../../enterprise/manage-enterprise.mdx#buy-a-license)
+- [Create a policy](../../customize/policies/index.md) to control access, force MFA use, etc..
+
+## Things to know and troubleshooting tips
+
+Review the following information to learn more about the basics of setting up authentik and for troubleshooting tips.
+
+### Modifying the Docker Compose file
+
+Especially when you are just starting out with authentik, we recommend that you use the default `docker-compose.yml` file that comes with the download, instead of trying to write the file from scratch. After you have successfully installed, configured, and accessed authentik, you can edit the file to do more advanced configurations, as documented in the [Configuration section](../../install-config/configuration/configuration.mdx).
+
+### Reverse proxy
+
+Typically authentik is set up with a reverse proxy in front of it. If you already have a reverse proxy that you are using to handle your incoming network traffic, you can simply use that same reverse proxy for authentik, by adding a few configuration values. For more details see the [Reverse proxy guide](../reverse-proxy.md).
+
+### The `latest` tag is deprecated
+
+The `:latest` tag has been deprecated and will never be updated from the 2025.2 release.
+Instead, use a specific version tag for authentik instances' container images, such as `:2025.12`.
+
+### Using bindings to allow or restrict access to applications
+
+Note that if you do not define any bindings, then all users have access to the application. For more information about user access, refer to our documentation about [authorization](../../add-secure-apps/applications/manage_apps.mdx#policy-driven-authorization) and [hiding an application](../../add-secure-apps/applications/manage_apps.mdx#hide-applications).
+
+### Upgrades
+
+When you are ready to upgrade to the latest version, be sure to read our [Upgrade documentation](../upgrade.mdx) and refer to the [Release Notes](../../releases/) for the specific version.

website/docs/install-config/first-steps/styles.css

@@ -0,0 +1,25 @@
+/**
+ * Mermaid architecture diagram styles
+ */
+
+#service-install {
+    --mm-service-icon-color: var(--ifm-color-primary);
+}
+
+#service-acl {
+    --mm-service-icon-color: var(--ifm-color-primary);
+}
+
+#service-apps {
+    --mm-service-icon-color: var(--ifm-color-primary);
+}
+#service-users {
+    --mm-service-icon-color: var(--ifm-color-primary);
+}
+#service-further {
+    --mm-service-icon-color: var(--ifm-color-primary);
+}
+
+.tip {
+    color: var(--ifm-color-success-dark);
+}

website/docs/install-config/install/aws.md

@@ -28,6 +28,16 @@ This stack will create the following resources:
 
 The stack will output the endpoint of the ALB that to which you can point your DNS records.
 
+## Access authentik from AWS CloudFormation
+
+To launch authentik, in your browser go to:
+
+`http://<domain_you_configured>/if/flow/initial-setup/`
+
+:::info Initial setup in browser
+You will get a `Not Found` error if initial setup URL doesn't include the trailing forward slash `/`. Also verify that the authentik server, worker, and PostgreSQL database are running and healthy. Review additional tips in our [troubleshooting docs](../../troubleshooting/login.md#cant-access-initial-setup-flow-during-installation-steps).
+:::
+
 ### Further customization
 
 If you require further customization, we recommend you install authentik via [Docker Compose](./docker-compose.mdx) or [Kubernetes](./kubernetes.md).

website/docs/install-config/install/docker-compose.mdx

@@ -1,5 +1,5 @@
 ---
-title: Compose installation
+title: Docker Compose installation
 ---
 
 This installation method is for test setups and small-scale production setups.
@@ -7,11 +7,12 @@ This installation method is for test setups and small-scale production setups.
 ## Requirements
 
 - A host with at least 2 CPU cores and 2 GB of RAM
-- Podman or Docker
 - Podman or Docker Compose (Compose v2, see [instructions for upgrade](https://docs.docker.com/compose/migrate/))
 
 ## Video
 
+View our video about installing authentik on Docker.
+
 <iframe
     width="560"
     height="315"
@@ -22,10 +23,9 @@ This installation method is for test setups and small-scale production setups.
     allowFullScreen
 ></iframe>
 
-## Preparation
+## Download the Compose file
 
-To download the latest `compose.yml` open your terminal and navigate to the directory of your choice.
-Run the following command:
+To download the latest `compose.yml` open your terminal, navigate to the directory of your choice, and then run the following command:
 
 import TabItem from "@theme/TabItem";
 import Tabs from "@theme/Tabs";
@@ -44,9 +44,11 @@ import Tabs from "@theme/Tabs";
     </TabItem>
 </Tabs>
 
-If this is a fresh authentik installation, you need to generate a password and a secret key. Use a secure password generator of your choice such as pwgen, or you can use `openssl` as below.
+## Generate PostgreSQL password and secret key
 
-Run the following commands to generate a password and secret key and write them to your `.env` file:
+If this is a fresh authentik installation, you need to generate a PostgreSQL password and a secret key. Use a secure password generator of your choice such as `pwgen`, or you can use `openssl` as below.
+
+Run the following commands to generate a PostgreSQL password and secret key and write them to your `.env` file:
 
 {/* prettier-ignore */}
 ```shell
@@ -64,36 +66,7 @@ To enable error reporting, run the following command:
 echo "AUTHENTIK_ERROR_REPORTING__ENABLED=true" >> .env
 ```
 
-## Email configuration (optional but recommended)
-
-It is also recommended to configure global email settings. These are used by authentik to notify administrators about alerts, configuration issues and new releases. They can also be used by [Email stages](../../add-secure-apps/flows-stages/stages/email/index.mdx) to send verification/recovery emails.
-
-For more information, refer to our [Email configuration](../email.mdx) documentation.
-
-## Startup
-
-:::warning
-All internal operations use UTC. Times displayed in the UI are automatically localized for the user. Do not update or mount `/etc/timezone` or `/etc/localtime` in the authentik containers; it will cause problems with OAuth and SAML authentication, as seen this [GitHub issue](https://github.com/goauthentik/authentik/issues/3005).
-:::
-
-Afterward, run these commands to finish:
-
-```shell
-docker compose pull
-docker compose up -d
-```
-
-The `compose.yml` file statically references the latest version available at the time of downloading the compose file. Each time you upgrade to a newer version of authentik, you download a new `compose.yml` file, which points to the latest available version. For more information, refer to the **Upgrading** section in the [Release Notes](../../../releases/).
-
-To start the initial setup, navigate to `http://<your server's IP or hostname>:9000/if/flow/initial-setup/`.
-
-:::info
-You will get a `Not Found` error if initial setup URL doesn't include the trailing forward slash `/`. Make sure you use the complete url (`http://<your server's IP or hostname>:9000/if/flow/initial-setup/`) including the trailing forward slash.
-:::
-
-There you are prompted to set a password for the `akadmin` user (the default user).
-
-For an explanation about what each service in the docker compose file does, see [Architecture](../../core/architecture.md).
+For an explanation about what each service in the Docker Compose file does, see [Architecture](../../core/architecture.md).
 
 ## Configure custom ports
 
@@ -119,3 +92,40 @@ This is used for [automatic deployment and management of authentik Outposts](../
 Mounting the Docker socket to a container comes with some inherent security risks. To reduce these risks, you can utilize a [Docker Socket Proxy](../../add-secure-apps/outposts/integrations/docker.md#docker-socket-proxy) as an additional layer of protection.
 
 Alternatively, you can remove this mount and instead [manually deploy and manage outposts](../../add-secure-apps/outposts/manual-deploy-docker-compose.md).
+
+## Email configuration (optional but recommended)
+
+It is also recommended to configure global email settings. These are used by authentik to notify administrators about alerts, configuration issues and new releases. They can also be used by [Email stages](../../add-secure-apps/flows-stages/stages/email/index.mdx) to send verification/recovery emails.
+
+For more information, refer to our [Email configuration](../email.mdx) documentation.
+
+## Install and start authentik
+
+:::warning
+All internal operations use UTC. Times displayed in the UI are automatically localized for the user. Do not update or mount `/etc/timezone` or `/etc/localtime` in the authentik containers; it will cause problems with OAuth and SAML authentication, as seen this [GitHub issue](https://github.com/goauthentik/authentik/issues/3005).
+:::
+
+After you have downloaded the `docker-compose.yml` file, generated a password and a secret key, and optionally configured your global email, run these commands to retrieve and install the current version of authentik:
+
+```shell
+docker compose pull
+docker compose up -d
+```
+
+The `compose.yml` file statically references the latest version available at the time of downloading the compose file. Each time you upgrade to a newer version of authentik, you download a new `compose.yml` file, which points to the latest available version. For more information, refer to the **Upgrading** section in the [Release Notes](../../../releases/).
+
+## Access authentik
+
+To start the initial setup, navigate to `http://<your server's IP or hostname>:9000/if/flow/initial-setup/`.
+
+:::info Initial setup in browser
+You will get a `Not Found` error if initial setup URL doesn't include the trailing forward slash `/`. Also verify that the authentik server, worker, and PostgreSQL database are running and healthy. Review additional tips in our [troubleshooting docs](../../troubleshooting/login.md#cant-access-initial-setup-flow-during-installation-steps).
+:::
+
+There you are prompted to set a password for the `akadmin` user (the default user).
+
+## First steps in authentik
+
+import BlurbFirstSteps from "../first-steps/_blurb_first_steps.mdx";
+
+<BlurbFirstSteps />

website/docs/install-config/install/kubernetes.md

@@ -15,9 +15,11 @@ You can also [view a video walk-through](https://www.youtube.com/watch?v=O1qUbrk
 
 ## Video
 
+View our video about installing authentik on Kubernetes.
+
 <iframe width="560" height="315" src="https://www.youtube.com/embed/O1qUbrk4Yc8?si=hs-ZhbVk4Y-TW_Vw&amp;start=562" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>
 
-## Generate Passwords
+## Generate passwords
 
 Start by generating passwords for the database and cache. You can use either of the following commands:
 
@@ -26,7 +28,7 @@ pwgen -s 50 1
 openssl rand 60 | base64 -w 0
 ```
 
-## Set Values
+## Set values
 
 Create a `values.yaml` file with a minimum of these settings:
 
@@ -41,9 +43,9 @@ authentik:
         password: "ThisIsNotASecurePassword"
 
 server:
-    ingress:
-        # Specify kubernetes ingress controller class name
-        ingressClassName: nginx | traefik | kong
+    gateway:
+        # Specify kubernetes gateway controller class name
+        GatewayClassName: nginx | traefik | kong
         enabled: true
         hosts:
             - authentik.domain.tld
@@ -56,6 +58,19 @@ postgresql:
 
 See all configurable values on [ArtifactHub](https://artifacthub.io/packages/helm/goauthentik/authentik).
 
+## PostgreSQL production setup
+
+The PostgreSQL database that is created by default during installation is only intended for demonstration and testing purposes. For production instances, you should use another installation method using one of the following operators:
+
+- [CloudNativePG](https://github.com/cloudnative-pg/cloudnative-pg)
+- [Zalando Postgres Operator](https://github.com/zalando/postgres-operator)
+
+## Email configuration (optional but recommended)
+
+It is also recommended to configure global email settings. These are used by authentik to notify administrators about alerts, configuration issues and new releases. They can also be used by [Email stages](../../add-secure-apps/flows-stages/stages/email/index.mdx) to send verification/recovery emails.
+
+For more information, refer to our [Email configuration](../email.mdx) documentation.
+
 ## Install authentik Helm Chart
 
 Now, execute the following commands to install authentik:
@@ -68,23 +83,16 @@ helm upgrade --install authentik authentik/authentik -f values.yaml
 
 During the installation process, the database migrations will be applied automatically on startup.
 
-## Accessing authentik
+## Access authentik
 
-After the installation is complete, access authentik at `https://<ingress-host-name>/if/flow/initial-setup/`. Here, you can set a password for the default `akadmin` user.
+After the installation is complete, access authentik at `https://<gateway-host-name>/if/flow/initial-setup/`. Here, you can set a password for the default `akadmin` user.
 
-:::info
-You will get a `Not Found` error if initial setup URL doesn't include the trailing forward slash `/`. Make sure you use the complete URL (`http://<ingress-host-name>/if/flow/initial-setup/`) including the trailing forward slash.
+:::info Initial setup in browser
+You will get a `Not Found` error if initial setup URL doesn't include the trailing forward slash `/`. Also verify that the authentik server, worker, and PostgreSQL database are running and healthy. Review additional tips in our [troubleshooting docs](../../troubleshooting/login.md#cant-access-initial-setup-flow-during-installation-steps).
 :::
 
-## PostgreSQL production setup
+## First steps in authentik
 
-We recommend using another installation method for PostgreSQL than the one provided that is only intended for demonstration and testing purposes. We recommend the following operators:
+import BlurbFirstSteps from "../first-steps/\_blurb_first_steps.mdx";
 
-- [CloudNativePG](https://github.com/cloudnative-pg/cloudnative-pg)
-- [Zalando Postgres Operator](https://github.com/zalando/postgres-operator)
-
-## Email configuration (optional but recommended)
-
-It is also recommended to configure global email settings. These are used by authentik to notify administrators about alerts, configuration issues and new releases. They can also be used by [Email stages](../../add-secure-apps/flows-stages/stages/email/index.mdx) to send verification/recovery emails.
-
-For more information, refer to our [Email configuration](../email.mdx) documentation.
+<BlurbFirstSteps />

website/docs/install-config/reverse-proxy.md

@@ -1,9 +1,9 @@
 ---
-title: Reverse-proxy
+title: Reverse proxy
 ---
 
 :::info
-Since authentik uses WebSockets to communicate with Outposts, it does not support HTTP/1.0 reverse-proxies. The HTTP/1.0 specification does not officially support WebSockets or protocol upgrades, though some clients may allow it.
+Since authentik uses WebSockets to communicate with Outposts, it does not support HTTP/1.0 reverse proxies. The HTTP/1.0 specification does not officially support WebSockets or protocol upgrades, though some clients may allow it.
 :::
 
 If you want to access authentik behind a reverse proxy, there are a few headers that must be passed upstream:

website/docs/mermaid.mjs

@@ -0,0 +1,9 @@
+import * as mdi from "@iconify-json/mdi";
+import mermaid from "mermaid";
+
+mermaid.registerIconPacks([
+    {
+        name: mdi.icons.prefix,
+        icons: mdi.icons,
+    },
+]);

website/docs/package.json

@@ -22,6 +22,10 @@
         "@docusaurus/types": "^3.9.2",
         "@goauthentik/docusaurus-config": "^2.2.2",
         "@goauthentik/docusaurus-theme": "*",
+        "@iconify-json/fa7-regular": "^1.2.2",
+        "@iconify-json/fa7-solid": "^1.2.3",
+        "@iconify-json/fluent-mdl2": "^1.2.1",
+        "@iconify-json/mdi": "^1.2.3",
         "@mdx-js/react": "^3.1.1",
         "@types/react": "^19.2.7",
         "@types/react-dom": "^19.2.3",

website/docs/sidebar.mjs

@@ -76,10 +76,9 @@ const items = [
                     "install-config/install/kubernetes",
                     "install-config/install/aws",
                 ],
+                //#endregion
             },
             {
-                //#endregion
-
                 //#region Configuration
                 type: "category",
                 label: "Configuration",
@@ -89,6 +88,7 @@ const items = [
                 },
                 items: [],
             },
+            "install-config/first-steps/index",
             "install-config/email",
             "install-config/upgrade",
             "install-config/beta",
@@ -332,20 +332,24 @@ const items = [
                             "add-secure-apps/flows-stages/stages/user_write",
                         ],
                     },
-                    {
-                        type: "category",
-                        label: "Bindings",
-                        link: {
-                            type: "doc",
-                            id: "add-secure-apps/flows-stages/bindings/index",
-                        },
-                        items: ["add-secure-apps/flows-stages/bindings/work_with_bindings"],
-                    },
+                    "add-secure-apps/flows-stages/flow-stage-bindings/index",
                 ],
             },
             {
                 //#endregion
 
+                //#region Bindings
+                type: "category",
+                label: "Bindings",
+                link: {
+                    type: "doc",
+                    id: "add-secure-apps/bindings-overview/index",
+                },
+                items: ["add-secure-apps/bindings-overview/work-with-bindings"],
+            },
+            {
+                //#endregion
+
                 //#region Outposts
                 type: "category",
                 label: "Outposts",

website/docs/users-sources/groups/manage_groups.mdx

@@ -51,6 +51,12 @@ You can assign a role to a group, and then all users in the group inherit the pe
 Roles are inherited through group hierarchy. If a parent group has a role assigned, all child groups (and their users) automatically inherit that role's permissions. You can view both directly assigned and inherited roles on a group's detail page under the **Roles** tab.
 :::
 
+## Bind a group to an application
+
+These bindings control which groups can access an application, and whether or not the application is visible in a group member's **My applications** page. If no bindings for an application are defined, this means that all users and groups can access the application.
+
+For instructions refer to [Manage applications](../../add-secure-apps/applications/manage_apps.mdx#bind-a-user-or-group-to-an-application).
+
 ## Delegating group member management
 
 To give a specific role or user the ability to manage group members, the following permissions need to be granted on the matching group object:

website/docs/users-sources/user/user_basic_operations.md

@@ -11,7 +11,7 @@ The following topics are for the basic management of users: how to create, modif
 > If you want to automate user creation, you can do that either by [invitations](./invitations.md), [`user_write` stage](../../add-secure-apps/flows-stages/stages/user_write.md), or [using the API](/api/reference/core-users-create).
 
 1. In the Admin interface of your authentik instance, select **Directory** > **Users** in the left side menu.
-2. Select the folder where you want to create a user.
+2. In the **User folders** area, select the folder where you want to create a user.
 3. Click **Create** (for a default user).
 4. Fill in the required fields:
 
@@ -101,6 +101,12 @@ On the flipside, to grant permissions on a user object to a role, review ["Manag
 Users also inherit roles from the groups they belong to. The **Roles** tab has two sub-tabs: **Assigned Roles** shows roles directly assigned to the user, while **All Roles** shows all roles including those inherited from groups. Inherited roles are marked with an "Inherited" label.
 :::
 
+## Bind a user to an application
+
+These bindings control which users can access an application, and whether or not the application is visible in the user's **My applications** page. If no bindings for an application are defined, this means that all users and groups can access the application.
+
+For instructions refer to [Manage applications](../../add-secure-apps/applications/manage_apps.mdx#bind-a-user-or-group-to-an-application).
+
 ## User credentials recovery
 
 If a user has lost their credentials and needs to recover their account, there are two available options:

website/docusaurus-theme/theme/DocItem/Content/index.tsx

@@ -8,6 +8,8 @@
  * support badges, and Authentik version badges.
  */
 
+import "./styles.css";
+
 import { SupportBadge } from "#components/SupportBadge.tsx";
 import { VersionBadge } from "#components/VersionBadge.tsx";
 

website/docusaurus-theme/theme/DocItem/Content/styles.css

@@ -0,0 +1,24 @@
+.docusaurus-mermaid-container {
+    .architecture-service {
+        svg {
+            color: var(--mm-service-icon-color, var(--ifm-color-content));
+        }
+
+        .text-inner-tspan {
+            font-weight: var(--ifm-font-weight-bold);
+        }
+    }
+
+    .architecture-edges {
+        .edge {
+            stroke: var(--mm-edge-color, var(--ifm-color-emphasis-800)) !important;
+        }
+        .arrow {
+            fill: var(--mm-arrow-color, var(--ifm-color-emphasis-800)) !important;
+        }
+    }
+
+    .architecture-groups .node-bkg {
+        stroke: var(--mm-group-border-color, transparent) !important;
+    }
+}

website/docusaurus-theme/theme/utils/mermaid_icons.js

@@ -0,0 +1,19 @@
+import * as fa7Regular from "@iconify-json/fa7-regular";
+import * as fa7Solid from "@iconify-json/fa7-solid";
+import * as mdi from "@iconify-json/mdi";
+import mermaid from "mermaid";
+
+mermaid.registerIconPacks([
+    {
+        name: fa7Regular.icons.prefix,
+        icons: fa7Regular.icons,
+    },
+    {
+        name: fa7Solid.icons.prefix,
+        icons: fa7Solid.icons,
+    },
+    {
+        name: mdi.icons.prefix,
+        icons: mdi.icons,
+    },
+]);

website/integrations/monitoring/grafana/index.mdx

@@ -38,7 +38,7 @@ To support the integration of Grafana with authentik, you need to create an appl
     - Set the Logout URI to `https://grafana.company/logout`.
     - Set the Logout Method to `Front-channel`.
     - Select any available signing key.
-- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
+- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the display and access to applications on a user's **My applications** page.
 
 3. Click **Submit** to save the new application and provider.
 

website/package-lock.json

@@ -112,6 +112,10 @@
                 "@docusaurus/types": "^3.9.2",
                 "@goauthentik/docusaurus-config": "^2.2.2",
                 "@goauthentik/docusaurus-theme": "*",
+                "@iconify-json/fa7-regular": "^1.2.2",
+                "@iconify-json/fa7-solid": "^1.2.3",
+                "@iconify-json/fluent-mdl2": "^1.2.1",
+                "@iconify-json/mdi": "^1.2.3",
                 "@mdx-js/react": "^3.1.1",
                 "@types/react": "^19.2.7",
                 "@types/react-dom": "^19.2.3",
@@ -134,6 +138,7 @@
             "dependencies": {
                 "@docusaurus/preset-classic": "^3.9.2",
                 "@goauthentik/docusaurus-config": "^2.2.2",
+                "@iconify-json/logos": "^1.2.9",
                 "@types/semver": "^7.7.1",
                 "clsx": "^2.1.1",
                 "fast-glob": "^3.3.3",
@@ -4938,6 +4943,51 @@
             "integrity": "sha512-trnsAYxU3xnS1gPHPyU961coFyLkh4gAD/0zQ5mymY4yOZ+CYvsPqUbOFSw0aDM4y0tV7tiFxL/1XfXPNC6IPg==",
             "license": "ISC"
         },
+        "node_modules/@iconify-json/fa7-regular": {
+            "version": "1.2.2",
+            "resolved": "https://registry.npmjs.org/@iconify-json/fa7-regular/-/fa7-regular-1.2.2.tgz",
+            "integrity": "sha512-SBSDkdE6yPhCxebAgpbDF9PPUJ7FKEtR/dMCqOqMHvZmJn4Cu/mz6ZVuY3S91PK11MMT/XeKE0aeVwCbgtWt5w==",
+            "license": "CC-BY-4.0",
+            "dependencies": {
+                "@iconify/types": "*"
+            }
+        },
+        "node_modules/@iconify-json/fa7-solid": {
+            "version": "1.2.3",
+            "resolved": "https://registry.npmjs.org/@iconify-json/fa7-solid/-/fa7-solid-1.2.3.tgz",
+            "integrity": "sha512-QMpjaoljKlJ33jnwIlvE/BF449AD+aVUe2o46Wl8oKUHCy+M2E4GRM4LvRaGdCOTUSE3VIQlXkqkYBug8WHEVQ==",
+            "license": "CC-BY-4.0",
+            "dependencies": {
+                "@iconify/types": "*"
+            }
+        },
+        "node_modules/@iconify-json/fluent-mdl2": {
+            "version": "1.2.1",
+            "resolved": "https://registry.npmjs.org/@iconify-json/fluent-mdl2/-/fluent-mdl2-1.2.1.tgz",
+            "integrity": "sha512-zFgd1V9r0a+mqA46Z4mOoSf6PbQbhYnY9Uhtpjl3xvw03doNolh4apMtsZoLlC/Y7wO2uj306MgziaqwWdNMwg==",
+            "license": "MIT",
+            "dependencies": {
+                "@iconify/types": "*"
+            }
+        },
+        "node_modules/@iconify-json/logos": {
+            "version": "1.2.10",
+            "resolved": "https://registry.npmjs.org/@iconify-json/logos/-/logos-1.2.10.tgz",
+            "integrity": "sha512-qxaXKJ6fu8jzTMPQdHtNxlfx6tBQ0jXRbHZIYy5Ilh8Lx9US9FsAdzZWUR8MXV8PnWTKGDFO4ZZee9VwerCyMA==",
+            "license": "CC0-1.0",
+            "dependencies": {
+                "@iconify/types": "*"
+            }
+        },
+        "node_modules/@iconify-json/mdi": {
+            "version": "1.2.3",
+            "resolved": "https://registry.npmjs.org/@iconify-json/mdi/-/mdi-1.2.3.tgz",
+            "integrity": "sha512-O3cLwbDOK7NNDf2ihaQOH5F9JglnulNDFV7WprU2dSoZu3h3cWH//h74uQAB87brHmvFVxIOkuBX2sZSzYhScg==",
+            "license": "Apache-2.0",
+            "dependencies": {
+                "@iconify/types": "*"
+            }
+        },
         "node_modules/@iconify/types": {
             "version": "2.0.0",
             "resolved": "https://registry.npmjs.org/@iconify/types/-/types-2.0.0.tgz",