Spelling

* website/docs: stages cleanup

* apply suggestions

* docs review

* website/docs: address review feedback for stages cleanup

Co-authored-by: Codex <codex@openai.com>

* website/docs: fix expression policy stage links

Co-authored-by: Codex <codex@openai.com>

* website/docs: fix SAML user write stage link

---------

Co-authored-by: Codex <codex@openai.com>

.github/actions/setup/action.yml

@@ -64,7 +64,7 @@ runs:
         rustflags: ""
     - name: Setup rust dependencies
       if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@db5fb34fa772531a3ece57ca434f579eb334e0fb # v2
+      uses: taiki-e/install-action@711e1c3275189d76dcc4d34ddea63bf96ac49090 # v2
       with:
         tool: cargo-deny cargo-machete cargo-llvm-cov nextest
     - name: Setup node (web)

authentik/api/ordering.py

@@ -0,0 +1,36 @@
+from django.db.models import F, QuerySet
+from rest_framework.filters import OrderingFilter
+from rest_framework.request import Request
+from rest_framework.views import APIView
+
+
+class NullsAwareOrderingFilter(OrderingFilter):
+    """OrderingFilter that sorts NULL values consistently.
+
+    For any nullable field, NULLs are treated as the smallest possible value:
+    - ascending  → NULLs appear first  (nulls_first=True)
+    - descending → NULLs appear last   (nulls_last=True)
+    """
+
+    def _nullable_field_names(self, queryset: QuerySet) -> set[str]:
+        return {f.name for f in queryset.model._meta.get_fields() if hasattr(f, "null") and f.null}
+
+    def filter_queryset(self, request: Request, queryset: QuerySet, view: APIView):
+        queryset = super().filter_queryset(request, queryset, view)
+        ordering = queryset.query.order_by
+        if not ordering:
+            return queryset
+        nullable = self._nullable_field_names(queryset)
+        new_ordering = []
+        changed = False
+        for term in ordering:
+            name = term.lstrip("-")
+            if name in nullable:
+                changed = True
+                if term.startswith("-"):
+                    new_ordering.append(F(name).desc(nulls_last=True))
+                else:
+                    new_ordering.append(F(name).asc(nulls_first=True))
+            else:
+                new_ordering.append(term)
+        return queryset.order_by(*new_ordering) if changed else queryset

authentik/api/tests/test_ordering.py

@@ -0,0 +1,59 @@
+from django.db.models import OrderBy
+from django.test import TestCase
+from rest_framework.request import Request
+from rest_framework.test import APIRequestFactory
+
+from authentik.api.ordering import NullsAwareOrderingFilter
+from authentik.core.models import Token, User
+
+
+class MockView:
+    ordering_fields = "__all__"
+    ordering = None
+
+
+class TestNullsAwareOrderingFilter(TestCase):
+
+    def setUp(self):
+        self.filter = NullsAwareOrderingFilter()
+        self.view = MockView()
+        factory = APIRequestFactory()
+        self._req = lambda ordering: Request(factory.get("/", {"ordering": ordering}))
+
+    def _order_by(self, model, ordering):
+        qs = model.objects.all()
+        return self.filter.filter_queryset(self._req(ordering), qs, self.view).query.order_by
+
+    def test_nullable_asc_nulls_first(self):
+        """Ascending sort on a nullable field rewrites to nulls_first=True."""
+        (expr,) = self._order_by(User, "last_login")
+        self.assertIsInstance(expr, OrderBy)
+        self.assertFalse(expr.descending)
+        self.assertTrue(expr.nulls_first)
+
+    def test_nullable_desc_nulls_last(self):
+        """Descending sort on a nullable field rewrites to nulls_last=True."""
+        (expr,) = self._order_by(User, "-last_login")
+        self.assertIsInstance(expr, OrderBy)
+        self.assertTrue(expr.descending)
+        self.assertTrue(expr.nulls_last)
+
+    def test_non_nullable_passes_through(self):
+        """Non-nullable fields are left as plain string terms."""
+        (expr,) = self._order_by(User, "username")
+        self.assertEqual(expr, "username")
+
+    def test_mixed_ordering(self):
+        """Only nullable terms are rewritten; non-nullable terms pass through unchanged."""
+        first, second = self._order_by(User, "username,-last_login")
+        self.assertEqual(first, "username")
+        self.assertIsInstance(second, OrderBy)
+        self.assertTrue(second.descending)
+        self.assertTrue(second.nulls_last)
+
+    def test_expires_nullable(self):
+        """expires on ExpiringModel is nullable and is rewritten correctly."""
+        (expr,) = self._order_by(Token, "-expires")
+        self.assertIsInstance(expr, OrderBy)
+        self.assertTrue(expr.descending)
+        self.assertTrue(expr.nulls_last)

authentik/blueprints/api.py

@@ -217,7 +217,10 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
 
     @extend_schema(
         request={"multipart/form-data": BlueprintUploadSerializer},
-        responses={200: BlueprintImportResultSerializer},
+        responses={
+            204: BlueprintImportResultSerializer,
+            400: BlueprintImportResultSerializer,
+        },
     )
     @action(url_path="import", detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
     @validate(
@@ -244,13 +247,21 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
 
         import_response = self.BlueprintImportResultSerializer(
             data={
-                "logs": [LogEventSerializer(log).data for log in logs],
-                "success": valid,
+                "logs": [],
+                "success": False,
             }
         )
         import_response.is_valid(raise_exception=True)
 
-        if valid:
-            import_response.initial_data["success"] = importer.apply()
-            import_response.is_valid()
+        import_response.initial_data["logs"] = [LogEventSerializer(log).data for log in logs]
+        import_response.initial_data["success"] = valid
+        import_response.is_valid()
+        if not valid:
+            return Response(data=import_response.initial_data, status=200)
+
+        successful = importer.apply()
+        import_response.initial_data["success"] = successful
+        import_response.is_valid()
+        if not successful:
+            return Response(data=import_response.initial_data, status=200)
         return Response(data=import_response.initial_data, status=200)

authentik/blueprints/tests/test_v1_api.py

@@ -3,7 +3,6 @@
 from json import dumps, loads
 from tempfile import NamedTemporaryFile, mkdtemp
 
-from django.core.files.uploadedfile import SimpleUploadedFile
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from yaml import dump
@@ -142,20 +141,6 @@ class TestBlueprintsV1API(APITestCase):
             )
         self.assertEqual(res.status_code, 200)
 
-    def test_api_import_invalid_blueprint_returns_result_payload(self):
-        """Invalid blueprint content returns a result payload instead of a 400 response."""
-        file = SimpleUploadedFile("invalid-blueprint.yaml", b'{"version": 3}')
-
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={"file": file},
-            format="multipart",
-        )
-
-        self.assertEqual(res.status_code, 200)
-        self.assertFalse(res.json()["success"])
-        self.assertGreater(len(res.json()["logs"]), 0)
-
     def test_api_import_unknown_path(self):
         """Path not in available blueprints is rejected (covers api.py:56)."""
         res = self.client.post(

authentik/root/settings.py

@@ -221,7 +221,7 @@ REST_FRAMEWORK = {
         "authentik.api.search.ql.QLSearch",
         "authentik.rbac.filters.ObjectFilter",
         "django_filters.rest_framework.DjangoFilterBackend",
-        "rest_framework.filters.OrderingFilter",
+        "authentik.api.ordering.NullsAwareOrderingFilter",
     ],
     "DEFAULT_PERMISSION_CLASSES": ("authentik.rbac.permissions.ObjectPermissions",),
     "DEFAULT_AUTHENTICATION_CLASSES": (

authentik/stages/authenticator/models.py

@@ -389,17 +389,19 @@ class ThrottlingMixin(models.Model):
         """Check if throttling is enabled"""
         return self.get_throttle_factor() > 0
 
-    def get_throttle_factor(self):  # pragma: no cover
+    def get_throttle_factor(self) -> float:  # pragma: no cover
         """
-        This must be implemented to return the throttle factor.
+        Returns the throttling factor.
+        """
+        return getattr(self, "_throttle_factor", 1.0)
+
+    def set_throttle_factor(self, throttle_factor: float) -> None:
+        """
+        Sets the throttle factor to use. Call this to override the default value of 1.
 
         The number of seconds required between verification attempts will be
         :math:`c2^{n-1}` where `c` is this factor and `n` is the number of
         previous failures. A factor of 1 translates to delays of 1, 2, 4, 8,
         etc. seconds. A factor of 0 disables the throttling.
-
-        Normally this is just a wrapper for a plugin-specific setting like
-        :setting:`OTP_EMAIL_THROTTLE_FACTOR`.
-
         """
-        raise NotImplementedError()
+        self._throttle_factor = throttle_factor

authentik/stages/authenticator/tests.py

@@ -6,7 +6,6 @@ from threading import Thread
 from django.contrib.auth.models import AnonymousUser
 from django.db import connection
 from django.test import TestCase, TransactionTestCase
-from django.test.utils import override_settings
 from django.utils import timezone
 from freezegun import freeze_time
 
@@ -110,8 +109,24 @@ class ThrottlingTestMixin:
             self.assertEqual(verify_is_allowed3, True)
             self.assertEqual(data3, None)
 
+    def test_set_throttle_factor_is_reflected(self):
+        """`set_throttle_factor` must drive `get_throttle_factor`."""
+        self.device.set_throttle_factor(5.5)
+        self.assertEqual(self.device.get_throttle_factor(), 5.5)
+        self.device.set_throttle_factor(0)
+        self.assertEqual(self.device.get_throttle_factor(), 0)
+
+    def test_throttling_disabled_by_factor_zero(self):
+        """Setting the throttle factor to 0 must actually disable throttling.
+
+        A failed attempt followed by a successful one must succeed. The lockout
+        path must not kick in when the factor is 0.
+        """
+        self.device.set_throttle_factor(0)
+        self.assertFalse(self.device.verify_token(self.invalid_token()))
+        self.assertTrue(self.device.verify_token(self.valid_token()))
+
 
-@override_settings(OTP_STATIC_THROTTLE_FACTOR=0)
 class APITestCase(TestCase):
     """Test API"""
 
@@ -119,6 +134,7 @@ class APITestCase(TestCase):
         self.alice = create_test_admin_user("alice")
         self.bob = create_test_admin_user("bob")
         device = self.alice.staticdevice_set.create()
+        device.set_throttle_factor(0)
         self.valid = generate_id(length=16)
         device.token_set.create(token=self.valid)
 
@@ -138,6 +154,8 @@ class APITestCase(TestCase):
         verified = verify_token(self.alice, device.persistent_id, "bogus")
         self.assertIsNone(verified)
 
+        self.alice.staticdevice_set.get().throttle_reset()
+
         verified = verify_token(self.alice, device.persistent_id, self.valid)
         self.assertIsNotNone(verified)
 
@@ -146,11 +164,12 @@ class APITestCase(TestCase):
         verified = match_token(self.alice, "bogus")
         self.assertIsNone(verified)
 
+        self.alice.staticdevice_set.get().throttle_reset()
+
         verified = match_token(self.alice, self.valid)
         self.assertEqual(verified, self.alice.staticdevice_set.first())
 
 
-@override_settings(OTP_STATIC_THROTTLE_FACTOR=0)
 class ConcurrencyTestCase(TransactionTestCase):
     """Test concurrent verifications"""
 

authentik/stages/authenticator_email/migrations/0003_emaildevice_throttling_failure_count_and_more.py

@@ -0,0 +1,33 @@
+# Generated by Django 5.2.12 on 2026-04-02 15:14
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_stages_authenticator_email",
+            "0002_alter_authenticatoremailstage_friendly_name",
+        ),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="emaildevice",
+            name="throttling_failure_count",
+            field=models.PositiveIntegerField(
+                default=0, help_text="Number of successive failed attempts."
+            ),
+        ),
+        migrations.AddField(
+            model_name="emaildevice",
+            name="throttling_failure_timestamp",
+            field=models.DateTimeField(
+                blank=True,
+                default=None,
+                help_text="A timestamp of the last failed verification attempt. Null if last attempt succeeded.",
+                null=True,
+            ),
+        ),
+    ]

authentik/stages/authenticator_email/models.py

@@ -14,7 +14,7 @@ from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
-from authentik.stages.authenticator.models import SideChannelDevice
+from authentik.stages.authenticator.models import SideChannelDevice, ThrottlingMixin
 from authentik.stages.email.models import EmailTemplates
 from authentik.stages.email.utils import TemplateEmailMessage
 
@@ -116,7 +116,7 @@ class AuthenticatorEmailStage(ConfigurableStage, FriendlyNamedStage, Stage):
         verbose_name_plural = _("Email Authenticator Setup Stages")
 
 
-class EmailDevice(SerializerModel, SideChannelDevice):
+class EmailDevice(SerializerModel, ThrottlingMixin, SideChannelDevice):
     """Email Device"""
 
     user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
@@ -130,6 +130,20 @@ class EmailDevice(SerializerModel, SideChannelDevice):
 
         return EmailDeviceSerializer
 
+    def verify_token(self, token: str) -> bool:
+        verify_allowed, _ = self.verify_is_allowed()
+        if verify_allowed:
+            verified = super().verify_token(token)
+
+            if verified:
+                self.throttle_reset()
+            else:
+                self.throttle_increment()
+        else:
+            verified = False
+
+        return verified
+
     def _compose_email(self) -> TemplateEmailMessage:
         try:
             pending_user = self.user

authentik/stages/authenticator_email/tests.py

@@ -8,6 +8,7 @@ from django.core.mail.backends.locmem import EmailBackend
 from django.core.mail.backends.smtp import EmailBackend as SMTPEmailBackend
 from django.db.utils import IntegrityError
 from django.template.exceptions import TemplateDoesNotExist
+from django.test import TestCase
 from django.urls import reverse
 from django.utils.timezone import now
 
@@ -16,6 +17,7 @@ from authentik.flows.models import FlowStageBinding
 from authentik.flows.tests import FlowTestCase
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.email import mask_email
+from authentik.stages.authenticator.tests import ThrottlingTestMixin
 from authentik.stages.authenticator_email.api import (
     AuthenticatorEmailStageSerializer,
     EmailDeviceSerializer,
@@ -79,6 +81,7 @@ class TestAuthenticatorEmailStage(FlowTestCase):
         self.assertFalse(self.device.verify_token("000000"))
 
         # Verify correct token (should clear token after verification)
+        self.device.throttle_reset(commit=False)
         self.assertTrue(self.device.verify_token(token))
         self.assertIsNone(self.device.token)
 
@@ -329,3 +332,27 @@ class TestAuthenticatorEmailStage(FlowTestCase):
         # Test AuthenticatorEmailStage send method
         self.stage.send(self.device)
         self.assertEqual(len(mail.outbox), 1)
+
+
+class TestEmailDeviceThrottling(ThrottlingTestMixin, TestCase):
+    def setUp(self):
+        super().setUp()
+        flow = create_test_flow()
+        user = create_test_user()
+        stage = AuthenticatorEmailStage.objects.create(
+            name="email-authenticator-throttle",
+            use_global_settings=True,
+            from_address="test@authentik.local",
+            configure_flow=flow,
+            token_expiry="minutes=30",
+        )  # nosec
+        self.device = EmailDevice.objects.create(
+            user=user, stage=stage, email="throttle@authentik.local"
+        )
+        self.device.generate_token()
+
+    def valid_token(self):
+        return self.device.token
+
+    def invalid_token(self):
+        return "000000" if self.device.token != "000000" else "111111"

authentik/stages/authenticator_sms/migrations/0009_smsdevice_throttling_failure_count_and_more.py

@@ -0,0 +1,30 @@
+# Generated by Django 5.2.12 on 2026-04-16 17:28
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_stages_authenticator_sms", "0008_alter_authenticatorsmsstage_friendly_name"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="smsdevice",
+            name="throttling_failure_count",
+            field=models.PositiveIntegerField(
+                default=0, help_text="Number of successive failed attempts."
+            ),
+        ),
+        migrations.AddField(
+            model_name="smsdevice",
+            name="throttling_failure_timestamp",
+            field=models.DateTimeField(
+                blank=True,
+                default=None,
+                help_text="A timestamp of the last failed verification attempt. Null if last attempt succeeded.",
+                null=True,
+            ),
+        ),
+    ]

authentik/stages/authenticator_sms/models.py

@@ -20,7 +20,7 @@ from authentik.events.utils import sanitize_item
 from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.http import get_http_session
-from authentik.stages.authenticator.models import SideChannelDevice
+from authentik.stages.authenticator.models import SideChannelDevice, ThrottlingMixin
 
 LOGGER = get_logger()
 
@@ -197,7 +197,7 @@ def hash_phone_number(phone_number: str) -> str:
     return "hash:" + sha256(phone_number.encode()).hexdigest()
 
 
-class SMSDevice(SerializerModel, SideChannelDevice):
+class SMSDevice(SerializerModel, ThrottlingMixin, SideChannelDevice):
     """SMS Device"""
 
     user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
@@ -224,11 +224,19 @@ class SMSDevice(SerializerModel, SideChannelDevice):
 
         return SMSDeviceSerializer
 
-    def verify_token(self, token):
-        valid = super().verify_token(token)
-        if valid:
-            self.save()
-        return valid
+    def verify_token(self, token: str) -> bool:
+        verify_allowed, _ = self.verify_is_allowed()
+        if verify_allowed:
+            verified = super().verify_token(token)
+
+            if verified:
+                self.throttle_reset()
+            else:
+                self.throttle_increment()
+        else:
+            verified = False
+
+        return verified
 
     def __str__(self):
         return str(self.name) or str(self.user_id)

authentik/stages/authenticator_sms/tests.py

@@ -3,6 +3,7 @@
 from unittest.mock import MagicMock, patch
 from urllib.parse import parse_qsl
 
+from django.test import TestCase
 from django.urls import reverse
 from requests_mock import Mocker
 
@@ -12,6 +13,7 @@ from authentik.flows.planner import FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
+from authentik.stages.authenticator.tests import ThrottlingTestMixin
 from authentik.stages.authenticator_sms.models import (
     AuthenticatorSMSStage,
     SMSDevice,
@@ -357,3 +359,30 @@ class AuthenticatorSMSStageTests(FlowTestCase):
             },
             phone_number_required=False,
         )
+
+
+class TestSMSDeviceThrottling(ThrottlingTestMixin, TestCase):
+    """Test ThrottlingMixin behaviour on SMSDevice.verify_token"""
+
+    def setUp(self):
+        super().setUp()
+        flow = create_test_flow()
+        user = create_test_admin_user()
+        stage = AuthenticatorSMSStage.objects.create(
+            flow=flow,
+            name="sms-throttle",
+            provider=SMSProviders.GENERIC,
+            from_number="1234",
+        )
+        self.device = SMSDevice.objects.create(
+            user=user,
+            stage=stage,
+            phone_number="+15551230001",
+        )
+        self.device.generate_token()
+
+    def valid_token(self):
+        return self.device.token
+
+    def invalid_token(self):
+        return "000000" if self.device.token != "000000" else "111111"

authentik/stages/authenticator_static/models.py

@@ -3,7 +3,6 @@
 from base64 import b32encode
 from os import urandom
 
-from django.conf import settings
 from django.core.validators import MaxValueValidator
 from django.db import models
 from django.utils.translation import gettext_lazy as _
@@ -78,9 +77,6 @@ class StaticDevice(SerializerModel, ThrottlingMixin, Device):
 
         return StaticDeviceSerializer
 
-    def get_throttle_factor(self):
-        return getattr(settings, "OTP_STATIC_THROTTLE_FACTOR", 1)
-
     def verify_token(self, token):
         verify_allowed, _ = self.verify_is_allowed()
         if verify_allowed:

authentik/stages/authenticator_static/tests.py

@@ -1,6 +1,5 @@
 """Test Static API"""
 
-from django.test.utils import override_settings
 from django.urls import reverse
 from rest_framework.test import APITestCase
 
@@ -44,9 +43,6 @@ class DeviceTest(TestCase):
         str(device)
 
 
-@override_settings(
-    OTP_STATIC_THROTTLE_FACTOR=1,
-)
 class ThrottlingTestCase(ThrottlingTestMixin, TestCase):
     """Test static device throttling"""
 

authentik/stages/authenticator_totp/models.py

@@ -194,9 +194,6 @@ class TOTPDevice(SerializerModel, ThrottlingMixin, Device):
 
         return verified
 
-    def get_throttle_factor(self):
-        return getattr(settings, "OTP_TOTP_THROTTLE_FACTOR", 1)
-
     @property
     def config_url(self):
         """

authentik/stages/authenticator_totp/tests.py

@@ -63,11 +63,14 @@ class TOTPDeviceMixin:
 
 @override_settings(
     OTP_TOTP_SYNC=False,
-    OTP_TOTP_THROTTLE_FACTOR=0,
 )
 class TOTPTest(TOTPDeviceMixin, TestCase):
     """TOTP tests"""
 
+    def setUp(self):
+        super().setUp()
+        self.device.set_throttle_factor(0)
+
     def test_default_key(self):
         """Ensure default_key is valid"""
         device = self.alice.totpdevice_set.create()
@@ -190,9 +193,6 @@ class TOTPTest(TOTPDeviceMixin, TestCase):
         self.assertEqual(params["image"][0], image_url)
 
 
-@override_settings(
-    OTP_TOTP_THROTTLE_FACTOR=1,
-)
 class ThrottlingTestCase(TOTPDeviceMixin, ThrottlingTestMixin, TestCase):
     """Test TOTP Throttling"""
 

authentik/stages/authenticator_validate/api.py

@@ -39,6 +39,10 @@ class AuthenticatorValidateStageSerializer(StageSerializer):
             "webauthn_hints",
             "webauthn_allowed_device_types",
             "webauthn_allowed_device_types_obj",
+            "email_otp_throttling_factor",
+            "sms_otp_throttling_factor",
+            "totp_otp_throttling_factor",
+            "static_otp_throttling_factor",
         ]
 
 

authentik/stages/authenticator_validate/challenge.py

@@ -3,6 +3,7 @@
 from typing import TYPE_CHECKING
 from urllib.parse import urlencode
 
+from django.db import transaction
 from django.http import HttpRequest
 from django.http.response import Http404
 from django.shortcuts import get_object_or_404
@@ -29,8 +30,8 @@ from authentik.flows.stage import StageView
 from authentik.lib.utils.email import mask_email
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.root.middleware import ClientIPMiddleware
-from authentik.stages.authenticator import match_token
-from authentik.stages.authenticator.models import Device
+from authentik.stages.authenticator import devices_for_user
+from authentik.stages.authenticator.models import Device, ThrottlingMixin
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 from authentik.stages.authenticator_email.models import EmailDevice
 from authentik.stages.authenticator_sms.models import SMSDevice
@@ -143,7 +144,20 @@ def select_challenge_email(request: HttpRequest, device: EmailDevice):
 def validate_challenge_code(code: str, stage_view: StageView, user: User) -> Device:
     """Validate code-based challenges. We test against every device, on purpose, as
     the user mustn't choose between totp and static devices."""
-    device = match_token(user, code)
+
+    with transaction.atomic():
+        for device in devices_for_user(user, for_verify=True):
+            if isinstance(device, ThrottlingMixin):
+                throttling_factor = stage_view.executor.current_stage.get_throttling_factor(
+                    DeviceClasses.from_model_label(device.model_label())
+                )
+                if throttling_factor is not None:
+                    device.set_throttle_factor(throttling_factor)
+            if device.verify_token(code):
+                break
+        else:
+            device = None
+
     if not device:
         login_failed.send(
             sender=__name__,

authentik/stages/authenticator_validate/migrations/0016_authenticatorvalidatestage_email_otp_throttling_factor_and_more.py

@@ -0,0 +1,36 @@
+# Generated by Django 5.2.12 on 2026-04-16 16:33
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        (
+            "authentik_stages_authenticator_validate",
+            "0015_authenticatorvalidatestage_webauthn_hints",
+        ),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="authenticatorvalidatestage",
+            name="email_otp_throttling_factor",
+            field=models.FloatField(default=1),
+        ),
+        migrations.AddField(
+            model_name="authenticatorvalidatestage",
+            name="sms_otp_throttling_factor",
+            field=models.FloatField(default=1),
+        ),
+        migrations.AddField(
+            model_name="authenticatorvalidatestage",
+            name="static_otp_throttling_factor",
+            field=models.FloatField(default=1),
+        ),
+        migrations.AddField(
+            model_name="authenticatorvalidatestage",
+            name="totp_otp_throttling_factor",
+            field=models.FloatField(default=1),
+        ),
+    ]

authentik/stages/authenticator_validate/models.py

@@ -22,6 +22,12 @@ class DeviceClasses(models.TextChoices):
     SMS = "sms", _("SMS")
     EMAIL = "email", _("Email")
 
+    @staticmethod
+    def from_model_label(model_label: str) -> DeviceClasses:
+        return getattr(
+            DeviceClasses, model_label.rsplit(".", maxsplit=1)[-1][: -len("device")].upper()
+        )
+
 
 def default_device_classes() -> list:
     """By default, accept all device classes"""
@@ -82,6 +88,11 @@ class AuthenticatorValidateStage(Stage):
         "authentik_stages_authenticator_webauthn.WebAuthnDeviceType", blank=True
     )
 
+    email_otp_throttling_factor = models.FloatField(default=1)
+    sms_otp_throttling_factor = models.FloatField(default=1)
+    totp_otp_throttling_factor = models.FloatField(default=1)
+    static_otp_throttling_factor = models.FloatField(default=1)
+
     @property
     def serializer(self) -> type[BaseSerializer]:
         from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
@@ -98,6 +109,17 @@ class AuthenticatorValidateStage(Stage):
     def component(self) -> str:
         return "ak-stage-authenticator-validate-form"
 
+    def get_throttling_factor(self, device_class: DeviceClasses) -> float | None:
+        if device_class == DeviceClasses.EMAIL:
+            return self.email_otp_throttling_factor
+        elif device_class == DeviceClasses.SMS:
+            return self.sms_otp_throttling_factor
+        elif device_class == DeviceClasses.TOTP:
+            return self.totp_otp_throttling_factor
+        elif device_class == DeviceClasses.STATIC:
+            return self.static_otp_throttling_factor
+        return None
+
     class Meta:
         verbose_name = _("Authenticator Validation Stage")
         verbose_name_plural = _("Authenticator Validation Stages")

authentik/stages/authenticator_validate/tests/test_throttling.py

@@ -0,0 +1,247 @@
+from django.test import TestCase
+from django.test.client import RequestFactory
+from django.urls.base import reverse
+from rest_framework.exceptions import ValidationError
+
+from authentik.core.tests.utils import create_test_admin_user, create_test_flow
+from authentik.flows.models import FlowStageBinding
+from authentik.flows.stage import StageView
+from authentik.flows.tests import FlowTestCase
+from authentik.flows.views.executor import FlowExecutorView
+from authentik.lib.generators import generate_id
+from authentik.stages.authenticator_email.models import AuthenticatorEmailStage, EmailDevice
+from authentik.stages.authenticator_sms.models import (
+    AuthenticatorSMSStage,
+    SMSDevice,
+    SMSProviders,
+)
+from authentik.stages.authenticator_validate.challenge import validate_challenge_code
+from authentik.stages.authenticator_validate.models import (
+    AuthenticatorValidateStage,
+    DeviceClasses,
+)
+from authentik.stages.identification.models import IdentificationStage, UserFields
+
+
+class DeviceClassesHelperTests(TestCase):
+    """Tests for the DeviceClasses.from_model_label helper."""
+
+    def test_from_model_label_all_classes(self):
+        cases = {
+            "authentik_stages_authenticator_email.emaildevice": DeviceClasses.EMAIL,
+            "authentik_stages_authenticator_sms.smsdevice": DeviceClasses.SMS,
+            "authentik_stages_authenticator_totp.totpdevice": DeviceClasses.TOTP,
+            "authentik_stages_authenticator_static.staticdevice": DeviceClasses.STATIC,
+            "authentik_stages_authenticator_duo.duodevice": DeviceClasses.DUO,
+            "authentik_stages_authenticator_webauthn.webauthndevice": DeviceClasses.WEBAUTHN,
+        }
+        for label, expected in cases.items():
+            with self.subTest(label=label):
+                self.assertEqual(DeviceClasses.from_model_label(label), expected)
+
+
+class AuthenticatorValidateStageFactorTests(TestCase):
+    """Tests for AuthenticatorValidateStage.get_throttling_factor."""
+
+    def test_per_class_factors_returned(self):
+        stage = AuthenticatorValidateStage.objects.create(
+            name=generate_id(),
+            email_otp_throttling_factor=5,
+            sms_otp_throttling_factor=6,
+            totp_otp_throttling_factor=7,
+            static_otp_throttling_factor=8,
+        )
+        self.assertEqual(stage.get_throttling_factor(DeviceClasses.EMAIL), 5)
+        self.assertEqual(stage.get_throttling_factor(DeviceClasses.SMS), 6)
+        self.assertEqual(stage.get_throttling_factor(DeviceClasses.TOTP), 7)
+        self.assertEqual(stage.get_throttling_factor(DeviceClasses.STATIC), 8)
+
+    def test_no_factor_for_webauthn_or_duo(self):
+        stage = AuthenticatorValidateStage.objects.create(name=generate_id())
+        self.assertIsNone(stage.get_throttling_factor(DeviceClasses.WEBAUTHN))
+        self.assertIsNone(stage.get_throttling_factor(DeviceClasses.DUO))
+
+
+class ValidateChallengeCodeThrottlingTests(FlowTestCase):
+    """Tests for validate_challenge_code throttling behavior."""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = create_test_admin_user()
+        self.request_factory = RequestFactory()
+        self.email_stage = AuthenticatorEmailStage.objects.create(
+            name="email-stage-validate-throttle",
+            use_global_settings=True,
+            from_address="test@authentik.local",
+            token_expiry="minutes=30",
+        )  # nosec
+        self.sms_stage = AuthenticatorSMSStage.objects.create(
+            name="sms-stage-validate-throttle",
+            provider=SMSProviders.GENERIC,
+            from_number="1234",
+        )
+
+    def _validate_stage(self, **factors) -> AuthenticatorValidateStage:
+        return AuthenticatorValidateStage.objects.create(
+            name=generate_id(),
+            device_classes=[
+                DeviceClasses.EMAIL,
+                DeviceClasses.SMS,
+                DeviceClasses.TOTP,
+                DeviceClasses.STATIC,
+            ],
+            **factors,
+        )
+
+    def _stage_view(self, validate_stage: AuthenticatorValidateStage) -> StageView:
+        request = self.request_factory.get("/")
+        return StageView(FlowExecutorView(current_stage=validate_stage), request=request)
+
+    def _email_device(self, email: str = "throttle@authentik.local") -> EmailDevice:
+        return EmailDevice.objects.create(
+            user=self.user,
+            stage=self.email_stage,
+            confirmed=True,
+            email=email,
+        )
+
+    def _sms_device(self, phone_number: str = "+15551230101") -> SMSDevice:
+        return SMSDevice.objects.create(
+            user=self.user,
+            stage=self.sms_stage,
+            confirmed=True,
+            phone_number=phone_number,
+        )
+
+    def test_stage_factor_applied_to_email_device(self):
+        """The stage's email_otp_throttling_factor is pushed onto the device before verify."""
+        stage = self._validate_stage(email_otp_throttling_factor=3)
+        device = self._email_device()
+        device.generate_token()
+        with self.assertRaises(ValidationError):
+            validate_challenge_code("000000", self._stage_view(stage), self.user)
+        device.refresh_from_db()
+        self.assertEqual(device.throttling_failure_count, 1)
+        # verify_is_allowed must compute the delay using factor=3 (3 * 2^0 = 3s).
+        device.set_throttle_factor(3)
+        allowed, data = device.verify_is_allowed()
+        self.assertFalse(allowed)
+        required = data["locked_until"] - device.throttling_failure_timestamp
+        self.assertAlmostEqual(required.total_seconds(), 3, places=3)
+
+    def test_factor_zero_disables_throttling_end_to_end(self):
+        """With email_otp_throttling_factor=0, repeated failures do not lock the device."""
+        stage = self._validate_stage(email_otp_throttling_factor=0)
+        device = self._email_device()
+        device.generate_token()
+        token = device.token
+        for _ in range(10):
+            with self.assertRaises(ValidationError):
+                validate_challenge_code("000000", self._stage_view(stage), self.user)
+        matched = validate_challenge_code(token, self._stage_view(stage), self.user)
+        self.assertEqual(matched.pk, device.pk)
+
+    def test_lockout_persists_across_calls(self):
+        """
+        A correct token on the second call is still blocked and does not increment the counter.
+        """
+        stage = self._validate_stage(email_otp_throttling_factor=1)
+        device = self._email_device()
+        device.generate_token()
+        token = device.token
+        invalid_token = "000000" if token != "000000" else "111111"  # nosec
+        with self.assertRaises(ValidationError):
+            validate_challenge_code(invalid_token, self._stage_view(stage), self.user)
+        # Immediately try with the correct token: lockout still active, attempt must be rejected.
+        with self.assertRaises(ValidationError):
+            validate_challenge_code(token, self._stage_view(stage), self.user)
+        device.refresh_from_db()
+        # Token wasn't consumed (verification never ran), and counter didn't get incremented.
+        self.assertEqual(device.token, token)
+        self.assertEqual(device.throttling_failure_count, 1)
+
+
+class ValidateStageThrottlingFlowTests(FlowTestCase):
+    """End-to-end lockout behavior through the flow executor HTTP API."""
+
+    def setUp(self) -> None:
+        super().setUp()
+        self.user = create_test_admin_user()
+        self.email_stage = AuthenticatorEmailStage.objects.create(
+            name="email-stage-flow-throttle",
+            use_global_settings=True,
+            from_address="test@authentik.local",
+            token_expiry="minutes=30",
+        )  # nosec
+        self.ident_stage = IdentificationStage.objects.create(
+            name=generate_id(),
+            user_fields=[UserFields.USERNAME],
+        )
+        self.validate_stage = AuthenticatorValidateStage.objects.create(
+            name=generate_id(),
+            device_classes=[DeviceClasses.EMAIL],
+            email_otp_throttling_factor=1,
+        )
+        self.flow = create_test_flow()
+        FlowStageBinding.objects.create(target=self.flow, stage=self.ident_stage, order=0)
+        FlowStageBinding.objects.create(target=self.flow, stage=self.validate_stage, order=1)
+
+    def _identify(self):
+        response = self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            {"uid_field": self.user.username},
+            follow=True,
+        )
+        self.assertEqual(response.status_code, 200)
+
+    def _select_email(self, device: EmailDevice):
+        self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            {
+                "component": "ak-stage-authenticator-validate",
+                "selected_challenge": {
+                    "device_class": "email",
+                    "device_uid": str(device.pk),
+                    "challenge": {},
+                    "last_used": None,
+                },
+            },
+        )
+
+    def test_bad_code_then_correct_code_is_still_blocked(self):
+        """After a bad code over HTTP, a subsequent correct code is still rejected
+        because the lockout persists in the database."""
+        device = EmailDevice.objects.create(
+            user=self.user,
+            confirmed=True,
+            stage=self.email_stage,
+            email="throttle-flow@authentik.local",
+        )
+        self._identify()
+        self._select_email(device)
+        # Server generated and stored the token - grab it from DB.
+        device.refresh_from_db()
+        token = device.token
+        # First attempt: bad code - must increment the DB counter.
+        self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            {"component": "ak-stage-authenticator-validate", "code": "000000"},
+        )
+        device.refresh_from_db()
+        self.assertEqual(device.throttling_failure_count, 1)
+        self.assertEqual(device.token, token)
+        # Second attempt with the correct token - still blocked.
+        response = self.client.post(
+            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
+            {"component": "ak-stage-authenticator-validate", "code": token},
+        )
+        self.assertStageResponse(
+            response,
+            flow=self.flow,
+            component="ak-stage-authenticator-validate",
+        )
+        device.refresh_from_db()
+        # Counter wasn't incremented on a blocked attempt
+        self.assertEqual(device.throttling_failure_count, 1)
+        # Token wasn't consumed.
+        self.assertEqual(device.token, token)

blueprints/schema.json

@@ -14936,6 +14936,22 @@
                         "format": "uuid"
                     },
                     "title": "Webauthn allowed device types"
+                },
+                "email_otp_throttling_factor": {
+                    "type": "number",
+                    "title": "Email otp throttling factor"
+                },
+                "sms_otp_throttling_factor": {
+                    "type": "number",
+                    "title": "Sms otp throttling factor"
+                },
+                "totp_otp_throttling_factor": {
+                    "type": "number",
+                    "title": "Totp otp throttling factor"
+                },
+                "static_otp_throttling_factor": {
+                    "type": "number",
+                    "title": "Static otp throttling factor"
                 }
             },
             "required": []

lifecycle/aws/package-lock.json

@@ -9,7 +9,7 @@
             "version": "0.0.0",
             "license": "MIT",
             "devDependencies": {
-                "aws-cdk": "^2.1119.0",
+                "aws-cdk": "^2.1120.0",
                 "cross-env": "^10.1.0"
             },
             "engines": {
@@ -25,9 +25,9 @@
             "license": "MIT"
         },
         "node_modules/aws-cdk": {
-            "version": "2.1119.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1119.0.tgz",
-            "integrity": "sha512-XBxZEKH3BY4M1EX6x0qBkmOAj8viErjpww14iH6Z3z6nI0YzjZeJ05eEl7eJwzUgv7NTGagWBS9m/eDJW5+dAg==",
+            "version": "2.1120.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1120.0.tgz",
+            "integrity": "sha512-vDVa0IX0FhizARdY/GLSParFglKbdHCIhM8IDmynrAv9w8uLLljzWMeLUOhC1XpMErDZ/npYEihAOjfKxTaMIw==",
             "dev": true,
             "license": "Apache-2.0",
             "bin": {

lifecycle/aws/package.json

@@ -7,7 +7,7 @@
         "aws-cfn": "cross-env CI=false cdk synth --version-reporting=false > template.yaml"
     },
     "devDependencies": {
-        "aws-cdk": "^2.1119.0",
+        "aws-cdk": "^2.1120.0",
         "cross-env": "^10.1.0"
     },
     "engines": {

locale/cs_CZ/LC_MESSAGES/django.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-10 19:27+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Václav Nováček <waclaw661@gmail.com>, 2026\n"
 "Language-Team: Czech (Czech Republic) (https://app.transifex.com/authentik/teams/119923/cs_CZ/)\n"
@@ -106,6 +106,14 @@ msgstr "Chyba validace"
 msgid "Blueprint file does not exist"
 msgstr "Soubor s konfigurační šablonou neexistuje"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Ověřování konfigurační šablony selhalo"
@@ -114,6 +122,11 @@ msgstr "Ověřování konfigurační šablony selhalo"
 msgid "Either path or content must be set."
 msgstr "Musí být nastavena buď cesta, nebo obsah."
 
+#: authentik/blueprints/api.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "Uživatel nemá oprávnění vytvořit {model}"
+
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Spravuje authentik"
@@ -244,10 +257,13 @@ msgstr ""
 "pouze poskytovatele backchannel. Pokud je vypnuto, backchannel poskytovatelé"
 " nejsou zahrnuti."
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "Uživatel nemá oprávnění vytvořit {model}"
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
+msgstr ""
 
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -309,6 +325,12 @@ msgstr ""
 msgid "This field is required."
 msgstr "Toto pole je povinné."
 
+#: authentik/core/apps.py
+msgid ""
+"Configure if applications without any policy/group/user bindings should be "
+"accessible to any user."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "name"
 msgstr "Jméno"
@@ -415,6 +437,10 @@ msgstr "Interní název aplikace, používaný v URI."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Otevřít úvodní URL v novém okně nebo kartě prohlížeče."
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Aplikace"
@@ -606,6 +632,14 @@ msgstr "Odstranit dočasné uživatele vytvořené zdroji SAML."
 msgid "Go home"
 msgstr "Přejít domů"
 
+#: authentik/core/templates/login/base_full.html
+msgid "Site footer"
+msgstr ""
+
+#: authentik/core/templates/login/base_full.html
+msgid "Flow links"
+msgstr ""
+
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -712,6 +746,10 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "Objevit, importovat a aktualizovat certifikáty na souborovém systému."
 
+#: authentik/endpoints/api/stages.py
+msgid "Selected connector is not compatible with this stage."
+msgstr ""
+
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -766,6 +804,14 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""
 
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclave"
+msgstr ""
+
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclaves"
+msgstr ""
+
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -837,6 +883,12 @@ msgstr ""
 msgid "Enterprise is required to use this endpoint."
 msgstr ""
 
+#: authentik/enterprise/audit/apps.py
+msgid ""
+"Include additional information in audit logs, may incur a performance "
+"penalty."
+msgstr ""
+
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -854,6 +906,19 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""
 
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connector"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connectors"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Ověřuji Váš prohlížeč..."
+
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -870,10 +935,6 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr ""
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -901,7 +962,8 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
@@ -915,7 +977,7 @@ msgid ""
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
+msgid "Dispatch tasks to apply lifecycle rules."
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
@@ -1158,6 +1220,14 @@ msgstr "Pro použití EAP-TLS je nutná Enterprise licence."
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "Pro použití OAuth režimu je vyžadována Enterprise licence."
 
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Push"
+msgstr ""
+
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Pull"
+msgstr ""
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1239,6 +1309,78 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Fáze konektoru Endpoint Authenticator Google Device Trust"
@@ -1255,10 +1397,6 @@ msgstr "Koncové zařízení"
 msgid "Endpoint Devices"
 msgstr "Koncová zařízení"
 
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Ověřuji Váš prohlížeč..."
-
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1341,6 +1479,12 @@ msgstr ""
 "Odeslat oznámení pouze jednou, například při posílání webhooku do kanálu "
 "chatu."
 
+#: authentik/events/models.py
+msgid ""
+"When set, the selected ceritifcate is used to validate the certificate of "
+"the webhook server."
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1511,6 +1655,15 @@ msgstr "Zásady před tokem"
 msgid "Flow"
 msgstr "Tok"
 
+#: authentik/flows/apps.py
+msgid "Refresh other tabs after successful authentication."
+msgstr ""
+
+#: authentik/flows/apps.py
+msgid ""
+"Upon successful authentication, re-start authentication in other open tabs."
+msgstr ""
+
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Tok se nevztahuje na aktuálního uživatele."
@@ -1620,8 +1773,8 @@ msgstr "Token Toku"
 msgid "Flow Tokens"
 msgstr "Tokeny Toků"
 
-#: authentik/flows/templates/if/flow.html
-msgid "Site footer"
+#: authentik/flows/planner.py
+msgid "This link is invalid or has expired. Please request a new one."
 msgstr ""
 
 #: authentik/flows/views/executor.py
@@ -2006,22 +2159,6 @@ msgstr "Reputační skóre"
 msgid "Reputation Scores"
 msgstr "Reputační skóre"
 
-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "Čeká se na ověření..."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-"Už se přihlašujete na jiné záložce. Stránka se obnoví, jakmile bude ověření "
-"dokončeno."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "Ověřit na této záložce"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Nedostatečná oprávnění"
@@ -2147,6 +2284,14 @@ msgstr "Striktní porovnání URL"
 msgid "Regular Expression URL matching"
 msgstr "Porovnání URL regulárním výrazem"
 
+#: authentik/providers/oauth2/models.py
+msgid "Authorization"
+msgstr ""
+
+#: authentik/providers/oauth2/models.py
+msgid "Logout"
+msgstr ""
+
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "Back-channel"
@@ -2504,10 +2649,6 @@ msgstr "Poskytovatel proxy"
 msgid "Proxy Providers"
 msgstr "Poskytovatelé proxy"
 
-#: authentik/providers/proxy/tasks.py
-msgid "Terminate session on Proxy outpost."
-msgstr "Ukončit relaci na outpostu proxy."
-
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2635,8 +2776,10 @@ msgstr ""
 "omezení publika nebude přidáno."
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "Také známé jako EntityID."
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2854,6 +2997,10 @@ msgstr "Hodnota SAML NameID pro tuto relaci"
 msgid "SAML NameID format"
 msgstr "Formát SAML NameID"
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "Relace SAML"
@@ -2882,6 +3029,14 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr ""
 
+#: authentik/providers/scim/models.py
+msgid "Webex"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3158,7 +3313,7 @@ msgstr ""
 "                    Prosím, kontaktujte správce.\n"
 "                "
 
-#: authentik/sources/ldap/api.py
+#: authentik/sources/ldap/api/sources.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr "Je dovolen pouze jeden zdroj LDAP se synchronizací hesel"
 
@@ -3688,6 +3843,12 @@ msgstr ""
 "Povolit autentikační tok iniciovaný Identity Providerem. Může představovat "
 "bezpečnostní riziko, protože se nekontroluje request ID."
 
+#: authentik/sources/saml/models.py
+msgid ""
+"When enabled, the IdP will re-authenticate the user even if a session "
+"exists."
+msgstr ""
+
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4108,6 +4269,10 @@ msgstr "Kroky validace autentikátoru"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Žádný (povolený) MFA autentikátor nebyl nastaven."
 
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "When enabled, a given device can only be registered once."
+msgstr ""
+
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Krok nastavení autentikátoru WebAuthn"
@@ -4243,6 +4408,10 @@ msgstr "Email OTP"
 msgid "Event Notification"
 msgstr "Oznámení o události"
 
+#: authentik/stages/email/models.py authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Pozvánka"
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4361,6 +4530,62 @@ msgstr ""
 "\n"
 "Tento email byl odeslán z transportu oznámení %(name)s.\n"
 
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"      You're Invited!\n"
+"      "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          You have been invited to join %(host)s. Click the button below to get started.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          This invitation expires %(expires)s.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "Accept Invitation"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
+"    "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "You're Invited!"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid ""
+"You have been invited to join %(host)s. Use the link below to get started."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid "This invitation expires %(expires)s."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid ""
+"If you cannot click the link above, please copy and paste the following URL "
+"into your browser:"
+msgstr ""
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4538,10 +4763,6 @@ msgstr "Pokud je povoleno, pozvánka bude po použití smazána."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr ""
 
-#: authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Pozvánka"
-
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Pozvánky"
@@ -4654,6 +4875,18 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr ""
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Výběr jazyků, které authentik podporuje"

locale/de_DE/LC_MESSAGES/django.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-23 00:25+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Lukas Nielsen, 2026\n"
 "Language-Team: German (Germany) (https://app.transifex.com/authentik/teams/119923/de_DE/)\n"
@@ -68,7 +68,7 @@ msgstr "Dateiname zu lang (max. {MAX_FILE_NAME_LENGTH} Zeichen)"
 #: authentik/admin/files/validation.py
 #, python-brace-format
 msgid "Path component too long (max {MAX_PATH_COMPONENT_LENGTH} characters)"
-msgstr "Dateipfad zu lang (max. {MAX_PATH_COMPONENT_LENGTH} Zeichen)"
+msgstr "Dateipfad zu lang (max. {MAX_FILE_NAME_LENGTH} Zeichen)"
 
 #: authentik/admin/models.py
 msgid "Version history"
@@ -111,6 +111,14 @@ msgstr "Validierungsfehler"
 msgid "Blueprint file does not exist"
 msgstr "Vorlagendatei existiert nicht"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Fehler bei der Validierung der Vorlage"
@@ -257,6 +265,14 @@ msgstr ""
 "werden nur die backchannel Provider zurück gegeben. Zudem werden bei "
 "Deaktivierung die backchannel Provider ausgeschlossen."
 
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
+msgstr ""
+
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "Es sind keine führenden oder abschließenden Schrägstriche erlaubt."
@@ -435,6 +451,10 @@ msgstr "Interner Anwendungsname, wird in URLs verwendet."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Start-URL in einem neuen Browser-Fenster öffnen."
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Anwendung"
@@ -934,10 +954,6 @@ msgstr "Es muss entweder eine Prüfergruppe oder ein Prüfer festgelegt werden."
 msgid "Grace period must be shorter than the interval."
 msgstr "Die Nachfrist muss kürzer sein als das Intervall."
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr "Für jeden Objekttyp ist nur eine typweite Regel zulässig."
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -968,10 +984,9 @@ msgid "Go to {self._get_model_name()}"
 msgstr "Gehe zu {self._get_model_name()}"
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
-"Die Zugriffsüberprüfung für {self.content_type.name} {str(self.object)} "
-"steht an"
 
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
@@ -988,8 +1003,8 @@ msgstr ""
 "erledigt"
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
-msgstr "Aufgaben zur Überprüfung von Lebenszyklusregeln zuweisen."
+msgid "Dispatch tasks to apply lifecycle rules."
+msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
 msgid "Apply lifecycle rule."
@@ -1332,6 +1347,78 @@ msgstr "Download"
 msgid "Generate data export."
 msgstr "Datenexport generieren."
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Endpunkt-Authenticator für Google Gerätevertrauen Verbindungs Stage"
@@ -2777,8 +2864,10 @@ msgstr ""
 "Feld leer, wird keine Zielgruppenbeschränkung hinzugefügt."
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "Auch bekannt als EntityID"
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -3000,6 +3089,10 @@ msgstr "SAML-NameID-Wert für diese Sitzung"
 msgid "SAML NameID format"
 msgstr "SAML-NameID-Format"
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "SAML Sitzung"
@@ -3032,6 +3125,10 @@ msgstr "Salesforce"
 msgid "Webex"
 msgstr "Webex"
 
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -4946,6 +5043,18 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Statisch: Statischer Wert, wird so angezeigt, wie er ist."
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "Authentik: Auswahl der von Authentik unterstützten Gebietsschemata"

locale/es_ES/LC_MESSAGES/django.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-10 19:27+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Spanish (Spain) (https://app.transifex.com/authentik/teams/119923/es_ES/)\n"
@@ -105,6 +105,14 @@ msgstr "Error de validación"
 msgid "Blueprint file does not exist"
 msgstr "El archivo de plantilla(blueprint) no existe"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "No se pudo validar la plantilla(blueprint)"
@@ -113,6 +121,11 @@ msgstr "No se pudo validar la plantilla(blueprint)"
 msgid "Either path or content must be set."
 msgstr "Se debe establecer una ruta o contenido."
 
+#: authentik/blueprints/api.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "El usuario carece de permisos para crear {model}"
+
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Administrado por authentik"
@@ -248,10 +261,13 @@ msgstr ""
 "secundario. Cuando se configura como falso, se excluyen los proveedores de "
 "canal secundario."
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "El usuario carece de permisos para crear {model}"
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
+msgstr ""
 
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -313,6 +329,12 @@ msgstr ""
 msgid "This field is required."
 msgstr ""
 
+#: authentik/core/apps.py
+msgid ""
+"Configure if applications without any policy/group/user bindings should be "
+"accessible to any user."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "name"
 msgstr "nombre"
@@ -419,6 +441,10 @@ msgstr "Nombre de la aplicación interna, utilizado en las URL."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Abrir la URL de inicio en una nueva pestaña o ventana del navegador."
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Aplicación"
@@ -609,6 +635,14 @@ msgstr "Eliminar usuarios temporales creados por SAML Sources."
 msgid "Go home"
 msgstr "Ir al inicio"
 
+#: authentik/core/templates/login/base_full.html
+msgid "Site footer"
+msgstr ""
+
+#: authentik/core/templates/login/base_full.html
+msgid "Flow links"
+msgstr ""
+
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -716,6 +750,10 @@ msgid "Discover, import and update certificates from the filesystem."
 msgstr ""
 "Descubra, importe y actualice certificados desde el sistema de archivos."
 
+#: authentik/endpoints/api/stages.py
+msgid "Selected connector is not compatible with this stage."
+msgstr ""
+
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -770,6 +808,14 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""
 
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclave"
+msgstr ""
+
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclaves"
+msgstr ""
+
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -840,6 +886,12 @@ msgstr "Se requiere de Enterprise para crear/actualizar este objeto."
 msgid "Enterprise is required to use this endpoint."
 msgstr ""
 
+#: authentik/enterprise/audit/apps.py
+msgid ""
+"Include additional information in audit logs, may incur a performance "
+"penalty."
+msgstr ""
+
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -857,6 +909,19 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""
 
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connector"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connectors"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Verificando tu navegador..."
+
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -873,10 +938,6 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr ""
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -904,7 +965,8 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
@@ -918,7 +980,7 @@ msgid ""
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
+msgid "Dispatch tasks to apply lifecycle rules."
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
@@ -1159,6 +1221,14 @@ msgstr ""
 msgid "Enterprise is required to use the OAuth mode."
 msgstr ""
 
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Push"
+msgstr ""
+
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Pull"
+msgstr ""
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1240,6 +1310,78 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
@@ -1260,10 +1402,6 @@ msgstr "Dispositivo de Punto de Conexión"
 msgid "Endpoint Devices"
 msgstr "Dispositivos de Punto de Conexión"
 
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Verificando tu navegador..."
-
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1347,6 +1485,12 @@ msgstr ""
 "Envía notificaciones solo una vez, por ejemplo, al enviar un webhook a un "
 "canal de chat."
 
+#: authentik/events/models.py
+msgid ""
+"When set, the selected ceritifcate is used to validate the certificate of "
+"the webhook server."
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1518,6 +1662,15 @@ msgstr "Políticas pre-flujo"
 msgid "Flow"
 msgstr "Flujo"
 
+#: authentik/flows/apps.py
+msgid "Refresh other tabs after successful authentication."
+msgstr ""
+
+#: authentik/flows/apps.py
+msgid ""
+"Upon successful authentication, re-start authentication in other open tabs."
+msgstr ""
+
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "El flujo no aplica al usuario actual."
@@ -1630,8 +1783,8 @@ msgstr "Token de flujo"
 msgid "Flow Tokens"
 msgstr "Tokens de flujo"
 
-#: authentik/flows/templates/if/flow.html
-msgid "Site footer"
+#: authentik/flows/planner.py
+msgid "This link is invalid or has expired. Please request a new one."
 msgstr ""
 
 #: authentik/flows/views/executor.py
@@ -2022,22 +2175,6 @@ msgstr "Puntuación de Reputacion"
 msgid "Reputation Scores"
 msgstr "Puntuaciones de Reputacion"
 
-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "Esperando autenticación"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-"Ya estás autenticándote en otra pestaña. Esta página se actualizará una vez "
-"que la autenticación se haya completado."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "Autenticar en esta pestaña"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permiso denegado"
@@ -2166,6 +2303,14 @@ msgstr "Comparación de URL estricta"
 msgid "Regular Expression URL matching"
 msgstr "Coincidencia de URL con Expresiones Regulares"
 
+#: authentik/providers/oauth2/models.py
+msgid "Authorization"
+msgstr ""
+
+#: authentik/providers/oauth2/models.py
+msgid "Logout"
+msgstr ""
+
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr ""
@@ -2528,10 +2673,6 @@ msgstr "Proveedor de Proxy"
 msgid "Proxy Providers"
 msgstr "Proveedores de Proxy"
 
-#: authentik/providers/proxy/tasks.py
-msgid "Terminate session on Proxy outpost."
-msgstr "Terminar sesión en Proxy outpost."
-
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2663,8 +2804,10 @@ msgstr ""
 "vacío, no se agregará ninguna restricción de audiencia."
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "También conocido como EntityID"
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2877,6 +3020,10 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr ""
@@ -2905,6 +3052,14 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr ""
 
+#: authentik/providers/scim/models.py
+msgid "Webex"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3188,7 +3343,7 @@ msgstr ""
 "                    Por favor, contacta a tu administrador.\n"
 "                "
 
-#: authentik/sources/ldap/api.py
+#: authentik/sources/ldap/api/sources.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
 "Solo está permitida una Fuente de LDAP con sincronización de contraseña"
@@ -3722,6 +3877,12 @@ msgstr ""
 " un riesgo para la seguridad, ya que no se valida el identificador de la "
 "solicitud."
 
+#: authentik/sources/saml/models.py
+msgid ""
+"When enabled, the IdP will re-authenticate the user even if a session "
+"exists."
+msgstr ""
+
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4150,6 +4311,10 @@ msgstr "Etapas de Validación del Autenticador"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "No hay un autenticador MFA (permitido) configurado."
 
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "When enabled, a given device can only be registered once."
+msgstr ""
+
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Etapa de Configuración del Autenticador WebAuthn"
@@ -4288,6 +4453,10 @@ msgstr "OTP por Correo Electrónico"
 msgid "Event Notification"
 msgstr ""
 
+#: authentik/stages/email/models.py authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Invitación"
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4408,6 +4577,62 @@ msgstr ""
 "\n"
 "Este correo electrónico fue enviado desde el transporte de notificaciones %(name)s.\n"
 
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"      You're Invited!\n"
+"      "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          You have been invited to join %(host)s. Click the button below to get started.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          This invitation expires %(expires)s.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "Accept Invitation"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
+"    "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "You're Invited!"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid ""
+"You have been invited to join %(host)s. Use the link below to get started."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid "This invitation expires %(expires)s."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid ""
+"If you cannot click the link above, please copy and paste the following URL "
+"into your browser:"
+msgstr ""
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4591,10 +4816,6 @@ msgstr "Cuando se habilita, la invitación se eliminará después de su uso."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Datos fijos opcionales para aplicar en la inscripción de usuarios."
 
-#: authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Invitación"
-
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Invitaciones"
@@ -4719,6 +4940,18 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Estático: valor estático, que se muestra tal cual."
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr ""

locale/fi_FI/LC_MESSAGES/django.po

@@ -5,18 +5,18 @@
 # 
 # Translators:
 # Marc Schmitt, 2025
-# Skyler Mäntysaari, 2025
 # Jiri Grönroos <jiri.gronroos@iki.fi>, 2025
-# Viima Veteläinen, 2026
+# Uumas, 2026
+# Skyler Mäntysaari, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-10 19:27+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Viima Veteläinen, 2026\n"
+"Last-Translator: Skyler Mäntysaari, 2026\n"
 "Language-Team: Finnish (Finland) (https://app.transifex.com/authentik/teams/119923/fi_FI/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -113,6 +113,14 @@ msgstr "Vahvistusvirhe"
 msgid "Blueprint file does not exist"
 msgstr "Suunnitelman tiedostoa ei löydetty"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Suunnitelman validointi ei onnistunut"
@@ -121,6 +129,11 @@ msgstr "Suunnitelman validointi ei onnistunut"
 msgid "Either path or content must be set."
 msgstr "Joko polku tai sisältö on määritettävä."
 
+#: authentik/blueprints/api.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "Käyttäjältä puuttuu oikeus luoda {model}"
+
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Authentikin hallinnoima"
@@ -248,10 +261,13 @@ msgstr ""
 "true, vain taustakanava-tarjoajat palautetaan. Kun asetus on false, "
 "takakanava-tarjoajat suljetaan pois."
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "Käyttäjältä puuttuu oikeus luoda {model}"
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
+msgstr ""
 
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -313,6 +329,12 @@ msgstr "Sähköpostivaihetta ei löydetty."
 msgid "This field is required."
 msgstr "Tämä kenttä on pakollinen."
 
+#: authentik/core/apps.py
+msgid ""
+"Configure if applications without any policy/group/user bindings should be "
+"accessible to any user."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "name"
 msgstr "nimi"
@@ -419,6 +441,10 @@ msgstr "Sovelluksen sisäinen nimi, jota käytetään URLeissa."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Avaa käynnistys-URL uuteen selainvälilehteen tai -ikkunaan."
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Sovellus"
@@ -608,6 +634,14 @@ msgstr "Poista SAML-lähteiden luomat tilapäiset käyttäjät."
 msgid "Go home"
 msgstr "Siirry etusivulle"
 
+#: authentik/core/templates/login/base_full.html
+msgid "Site footer"
+msgstr "Sivuston alatunniste"
+
+#: authentik/core/templates/login/base_full.html
+msgid "Flow links"
+msgstr ""
+
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -714,6 +748,10 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "Havaitse, tuo ja päivitä sertifikaatteja levyjärjestelmästä."
 
+#: authentik/endpoints/api/stages.py
+msgid "Selected connector is not compatible with this stage."
+msgstr ""
+
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr "Valittu alusta ei ole tuettu"
@@ -768,6 +806,14 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""
 
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclave"
+msgstr ""
+
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclaves"
+msgstr ""
+
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -838,6 +884,12 @@ msgstr "Tämän objektin luontiin/päivittämiseen tarvitaan Enterprise-versiota
 msgid "Enterprise is required to use this endpoint."
 msgstr ""
 
+#: authentik/enterprise/audit/apps.py
+msgid ""
+"Include additional information in audit logs, may incur a performance "
+"penalty."
+msgstr ""
+
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -855,6 +907,19 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""
 
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connector"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connectors"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Selaintasi varmennetaan..."
+
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -871,10 +936,6 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr ""
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -902,7 +963,8 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
@@ -916,7 +978,7 @@ msgid ""
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
+msgid "Dispatch tasks to apply lifecycle rules."
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
@@ -1160,6 +1222,14 @@ msgstr "EAP-TLS:n käyttöön tarvitaan Enterprise-versiota."
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "OAuth-tilan käyttöön tarvitaan Enterprise-versiota."
 
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Push"
+msgstr ""
+
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Pull"
+msgstr ""
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1241,6 +1311,78 @@ msgstr "Lataa"
 msgid "Generate data export."
 msgstr ""
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Päätepisteen todentaja Google Device Trust Connector -vaihe"
@@ -1257,10 +1399,6 @@ msgstr "Päätelaite"
 msgid "Endpoint Devices"
 msgstr "Päätelaitteet"
 
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Selaintasi varmennetaan..."
-
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1344,6 +1482,12 @@ msgstr ""
 "Lähetä notifikaatio vain kerran, esimerkiksi kun lähetetään webhook-"
 "tapahtuma pikaviestinkanavalle."
 
+#: authentik/events/models.py
+msgid ""
+"When set, the selected ceritifcate is used to validate the certificate of "
+"the webhook server."
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1515,6 +1659,15 @@ msgstr "Prosessia edeltävät käytännöt"
 msgid "Flow"
 msgstr "Prosessi"
 
+#: authentik/flows/apps.py
+msgid "Refresh other tabs after successful authentication."
+msgstr ""
+
+#: authentik/flows/apps.py
+msgid ""
+"Upon successful authentication, re-start authentication in other open tabs."
+msgstr ""
+
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Prosessi ei koske nykyistä käyttäjää."
@@ -1624,9 +1777,9 @@ msgstr "Prosessin tunniste"
 msgid "Flow Tokens"
 msgstr "Prosessin tunnisteet"
 
-#: authentik/flows/templates/if/flow.html
-msgid "Site footer"
-msgstr "Sivuston alatunniste"
+#: authentik/flows/planner.py
+msgid "This link is invalid or has expired. Please request a new one."
+msgstr ""
 
 #: authentik/flows/views/executor.py
 msgid "Invalid next URL"
@@ -2012,22 +2165,6 @@ msgstr "Mainepistemäärä"
 msgid "Reputation Scores"
 msgstr "Mainepistemäärät"
 
-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "Odotetaan todennusta..."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-"Kirjaudut jo toisella välilehdellä. Tämä sivu päivittyy kun todennus on "
-"valmis."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "Kirjaudu tällä välilehdellä"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Käyttö evätty"
@@ -2156,6 +2293,14 @@ msgstr "Tiukka URL-vertailu"
 msgid "Regular Expression URL matching"
 msgstr "Regular Expression -pohjainen URL-vertailu"
 
+#: authentik/providers/oauth2/models.py
+msgid "Authorization"
+msgstr "Valtuutus"
+
+#: authentik/providers/oauth2/models.py
+msgid "Logout"
+msgstr "Kirjaudu ulos"
+
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "Taustakanava"
@@ -2520,10 +2665,6 @@ msgstr "Välityspalveluntarjoaja"
 msgid "Proxy Providers"
 msgstr "Välityspalveluntarjoajat"
 
-#: authentik/providers/proxy/tasks.py
-msgid "Terminate session on Proxy outpost."
-msgstr "Katkaise istunto välityspalvelutukikohdasta."
-
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2656,8 +2797,10 @@ msgstr ""
 "yleisörajoitusta ei lisätä."
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "Tunnetaan myös nimellä EntityID"
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2880,6 +3023,10 @@ msgstr "SAML NameID:n arvo tälle istunnolle"
 msgid "SAML NameID format"
 msgstr "SAML NameID:n muoto"
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "SAML-istunto"
@@ -2908,6 +3055,14 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr "Salesforce"
 
+#: authentik/providers/scim/models.py
+msgid "Webex"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3193,7 +3348,7 @@ msgstr ""
 "                    Ota yhteyttä ylläpitäjään.\n"
 "                "
 
-#: authentik/sources/ldap/api.py
+#: authentik/sources/ldap/api/sources.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr "Vain yksi LDAP-lähde salasanojen synkronoinnilla on sallittu"
 
@@ -3730,6 +3885,12 @@ msgstr ""
 "Sallii IdP-lähtöiset todentamisprosessit. Tämä voi olla tietoturvariski, "
 "koska pyynnön ID:tä ei validoida."
 
+#: authentik/sources/saml/models.py
+msgid ""
+"When enabled, the IdP will re-authenticate the user even if a session "
+"exists."
+msgstr ""
+
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4155,6 +4316,10 @@ msgstr "Todentajan validaatiovaiheet"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Yhtään (sallittua) MFA-todentajaa ei ole määritelty."
 
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "When enabled, a given device can only be registered once."
+msgstr ""
+
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "WebAuthn-todentajan asetusvaihe"
@@ -4293,6 +4458,10 @@ msgstr "Sähköposti-OTP"
 msgid "Event Notification"
 msgstr "Tapahtumanotifikaatio"
 
+#: authentik/stages/email/models.py authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Kutsu"
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4411,6 +4580,62 @@ msgstr ""
 "\n"
 "Tämä viesti on lähetetty notifikaatiokanavasta %(name)s.\n"
 
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"      You're Invited!\n"
+"      "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          You have been invited to join %(host)s. Click the button below to get started.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          This invitation expires %(expires)s.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "Accept Invitation"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
+"    "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "You're Invited!"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid ""
+"You have been invited to join %(host)s. Use the link below to get started."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid "This invitation expires %(expires)s."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid ""
+"If you cannot click the link above, please copy and paste the following URL "
+"into your browser:"
+msgstr ""
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4591,10 +4816,6 @@ msgid "Optional fixed data to enforce on user enrollment."
 msgstr ""
 "Valinnainen kiinteä data joka pakotetaan käyttäjän rekisteröitymisessä."
 
-#: authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Kutsu"
-
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Kutsut"
@@ -4719,6 +4940,18 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Staattinen: Staattinen arvo, näytetään sellaisenaan."
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Valittavat kielialueet, joita authentik tukee"

locale/fr_FR/LC_MESSAGES/django.po

@@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-01 03:47+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Sp P, 2026\n"
 "Language-Team: French (France) (https://app.transifex.com/authentik/teams/119923/fr_FR/)\n"
@@ -116,6 +116,14 @@ msgstr "Erreur de Validation"
 msgid "Blueprint file does not exist"
 msgstr "Le fichier de plan n'existe pas"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Échec de validation du plan"

locale/it_IT/LC_MESSAGES/django.po

@@ -5,15 +5,16 @@
 # 
 # Translators:
 # Marc Schmitt, 2025
+# Pao P, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-10 19:27+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Marc Schmitt, 2025\n"
+"Last-Translator: Pao P, 2026\n"
 "Language-Team: Italian (Italy) (https://app.transifex.com/authentik/teams/119923/it_IT/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -57,12 +58,14 @@ msgstr ""
 #: authentik/admin/files/validation.py
 #, python-brace-format
 msgid "File name too long (max {MAX_FILE_NAME_LENGTH} characters)"
-msgstr ""
+msgstr "Nome del file troppo lungo (max {MAX_FILE_NAME_LENGTH} caratteri)"
 
 #: authentik/admin/files/validation.py
 #, python-brace-format
 msgid "Path component too long (max {MAX_PATH_COMPONENT_LENGTH} characters)"
 msgstr ""
+"Componente del percorso troppo lungo (max {MAX_PATH_COMPONENT_LENGTH} "
+"caratteri)"
 
 #: authentik/admin/models.py
 msgid "Version history"
@@ -105,6 +108,14 @@ msgstr "Errore di validazione"
 msgid "Blueprint file does not exist"
 msgstr "File del progetto inesistente"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Impossibile convalidare il progetto"
@@ -113,6 +124,11 @@ msgstr "Impossibile convalidare il progetto"
 msgid "Either path or content must be set."
 msgstr "È necessario impostare il percorso o il contenuto."
 
+#: authentik/blueprints/api.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "L'utente non ha i diritti per creare {model}"
+
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Gestito da authentik"
@@ -238,10 +254,13 @@ msgstr ""
 " vengono restituiti solo i provider di backchannel. Se impostato su falso, i"
 " provider di backchannel vengono esclusi"
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "L'utente non ha i diritti per creare {model}"
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
+msgstr ""
 
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -303,6 +322,12 @@ msgstr ""
 msgid "This field is required."
 msgstr "Questo campo è obbligatorio."
 
+#: authentik/core/apps.py
+msgid ""
+"Configure if applications without any policy/group/user bindings should be "
+"accessible to any user."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "name"
 msgstr "nome"
@@ -409,6 +434,10 @@ msgstr "Nome interno dell'applicazione, utilizzato negli URL."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Apri l'URL di avvio in una nuova scheda o finestra del browser."
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Applicazione"
@@ -597,6 +626,14 @@ msgstr "Rimuovi gli utenti temporanei creati da SAML Sources."
 msgid "Go home"
 msgstr "Vai alla pagina iniziale"
 
+#: authentik/core/templates/login/base_full.html
+msgid "Site footer"
+msgstr ""
+
+#: authentik/core/templates/login/base_full.html
+msgid "Flow links"
+msgstr ""
+
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -703,6 +740,10 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "Scopri, importa e aggiorna i certificati dal file system."
 
+#: authentik/endpoints/api/stages.py
+msgid "Selected connector is not compatible with this stage."
+msgstr ""
+
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -757,6 +798,14 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""
 
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclave"
+msgstr ""
+
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclaves"
+msgstr ""
+
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -827,6 +876,12 @@ msgstr "Versione Enterprise richiesta per creare/aggiornare questo oggetto"
 msgid "Enterprise is required to use this endpoint."
 msgstr ""
 
+#: authentik/enterprise/audit/apps.py
+msgid ""
+"Include additional information in audit logs, may incur a performance "
+"penalty."
+msgstr ""
+
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -844,6 +899,19 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""
 
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connector"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connectors"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Verifica del tuo browser..."
+
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -860,10 +928,6 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr ""
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -891,7 +955,8 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
@@ -905,7 +970,7 @@ msgid ""
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
+msgid "Dispatch tasks to apply lifecycle rules."
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
@@ -1153,6 +1218,14 @@ msgstr "Per Enterprise è tenuta a utilizzare EAP-TLS."
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "Per Enterprise è obbligatorio utilizzare la modalità OAuth."
 
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Push"
+msgstr ""
+
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Pull"
+msgstr ""
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1234,6 +1307,78 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
@@ -1252,10 +1397,6 @@ msgstr "Dispositivo di Accesso"
 msgid "Endpoint Devices"
 msgstr "Dispositivi di Accesso"
 
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Verifica del tuo browser..."
-
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1339,6 +1480,12 @@ msgstr ""
 "Invia una notifica solo una volta, ad esempio quando invii un webhook in un "
 "canale di chat."
 
+#: authentik/events/models.py
+msgid ""
+"When set, the selected ceritifcate is used to validate the certificate of "
+"the webhook server."
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1509,6 +1656,15 @@ msgstr "Politiche pre-flusso"
 msgid "Flow"
 msgstr "Flusso"
 
+#: authentik/flows/apps.py
+msgid "Refresh other tabs after successful authentication."
+msgstr ""
+
+#: authentik/flows/apps.py
+msgid ""
+"Upon successful authentication, re-start authentication in other open tabs."
+msgstr ""
+
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Il flusso non si applica all'utente corrente."
@@ -1623,8 +1779,8 @@ msgstr "Token del flusso"
 msgid "Flow Tokens"
 msgstr "Tokens del flusso"
 
-#: authentik/flows/templates/if/flow.html
-msgid "Site footer"
+#: authentik/flows/planner.py
+msgid "This link is invalid or has expired. Please request a new one."
 msgstr ""
 
 #: authentik/flows/views/executor.py
@@ -2013,22 +2169,6 @@ msgstr "Punteggio di reputazione"
 msgid "Reputation Scores"
 msgstr "Punteggi di reputazione"
 
-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "In attesa di autenticazione..."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-"Ti stai già autenticando in un'altra scheda. Questa pagina si aggiornerà una"
-" volta completata l'autenticazione."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "Autenticati in questa scheda"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permesso negato"
@@ -2156,6 +2296,14 @@ msgstr "Confronto URL rigoroso"
 msgid "Regular Expression URL matching"
 msgstr "Corrispondenza URL espressione regolare"
 
+#: authentik/providers/oauth2/models.py
+msgid "Authorization"
+msgstr ""
+
+#: authentik/providers/oauth2/models.py
+msgid "Logout"
+msgstr ""
+
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr ""
@@ -2518,10 +2666,6 @@ msgstr "Provider Proxy"
 msgid "Proxy Providers"
 msgstr "Providers Proxy"
 
-#: authentik/providers/proxy/tasks.py
-msgid "Terminate session on Proxy outpost."
-msgstr ""
-
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2653,8 +2797,10 @@ msgstr ""
 "vuoto, non verrà aggiunta alcuna restrizione sul pubblico."
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "Conosciuto anche come EntityID"
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2868,6 +3014,10 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "Sessione SAML "
@@ -2896,6 +3046,14 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr ""
 
+#: authentik/providers/scim/models.py
+msgid "Webex"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3177,7 +3335,7 @@ msgstr ""
 " e di aver configurato correttamente il browser. \n"
 "Contatta il tuo amministratore."
 
-#: authentik/sources/ldap/api.py
+#: authentik/sources/ldap/api/sources.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
 "È consentita solo una singola sorgente LDAP con sincronizzazione della "
@@ -3711,6 +3869,12 @@ msgstr ""
 "rappresentare un rischio per la sicurezza, poiché non viene eseguita alcuna "
 "convalida dell'ID richiesta."
 
+#: authentik/sources/saml/models.py
+msgid ""
+"When enabled, the IdP will re-authenticate the user even if a session "
+"exists."
+msgstr ""
+
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4142,6 +4306,10 @@ msgstr "Fasi di convalida dell'autenticatore"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Nessun autenticatore MFA (consentito) configurato."
 
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "When enabled, a given device can only be registered once."
+msgstr ""
+
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Fase di configurazione dell'autenticatore WebAuthn"
@@ -4280,6 +4448,10 @@ msgstr "Email OTP"
 msgid "Event Notification"
 msgstr "Notifica evento"
 
+#: authentik/stages/email/models.py authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Invito"
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4398,6 +4570,62 @@ msgstr ""
 "\n"
 "Questa email è stata inviata dal trasporto delle notifiche %(name)s.\n"
 
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"      You're Invited!\n"
+"      "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          You have been invited to join %(host)s. Click the button below to get started.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          This invitation expires %(expires)s.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "Accept Invitation"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
+"    "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "You're Invited!"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid ""
+"You have been invited to join %(host)s. Use the link below to get started."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid "This invitation expires %(expires)s."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid ""
+"If you cannot click the link above, please copy and paste the following URL "
+"into your browser:"
+msgstr ""
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4577,10 +4805,6 @@ msgstr "Se abilitato, l'invito verrà eliminato dopo l'utilizzo."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Dati fissi facoltativi da applicare alla registrazione dell'utente."
 
-#: authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Invito"
-
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Inviti"
@@ -4706,6 +4930,18 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Statico: Valore statico, visualizzato così com'è."
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr ""

locale/ja_JP/LC_MESSAGES/django.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-10 19:27+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Japanese (Japan) (https://app.transifex.com/authentik/teams/119923/ja_JP/)\n"
@@ -105,6 +105,14 @@ msgstr "検証エラー"
 msgid "Blueprint file does not exist"
 msgstr "ブループリントファイルがありません"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "ブループリントの検証に失敗しました"
@@ -113,6 +121,11 @@ msgstr "ブループリントの検証に失敗しました"
 msgid "Either path or content must be set."
 msgstr "パスかコンテンツの設定は必須です。"
 
+#: authentik/blueprints/api.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "ユーザーは {model} を作成するための権限がありません"
+
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Managed by authentik"
@@ -228,10 +241,13 @@ msgid ""
 msgstr ""
 "設定されていない場合、すべてのプロバイダーが返されます。trueに設定すると、バックチャネルプロバイダーのみが返されます。falseに設定すると、バックチャネルプロバイダーは除外されます"
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "ユーザーは {model} を作成するための権限がありません"
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
+msgstr ""
 
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -293,6 +309,12 @@ msgstr ""
 msgid "This field is required."
 msgstr "このフィールドは必須です。"
 
+#: authentik/core/apps.py
+msgid ""
+"Configure if applications without any policy/group/user bindings should be "
+"accessible to any user."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "name"
 msgstr "名前"
@@ -395,6 +417,10 @@ msgstr "URLで使用される内部アプリ名。"
 msgid "Open launch URL in a new browser tab or window."
 msgstr "ブラウザーの新しいタブまたはウィンドウで起動URLを開きます。"
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "アプリ"
@@ -566,6 +592,14 @@ msgstr "SAMLで作成された一時ユーザを削除。"
 msgid "Go home"
 msgstr "ホームに戻る"
 
+#: authentik/core/templates/login/base_full.html
+msgid "Site footer"
+msgstr ""
+
+#: authentik/core/templates/login/base_full.html
+msgid "Flow links"
+msgstr ""
+
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -670,6 +704,10 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "証明書をファイルシステムから検出、インポート、更新する。"
 
+#: authentik/endpoints/api/stages.py
+msgid "Selected connector is not compatible with this stage."
+msgstr ""
+
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -724,6 +762,14 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""
 
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclave"
+msgstr ""
+
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclaves"
+msgstr ""
+
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -794,6 +840,12 @@ msgstr "このオブジェクトの作成/更新にはエンタープライズ
 msgid "Enterprise is required to use this endpoint."
 msgstr ""
 
+#: authentik/enterprise/audit/apps.py
+msgid ""
+"Include additional information in audit logs, may incur a performance "
+"penalty."
+msgstr ""
+
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -809,6 +861,19 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""
 
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connector"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connectors"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "ブラウザの確認中...。"
+
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -825,10 +890,6 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr ""
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -856,7 +917,8 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
@@ -870,7 +932,7 @@ msgid ""
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
+msgid "Dispatch tasks to apply lifecycle rules."
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
@@ -1095,6 +1157,14 @@ msgstr "EAP-TLSを使用するにはエンタープライズが必要です。"
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "OAuthモードを使用するにはエンタープライズが必要です。"
 
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Push"
+msgstr ""
+
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Pull"
+msgstr ""
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1176,6 +1246,78 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "エンドポイント認証器Google Device Trust Connectorステージ"
@@ -1192,10 +1334,6 @@ msgstr "エンドポイントデバイス"
 msgid "Endpoint Devices"
 msgstr "エンドポイントデバイス"
 
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "ブラウザの確認中...。"
-
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1273,6 +1411,12 @@ msgid ""
 "channel."
 msgstr "チャットチャンネルにWebhookを送るときのような場合に、一度だけ通知を送信します。"
 
+#: authentik/events/models.py
+msgid ""
+"When set, the selected ceritifcate is used to validate the certificate of "
+"the webhook server."
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1432,6 +1576,15 @@ msgstr "事前フローのポリシー"
 msgid "Flow"
 msgstr "フロー"
 
+#: authentik/flows/apps.py
+msgid "Refresh other tabs after successful authentication."
+msgstr ""
+
+#: authentik/flows/apps.py
+msgid ""
+"Upon successful authentication, re-start authentication in other open tabs."
+msgstr ""
+
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "フローは現在のユーザーに適用されません。"
@@ -1536,8 +1689,8 @@ msgstr "フロートークン"
 msgid "Flow Tokens"
 msgstr "フロートークン"
 
-#: authentik/flows/templates/if/flow.html
-msgid "Site footer"
+#: authentik/flows/planner.py
+msgid "This link is invalid or has expired. Please request a new one."
 msgstr ""
 
 #: authentik/flows/views/executor.py
@@ -1897,20 +2050,6 @@ msgstr "評判スコア"
 msgid "Reputation Scores"
 msgstr "評判スコア"
 
-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "認証を待機中...。"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr "別のタブで既に認証中です。認証が完了するとこのページが更新されます。"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "このタブで認証"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "権限がありません"
@@ -2031,6 +2170,14 @@ msgstr "厳密な URL 比較"
 msgid "Regular Expression URL matching"
 msgstr "正規表現 URL マッチング"
 
+#: authentik/providers/oauth2/models.py
+msgid "Authorization"
+msgstr ""
+
+#: authentik/providers/oauth2/models.py
+msgid "Logout"
+msgstr ""
+
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "バックチャネル"
@@ -2358,10 +2505,6 @@ msgstr "プロキシプロバイダー"
 msgid "Proxy Providers"
 msgstr "プロキシプロバイダー"
 
-#: authentik/providers/proxy/tasks.py
-msgid "Terminate session on Proxy outpost."
-msgstr "Proxy Outpost でセッションを終了。"
-
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2485,8 +2628,10 @@ msgid ""
 msgstr "アサーションのオーディエンス制限フィールドの値。空の場合、オーディエンス制限は追加されません。"
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "EntityID とも呼ばれる"
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2686,6 +2831,10 @@ msgstr "このセッションの SAML NameID 値"
 msgid "SAML NameID format"
 msgstr "SAML NameID フォーマット"
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "SAML セッション"
@@ -2714,6 +2863,14 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr "Salesforce"
 
+#: authentik/providers/scim/models.py
+msgid "Webex"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -2978,7 +3135,7 @@ msgstr ""
 "                    管理者に連絡してください。\n"
 "                "
 
-#: authentik/sources/ldap/api.py
+#: authentik/sources/ldap/api/sources.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr "パスワード同期を備えた単一の LDAP ソースのみが許可されます"
 
@@ -3491,6 +3648,12 @@ msgid ""
 "risk, as no validation of the request ID is done."
 msgstr "IdP によって開始される認証フローを許可します。リクエスト ID の検証が行われないため、セキュリティリスクになる可能性があります。"
 
+#: authentik/sources/saml/models.py
+msgid ""
+"When enabled, the IdP will re-authenticate the user even if a session "
+"exists."
+msgstr ""
+
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -3894,6 +4057,10 @@ msgstr "認証器検証ステージ"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "（許可された）MFA 認証器が設定されていません。"
 
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "When enabled, a given device can only be registered once."
+msgstr ""
+
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "WebAuthn 認証器セットアップステージ"
@@ -4026,6 +4193,10 @@ msgstr "メール OTP"
 msgid "Event Notification"
 msgstr "イベント通知"
 
+#: authentik/stages/email/models.py authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "招待"
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4138,6 +4309,62 @@ msgstr ""
 "\n"
 "このメールは通知トランスポート %(name)s から送信されました。\n"
 
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"      You're Invited!\n"
+"      "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          You have been invited to join %(host)s. Click the button below to get started.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          This invitation expires %(expires)s.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "Accept Invitation"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
+"    "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "You're Invited!"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid ""
+"You have been invited to join %(host)s. Use the link below to get started."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid "This invitation expires %(expires)s."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid ""
+"If you cannot click the link above, please copy and paste the following URL "
+"into your browser:"
+msgstr ""
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4301,10 +4528,6 @@ msgstr "有効にすると、招待は使用後に削除されます。"
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "ユーザー登録に強制するオプショナル固定データ。"
 
-#: authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "招待"
-
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "招待"
@@ -4415,6 +4638,18 @@ msgstr "非表示: 非表示フィールド、フォームにデータを挿入
 msgid "Static: Static value, displayed as-is."
 msgstr "静的: 静的値、そのまま表示。"
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: authentik がサポートするロケールの選択"

locale/no_NO/LC_MESSAGES/django.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-04-23 00:25+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Raphael Cancelliere, 2026\n"
 "Language-Team: Norwegian (Norway) (https://app.transifex.com/authentik/teams/119923/no_NO/)\n"
@@ -109,6 +109,14 @@ msgstr "Valideringsfeil"
 msgid "Blueprint file does not exist"
 msgstr "Blueprint-filen eksisterer ikke"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Klarte ikke å validere blueprint"
@@ -247,6 +255,14 @@ msgstr ""
 " kun backchannel-leverandører. Når satt til false, ekskluderes backchannel-"
 "leverandører."
 
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
+msgstr ""
+
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "Ingen skråstreker i starten eller slutten er tillatt."
@@ -421,6 +437,10 @@ msgstr "Internt applikasjonsnavn, brukt i URL-er."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Åpne start-URL i en ny nettleserfane eller -vindu."
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Applikasjon"
@@ -917,10 +937,6 @@ msgstr "Enten en vurderingsgruppe eller en vurderer må være angitt."
 msgid "Grace period must be shorter than the interval."
 msgstr "Respittiden må være kortere enn intervallet."
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr "Kun én type-omfattende regel for hver objekttype er tillatt."
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -950,9 +966,9 @@ msgid "Go to {self._get_model_name()}"
 msgstr "Gå til {self._get_model_name()}"
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
-"Tilgangsvurdering forfaller for {self.content_type.name} {str(self.object)}"
 
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
@@ -968,8 +984,8 @@ msgstr ""
 "Tilgangsvurdering fullført for {self.content_type.name} {str(self.object)}"
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
-msgstr "Send ut oppgaver for å validere livssyklusregler."
+msgid "Dispatch tasks to apply lifecycle rules."
+msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
 msgid "Apply lifecycle rule."
@@ -1305,6 +1321,78 @@ msgstr "Last ned"
 msgid "Generate data export."
 msgstr "Generer eksport av data."
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Trinn for endepunktautentisering via Google Device Trust-kobling"
@@ -2705,8 +2793,10 @@ msgstr ""
 " vil ingen målgrupperestriksjon bli lagt til."
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "Også kjent som EntityID"
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2924,6 +3014,10 @@ msgstr "SAML NameID-verdi for denne økten"
 msgid "SAML NameID format"
 msgstr "SAML NameID-format"
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "SAML-økt"
@@ -2956,6 +3050,10 @@ msgstr "Salesforce"
 msgid "Webex"
 msgstr "Webex"
 
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr "Gruppefiltre brukt for å definere synkroniseringsomfang for grupper."
@@ -4830,6 +4928,18 @@ msgstr "Skjult: Skjult felt, kan brukes til å sette inn data i skjemaet."
 msgid "Static: Static value, displayed as-is."
 msgstr "Statisk: Statisk verdi, vises som den er."
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Utvalg av språk som authentik støtter"

locale/pl_PL/LC_MESSAGES/django.po

@@ -6,16 +6,16 @@
 # Translators:
 # Marc Schmitt, 2025
 # Darek “NeroPcStation” NeroPcStation <dareknowacki2001@gmail.com>, 2025
-# Jens L. <jens@goauthentik.io>, 2025
+# Jens L. <jens@goauthentik.io>, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-10 19:27+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
+"Last-Translator: Jens L. <jens@goauthentik.io>, 2026\n"
 "Language-Team: Polish (Poland) (https://app.transifex.com/authentik/teams/119923/pl_PL/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -107,6 +107,14 @@ msgstr "Błąd walidacji"
 msgid "Blueprint file does not exist"
 msgstr "Plik szablonu nie istnieje"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Nie udało się zweryfikować szablonu"
@@ -115,6 +123,11 @@ msgstr "Nie udało się zweryfikować szablonu"
 msgid "Either path or content must be set."
 msgstr "Ścieżka albo treść muszą być ustawione."
 
+#: authentik/blueprints/api.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr ""
+
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Zarządzane przez authentik"
@@ -241,9 +254,12 @@ msgstr ""
 "zwracani są tylko dostawcy kanału zwrotnego. Gdy ustawiono na fałsz, "
 "dostawcy kanału zwrotnego są wykluczeni."
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
 msgstr ""
 
 #: authentik/core/api/users.py
@@ -306,6 +322,12 @@ msgstr ""
 msgid "This field is required."
 msgstr ""
 
+#: authentik/core/apps.py
+msgid ""
+"Configure if applications without any policy/group/user bindings should be "
+"accessible to any user."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "name"
 msgstr "nazwa"
@@ -412,6 +434,10 @@ msgstr "Wewnętrzna nazwa aplikacji, używana w adresach URL."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Otwórz adres URL uruchamiania w nowej karcie lub oknie przeglądarki."
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Aplikacja"
@@ -596,6 +622,14 @@ msgstr ""
 msgid "Go home"
 msgstr "Przejdź do domu"
 
+#: authentik/core/templates/login/base_full.html
+msgid "Site footer"
+msgstr ""
+
+#: authentik/core/templates/login/base_full.html
+msgid "Flow links"
+msgstr ""
+
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -702,6 +736,10 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr ""
 
+#: authentik/endpoints/api/stages.py
+msgid "Selected connector is not compatible with this stage."
+msgstr ""
+
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -756,6 +794,14 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""
 
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclave"
+msgstr ""
+
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclaves"
+msgstr ""
+
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -827,6 +873,12 @@ msgstr ""
 msgid "Enterprise is required to use this endpoint."
 msgstr ""
 
+#: authentik/enterprise/audit/apps.py
+msgid ""
+"Include additional information in audit logs, may incur a performance "
+"penalty."
+msgstr ""
+
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -842,6 +894,19 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""
 
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connector"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connectors"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Weryfikowanie Twojej przeglądarki..."
+
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -858,10 +923,6 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr ""
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -889,7 +950,8 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
@@ -903,7 +965,7 @@ msgid ""
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
+msgid "Dispatch tasks to apply lifecycle rules."
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
@@ -1130,6 +1192,14 @@ msgstr ""
 msgid "Enterprise is required to use the OAuth mode."
 msgstr ""
 
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Push"
+msgstr ""
+
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Pull"
+msgstr ""
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1211,6 +1281,78 @@ msgstr "Pobierz"
 msgid "Generate data export."
 msgstr ""
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
@@ -1227,10 +1369,6 @@ msgstr ""
 msgid "Endpoint Devices"
 msgstr ""
 
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Weryfikowanie Twojej przeglądarki..."
-
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1311,6 +1449,12 @@ msgstr ""
 "Wyślij powiadomienie tylko raz, na przykład podczas wysyłania webhooka na "
 "kanał czatu."
 
+#: authentik/events/models.py
+msgid ""
+"When set, the selected ceritifcate is used to validate the certificate of "
+"the webhook server."
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1475,6 +1619,15 @@ msgstr "Przed-przepływowe zasady"
 msgid "Flow"
 msgstr "Przepływ"
 
+#: authentik/flows/apps.py
+msgid "Refresh other tabs after successful authentication."
+msgstr ""
+
+#: authentik/flows/apps.py
+msgid ""
+"Upon successful authentication, re-start authentication in other open tabs."
+msgstr ""
+
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Przepływ nie dotyczy bieżącego użytkownika."
@@ -1590,8 +1743,8 @@ msgstr "Token przepływu"
 msgid "Flow Tokens"
 msgstr "Tokeny przepływu"
 
-#: authentik/flows/templates/if/flow.html
-msgid "Site footer"
+#: authentik/flows/planner.py
+msgid "This link is invalid or has expired. Please request a new one."
 msgstr ""
 
 #: authentik/flows/views/executor.py
@@ -1975,20 +2128,6 @@ msgstr "Punkty reputacji"
 msgid "Reputation Scores"
 msgstr "Punkty reputacji"
 
-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "Oczekiwanie na uwierzytelnienie..."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Odmowa uprawnień"
@@ -2115,6 +2254,14 @@ msgstr ""
 msgid "Regular Expression URL matching"
 msgstr ""
 
+#: authentik/providers/oauth2/models.py
+msgid "Authorization"
+msgstr "Autoryzacja"
+
+#: authentik/providers/oauth2/models.py
+msgid "Logout"
+msgstr "Wyloguj"
+
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr ""
@@ -2465,10 +2612,6 @@ msgstr "Dostawca proxy"
 msgid "Proxy Providers"
 msgstr "Dostawcy proxy"
 
-#: authentik/providers/proxy/tasks.py
-msgid "Terminate session on Proxy outpost."
-msgstr ""
-
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2596,8 +2739,10 @@ msgstr ""
 " ograniczenie odbiorców nie zostanie dodane."
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "Znany również jako EntityID"
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2801,6 +2946,10 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr ""
@@ -2829,6 +2978,14 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr ""
 
+#: authentik/providers/scim/models.py
+msgid "Webex"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3089,7 +3246,7 @@ msgid ""
 "                "
 msgstr ""
 
-#: authentik/sources/ldap/api.py
+#: authentik/sources/ldap/api/sources.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
 
@@ -3616,6 +3773,12 @@ msgstr ""
 " Może to stanowić zagrożenie bezpieczeństwa, ponieważ nie przeprowadza się "
 "weryfikacji identyfikatora żądania."
 
+#: authentik/sources/saml/models.py
+msgid ""
+"When enabled, the IdP will re-authenticate the user even if a session "
+"exists."
+msgstr ""
+
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4029,6 +4192,10 @@ msgstr "Etapy weryfikacji uwierzytelniacza"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Nie skonfigurowano (dozwolonego) uwierzytelniania MFA."
 
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "When enabled, a given device can only be registered once."
+msgstr ""
+
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Etap konfiguracji uwierzytelniacza WebAuthn"
@@ -4165,6 +4332,10 @@ msgstr ""
 msgid "Event Notification"
 msgstr ""
 
+#: authentik/stages/email/models.py authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Zaproszenie"
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4280,6 +4451,62 @@ msgstr ""
 "\n"
 "Ta wiadomość e-mail została wysłana z transportu powiadomień %(name)s.\n"
 
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"      You're Invited!\n"
+"      "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          You have been invited to join %(host)s. Click the button below to get started.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          This invitation expires %(expires)s.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "Accept Invitation"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
+"    "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "You're Invited!"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid ""
+"You have been invited to join %(host)s. Use the link below to get started."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid "This invitation expires %(expires)s."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid ""
+"If you cannot click the link above, please copy and paste the following URL "
+"into your browser:"
+msgstr ""
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4456,10 +4683,6 @@ msgstr "Gdy ta opcja jest włączona, zaproszenie zostanie usunięte po użyciu.
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Opcjonalne stałe dane do wymuszenia przy rejestracji użytkownika."
 
-#: authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Zaproszenie"
-
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Zaproszenia"
@@ -4583,6 +4806,18 @@ msgstr "Ukryte: Ukryte pole, może służyć do wstawiania danych do formularza.
 msgid "Static: Static value, displayed as-is."
 msgstr "Statyczny: wartość statyczna, wyświetlana w stanie, w jakim jest."
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Wybór ustawień regionalnych obsługiwanych przez authentik"

locale/pt_BR/LC_MESSAGES/django.po

@@ -6,17 +6,18 @@
 # Translators:
 # Marc Schmitt, 2025
 # André Cristian Neidert, 2025
-# Rafael Mundel, 2025
 # Ariel Amaral, 2025
+# Rafael Mundel, 2026
+# Gil Poiares-Oliveira, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-10 19:27+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Ariel Amaral, 2025\n"
+"Last-Translator: Gil Poiares-Oliveira, 2026\n"
 "Language-Team: Portuguese (Brazil) (https://app.transifex.com/authentik/teams/119923/pt_BR/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -111,6 +112,14 @@ msgstr "Erro de Validação"
 msgid "Blueprint file does not exist"
 msgstr "Arquivo de Blueprint não existe"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Falha ao validar o projeto"
@@ -119,6 +128,11 @@ msgstr "Falha ao validar o projeto"
 msgid "Either path or content must be set."
 msgstr "O caminho ou o conteúdo devem ser definidos."
 
+#: authentik/blueprints/api.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "O usuário não tem permissão para criar {model}"
+
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Gerenciado pelo authentik"
@@ -248,10 +262,13 @@ msgstr ""
 "true, somente os provedores de backchannel são retornados. Quando definido "
 "para false, provedores de backchannel são excluídos"
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "O usuário não tem permissão para criar {model}"
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
+msgstr ""
 
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -313,6 +330,12 @@ msgstr ""
 msgid "This field is required."
 msgstr "Este campo é obrigatório."
 
+#: authentik/core/apps.py
+msgid ""
+"Configure if applications without any policy/group/user bindings should be "
+"accessible to any user."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "name"
 msgstr "nome"
@@ -419,6 +442,10 @@ msgstr "Nome do aplicativo interno, usado em URLs."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Abra o URL de inicialização em uma nova guia ou janela do navegador."
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Aplicativo"
@@ -607,6 +634,14 @@ msgstr "Remover usuários temporários criados por Fontes SAML."
 msgid "Go home"
 msgstr "Ir para casa"
 
+#: authentik/core/templates/login/base_full.html
+msgid "Site footer"
+msgstr "Rodapé do site"
+
+#: authentik/core/templates/login/base_full.html
+msgid "Flow links"
+msgstr ""
+
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -715,6 +750,10 @@ msgstr "Visualizar chave privada do par de chaves"
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "Descobrir, importar e atualizar certificados do sistema de arquivos."
 
+#: authentik/endpoints/api/stages.py
+msgid "Selected connector is not compatible with this stage."
+msgstr ""
+
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr "A plataforma selecionada não é compatível."
@@ -769,6 +808,14 @@ msgstr "Nonce Apple"
 msgid "Apple Nonces"
 msgstr "Nonces Apple"
 
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclave"
+msgstr ""
+
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclaves"
+msgstr ""
+
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -839,6 +886,12 @@ msgstr "Enterprise é necessário para criar/atualizar esse objeto."
 msgid "Enterprise is required to use this endpoint."
 msgstr "Enterprise é necessário para usar este endpoint."
 
+#: authentik/enterprise/audit/apps.py
+msgid ""
+"Include additional information in audit logs, may incur a performance "
+"penalty."
+msgstr ""
+
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -856,6 +909,19 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""
 
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connector"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connectors"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Verificando seu navegador…"
+
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -872,10 +938,6 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr ""
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -903,7 +965,8 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
@@ -917,7 +980,7 @@ msgid ""
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
+msgid "Dispatch tasks to apply lifecycle rules."
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
@@ -1161,6 +1224,14 @@ msgstr "Enterprise é necessário para usar EAP-TLS."
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "Enterprise é necessário para usar o modo OAuth."
 
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Push"
+msgstr ""
+
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Pull"
+msgstr ""
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1242,6 +1313,78 @@ msgstr "Download"
 msgid "Generate data export."
 msgstr "Gerar exportação de dados."
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Etapa do Conector Google Device Trust do autenticador de endpoint."
@@ -1258,10 +1401,6 @@ msgstr "Dispositivo de endpoint."
 msgid "Endpoint Devices"
 msgstr "Dispositivos de endpoint."
 
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Verificando seu navegador…"
-
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1344,6 +1483,12 @@ msgstr ""
 "Envie uma notificação apenas uma vez, por exemplo, ao enviar um webhook para"
 " um canal de bate-papo."
 
+#: authentik/events/models.py
+msgid ""
+"When set, the selected ceritifcate is used to validate the certificate of "
+"the webhook server."
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1514,6 +1659,15 @@ msgstr "Políticas de pré-fluxo"
 msgid "Flow"
 msgstr "Fluxo"
 
+#: authentik/flows/apps.py
+msgid "Refresh other tabs after successful authentication."
+msgstr ""
+
+#: authentik/flows/apps.py
+msgid ""
+"Upon successful authentication, re-start authentication in other open tabs."
+msgstr ""
+
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "O fluxo não se aplica ao usuário atual."
@@ -1624,9 +1778,9 @@ msgstr "Token de Fluxo"
 msgid "Flow Tokens"
 msgstr "Tokens de Fluxo"
 
-#: authentik/flows/templates/if/flow.html
-msgid "Site footer"
-msgstr "Rodapé do site"
+#: authentik/flows/planner.py
+msgid "This link is invalid or has expired. Please request a new one."
+msgstr ""
 
 #: authentik/flows/views/executor.py
 msgid "Invalid next URL"
@@ -2010,22 +2164,6 @@ msgstr "Pontuação de reputação"
 msgid "Reputation Scores"
 msgstr "Pontuações de reputação"
 
-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "Aguardando autenticação…"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-"Você já está autenticando em outra aba. Esta página será atualizada quando a"
-" autenticação for concluída."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "Autenticar nesta aba"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permissão negada"
@@ -2150,6 +2288,14 @@ msgstr "Comparação estrita de URL"
 msgid "Regular Expression URL matching"
 msgstr "Correspondência de URL por expressão regular"
 
+#: authentik/providers/oauth2/models.py
+msgid "Authorization"
+msgstr "Autorização"
+
+#: authentik/providers/oauth2/models.py
+msgid "Logout"
+msgstr "Sair"
+
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "Back-channel"
@@ -2512,10 +2658,6 @@ msgstr "Provedor de proxy"
 msgid "Proxy Providers"
 msgstr "Provedores de proxy"
 
-#: authentik/providers/proxy/tasks.py
-msgid "Terminate session on Proxy outpost."
-msgstr "Encerrar sessão no outpost Proxy"
-
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2648,8 +2790,10 @@ msgstr ""
 "branco, nenhuma restrição de público será adicionada."
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "Também conhecido como EntityID"
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2870,6 +3014,10 @@ msgstr "Valor do SAML NameID para essa sessão"
 msgid "SAML NameID format"
 msgstr "Formato do SAML NameID"
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "Sessão SAML"
@@ -2898,6 +3046,14 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr "Salesforce"
 
+#: authentik/providers/scim/models.py
+msgid "Webex"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3181,7 +3337,7 @@ msgstr ""
 "e que o navegador esteja configurado corretamente. \n"
 "Contate seu administrador."
 
-#: authentik/sources/ldap/api.py
+#: authentik/sources/ldap/api/sources.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr "Somente uma Origem LDAP com sincronização de senha é aceita"
 
@@ -3716,6 +3872,12 @@ msgstr ""
 "Permite fluxos de autenticação iniciados pelo IdP. Isso pode ser um risco de"
 " segurança, pois nenhuma validação do ID da solicitação é feita."
 
+#: authentik/sources/saml/models.py
+msgid ""
+"When enabled, the IdP will re-authenticate the user even if a session "
+"exists."
+msgstr ""
+
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4141,6 +4303,10 @@ msgstr "Etapas de validação do autenticador"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Nenhum autenticador MFA (permitido) configurado."
 
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "When enabled, a given device can only be registered once."
+msgstr ""
+
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Estágio de configuração do autenticador WebAuthn"
@@ -4280,6 +4446,10 @@ msgstr "OTP por Email"
 msgid "Event Notification"
 msgstr "Notificação de Evento"
 
+#: authentik/stages/email/models.py authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Convite"
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4399,6 +4569,62 @@ msgstr ""
 "\n"
 "Este email foi enviado pelo transporte de notificações %(name)s.\n"
 
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"      You're Invited!\n"
+"      "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          You have been invited to join %(host)s. Click the button below to get started.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          This invitation expires %(expires)s.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "Accept Invitation"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
+"    "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "You're Invited!"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid ""
+"You have been invited to join %(host)s. Use the link below to get started."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid "This invitation expires %(expires)s."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid ""
+"If you cannot click the link above, please copy and paste the following URL "
+"into your browser:"
+msgstr ""
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4577,10 +4803,6 @@ msgstr "Quando ativado, o convite será excluído após o uso."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Dados fixos opcionais para aplicar na inscrição do usuário."
 
-#: authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Convite"
-
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Convites"
@@ -4704,6 +4926,18 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Estático: valor estático, exibido como está."
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Seleção de locais suportados pelo authentik"

locale/pt_PT/LC_MESSAGES/django.po

@@ -7,17 +7,18 @@
 # Hélder Silva <hsilva@keep.pt>, 2025
 # Sergio Reis, 2025
 # Marc Schmitt, 2025
-# Gil Poiares-Oliveira, 2025
 # Tiago Gaspar, 2025
+# G S, 2026
+# Gil Poiares-Oliveira, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-10 19:27+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Tiago Gaspar, 2025\n"
+"Last-Translator: Gil Poiares-Oliveira, 2026\n"
 "Language-Team: Portuguese (Portugal) (https://app.transifex.com/authentik/teams/119923/pt_PT/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -109,6 +110,14 @@ msgstr "Erro de validação"
 msgid "Blueprint file does not exist"
 msgstr "Ficheiro de modelos não existe"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Falha na validação de modelo"
@@ -117,6 +126,11 @@ msgstr "Falha na validação de modelo"
 msgid "Either path or content must be set."
 msgstr "O caminho ou o conteúdo devem ser definidos."
 
+#: authentik/blueprints/api.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "O utilizador não tem permissão para criar {model}"
+
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Gerido por authentik"
@@ -244,10 +258,13 @@ msgstr ""
 "como verdadeiro, apenas os provedores de backchannel são retornados. Quando "
 "definido como falso, os provedores de backchannel são excluídos"
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "O utilizador não tem permissão para criar {model}"
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
+msgstr ""
 
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -309,6 +326,12 @@ msgstr ""
 msgid "This field is required."
 msgstr "Este campo é necessário."
 
+#: authentik/core/apps.py
+msgid ""
+"Configure if applications without any policy/group/user bindings should be "
+"accessible to any user."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "name"
 msgstr "nome"
@@ -415,6 +438,10 @@ msgstr "Nome interno da aplicação, usado em URLs."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Abrir o URL de inicialização num novo separador ou janela do browser."
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Aplicação"
@@ -602,6 +629,14 @@ msgstr ""
 msgid "Go home"
 msgstr "Ir para início"
 
+#: authentik/core/templates/login/base_full.html
+msgid "Site footer"
+msgstr ""
+
+#: authentik/core/templates/login/base_full.html
+msgid "Flow links"
+msgstr ""
+
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -708,6 +743,10 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "Descobrir, importar e atualizar certificados do sistema de arquivos."
 
+#: authentik/endpoints/api/stages.py
+msgid "Selected connector is not compatible with this stage."
+msgstr ""
+
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -762,6 +801,14 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""
 
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclave"
+msgstr ""
+
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclaves"
+msgstr ""
+
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -832,6 +879,12 @@ msgstr "Enterprise necessário para criar/atualizar este objeto."
 msgid "Enterprise is required to use this endpoint."
 msgstr ""
 
+#: authentik/enterprise/audit/apps.py
+msgid ""
+"Include additional information in audit logs, may incur a performance "
+"penalty."
+msgstr ""
+
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -849,6 +902,19 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""
 
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connector"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connectors"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "A verificar o seu browser..."
+
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -865,10 +931,6 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr ""
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -896,7 +958,8 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
@@ -910,7 +973,7 @@ msgid ""
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
+msgid "Dispatch tasks to apply lifecycle rules."
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
@@ -1140,6 +1203,14 @@ msgstr ""
 msgid "Enterprise is required to use the OAuth mode."
 msgstr ""
 
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Push"
+msgstr ""
+
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Pull"
+msgstr ""
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1221,6 +1292,78 @@ msgstr "Descarregar"
 msgid "Generate data export."
 msgstr ""
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
@@ -1239,10 +1382,6 @@ msgstr "Dispositivo do ponto de ligação"
 msgid "Endpoint Devices"
 msgstr "Dispositivos do ponto de ligação"
 
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "A verificar o seu browser..."
-
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1323,6 +1462,12 @@ msgstr ""
 "Enviar a notificação apenas uma vez, por exemplo, ao enviar um webhook para "
 "um canal de chat."
 
+#: authentik/events/models.py
+msgid ""
+"When set, the selected ceritifcate is used to validate the certificate of "
+"the webhook server."
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1489,6 +1634,15 @@ msgstr "Políticas de pré-fluxo"
 msgid "Flow"
 msgstr "Fluxo"
 
+#: authentik/flows/apps.py
+msgid "Refresh other tabs after successful authentication."
+msgstr ""
+
+#: authentik/flows/apps.py
+msgid ""
+"Upon successful authentication, re-start authentication in other open tabs."
+msgstr ""
+
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "O fluxo não se aplica ao utilizador atual."
@@ -1602,8 +1756,8 @@ msgstr "Token do fluxo"
 msgid "Flow Tokens"
 msgstr "Tokens do fluxo"
 
-#: authentik/flows/templates/if/flow.html
-msgid "Site footer"
+#: authentik/flows/planner.py
+msgid "This link is invalid or has expired. Please request a new one."
 msgstr ""
 
 #: authentik/flows/views/executor.py
@@ -1991,20 +2145,6 @@ msgstr "Pontuação da reputação"
 msgid "Reputation Scores"
 msgstr "Pontuações da reputação"
 
-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "A aguardar autenticação"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "Autenticar nesta aba"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permissão negada"
@@ -2130,6 +2270,14 @@ msgstr "Comparação rigorosa de URL"
 msgid "Regular Expression URL matching"
 msgstr "Correspondência de URL com expressões regulares"
 
+#: authentik/providers/oauth2/models.py
+msgid "Authorization"
+msgstr "Autorização"
+
+#: authentik/providers/oauth2/models.py
+msgid "Logout"
+msgstr ""
+
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "Back-channel"
@@ -2492,10 +2640,6 @@ msgstr "Provedor de Proxy"
 msgid "Proxy Providers"
 msgstr "Provedores de Proxy"
 
-#: authentik/providers/proxy/tasks.py
-msgid "Terminate session on Proxy outpost."
-msgstr "Terminar sessão no Proxy outpost "
-
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2629,8 +2773,10 @@ msgstr ""
 "branco, nenhuma restrição de audiência será adicionada."
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "Também conhecido como EntityID."
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2849,6 +2995,10 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "Instância SAML"
@@ -2877,6 +3027,14 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr "Salesforce"
 
+#: authentik/providers/scim/models.py
+msgid "Webex"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3156,7 +3314,7 @@ msgstr ""
 "                    Contacte o seu administrador.\n"
 "                "
 
-#: authentik/sources/ldap/api.py
+#: authentik/sources/ldap/api/sources.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
 "Apenas é permitida uma única fonte LDAP com sincronização de palavras-passe"
@@ -3688,6 +3846,12 @@ msgstr ""
 "Permite fluxos de autenticação iniciados pelo IdP. Isto pode ser um risco de"
 " segurança uma vez que não é feita nenhuma validação do ID do pedido."
 
+#: authentik/sources/saml/models.py
+msgid ""
+"When enabled, the IdP will re-authenticate the user even if a session "
+"exists."
+msgstr ""
+
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4112,6 +4276,10 @@ msgstr "Etapas de validação do autenticador"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Nenhum autenticador MFA (permitido) configurado."
 
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "When enabled, a given device can only be registered once."
+msgstr ""
+
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Etapa de configuração do autenticador WebAuthn"
@@ -4249,6 +4417,10 @@ msgstr "OTP E-mail"
 msgid "Event Notification"
 msgstr "Notificação de Evento"
 
+#: authentik/stages/email/models.py authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Convite"
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4368,6 +4540,62 @@ msgstr ""
 "\n"
 "Este e-mail foi enviado a partir do transporte de notificações %(name)s.\n"
 
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"      You're Invited!\n"
+"      "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          You have been invited to join %(host)s. Click the button below to get started.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          This invitation expires %(expires)s.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "Accept Invitation"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
+"    "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "You're Invited!"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid ""
+"You have been invited to join %(host)s. Use the link below to get started."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid "This invitation expires %(expires)s."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid ""
+"If you cannot click the link above, please copy and paste the following URL "
+"into your browser:"
+msgstr ""
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4553,10 +4781,6 @@ msgstr "Quando ativado, o convite será eliminado após utilização."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Dados fixos opcionais a aplicar no registo de utilizadores."
 
-#: authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Convite"
-
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Convites"
@@ -4682,6 +4906,18 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Estático: Valor estático, mostrado tal como é."
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Seleção de localizações suportadas"

locale/ru_RU/LC_MESSAGES/django.po

@@ -6,16 +6,16 @@
 # Translators:
 # Marc Schmitt, 2025
 # Vladimir, 2025
-# Andrey Boyko, 2025
+# Andrey Boyko, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-10 19:27+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Andrey Boyko, 2025\n"
+"Last-Translator: Andrey Boyko, 2026\n"
 "Language-Team: Russian (Russia) (https://app.transifex.com/authentik/teams/119923/ru_RU/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -107,6 +107,14 @@ msgstr "Ошибка валидации"
 msgid "Blueprint file does not exist"
 msgstr "Файл чертежа не существует"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr ""
@@ -115,6 +123,11 @@ msgstr ""
 msgid "Either path or content must be set."
 msgstr "Путь или содержимое должно быть установлено."
 
+#: authentik/blueprints/api.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr ""
+
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Управляется authentik"
@@ -242,9 +255,12 @@ msgstr ""
 "значение true, возвращаются только провайдеры обратного канала. При значении"
 " false провайдеры обратного канала исключаются."
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
 msgstr ""
 
 #: authentik/core/api/users.py
@@ -307,6 +323,12 @@ msgstr ""
 msgid "This field is required."
 msgstr ""
 
+#: authentik/core/apps.py
+msgid ""
+"Configure if applications without any policy/group/user bindings should be "
+"accessible to any user."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "name"
 msgstr "имя"
@@ -413,6 +435,10 @@ msgstr "Внутреннее имя приложения, используемо
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Открыть URL-адрес запуска в новой вкладке или окне браузера."
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Приложение"
@@ -604,6 +630,14 @@ msgstr ""
 msgid "Go home"
 msgstr "Домой"
 
+#: authentik/core/templates/login/base_full.html
+msgid "Site footer"
+msgstr ""
+
+#: authentik/core/templates/login/base_full.html
+msgid "Flow links"
+msgstr ""
+
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -710,6 +744,10 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr ""
 
+#: authentik/endpoints/api/stages.py
+msgid "Selected connector is not compatible with this stage."
+msgstr ""
+
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -764,6 +802,14 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""
 
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclave"
+msgstr ""
+
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclaves"
+msgstr ""
+
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -834,6 +880,12 @@ msgstr "Для создания/обновления этого объекта
 msgid "Enterprise is required to use this endpoint."
 msgstr ""
 
+#: authentik/enterprise/audit/apps.py
+msgid ""
+"Include additional information in audit logs, may incur a performance "
+"penalty."
+msgstr ""
+
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -849,6 +901,19 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""
 
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connector"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connectors"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Проверка вашего браузера..."
+
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -865,10 +930,6 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr ""
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -896,7 +957,8 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
@@ -910,7 +972,7 @@ msgid ""
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
+msgid "Dispatch tasks to apply lifecycle rules."
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
@@ -1136,6 +1198,14 @@ msgstr ""
 msgid "Enterprise is required to use the OAuth mode."
 msgstr ""
 
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Push"
+msgstr ""
+
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Pull"
+msgstr ""
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1217,6 +1287,78 @@ msgstr "Скачать"
 msgid "Generate data export."
 msgstr ""
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
@@ -1236,10 +1378,6 @@ msgstr "Конечное устройство"
 msgid "Endpoint Devices"
 msgstr "Конечные устройства"
 
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Проверка вашего браузера..."
-
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1320,6 +1458,12 @@ msgstr ""
 "Отправлять уведомление только один раз, например, при отправке вебхука в "
 "чат-канал."
 
+#: authentik/events/models.py
+msgid ""
+"When set, the selected ceritifcate is used to validate the certificate of "
+"the webhook server."
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1483,6 +1627,15 @@ msgstr "Предварительные политики потока"
 msgid "Flow"
 msgstr "Поток"
 
+#: authentik/flows/apps.py
+msgid "Refresh other tabs after successful authentication."
+msgstr ""
+
+#: authentik/flows/apps.py
+msgid ""
+"Upon successful authentication, re-start authentication in other open tabs."
+msgstr ""
+
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Поток не применяется к текущему пользователю."
@@ -1595,8 +1748,8 @@ msgstr "Токен потока"
 msgid "Flow Tokens"
 msgstr "Токены потока"
 
-#: authentik/flows/templates/if/flow.html
-msgid "Site footer"
+#: authentik/flows/planner.py
+msgid "This link is invalid or has expired. Please request a new one."
 msgstr ""
 
 #: authentik/flows/views/executor.py
@@ -1983,20 +2136,6 @@ msgstr "Оценка репутации"
 msgid "Reputation Scores"
 msgstr "Оценка репутации"
 
-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Доступ запрещен"
@@ -2124,6 +2263,14 @@ msgstr ""
 msgid "Regular Expression URL matching"
 msgstr ""
 
+#: authentik/providers/oauth2/models.py
+msgid "Authorization"
+msgstr "Авторизация"
+
+#: authentik/providers/oauth2/models.py
+msgid "Logout"
+msgstr "Выход"
+
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr ""
@@ -2478,10 +2625,6 @@ msgstr "Прокси провайдер"
 msgid "Proxy Providers"
 msgstr "Прокси провайдеры"
 
-#: authentik/providers/proxy/tasks.py
-msgid "Terminate session on Proxy outpost."
-msgstr ""
-
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2611,8 +2754,10 @@ msgstr ""
 " ограничение аудитории не будет добавлено."
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "Также известен как EntityID"
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2822,6 +2967,10 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr ""
@@ -2850,6 +2999,14 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr ""
 
+#: authentik/providers/scim/models.py
+msgid "Webex"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3119,7 +3276,7 @@ msgid ""
 "                "
 msgstr ""
 
-#: authentik/sources/ldap/api.py
+#: authentik/sources/ldap/api/sources.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
 
@@ -3646,6 +3803,12 @@ msgstr ""
 "угрозу безопасности, так как проверка идентификатора запроса не "
 "производится."
 
+#: authentik/sources/saml/models.py
+msgid ""
+"When enabled, the IdP will re-authenticate the user even if a session "
+"exists."
+msgstr ""
+
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4059,6 +4222,10 @@ msgstr "Этапы проверки аутентификатора"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Не сконфигурирован ни один (разрешенный) MFA аутентификатор"
 
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "When enabled, a given device can only be registered once."
+msgstr ""
+
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Этап настройки аутентификатора WebAuthn"
@@ -4195,6 +4362,10 @@ msgstr ""
 msgid "Event Notification"
 msgstr ""
 
+#: authentik/stages/email/models.py authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Приглашение"
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4309,6 +4480,62 @@ msgstr ""
 "\n"
 "Это письмо было отправлено с помощью поставщика уведомления %(name)s.\n"
 
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"      You're Invited!\n"
+"      "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          You have been invited to join %(host)s. Click the button below to get started.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          This invitation expires %(expires)s.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "Accept Invitation"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
+"    "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "You're Invited!"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid ""
+"You have been invited to join %(host)s. Use the link below to get started."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid "This invitation expires %(expires)s."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid ""
+"If you cannot click the link above, please copy and paste the following URL "
+"into your browser:"
+msgstr ""
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4488,10 +4715,6 @@ msgstr ""
 "Необязательные фиксированные данные, которые будут применяться при "
 "регистрации пользователя."
 
-#: authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Приглашение"
-
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Приглашения"
@@ -4617,6 +4840,18 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Статический: Статичное значение, отображается как есть."
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Выбор локализаций, которые поддерживает authentik"

locale/tr_TR/LC_MESSAGES/django.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-10 19:27+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Turkish (Turkey) (https://app.transifex.com/authentik/teams/119923/tr_TR/)\n"
@@ -105,6 +105,14 @@ msgstr "Doğrulama Hatası"
 msgid "Blueprint file does not exist"
 msgstr "Plan dosyası mevcut değil"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Plan doğrulanamadı"
@@ -113,6 +121,11 @@ msgstr "Plan doğrulanamadı"
 msgid "Either path or content must be set."
 msgstr "Ya yol ya da içerik ayarlanmalıdır."
 
+#: authentik/blueprints/api.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr ""
+
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Authentik tarafından yönetilmektedir"
@@ -239,9 +252,12 @@ msgstr ""
 "yalnızca arka kanal sağlayıcıları döndürülür. false olarak ayarlandığında, "
 "arka kanal sağlayıcıları hariç tutulur"
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
 msgstr ""
 
 #: authentik/core/api/users.py
@@ -304,6 +320,12 @@ msgstr ""
 msgid "This field is required."
 msgstr ""
 
+#: authentik/core/apps.py
+msgid ""
+"Configure if applications without any policy/group/user bindings should be "
+"accessible to any user."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "name"
 msgstr "isim"
@@ -411,6 +433,10 @@ msgid "Open launch URL in a new browser tab or window."
 msgstr ""
 "Başlatma URL'sini yeni bir tarayıcı sekmesinde veya penceresinde açın."
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Uygulama"
@@ -597,6 +623,14 @@ msgstr ""
 msgid "Go home"
 msgstr "Başa dön"
 
+#: authentik/core/templates/login/base_full.html
+msgid "Site footer"
+msgstr ""
+
+#: authentik/core/templates/login/base_full.html
+msgid "Flow links"
+msgstr ""
+
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -703,6 +737,10 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr ""
 
+#: authentik/endpoints/api/stages.py
+msgid "Selected connector is not compatible with this stage."
+msgstr ""
+
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -757,6 +795,14 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""
 
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclave"
+msgstr ""
+
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclaves"
+msgstr ""
+
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -827,6 +873,12 @@ msgstr "Bu nesneyi oluşturmak/güncellemek için Kurumsal Paket gereklidir."
 msgid "Enterprise is required to use this endpoint."
 msgstr ""
 
+#: authentik/enterprise/audit/apps.py
+msgid ""
+"Include additional information in audit logs, may incur a performance "
+"penalty."
+msgstr ""
+
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -842,6 +894,19 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""
 
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connector"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connectors"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Tarayıcınız doğrulanıyor..."
+
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -858,10 +923,6 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr ""
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -889,7 +950,8 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
@@ -903,7 +965,7 @@ msgid ""
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
+msgid "Dispatch tasks to apply lifecycle rules."
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
@@ -1130,6 +1192,14 @@ msgstr ""
 msgid "Enterprise is required to use the OAuth mode."
 msgstr ""
 
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Push"
+msgstr ""
+
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Pull"
+msgstr ""
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1211,6 +1281,78 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Uç Nokta Kimlik Doğrulayıcı Google Cihaz Güven Bağlayıcısı Aşaması"
@@ -1227,10 +1369,6 @@ msgstr "Uç Nokta Cihazı"
 msgid "Endpoint Devices"
 msgstr "Uç Nokta Cihazları"
 
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Tarayıcınız doğrulanıyor..."
-
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1311,6 +1449,12 @@ msgstr ""
 "Örneğin bir sohbet kanalına web kancası gönderirken yalnızca bir kez "
 "bildirim gönderin."
 
+#: authentik/events/models.py
+msgid ""
+"When set, the selected ceritifcate is used to validate the certificate of "
+"the webhook server."
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1476,6 +1620,15 @@ msgstr "Akış öncesi ilkeleri"
 msgid "Flow"
 msgstr "Akış"
 
+#: authentik/flows/apps.py
+msgid "Refresh other tabs after successful authentication."
+msgstr ""
+
+#: authentik/flows/apps.py
+msgid ""
+"Upon successful authentication, re-start authentication in other open tabs."
+msgstr ""
+
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Akış mevcut kullanıcı için geçerli değildir."
@@ -1589,8 +1742,8 @@ msgstr "Akış Jetonu"
 msgid "Flow Tokens"
 msgstr "Akış Jetonları"
 
-#: authentik/flows/templates/if/flow.html
-msgid "Site footer"
+#: authentik/flows/planner.py
+msgid "This link is invalid or has expired. Please request a new one."
 msgstr ""
 
 #: authentik/flows/views/executor.py
@@ -1972,20 +2125,6 @@ msgstr "İtibar Puanı"
 msgid "Reputation Scores"
 msgstr "İtibar Puanları"
 
-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "İzin reddedildi"
@@ -2112,6 +2251,14 @@ msgstr ""
 msgid "Regular Expression URL matching"
 msgstr ""
 
+#: authentik/providers/oauth2/models.py
+msgid "Authorization"
+msgstr ""
+
+#: authentik/providers/oauth2/models.py
+msgid "Logout"
+msgstr ""
+
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr ""
@@ -2469,10 +2616,6 @@ msgstr "Vekil Sağlayıcı"
 msgid "Proxy Providers"
 msgstr "Vekil Sağlayıcılar"
 
-#: authentik/providers/proxy/tasks.py
-msgid "Terminate session on Proxy outpost."
-msgstr ""
-
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2605,8 +2748,10 @@ msgstr ""
 "herhangi bir hedef kitle kısıtlaması eklenmez."
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "EntityID olarak da bilinir"
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2816,6 +2961,10 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr ""
@@ -2844,6 +2993,14 @@ msgstr ""
 msgid "Salesforce"
 msgstr ""
 
+#: authentik/providers/scim/models.py
+msgid "Webex"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3119,7 +3276,7 @@ msgstr ""
 "                    Lütfen yöneticinizle iletişime geçin.\n"
 "                "
 
-#: authentik/sources/ldap/api.py
+#: authentik/sources/ldap/api/sources.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
 "Parola senkronizasyonuna sahip yalnızca tek bir LDAP Kaynağına izin verilir"
@@ -3646,6 +3803,12 @@ msgstr ""
 "IdP tarafından başlatılan kimlik doğrulama akışlarına izin verir. İstek "
 "kimliğinin doğrulanması yapılmadığından, bu bir güvenlik riski olabilir."
 
+#: authentik/sources/saml/models.py
+msgid ""
+"When enabled, the IdP will re-authenticate the user even if a session "
+"exists."
+msgstr ""
+
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4055,6 +4218,10 @@ msgstr "Kimlik Doğrulayıcı Doğrulama Aşamaları"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Yapılandırılmış (izin verilen) MFA kimlik doğrulayıcısı yok."
 
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "When enabled, a given device can only be registered once."
+msgstr ""
+
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "WebAuthn Authenticator Kurulum Aşaması"
@@ -4190,6 +4357,10 @@ msgstr ""
 msgid "Event Notification"
 msgstr ""
 
+#: authentik/stages/email/models.py authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Davetiye"
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4304,6 +4475,62 @@ msgstr ""
 "\n"
 "Bu e-posta bildirim aktarımından gönderilmiştir %(name)s.\n"
 
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"      You're Invited!\n"
+"      "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          You have been invited to join %(host)s. Click the button below to get started.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          This invitation expires %(expires)s.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "Accept Invitation"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
+"    "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "You're Invited!"
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid ""
+"You have been invited to join %(host)s. Use the link below to get started."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid "This invitation expires %(expires)s."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid ""
+"If you cannot click the link above, please copy and paste the following URL "
+"into your browser:"
+msgstr ""
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4470,10 +4697,6 @@ msgstr "Etkinleştirildiğinde, davetiye kullanımdan sonra silinir."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Kullanıcı kaydında zorlamak için isteğe bağlı sabit veriler."
 
-#: authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Davetiye"
-
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Davetiyeler"
@@ -4595,6 +4818,18 @@ msgstr "Gizli: Gizli alan, form içine veri eklemek için kullanılabilir."
 msgid "Static: Static value, displayed as-is."
 msgstr "Statik: Statik değer, olduğu gibi görüntülenir."
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: authentik'in desteklediği yerel dillerin seçimi"

locale/zh-Hans/LC_MESSAGES/django.po

@@ -8,18 +8,19 @@
 # 刘松, 2025
 # deluxghost, 2025
 # Marc Schmitt, 2025
-# Jens L. <jens@goauthentik.io>, 2025
 # Kuang Jr, 2025
 # RocketDev, 2026
+# Lei Kou, 2026
+# Jens L. <jens@goauthentik.io>, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-02-10 19:27+0000\n"
+"POT-Creation-Date: 2026-05-06 00:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: RocketDev, 2026\n"
+"Last-Translator: Jens L. <jens@goauthentik.io>, 2026\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -113,6 +114,14 @@ msgstr "校验错误"
 msgid "Blueprint file does not exist"
 msgstr "蓝图文件不存在"
 
+#: authentik/blueprints/api.py
+msgid "Context must be valid JSON"
+msgstr ""
+
+#: authentik/blueprints/api.py
+msgid "Context must be a JSON object"
+msgstr ""
+
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "验证蓝图失败"
@@ -121,6 +130,11 @@ msgstr "验证蓝图失败"
 msgid "Either path or content must be set."
 msgstr "必须设置路径或内容。"
 
+#: authentik/blueprints/api.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "用户缺少创建 {model} 的权限"
+
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "由 authentik 管理"
@@ -234,10 +248,13 @@ msgid ""
 "excluded"
 msgstr "如果未设置，则返回所有提供程序。如果启用，仅返回反向通道提供程序。如果禁用，则返回非反向通道提供程序"
 
-#: authentik/core/api/transactional_applications.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "用户缺少创建 {model} 的权限"
+#: authentik/core/api/users.py
+msgid "Invalid password hash format. Must be a valid Django password hash."
+msgstr ""
+
+#: authentik/core/api/users.py
+msgid "Cannot set both password and password_hash. Use only one."
+msgstr ""
 
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -299,6 +316,12 @@ msgstr "未找到电子邮件阶段。"
 msgid "This field is required."
 msgstr "此字段是必需的。"
 
+#: authentik/core/apps.py
+msgid ""
+"Configure if applications without any policy/group/user bindings should be "
+"accessible to any user."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "name"
 msgstr "名称"
@@ -401,6 +424,10 @@ msgstr "应用的内部名称，在 URL 中使用。"
 msgid "Open launch URL in a new browser tab or window."
 msgstr "在新浏览器标签页或窗口中打开启动 URL。"
 
+#: authentik/core/models.py
+msgid "Hide this application from the user's My applications page."
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Application"
 msgstr "应用程序"
@@ -571,6 +598,14 @@ msgstr "移除由 SAML 源创建的临时用户。"
 msgid "Go home"
 msgstr "前往首页"
 
+#: authentik/core/templates/login/base_full.html
+msgid "Site footer"
+msgstr "网站页脚"
+
+#: authentik/core/templates/login/base_full.html
+msgid "Flow links"
+msgstr ""
+
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -675,6 +710,10 @@ msgstr "查看证书-密钥对的私钥"
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "从文件系统中发现、导入并更新证书。"
 
+#: authentik/endpoints/api/stages.py
+msgid "Selected connector is not compatible with this stage."
+msgstr ""
+
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr "所选平台不受支持"
@@ -729,6 +768,14 @@ msgstr "Apple 随机数"
 msgid "Apple Nonces"
 msgstr "Apple 随机数"
 
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclave"
+msgstr ""
+
+#: authentik/endpoints/connectors/agent/models.py
+msgid "Apple Independent Secure Enclaves"
+msgstr ""
+
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr "操作系统名称，例如“Server 2022”或“Ubuntu”"
@@ -799,6 +846,12 @@ msgstr "创建/更新此对象需要企业版。"
 msgid "Enterprise is required to use this endpoint."
 msgstr "企业要求使用这个端点。"
 
+#: authentik/enterprise/audit/apps.py
+msgid ""
+"Include additional information in audit logs, may incur a performance "
+"penalty."
+msgstr ""
+
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -814,13 +867,26 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""
 
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connector"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
+msgid "Google Device Trust Connectors"
+msgstr ""
+
+#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "正在验证您的浏览器…"
+
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
-msgstr ""
+msgstr "您不能为此对象提交评论。"
 
 #: authentik/enterprise/lifecycle/api/rules.py
 msgid "Object does not exist"
-msgstr ""
+msgstr "对象不存在"
 
 #: authentik/enterprise/lifecycle/api/rules.py
 msgid "Either a reviewer group or a reviewer must be set."
@@ -830,10 +896,6 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""
 
-#: authentik/enterprise/lifecycle/api/rules.py
-msgid "Only one type-wide rule for each object type is allowed."
-msgstr ""
-
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -842,26 +904,27 @@ msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
 msgid "Reviewed"
-msgstr ""
+msgstr "已审核"
 
 #: authentik/enterprise/lifecycle/models.py
 msgid "Pending"
-msgstr ""
+msgstr "待处理"
 
 #: authentik/enterprise/lifecycle/models.py
 msgid "Overdue"
-msgstr ""
+msgstr "逾期"
 
 #: authentik/enterprise/lifecycle/models.py
 msgid "Canceled"
-msgstr ""
+msgstr "已取消"
 
 #: authentik/enterprise/lifecycle/models.py
 msgid "Go to {self._get_model_name()}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
-msgid "Access review is due for {self.content_type.name} {str(self.object)}"
+msgid ""
+"Access review is due for {self.content_type.name.lower()} {object_label}"
 msgstr ""
 
 #: authentik/enterprise/lifecycle/models.py
@@ -875,7 +938,7 @@ msgid ""
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to validate lifecycle rules."
+msgid "Dispatch tasks to apply lifecycle rules."
 msgstr ""
 
 #: authentik/enterprise/lifecycle/tasks.py
@@ -1100,6 +1163,14 @@ msgstr "使用 EAP-TLS 需要企业版。"
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "使用 OAuth 模式需要企业版。"
 
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Push"
+msgstr ""
+
+#: authentik/enterprise/providers/ssf/models.py
+msgid "SSF RFC Pull"
+msgstr ""
+
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1181,6 +1252,78 @@ msgstr "下载"
 msgid "Generate data export."
 msgstr "生成数据导出文件。"
 
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "User to lock. If omitted, locks the current user (self-service)."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Lockdown flow is not applicable."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Choose the target account, then return a flow link."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "No lockdown flow configured or the flow is not applicable"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/api.py
+msgid "Permission denied (when targeting another user)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Deactivate the user account (set is_active to False)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Set an unusable password for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Delete all active sessions for the user"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Revoke all tokens for the user (API, app password, recovery, verification, "
+"OAuth)"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid ""
+"Flow to redirect users to after self-service lockdown. This flow should not "
+"require authentication since the user's session is deleted."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stage"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/models.py
+msgid "Account Lockdown Stages"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "No target user specified for account lockdown"
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "You do not have permission to lock down this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Account lockdown failed for this account."
+msgstr ""
+
+#: authentik/enterprise/stages/account_lockdown/stage.py
+msgid "Self-service account lockdown requires a completion flow."
+msgstr ""
+
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "端点身份验证器 Google 设备信任连接器阶段"
@@ -1197,10 +1340,6 @@ msgstr "端点设备"
 msgid "Endpoint Devices"
 msgstr "端点设备"
 
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "正在验证您的浏览器…"
-
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1277,6 +1416,12 @@ msgid ""
 "channel."
 msgstr "仅发送一次通知，例如在向聊天频道发送 Webhook 时。"
 
+#: authentik/events/models.py
+msgid ""
+"When set, the selected ceritifcate is used to validate the certificate of "
+"the webhook server."
+msgstr ""
+
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1435,6 +1580,15 @@ msgstr "流程前置策略"
 msgid "Flow"
 msgstr "流程"
 
+#: authentik/flows/apps.py
+msgid "Refresh other tabs after successful authentication."
+msgstr ""
+
+#: authentik/flows/apps.py
+msgid ""
+"Upon successful authentication, re-start authentication in other open tabs."
+msgstr ""
+
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "流程不应用于当前用户。"
@@ -1536,9 +1690,9 @@ msgstr "流程令牌"
 msgid "Flow Tokens"
 msgstr "流程令牌"
 
-#: authentik/flows/templates/if/flow.html
-msgid "Site footer"
-msgstr "网站页脚"
+#: authentik/flows/planner.py
+msgid "This link is invalid or has expired. Please request a new one."
+msgstr ""
 
 #: authentik/flows/views/executor.py
 msgid "Invalid next URL"
@@ -1546,7 +1700,7 @@ msgstr "无效的 next URL"
 
 #: authentik/lib/sync/incoming/models.py
 msgid "When to trigger sync for outgoing providers"
-msgstr ""
+msgstr "何时触发对外提供商的同步"
 
 #: authentik/lib/sync/outgoing/models.py
 msgid "Controls the number of objects synced in a single task"
@@ -1894,20 +2048,6 @@ msgstr "信誉分数"
 msgid "Reputation Scores"
 msgstr "信誉分数"
 
-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "正在等待身份验证…"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr "您正在另一个标签页中验证身份。身份验证完成后，此页面会刷新。"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "在此标签页中验证身份"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "权限被拒绝"
@@ -2026,6 +2166,14 @@ msgstr "严格 URL 比较"
 msgid "Regular Expression URL matching"
 msgstr "正则表达式 URL 匹配"
 
+#: authentik/providers/oauth2/models.py
+msgid "Authorization"
+msgstr "授权"
+
+#: authentik/providers/oauth2/models.py
+msgid "Logout"
+msgstr "登出"
+
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "反向通道"
@@ -2352,10 +2500,6 @@ msgstr "代理提供程序"
 msgid "Proxy Providers"
 msgstr "代理提供程序"
 
-#: authentik/providers/proxy/tasks.py
-msgid "Terminate session on Proxy outpost."
-msgstr "终止代理前哨的会话。"
-
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2473,8 +2617,10 @@ msgid ""
 msgstr "断言的 Audience 受限字段的值。留空时，不会添加  Audience 限制。"
 
 #: authentik/providers/saml/models.py
-msgid "Also known as EntityID"
-msgstr "也称为 EntityID"
+msgid ""
+"Also known as EntityID. Providing a value overrides the default issuer "
+"generated by authentik."
+msgstr ""
 
 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2668,6 +2814,10 @@ msgstr "当前会话的 SAML NameID 值"
 msgid "SAML NameID format"
 msgstr "SAML NameID 格式"
 
+#: authentik/providers/saml/models.py
+msgid "SAML Issuer used for this session"
+msgstr ""
+
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "SAML 会话"
@@ -2696,6 +2846,14 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr "Salesforce"
 
+#: authentik/providers/scim/models.py
+msgid "Webex"
+msgstr ""
+
+#: authentik/providers/scim/models.py
+msgid "vCenter"
+msgstr ""
+
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr "用于定义组同步范围的组过滤器。"
@@ -2960,7 +3118,7 @@ msgstr ""
 "                    请联系您的管理员。\n"
 "                "
 
-#: authentik/sources/ldap/api.py
+#: authentik/sources/ldap/api/sources.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr "仅允许使用密码同步的单个 LDAP 源"
 
@@ -3468,6 +3626,12 @@ msgid ""
 "risk, as no validation of the request ID is done."
 msgstr "允许由 IdP 启动的身份验证流程。这可能存在安全风险，因为未对请求 ID 进行验证。"
 
+#: authentik/sources/saml/models.py
+msgid ""
+"When enabled, the IdP will re-authenticate the user even if a session "
+"exists."
+msgstr ""
+
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -3870,6 +4034,10 @@ msgstr "身份验证器验证阶段"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "未配置（允许的）MFA 身份验证器。"
 
+#: authentik/stages/authenticator_webauthn/models.py
+msgid "When enabled, a given device can only be registered once."
+msgstr ""
+
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "WebAuthn 身份验证器设置阶段"
@@ -4000,6 +4168,10 @@ msgstr "电子邮件 OTP"
 msgid "Event Notification"
 msgstr "事件通知"
 
+#: authentik/stages/email/models.py authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "邀请"
+
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4112,6 +4284,62 @@ msgstr ""
 "\n"
 "此邮件由通知递送 %(name)s 发送。\n"
 
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"      You're Invited!\n"
+"      "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          You have been invited to join %(host)s. Click the button below to get started.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#, python-format
+msgid ""
+"\n"
+"          This invitation expires %(expires)s.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.html
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "Accept Invitation"
+msgstr "接受邀请"
+
+#: authentik/stages/email/templates/email/invitation.html
+msgid ""
+"\n"
+"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
+"    "
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid "You're Invited!"
+msgstr "你被邀请了！"
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid ""
+"You have been invited to join %(host)s. Use the link below to get started."
+msgstr ""
+
+#: authentik/stages/email/templates/email/invitation.txt
+#, python-format
+msgid "This invitation expires %(expires)s."
+msgstr "此邀请已失效 %(expires)s"
+
+#: authentik/stages/email/templates/email/invitation.txt
+msgid ""
+"If you cannot click the link above, please copy and paste the following URL "
+"into your browser:"
+msgstr "如果无法点击上方链接，请将以下网址复制并粘贴到浏览器中："
+
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4272,10 +4500,6 @@ msgstr "启用后，邀请将在使用后被删除。"
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "在用户注册时强制设置的可选固定数据。"
 
-#: authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "邀请"
-
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "邀请"
@@ -4386,6 +4610,18 @@ msgstr "隐藏：隐藏字段，可用于将数据插入表单。"
 msgid "Static: Static value, displayed as-is."
 msgstr "静态：静态值，按原样显示。"
 
+#: authentik/stages/prompt/models.py
+msgid "Alert (Info): Static alert box with info styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Warning): Static alert box with warning styling"
+msgstr ""
+
+#: authentik/stages/prompt/models.py
+msgid "Alert (Danger): Static alert box with danger styling"
+msgstr ""
+
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik：选择 authentik 支持的语言环境。"

packages/client-ts/package.json

@@ -8,8 +8,8 @@
         "url": "https://github.com/goauthentik/authentik.git"
     },
     "scripts": {
-        "build": "npm run clean && tsc -b tsconfig.json tsconfig.esm.json",
         "clean": "tsc -b --clean tsconfig.json tsconfig.esm.json",
+        "build": "npm run clean && tsc -b tsconfig.json tsconfig.esm.json",
         "prepare": "npm run build"
     },
     "main": "./dist/index.js",

packages/client-ts/src/models/AuthenticatorValidateStage.ts

@@ -124,6 +124,30 @@ export interface AuthenticatorValidateStage {
      * @memberof AuthenticatorValidateStage
      */
     readonly webauthnAllowedDeviceTypesObj: Array<WebAuthnDeviceType>;
+    /**
+     *
+     * @type {number}
+     * @memberof AuthenticatorValidateStage
+     */
+    emailOtpThrottlingFactor?: number;
+    /**
+     *
+     * @type {number}
+     * @memberof AuthenticatorValidateStage
+     */
+    smsOtpThrottlingFactor?: number;
+    /**
+     *
+     * @type {number}
+     * @memberof AuthenticatorValidateStage
+     */
+    totpOtpThrottlingFactor?: number;
+    /**
+     *
+     * @type {number}
+     * @memberof AuthenticatorValidateStage
+     */
+    staticOtpThrottlingFactor?: number;
 }
 
 /**
@@ -193,6 +217,22 @@ export function AuthenticatorValidateStageFromJSONTyped(
         webauthnAllowedDeviceTypesObj: (
             json["webauthn_allowed_device_types_obj"] as Array<any>
         ).map(WebAuthnDeviceTypeFromJSON),
+        emailOtpThrottlingFactor:
+            json["email_otp_throttling_factor"] == null
+                ? undefined
+                : json["email_otp_throttling_factor"],
+        smsOtpThrottlingFactor:
+            json["sms_otp_throttling_factor"] == null
+                ? undefined
+                : json["sms_otp_throttling_factor"],
+        totpOtpThrottlingFactor:
+            json["totp_otp_throttling_factor"] == null
+                ? undefined
+                : json["totp_otp_throttling_factor"],
+        staticOtpThrottlingFactor:
+            json["static_otp_throttling_factor"] == null
+                ? undefined
+                : json["static_otp_throttling_factor"],
     };
 }
 
@@ -232,5 +272,9 @@ export function AuthenticatorValidateStageToJSONTyped(
                 ? undefined
                 : (value["webauthnHints"] as Array<any>).map(WebAuthnHintEnumToJSON),
         webauthn_allowed_device_types: value["webauthnAllowedDeviceTypes"],
+        email_otp_throttling_factor: value["emailOtpThrottlingFactor"],
+        sms_otp_throttling_factor: value["smsOtpThrottlingFactor"],
+        totp_otp_throttling_factor: value["totpOtpThrottlingFactor"],
+        static_otp_throttling_factor: value["staticOtpThrottlingFactor"],
     };
 }

packages/client-ts/src/models/AuthenticatorValidateStageRequest.ts

@@ -78,6 +78,30 @@ export interface AuthenticatorValidateStageRequest {
      * @memberof AuthenticatorValidateStageRequest
      */
     webauthnAllowedDeviceTypes?: Array<string>;
+    /**
+     *
+     * @type {number}
+     * @memberof AuthenticatorValidateStageRequest
+     */
+    emailOtpThrottlingFactor?: number;
+    /**
+     *
+     * @type {number}
+     * @memberof AuthenticatorValidateStageRequest
+     */
+    smsOtpThrottlingFactor?: number;
+    /**
+     *
+     * @type {number}
+     * @memberof AuthenticatorValidateStageRequest
+     */
+    totpOtpThrottlingFactor?: number;
+    /**
+     *
+     * @type {number}
+     * @memberof AuthenticatorValidateStageRequest
+     */
+    staticOtpThrottlingFactor?: number;
 }
 
 /**
@@ -129,6 +153,22 @@ export function AuthenticatorValidateStageRequestFromJSONTyped(
             json["webauthn_allowed_device_types"] == null
                 ? undefined
                 : json["webauthn_allowed_device_types"],
+        emailOtpThrottlingFactor:
+            json["email_otp_throttling_factor"] == null
+                ? undefined
+                : json["email_otp_throttling_factor"],
+        smsOtpThrottlingFactor:
+            json["sms_otp_throttling_factor"] == null
+                ? undefined
+                : json["sms_otp_throttling_factor"],
+        totpOtpThrottlingFactor:
+            json["totp_otp_throttling_factor"] == null
+                ? undefined
+                : json["totp_otp_throttling_factor"],
+        staticOtpThrottlingFactor:
+            json["static_otp_throttling_factor"] == null
+                ? undefined
+                : json["static_otp_throttling_factor"],
     };
 }
 
@@ -161,5 +201,9 @@ export function AuthenticatorValidateStageRequestToJSONTyped(
                 ? undefined
                 : (value["webauthnHints"] as Array<any>).map(WebAuthnHintEnumToJSON),
         webauthn_allowed_device_types: value["webauthnAllowedDeviceTypes"],
+        email_otp_throttling_factor: value["emailOtpThrottlingFactor"],
+        sms_otp_throttling_factor: value["smsOtpThrottlingFactor"],
+        totp_otp_throttling_factor: value["totpOtpThrottlingFactor"],
+        static_otp_throttling_factor: value["staticOtpThrottlingFactor"],
     };
 }

packages/client-ts/src/models/PatchedAuthenticatorValidateStageRequest.ts

@@ -78,6 +78,30 @@ export interface PatchedAuthenticatorValidateStageRequest {
      * @memberof PatchedAuthenticatorValidateStageRequest
      */
     webauthnAllowedDeviceTypes?: Array<string>;
+    /**
+     *
+     * @type {number}
+     * @memberof PatchedAuthenticatorValidateStageRequest
+     */
+    emailOtpThrottlingFactor?: number;
+    /**
+     *
+     * @type {number}
+     * @memberof PatchedAuthenticatorValidateStageRequest
+     */
+    smsOtpThrottlingFactor?: number;
+    /**
+     *
+     * @type {number}
+     * @memberof PatchedAuthenticatorValidateStageRequest
+     */
+    totpOtpThrottlingFactor?: number;
+    /**
+     *
+     * @type {number}
+     * @memberof PatchedAuthenticatorValidateStageRequest
+     */
+    staticOtpThrottlingFactor?: number;
 }
 
 /**
@@ -128,6 +152,22 @@ export function PatchedAuthenticatorValidateStageRequestFromJSONTyped(
             json["webauthn_allowed_device_types"] == null
                 ? undefined
                 : json["webauthn_allowed_device_types"],
+        emailOtpThrottlingFactor:
+            json["email_otp_throttling_factor"] == null
+                ? undefined
+                : json["email_otp_throttling_factor"],
+        smsOtpThrottlingFactor:
+            json["sms_otp_throttling_factor"] == null
+                ? undefined
+                : json["sms_otp_throttling_factor"],
+        totpOtpThrottlingFactor:
+            json["totp_otp_throttling_factor"] == null
+                ? undefined
+                : json["totp_otp_throttling_factor"],
+        staticOtpThrottlingFactor:
+            json["static_otp_throttling_factor"] == null
+                ? undefined
+                : json["static_otp_throttling_factor"],
     };
 }
 
@@ -160,5 +200,9 @@ export function PatchedAuthenticatorValidateStageRequestToJSONTyped(
                 ? undefined
                 : (value["webauthnHints"] as Array<any>).map(WebAuthnHintEnumToJSON),
         webauthn_allowed_device_types: value["webauthnAllowedDeviceTypes"],
+        email_otp_throttling_factor: value["emailOtpThrottlingFactor"],
+        sms_otp_throttling_factor: value["smsOtpThrottlingFactor"],
+        totp_otp_throttling_factor: value["totpOtpThrottlingFactor"],
+        static_otp_throttling_factor: value["staticOtpThrottlingFactor"],
     };
 }

packages/django-dramatiq-postgres/django_dramatiq_postgres/broker.py

@@ -23,7 +23,7 @@ from django.utils.functional import cached_property
 from django.utils.module_loading import import_string
 from dramatiq.broker import Broker, Consumer, MessageProxy
 from dramatiq.common import compute_backoff, current_millis, dq_name, q_name, xq_name
-from dramatiq.errors import BrokerConnectionError, QueueJoinTimeout
+from dramatiq.errors import BrokerConnectionError, DecodeError, QueueJoinTimeout
 from dramatiq.message import Message
 from dramatiq.middleware import Middleware
 from pglock.core import _cast_lock_id
@@ -367,7 +367,18 @@ class _PostgresConsumer(Consumer):
         )
         if task is None:
             return None
-        message = Message.decode(cast(bytes, task.message))
+        try:
+            message = Message.decode(cast(bytes, task.message))
+        except DecodeError:
+            self.logger.error(
+                "Failed to decode task, rejecting", queue=self.queue_name, message_id=message_id
+            )
+            self.query_set.filter(message_id=message_id, queue_name=self.queue_name).update(
+                state=TaskState.REJECTED,
+                mtime=timezone.now(),
+                eta=None,
+            )
+            return None
         message.options["task"] = task
         self.in_processing.add(str(message_id))
         return message

schema.yml

@@ -9678,14 +9678,18 @@ paths:
       security:
       - authentik: []
       responses:
-        '200':
+        '204':
           content:
             application/json:
               schema:
                 $ref: '#/components/schemas/BlueprintImportResult'
           description: ''
         '400':
-          $ref: '#/components/responses/ValidationErrorResponse'
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/BlueprintImportResult'
+          description: ''
         '403':
           $ref: '#/components/responses/GenericErrorResponse'
   /oauth2/access_tokens/:
@@ -35609,6 +35613,18 @@ components:
           items:
             $ref: '#/components/schemas/WebAuthnDeviceType'
           readOnly: true
+        email_otp_throttling_factor:
+          type: number
+          format: double
+        sms_otp_throttling_factor:
+          type: number
+          format: double
+        totp_otp_throttling_factor:
+          type: number
+          format: double
+        static_otp_throttling_factor:
+          type: number
+          format: double
       required:
       - component
       - flow_set
@@ -35658,6 +35674,18 @@ components:
           items:
             type: string
             format: uuid
+        email_otp_throttling_factor:
+          type: number
+          format: double
+        sms_otp_throttling_factor:
+          type: number
+          format: double
+        totp_otp_throttling_factor:
+          type: number
+          format: double
+        static_otp_throttling_factor:
+          type: number
+          format: double
       required:
       - name
     AuthenticatorValidationChallenge:
@@ -48091,6 +48119,18 @@ components:
           items:
             type: string
             format: uuid
+        email_otp_throttling_factor:
+          type: number
+          format: double
+        sms_otp_throttling_factor:
+          type: number
+          format: double
+        totp_otp_throttling_factor:
+          type: number
+          format: double
+        static_otp_throttling_factor:
+          type: number
+          format: double
     PatchedAuthenticatorWebAuthnStageRequest:
       type: object
       description: AuthenticatorWebAuthnStage Serializer

web/package-lock.json

@@ -43,7 +43,7 @@
                 "@patternfly/elements": "^4.4.0",
                 "@patternfly/patternfly": "^4.224.2",
                 "@playwright/test": "^1.59.1",
-                "@sentry/browser": "^10.50.0",
+                "@sentry/browser": "^10.51.0",
                 "@storybook/addon-docs": "^10.3.6",
                 "@storybook/addon-links": "^10.3.6",
                 "@storybook/web-components": "^10.3.6",
@@ -78,7 +78,7 @@
                 "globals": "^17.5.0",
                 "guacamole-common-js": "^1.5.0",
                 "hastscript": "^9.0.1",
-                "knip": "^6.7.0",
+                "knip": "^6.9.0",
                 "lex": "^2025.11.0",
                 "lit": "^3.3.2",
                 "lit-analyzer": "^2.0.3",
@@ -687,9 +687,9 @@
             }
         },
         "node_modules/@emnapi/core": {
-            "version": "1.9.2",
-            "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.2.tgz",
-            "integrity": "sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==",
+            "version": "1.10.0",
+            "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
+            "integrity": "sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==",
             "license": "MIT",
             "optional": true,
             "dependencies": {
@@ -698,9 +698,9 @@
             }
         },
         "node_modules/@emnapi/runtime": {
-            "version": "1.9.2",
-            "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.2.tgz",
-            "integrity": "sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==",
+            "version": "1.10.0",
+            "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz",
+            "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==",
             "license": "MIT",
             "optional": true,
             "dependencies": {
@@ -2224,9 +2224,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-android-arm-eabi": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm-eabi/-/binding-android-arm-eabi-0.127.0.tgz",
-            "integrity": "sha512-0LC7ye4hvqbIKxAzThzvswgHLFu2AURKzYLeSVvLdu2TBOYWQDmHnTqPLeA597BcUCxiLqLsS4CJ5uoI5WYWCQ==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm-eabi/-/binding-android-arm-eabi-0.128.0.tgz",
+            "integrity": "sha512-aca6ZvzmCBUGOANQRiRQRZuRKYI3ENhcit6GisnknOOmcezfQc7xJ4dxlPU7MV7mOvrC7RNR1u3LAD7xyaiCxA==",
             "cpu": [
                 "arm"
             ],
@@ -2240,9 +2240,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-android-arm64": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm64/-/binding-android-arm64-0.127.0.tgz",
-            "integrity": "sha512-b5jtVTH6AU5CJXHNdj7Jj9IEiR9yVjjnwHzPJhGyHGPdcsZSzBCkS9GBbV33niRMvKthDwQRFRJfI4a+k4PvYg==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-android-arm64/-/binding-android-arm64-0.128.0.tgz",
+            "integrity": "sha512-BbeDmuohoJ7Rz/it5wnkj69i/OsCPS3Z51nLEzwO/Y6YshtC4JU+15oNwhY8v4LRKRYclRc7ggOikwrsJ/eOEQ==",
             "cpu": [
                 "arm64"
             ],
@@ -2256,9 +2256,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-darwin-arm64": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-arm64/-/binding-darwin-arm64-0.127.0.tgz",
-            "integrity": "sha512-obCE8B7ISKkJidjlhv9xRGJPOSDG2Yu6PRga9Ruaz35uintHxbp1Ki/Yc71wx4rj3Edrm0a1kzG1TAwit0wFpg==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-arm64/-/binding-darwin-arm64-0.128.0.tgz",
+            "integrity": "sha512-tRUHPt80417QmvNpoSslJT1VY8NUbWdrWR+L14Zn+RbOTcaqB8E6PYE/ZGN8jjWBzqporiA/H4MfO50ew/NCNA==",
             "cpu": [
                 "arm64"
             ],
@@ -2272,9 +2272,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-darwin-x64": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-x64/-/binding-darwin-x64-0.127.0.tgz",
-            "integrity": "sha512-JL6Xb5IwPQT8rUzlpsX7E+AgfcdNklXNPFp8pjCQQ5MQOQo5rtEB2ui+3Hgg9Sn7Y9Egj6YOLLiHhLpdAe12Aw==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-darwin-x64/-/binding-darwin-x64-0.128.0.tgz",
+            "integrity": "sha512-rWI2Hb1Nt3U/vKsjyNvZzDC8i/l144U20DKjhzaTmwIhIiSRGeroPWWiImwypmKLqrw8GuIixbWJkpGWLbkzrQ==",
             "cpu": [
                 "x64"
             ],
@@ -2288,9 +2288,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-freebsd-x64": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-freebsd-x64/-/binding-freebsd-x64-0.127.0.tgz",
-            "integrity": "sha512-SDQ/3MQFw58fqQz3Z1PhSKFF3JoCF4gmlNjziDm8X02tTahCw0qJbd7FGPDKw1i4VTBZene9JPyC3mHtSvi+wA==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-freebsd-x64/-/binding-freebsd-x64-0.128.0.tgz",
+            "integrity": "sha512-hhpdVMaNCLgQxjgNPeeFzSeJMmZPc5lKfv0NGSI3egZq9EdnEGqeC8JsYsQjK7PoQgbvZ17xlj0SO5ziH5Obkg==",
             "cpu": [
                 "x64"
             ],
@@ -2304,9 +2304,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-arm-gnueabihf": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-0.127.0.tgz",
-            "integrity": "sha512-Av+D1MIqzV0YMGPT9we2SIZaMKD7Cxs4CvXSx/yxaWHewZjYEjScpOf5igc8IILASViw4WTnjlwUdI1KzVtDHQ==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-0.128.0.tgz",
+            "integrity": "sha512-093zNw0zZ/e/obML+rhlSdmnzR0mVZluPcAkxunEc5E3F0yBVsFn24Y1ILfsEte11Ud041qn/gp2OJ1jxNqUng==",
             "cpu": [
                 "arm"
             ],
@@ -2320,9 +2320,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-arm-musleabihf": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-musleabihf/-/binding-linux-arm-musleabihf-0.127.0.tgz",
-            "integrity": "sha512-Cs2fdJ8cPpFdeebj6p4dag8A4+56hPvZ0AhQQzlaLswGz1tz7bXt1nETLeorrM9+AMcWFFkqxcXwDGfTVidY8g==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm-musleabihf/-/binding-linux-arm-musleabihf-0.128.0.tgz",
+            "integrity": "sha512-fq7DmKmfC+dvD97IXrgbph6Jzwe0EDu+PYMofmzZ6fv5X1k9vtaqLpDGMuICO9MmUnyKAQmVl+wIv2RNy4Dz8g==",
             "cpu": [
                 "arm"
             ],
@@ -2336,9 +2336,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-arm64-gnu": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-0.127.0.tgz",
-            "integrity": "sha512-qdOfTcT6SY8gsJrrV92uyEUyjqMGPpIB5JZUG6QN5dukYd+7/j0kX6MwK1DgQj39jtUYixxPiaRUiEN1+0CXgQ==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-0.128.0.tgz",
+            "integrity": "sha512-Xvm48jJah8TlIrURIjNOP/gNiGe6aKvCB+r06VliflFo8Kq7VOLE8PxtgShJzZIqubrgdMdYfvuPPozn7F6MbQ==",
             "cpu": [
                 "arm64"
             ],
@@ -2352,9 +2352,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-arm64-musl": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-musl/-/binding-linux-arm64-musl-0.127.0.tgz",
-            "integrity": "sha512-EoTCZneNFU/P2qrpEM+RHmQwt+CvDkyGESG6qhr7KaegXLZwePfbrkCDfAk8/rhxbDUVGsZILX+2tqPzFtoFWA==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-arm64-musl/-/binding-linux-arm64-musl-0.128.0.tgz",
+            "integrity": "sha512-M7iwBGmYJTx+pKOYFjI0buop4gJvlmcVzFGaXPt21DKpQkbQZG1f63Yg7LloIYT/t9yLxCw0Lhfx/RFlAlMSjA==",
             "cpu": [
                 "arm64"
             ],
@@ -2368,9 +2368,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-ppc64-gnu": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-0.127.0.tgz",
-            "integrity": "sha512-zALjmZYgxFLHjXeudcDF0xFGNydTAtkAeXAr2EuC17ywCyFxcmQra4w0BMde0Yi/re4Bi4iwEoEXtYN7l6eBLQ==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-0.128.0.tgz",
+            "integrity": "sha512-21LGNIZb1Pcfk5/EGsqabrxv4yqQOWis1407JJrClS7XpFCrbvr74YAB1V+m54cYbwvO6UWwQqS4WecxiyfCRg==",
             "cpu": [
                 "ppc64"
             ],
@@ -2384,9 +2384,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-riscv64-gnu": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-gnu/-/binding-linux-riscv64-gnu-0.127.0.tgz",
-            "integrity": "sha512-fPP8M6zQLS7Jz7o9d5ArUSuAuSK3e+WCYVrCpdzeCOejidtZExJ9tjhDrAd3HEPqARBCPmdpqxESPFqy44vkBQ==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-gnu/-/binding-linux-riscv64-gnu-0.128.0.tgz",
+            "integrity": "sha512-gyHjOTFpg9bTTYjxPmQirvufb89+VdZwVfcMtAUyPr6F5H8ZswvCQshK4qOW+Q+2Xyb33hduRgY/eFHJQjU/vQ==",
             "cpu": [
                 "riscv64"
             ],
@@ -2400,9 +2400,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-riscv64-musl": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-musl/-/binding-linux-riscv64-musl-0.127.0.tgz",
-            "integrity": "sha512-7IcC4Ao02oGpfnjt+X/oF4U2mllo2qoSkw5xxiXNKL9MCTsTiAC6616beOuehdxGcnz1bRoPC1RQ2f1GQDdN+g==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-riscv64-musl/-/binding-linux-riscv64-musl-0.128.0.tgz",
+            "integrity": "sha512-X6Q2oKUrP5GyDd2xniuEBLk6aFQCZ97W2+aVXGgJXdjx5t4/oFuA9ri0wLOUrBIX+qdSuK581snMBio4z910eA==",
             "cpu": [
                 "riscv64"
             ],
@@ -2416,9 +2416,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-s390x-gnu": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-0.127.0.tgz",
-            "integrity": "sha512-pbXIhiNFHoqWeqDNLiJ9JkpHz1IM9k4DXa66x+1GTWMG7iLxtkXgE53iiuKSXwmk3zIYmaPVfBvgcAhS583K4Q==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-0.128.0.tgz",
+            "integrity": "sha512-BdzTmqxfxoYkpgokoLaSnOX6T+R3/goL42klre2tnG+kHbG2TXS0VN+P5BPofH1axdKOHy5ei4ENZrjmCOt2lA==",
             "cpu": [
                 "s390x"
             ],
@@ -2432,9 +2432,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-x64-gnu": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-gnu/-/binding-linux-x64-gnu-0.127.0.tgz",
-            "integrity": "sha512-MYCguB9RvBvlSd6gbuNI7QwiLoCCAlGnlRJFPrzLI6U1/9wkC/WK6LtBAUln55H1Ctqw45PWmqrobKoMhsYQzQ==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-gnu/-/binding-linux-x64-gnu-0.128.0.tgz",
+            "integrity": "sha512-OO1nW2Q7sSYYvJZpDHdvyFSdRaVcQqRijZSSmWVMqFxPYy8cEF45zJ9fcdIYuzIT3jYq6YRhEFm/VMWNWhE22Q==",
             "cpu": [
                 "x64"
             ],
@@ -2448,9 +2448,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-linux-x64-musl": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-musl/-/binding-linux-x64-musl-0.127.0.tgz",
-            "integrity": "sha512-5eY0B/bxf1xIUxb4NOTvOI3KWtBQfPWYyKAzgcrCt0mDibSZygVpO1Pz8bkeiSZ5Jj9+M09dkggG3H8I5d0Uyg==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-linux-x64-musl/-/binding-linux-x64-musl-0.128.0.tgz",
+            "integrity": "sha512-4NehAe404MRdoZVS9DW8C5XbJwbXIc/KfVlYdpi5vE4081zc9Y0YzKVqyOYj/Puye7/Do+ohaONBFWlEHYl9hw==",
             "cpu": [
                 "x64"
             ],
@@ -2464,9 +2464,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-openharmony-arm64": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-openharmony-arm64/-/binding-openharmony-arm64-0.127.0.tgz",
-            "integrity": "sha512-Gld0ajrFTUXNtdw20fVBuTQx66FA75nIVg+//pPfR3sXkuABB4mTBhl3r9JNzrJpgW//qiwxf0nWXUWGJSL3UQ==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-openharmony-arm64/-/binding-openharmony-arm64-0.128.0.tgz",
+            "integrity": "sha512-kVbqgW9xLL8bh8oc7aYOJilRKXE5G33+tE0jan+duo/9OriaFRpijcCwT2waWs2oqYROYq0GlE7/p3ywoshVeg==",
             "cpu": [
                 "arm64"
             ],
@@ -2480,17 +2480,17 @@
             }
         },
         "node_modules/@oxc-parser/binding-wasm32-wasi": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-wasm32-wasi/-/binding-wasm32-wasi-0.127.0.tgz",
-            "integrity": "sha512-T6KVD7rhLzFlwGRXMnxUFfkCZD8FHnb968wVXW1mXzgRFc5RNXOBY2mPPDZ77x5Ln76ltLMgtPg0cOkU1NSrEQ==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-wasm32-wasi/-/binding-wasm32-wasi-0.128.0.tgz",
+            "integrity": "sha512-L38ojghJYHmgiz6fJd7jwLB/ESDBpB02NdFxh+smqVM6P2anCEvHn0jhaSrt5eVNR1Ak8+moOeftUlofeyvniA==",
             "cpu": [
                 "wasm32"
             ],
             "license": "MIT",
             "optional": true,
             "dependencies": {
-                "@emnapi/core": "1.9.2",
-                "@emnapi/runtime": "1.9.2",
+                "@emnapi/core": "1.10.0",
+                "@emnapi/runtime": "1.10.0",
                 "@napi-rs/wasm-runtime": "^1.1.4"
             },
             "engines": {
@@ -2498,9 +2498,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-win32-arm64-msvc": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-0.127.0.tgz",
-            "integrity": "sha512-Ujvw4X+LD1CCGULcsQcvb4YNVoBGqt+JHgNNzGGaCImELiZLk477ifUH53gIbE7EKd933NdTi25JWEr9K2HwXw==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-0.128.0.tgz",
+            "integrity": "sha512-xgvO35GyHBtjlQ5AEpaYr7Rll1rvY7zqIhT6ty8E3ezBW2J1SFLjIDEvI/tcgDg6oaseDAqVcM+jU1HuCekgZw==",
             "cpu": [
                 "arm64"
             ],
@@ -2514,9 +2514,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-win32-ia32-msvc": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-0.127.0.tgz",
-            "integrity": "sha512-0cwxKO7KHQQQfo4Uf4B2SQrhgm+cJaP9OvFFhx52Tkg4bezsacu83GB2/In5bC415Ueeym+kXdnge/57rbSfTw==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-0.128.0.tgz",
+            "integrity": "sha512-OY+3eM2SN72prHKRB22mPz8o5A/7dJ+f5DFLBVvggyZhEaNDAH9IB+ElMjmOkOIwf5MDCUAowCK7pAncNxzpBA==",
             "cpu": [
                 "ia32"
             ],
@@ -2530,9 +2530,9 @@
             }
         },
         "node_modules/@oxc-parser/binding-win32-x64-msvc": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-x64-msvc/-/binding-win32-x64-msvc-0.127.0.tgz",
-            "integrity": "sha512-rOrnSQSCbhI2kowr9XxE7m9a8oQXnBHjnS6j95LxxAnEZ0+Fz20WlRXG4ondQb+ejjt2KOsa65sE6++L6kUd+w==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-parser/binding-win32-x64-msvc/-/binding-win32-x64-msvc-0.128.0.tgz",
+            "integrity": "sha512-NE9ny+cPUCCObXa0IKLfj0tCdPd7pe/dz9ZpkxpUOymB3miNeMPybdlYYTBSGJUalMWeBM85/4JcCErCNTqOXw==",
             "cpu": [
                 "x64"
             ],
@@ -3104,27 +3104,6 @@
                 "node": "^20.19.0 || >=22.12.0"
             }
         },
-        "node_modules/@rolldown/binding-wasm32-wasi/node_modules/@emnapi/core": {
-            "version": "1.10.0",
-            "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.10.0.tgz",
-            "integrity": "sha512-yq6OkJ4p82CAfPl0u9mQebQHKPJkY7WrIuk205cTYnYe+k2Z8YBh11FrbRG/H6ihirqcacOgl2BIO8oyMQLeXw==",
-            "license": "MIT",
-            "optional": true,
-            "dependencies": {
-                "@emnapi/wasi-threads": "1.2.1",
-                "tslib": "^2.4.0"
-            }
-        },
-        "node_modules/@rolldown/binding-wasm32-wasi/node_modules/@emnapi/runtime": {
-            "version": "1.10.0",
-            "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.10.0.tgz",
-            "integrity": "sha512-ewvYlk86xUoGI0zQRNq/mC+16R1QeDlKQy21Ki3oSYXNgLb45GV1P6A0M+/s6nyCuNDqe5VpaY84BzXGwVbwFA==",
-            "license": "MIT",
-            "optional": true,
-            "dependencies": {
-                "tslib": "^2.4.0"
-            }
-        },
         "node_modules/@rolldown/binding-win32-arm64-msvc": {
             "version": "1.0.0-rc.17",
             "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.17.tgz",
@@ -3614,75 +3593,75 @@
             "license": "MIT"
         },
         "node_modules/@sentry-internal/browser-utils": {
-            "version": "10.50.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-10.50.0.tgz",
-            "integrity": "sha512-42bxyRTxnCmYlWnvz4CxikuQNanw8UNma2WJrtxJ0f1MAJV2GhQGSHDLnA+lvFlmiz6qct3pfen/NXGyOTegTA==",
+            "version": "10.51.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-10.51.0.tgz",
+            "integrity": "sha512-lNKBS4P7RUvf1niojXQWe9bU3gnBUCbST4Dj0pSiyat1N96cXVyHkeE+uGxowD0RrVWhs+kGHiVX3FcmRWF6sA==",
             "license": "MIT",
             "dependencies": {
-                "@sentry/core": "10.50.0"
+                "@sentry/core": "10.51.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/feedback": {
-            "version": "10.50.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-10.50.0.tgz",
-            "integrity": "sha512-0k9XZF0wn86f77mIO2U3gNNyDZooy139CnEanRzHinrN106vVzvBZ6TUEQoHtoO1fqQxr+nWWVrqV/PXUqk47w==",
+            "version": "10.51.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-10.51.0.tgz",
+            "integrity": "sha512-bCM95bcpphx28e6aU0bwRLxOgwosYsdNzezM1sM0pVOkb0TB3hDFRamramVDK+/Hp1o8qmRxS4c5w/A7YBZGkA==",
             "license": "MIT",
             "dependencies": {
-                "@sentry/core": "10.50.0"
+                "@sentry/core": "10.51.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/replay": {
-            "version": "10.50.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-10.50.0.tgz",
-            "integrity": "sha512-51FYNfnvVLAWw1rrEWPFfwHuMRb9mkVCFGA4J9/un7SpeGBsQDziGB0Di4fsCxI7+EdSBpfLHPF0csKtCCw0oQ==",
+            "version": "10.51.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-10.51.0.tgz",
+            "integrity": "sha512-jCpI5HXSwK6ZT2HX70+mDRciAocHzSiDk4DTgvzV69Wvd+Ei5WLgE+d39eaEPsm8lUC0Ydntb5sJIB6uG9D4bw==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/browser-utils": "10.50.0",
-                "@sentry/core": "10.50.0"
+                "@sentry-internal/browser-utils": "10.51.0",
+                "@sentry/core": "10.51.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry-internal/replay-canvas": {
-            "version": "10.50.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-10.50.0.tgz",
-            "integrity": "sha512-jx6RKBmcJSWdI92qDGS/sBv1w+7Cww879Z/moX7bw7ipHa/Ts3iDcB3rgZwvhmi17U+mvYsbJeL2DXkPo3TjPw==",
+            "version": "10.51.0",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-10.51.0.tgz",
+            "integrity": "sha512-8PW1Pp+Yl3lPwYqhBCr5SgkuhDanu9ZLzUqD2bPKL/ElqbM2eDVIWxq4z4ZzePrmZa6IcCjTv6sVQJ7Z4dLyLA==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/replay": "10.50.0",
-                "@sentry/core": "10.50.0"
+                "@sentry-internal/replay": "10.51.0",
+                "@sentry/core": "10.51.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry/browser": {
-            "version": "10.50.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-10.50.0.tgz",
-            "integrity": "sha512-1f6rAvET6myiTaSeYqvaaBwvq1LfxqWjAPIoAW/NVC9bPMkeEcuvgDajHrnZMrBeWoJ81NMyoLkyX+iOc7MoFA==",
+            "version": "10.51.0",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-10.51.0.tgz",
+            "integrity": "sha512-Zdc0sKfenxUtW/OGhtJ7xHFN44bXR7YqxJ1zBDzlZfW0nTbeTTUZBq9z5NUw6qdS0Vs/i3V4qzAKTbRKWfqSEA==",
             "license": "MIT",
             "dependencies": {
-                "@sentry-internal/browser-utils": "10.50.0",
-                "@sentry-internal/feedback": "10.50.0",
-                "@sentry-internal/replay": "10.50.0",
-                "@sentry-internal/replay-canvas": "10.50.0",
-                "@sentry/core": "10.50.0"
+                "@sentry-internal/browser-utils": "10.51.0",
+                "@sentry-internal/feedback": "10.51.0",
+                "@sentry-internal/replay": "10.51.0",
+                "@sentry-internal/replay-canvas": "10.51.0",
+                "@sentry/core": "10.51.0"
             },
             "engines": {
                 "node": ">=18"
             }
         },
         "node_modules/@sentry/core": {
-            "version": "10.50.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-10.50.0.tgz",
-            "integrity": "sha512-J4A+vzUO3adl0TkFCjaN1+4miamrjHiEIYuLHiuu1lmAjq5WIVw32ObvAh4yMwNtxyaEMosTrrh5M6f12XSJFg==",
+            "version": "10.51.0",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-10.51.0.tgz",
+            "integrity": "sha512-Y45V/YXvVLEXmOdkbD1oG1gkRWFi9guCEGg3PlIlIpRjAbZUrvLGgjRJIc1E7XpSzmOnWbs5BbUxMv4PDaPj2w==",
             "license": "MIT",
             "engines": {
                 "node": ">=18"
@@ -6644,9 +6623,9 @@
             }
         },
         "node_modules/basic-ftp": {
-            "version": "5.3.0",
-            "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.0.tgz",
-            "integrity": "sha512-5K9eNNn7ywHPsYnFwjKgYH8Hf8B5emh7JKcPaVjjrMJFQQwGpwowEnZNEtHs7DfR7hCZsmaK3VA4HUK0YarT+w==",
+            "version": "5.3.1",
+            "resolved": "https://registry.npmjs.org/basic-ftp/-/basic-ftp-5.3.1.tgz",
+            "integrity": "sha512-bopVNp6ugyA150DDuZfPFdt1KZ5a94ZDiwX4hMgZDzF+GttD80lEy8kj98kbyhLXnPvhtIo93mdnLIjpCAeeOw==",
             "license": "MIT",
             "optional": true,
             "engines": {
@@ -11590,9 +11569,9 @@
             }
         },
         "node_modules/knip": {
-            "version": "6.7.0",
-            "resolved": "https://registry.npmjs.org/knip/-/knip-6.7.0.tgz",
-            "integrity": "sha512-ckL51NDH1YJxnv1kNB0iUdDngB4f/e9Igz8uIqYfmNDoyOFmmk1V0WFv3LQ7/hzC63b2Z9X41gGUE9eOWrZpaA==",
+            "version": "6.9.0",
+            "resolved": "https://registry.npmjs.org/knip/-/knip-6.9.0.tgz",
+            "integrity": "sha512-2GLjxteBwmsSA3Z5sJZpPDaNPBIMnlm4/9Nx4CZadEK7YccJZ2/4kwKgPWhVYEqxhwhD0WO4txWXNGTO/Odkkg==",
             "funding": [
                 {
                     "type": "github",
@@ -11610,7 +11589,7 @@
                 "get-tsconfig": "4.14.0",
                 "jiti": "^2.6.0",
                 "minimist": "^1.2.8",
-                "oxc-parser": "^0.127.0",
+                "oxc-parser": "^0.128.0",
                 "oxc-resolver": "^11.19.1",
                 "picomatch": "^4.0.4",
                 "smol-toml": "^1.6.1",
@@ -14304,12 +14283,12 @@
             }
         },
         "node_modules/oxc-parser": {
-            "version": "0.127.0",
-            "resolved": "https://registry.npmjs.org/oxc-parser/-/oxc-parser-0.127.0.tgz",
-            "integrity": "sha512-bkgD4qHlN7WxLdX8bLXdaU54TtQtAIg/ZBAfm0aje/mo3MRDo3P0hZSgr4U7O3xfX+fQmR5AP04JS/TGcZLcFA==",
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/oxc-parser/-/oxc-parser-0.128.0.tgz",
+            "integrity": "sha512-XkOw3eiIxAgQ19WRew/Bq9wc5Ga/guaWIzDBzq80z1PyuDNGvWBpPby9k6YGwV8A8uMw+Nlq3xqlzuDYmUFYUw==",
             "license": "MIT",
             "dependencies": {
-                "@oxc-project/types": "^0.127.0"
+                "@oxc-project/types": "^0.128.0"
             },
             "engines": {
                 "node": "^20.19.0 || >=22.12.0"
@@ -14318,26 +14297,35 @@
                 "url": "https://github.com/sponsors/Boshen"
             },
             "optionalDependencies": {
-                "@oxc-parser/binding-android-arm-eabi": "0.127.0",
-                "@oxc-parser/binding-android-arm64": "0.127.0",
-                "@oxc-parser/binding-darwin-arm64": "0.127.0",
-                "@oxc-parser/binding-darwin-x64": "0.127.0",
-                "@oxc-parser/binding-freebsd-x64": "0.127.0",
-                "@oxc-parser/binding-linux-arm-gnueabihf": "0.127.0",
-                "@oxc-parser/binding-linux-arm-musleabihf": "0.127.0",
-                "@oxc-parser/binding-linux-arm64-gnu": "0.127.0",
-                "@oxc-parser/binding-linux-arm64-musl": "0.127.0",
-                "@oxc-parser/binding-linux-ppc64-gnu": "0.127.0",
-                "@oxc-parser/binding-linux-riscv64-gnu": "0.127.0",
-                "@oxc-parser/binding-linux-riscv64-musl": "0.127.0",
-                "@oxc-parser/binding-linux-s390x-gnu": "0.127.0",
-                "@oxc-parser/binding-linux-x64-gnu": "0.127.0",
-                "@oxc-parser/binding-linux-x64-musl": "0.127.0",
-                "@oxc-parser/binding-openharmony-arm64": "0.127.0",
-                "@oxc-parser/binding-wasm32-wasi": "0.127.0",
-                "@oxc-parser/binding-win32-arm64-msvc": "0.127.0",
-                "@oxc-parser/binding-win32-ia32-msvc": "0.127.0",
-                "@oxc-parser/binding-win32-x64-msvc": "0.127.0"
+                "@oxc-parser/binding-android-arm-eabi": "0.128.0",
+                "@oxc-parser/binding-android-arm64": "0.128.0",
+                "@oxc-parser/binding-darwin-arm64": "0.128.0",
+                "@oxc-parser/binding-darwin-x64": "0.128.0",
+                "@oxc-parser/binding-freebsd-x64": "0.128.0",
+                "@oxc-parser/binding-linux-arm-gnueabihf": "0.128.0",
+                "@oxc-parser/binding-linux-arm-musleabihf": "0.128.0",
+                "@oxc-parser/binding-linux-arm64-gnu": "0.128.0",
+                "@oxc-parser/binding-linux-arm64-musl": "0.128.0",
+                "@oxc-parser/binding-linux-ppc64-gnu": "0.128.0",
+                "@oxc-parser/binding-linux-riscv64-gnu": "0.128.0",
+                "@oxc-parser/binding-linux-riscv64-musl": "0.128.0",
+                "@oxc-parser/binding-linux-s390x-gnu": "0.128.0",
+                "@oxc-parser/binding-linux-x64-gnu": "0.128.0",
+                "@oxc-parser/binding-linux-x64-musl": "0.128.0",
+                "@oxc-parser/binding-openharmony-arm64": "0.128.0",
+                "@oxc-parser/binding-wasm32-wasi": "0.128.0",
+                "@oxc-parser/binding-win32-arm64-msvc": "0.128.0",
+                "@oxc-parser/binding-win32-ia32-msvc": "0.128.0",
+                "@oxc-parser/binding-win32-x64-msvc": "0.128.0"
+            }
+        },
+        "node_modules/oxc-parser/node_modules/@oxc-project/types": {
+            "version": "0.128.0",
+            "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.128.0.tgz",
+            "integrity": "sha512-huv1Y/LzBJkBVHt3OlC7u0zHBW9qXf1FdD7sGmc1rXc2P1mTwHssYv7jyGx5KAACSCH+9B3Bhn6Z9luHRvf7pQ==",
+            "license": "MIT",
+            "funding": {
+                "url": "https://github.com/sponsors/Boshen"
             }
         },
         "node_modules/oxc-resolver": {

web/package.json

@@ -119,7 +119,7 @@
         "@patternfly/elements": "^4.4.0",
         "@patternfly/patternfly": "^4.224.2",
         "@playwright/test": "^1.59.1",
-        "@sentry/browser": "^10.50.0",
+        "@sentry/browser": "^10.51.0",
         "@storybook/addon-docs": "^10.3.6",
         "@storybook/addon-links": "^10.3.6",
         "@storybook/web-components": "^10.3.6",
@@ -154,7 +154,7 @@
         "globals": "^17.5.0",
         "guacamole-common-js": "^1.5.0",
         "hastscript": "^9.0.1",
-        "knip": "^6.7.0",
+        "knip": "^6.9.0",
         "lex": "^2025.11.0",
         "lit": "^3.3.2",
         "lit-analyzer": "^2.0.3",

web/src/admin/stages/authenticator_validate/AuthenticatorValidateStageForm.ts

@@ -232,6 +232,70 @@ export class AuthenticatorValidateStageForm extends BaseStageForm<AuthenticatorV
                         : nothing}
                 </div>
             </ak-form-group>
+            <ak-form-group label="${msg("Throttling settings")}">
+                <ak-form-element-horizontal
+                    label=${msg("Email OTP throttling factor")}
+                    required
+                    name="emailOtpThrottlingFactor"
+                >
+                    <input
+                        type="number"
+                        step="0.1"
+                        value=${this.instance?.emailOtpThrottlingFactor || 1}
+                        class="pf-c-form-control pf-m-monospace"
+                        autocomplete="off"
+                        spellcheck="false"
+                        required
+                    />
+                </ak-form-element-horizontal>
+
+                <ak-form-element-horizontal
+                    label=${msg("SMS OTP throttling factor")}
+                    required
+                    name="smsOtpThrottlingFactor"
+                >
+                    <input
+                        type="number"
+                        step="0.1"
+                        value=${this.instance?.smsOtpThrottlingFactor || 1}
+                        class="pf-c-form-control pf-m-monospace"
+                        autocomplete="off"
+                        spellcheck="false"
+                        required
+                    />
+                </ak-form-element-horizontal>
+                <ak-form-element-horizontal
+                    label=${msg("TOTP throttling factor")}
+                    required
+                    name="totpOtpThrottlingFactor"
+                >
+                    <input
+                        type="number"
+                        step="0.1"
+                        value=${this.instance?.totpOtpThrottlingFactor || 1}
+                        class="pf-c-form-control pf-m-monospace"
+                        autocomplete="off"
+                        spellcheck="false"
+                        required
+                    />
+                </ak-form-element-horizontal>
+
+                <ak-form-element-horizontal
+                    label=${msg("Static OTP throttling factor")}
+                    required
+                    name="staticOtpThrottlingFactor"
+                >
+                    <input
+                        type="number"
+                        step="0.1"
+                        value=${this.instance?.staticOtpThrottlingFactor || 1}
+                        class="pf-c-form-control pf-m-monospace"
+                        autocomplete="off"
+                        spellcheck="false"
+                        required
+                    />
+                </ak-form-element-horizontal>
+            </ak-form-group>
             <ak-form-group open label="${msg("WebAuthn-specific settings")}">
                 <div class="pf-c-form">
                     <ak-form-element-horizontal

web/src/admin/users/UserListPage.ts

@@ -73,6 +73,10 @@ export class UserListPage extends WithLicenseSummary(
                 max-width: var(--pf-c-avatar--Width);
                 vertical-align: middle;
             }
+            .pf-c-card.tree .pf-c-card__body {
+                padding-left: 0;
+                padding-right: 0;
+            }
         `,
     ];
 
@@ -92,7 +96,7 @@ export class UserListPage extends WithLicenseSummary(
     public pageIcon = "pf-icon pf-icon-user";
 
     @property({ type: String })
-    public order = "last_login";
+    public order = "-last_login";
 
     @property({ type: String })
     public activePath: string;
@@ -368,7 +372,7 @@ export class UserListPage extends WithLicenseSummary(
 
     protected renderSidebarBefore(): TemplateResult {
         return html`<aside aria-labelledby="sidebar-left-panel-header" class="pf-c-sidebar__panel">
-            <div class="pf-c-card">
+            <div class="pf-c-card tree">
                 <div
                     role="heading"
                     aria-level="2"

web/src/rac/index.entrypoint.ts

@@ -2,6 +2,8 @@ import "#elements/LoadingOverlay";
 
 import Styles from "./index.entrypoint.css";
 
+import { writeToClipboard } from "#common/clipboard";
+
 import { Interface } from "#elements/Interface";
 import { WithBrandConfig } from "#elements/mixins/branding";
 
@@ -155,22 +157,35 @@ export class RacInterface extends WithBrandConfig(Interface) {
             if (/^text\//.exec(mimetype)) {
                 const reader = new Guacamole.StringReader(stream);
                 let data = "";
+
                 reader.ontext = (text) => {
                     data += text;
                 };
+
                 reader.onend = () => {
-                    this._previousClipboardValue = data;
-                    navigator.clipboard.writeText(data);
+                    const trimmed = data.trim();
+                    // Some remote sessions (notably SSH) push empty clipboard
+                    // payloads that would otherwise clobber the user's local
+                    // clipboard, breaking subsequent paste attempts. Ignore
+                    // them so the local clipboard remains intact.
+                    if (!trimmed) {
+                        console.debug("authentik/rac: ignored empty remote clipboard payload");
+                        return;
+                    }
+                    this._previousClipboardValue = trimmed;
+                    writeToClipboard(trimmed);
                 };
             } else {
                 const reader = new Guacamole.BlobReader(stream, mimetype);
+
                 reader.onend = () => {
                     const blob = reader.getBlob();
-                    navigator.clipboard.write([
-                        new ClipboardItem({
-                            [blob.type]: blob,
-                        }),
-                    ]);
+
+                    const item = new ClipboardItem({
+                        [blob.type]: blob,
+                    });
+
+                    writeToClipboard(item);
                 };
             }
             console.debug("authentik/rac: updated clipboard from remote");

web/xliff/fr_FR.xlf

@@ -1335,10 +1335,6 @@
   <source>Open in new tab</source>
   <target>Ouvrir dans un nouvel onglet</target>
 </trans-unit>
-<trans-unit id="s8655c52824caac63">
-  <source>If checked, the launch URL will open in a new browser tab or window from the user&apos;s application library.</source>
-  <target>Si cette case est cochée, l&apos;URL de lancement s&apos;ouvrira dans un nouvel onglet ou une nouvelle fenêtre du navigateur à partir de la bibliothèque d&apos;applications de l&apos;utilisateur.</target>
-</trans-unit>
 <trans-unit id="s909e876731a8febb">
   <source>Select all rows</source>
   <target>Sélectionner toutes les lignes</target>
@@ -1423,18 +1419,10 @@
   <source>Policy</source>
   <target>Politique</target>
 </trans-unit>
-<trans-unit id="s6b85380416964890">
-  <source>Negate result</source>
-  <target>Inverser le résultat</target>
-</trans-unit>
 <trans-unit id="s3bfa0258999fb629">
   <source>Negates the outcome of the binding. Messages are unaffected.</source>
   <target>Inverse le résultat de la liaison. Les messages ne sont pas affectés.</target>
 </trans-unit>
-<trans-unit id="s6b1ed7507f26cb4a">
-  <source>Failure result</source>
-  <target>Résultat échoué</target>
-</trans-unit>
 <trans-unit id="sfdfa5bb4ddd99d70">
   <source>Enterprise only</source>
   <target>Entreprise uniquement</target>
@@ -6344,10 +6332,6 @@ doesn&apos;t pass when either or both of the selected options are equal or above
   <source>Stage used to validate any authenticator. This stage should be used during authentication or authorization flows.</source>
   <target>Étape utilisée pour valider tout type d&apos;authentificateur. Cette étape devrait être utilisée en flux d&apos;authentification ou d&apos;autorisation.</target>
 </trans-unit>
-<trans-unit id="s73c13e5a6f5e38a3">
-  <source>Device classes</source>
-  <target>Classes d&apos;appareil</target>
-</trans-unit>
 <trans-unit id="sd8d9451f86502d1a">
   <source>Device classes which can be used to authenticate.</source>
   <target>Classe d&apos;appareil qui peut être utilisé pour s&apos;authentifier</target>
@@ -6472,18 +6456,6 @@ doesn&apos;t pass when either or both of the selected options are equal or above
   <source>Authenticator Attachment</source>
   <target>Lien à l&apos;authentificateur</target>
 </trans-unit>
-<trans-unit id="s502d2473587032e1">
-  <source>No preference is sent</source>
-  <target>Aucune préférence n&apos;est envoyée</target>
-</trans-unit>
-<trans-unit id="s60cc554fde2676cb">
-  <source>A non-removable authenticator, like TouchID or Windows Hello</source>
-  <target>Un authentificateur inamovible, comme TouchID ou Windows Hello</target>
-</trans-unit>
-<trans-unit id="sdf1d8edef27236f0">
-  <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
-  <target>Un authentificateur &quot;itinérant&quot;, comme une YubiKey</target>
-</trans-unit>
 <trans-unit id="sbd65aeeb8a3b9bbc">
   <source>Maximum registration attempts</source>
   <target>Nombre maximal de tentatives d&apos;inscription</target>
@@ -6592,10 +6564,6 @@ doesn&apos;t pass when either or both of the selected options are equal or above
   <source>Let the user identify themselves with their username or Email address.</source>
   <target>Laisser l&apos;utilisateur s&apos;identifier lui-même avec son nom d&apos;utilisateur ou son adresse de courriel.</target>
 </trans-unit>
-<trans-unit id="s592ab7d2bc1b8973">
-  <source>User fields</source>
-  <target>Champs de l&apos;utilisateur</target>
-</trans-unit>
 <trans-unit id="s4cdae7635e757555">
   <source>Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources.</source>
   <target>Champs avec lesquels un utilisateur peut s&apos;identifier. Si aucun champ n&apos;est sélectionné, l&apos;utilisateur ne pourra utiliser que des sources.</target>
@@ -6824,10 +6792,6 @@ doesn&apos;t pass when either or both of the selected options are equal or above
   <source>Selected policies are executed when the stage is submitted to validate the data.</source>
   <target>Les politiques sélectionnées sont exécutées lorsque l&apos;étape est soumise pour valider les données.</target>
 </trans-unit>
-<trans-unit id="sc487e11d5987dbb4">
-  <source>Redirect the user to another flow, potentially with all gathered context</source>
-  <target>Rediriger l&apos;utilisateur vers un autre flux, éventuellement avec le contexte</target>
-</trans-unit>
 <trans-unit id="sad9d5481474d4f5b">
   <source>Static</source>
   <target>Statique</target>
@@ -8867,10 +8831,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l&apo
   <source>Ungrouped</source>
   <target>Non groupé</target>
 </trans-unit>
-<trans-unit id="s1cf2298d92c327a6">
-  <source>My Applications</source>
-  <target>Mes Applications</target>
-</trans-unit>
 <trans-unit id="s65b433c52c2ad8eb">
   <source>Search for an application by name...</source>
   <target>Rechercher une application par nom…</target>
@@ -8879,10 +8839,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l&apo
   <source>Search returned no results.</source>
   <target>La recherche n&apos;a pas retourné de résultat.</target>
 </trans-unit>
-<trans-unit id="s2656433a3b1f7e86">
-  <source>My applications</source>
-  <target>Mes applications</target>
-</trans-unit>
 <trans-unit id="s91cfe4fac0957ee7">
   <source>Application list</source>
   <target>Liste d&apos;applications</target>
@@ -11747,10 +11703,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l&apo
   <source>Require Flow token (flow can only be executed from a generated recovery link)</source>
   <target>Nécessite un jeton de flux (le flux ne peut être lancé que depuis un lien de récupération généré)</target>
 </trans-unit>
-<trans-unit id="s5ca66a541124edd6">
-  <source>Bind New Policy</source>
-  <target>Lier une nouvelle politique</target>
-</trans-unit>
 <trans-unit id="sb41bc87dec355a91">
   <source>Select the type of policy you want to create.</source>
   <target>Sélectionnez le type de politique que vous voulez créer.</target>
@@ -11976,14 +11928,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l&apo
   <source>Altered behavior for usage with VMware vCenter.</source>
   <target>Comportement modifié pour utilisation avec VMWare vCenter.</target>
 </trans-unit>
-<trans-unit id="s9eda7101f63a8652">
-  <source>Hide from My applications</source>
-  <target>Masquer de Mes applications</target>
-</trans-unit>
-<trans-unit id="s30f30e9c42594a33">
-  <source>If checked, this application will not be shown on the user&apos;s My applications page.</source>
-  <target>Si coché, cette application ne sera pas affichée dans la page Mes applications de l&apos;utilisateur.</target>
-</trans-unit>
 <trans-unit id="s2ea2e39e4b470249">
   <source>EntityID/Issuer override</source>
   <target>Remplacement de l&apos;EntityID / Emetteur</target>
@@ -12157,6 +12101,179 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l&apo
   <source>Leave empty to skip certificate validation, or select a certificate/keypair containing the LDAP server CA chain to validate the remote certificate.</source>
   <target>Laisser vide pour ignorer la validation du certificat, ou sélectionner un certificat et sa paire de clés contenant la chaîne de certification du serveur LDAP pour valider le certificat distant.</target>
 </trans-unit>
+<trans-unit id="sdcd1a9744efdbd7e">
+  <source>Choose Policy Type</source>
+  <target>Choisir un type de politique</target>
+</trans-unit>
+<trans-unit id="saa5ed8446baaba70">
+  <source>Negate Result</source>
+</trans-unit>
+<trans-unit id="s5387aa645962312a">
+  <source>Failure Result</source>
+</trans-unit>
+<trans-unit id="sea62de98f2e25e03">
+  <source>Device Classes</source>
+</trans-unit>
+<trans-unit id="s41938ae69656ef53">
+  <source>User Fields</source>
+  <target>Champs Utilisateur</target>
+</trans-unit>
+<trans-unit id="s02b73793e5b4e1ba">
+  <source>This flag is deprecated.</source>
+</trans-unit>
+<trans-unit id="s8655c52824caac63">
+  <source>If checked, the launch URL will open in a new browser tab or window from the user&apos;s application library.</source>
+  <target>Si cette case est cochée, l&apos;URL de lancement s&apos;ouvrira dans un nouvel onglet ou une nouvelle fenêtre du navigateur à partir de la bibliothèque d&apos;applications de l&apos;utilisateur.</target>
+</trans-unit>
+<trans-unit id="s9eda7101f63a8652">
+  <source>Hide from My applications</source>
+  <target>Masquer de Mes applications</target>
+</trans-unit>
+<trans-unit id="s30f30e9c42594a33">
+  <source>If checked, this application will not be shown on the user&apos;s My applications page.</source>
+  <target>Si coché, cette application ne sera pas affichée dans la page Mes applications de l&apos;utilisateur.</target>
+</trans-unit>
+<trans-unit id="sc98037ccab57d329">
+  <source>No preference: the browser may offer any available authenticator</source>
+</trans-unit>
+<trans-unit id="s4611c85865abcba9">
+  <source>Platform: a non-removable authenticator built into the device, such as Touch ID, Face ID, or Windows Hello</source>
+</trans-unit>
+<trans-unit id="s0003d0e3fcdacabc">
+  <source>Cross-platform: a roaming authenticator, such as a YubiKey or Google Titan</source>
+</trans-unit>
+<trans-unit id="sc157c7dcb3d1b096">
+  <source>Controls the authenticatorAttachment parameter sent to the browser during WebAuthn registration. If Hints are configured and this is left as &apos;No preference&apos;, a value is inferred from the selected hints for backward compatibility with older browsers.</source>
+</trans-unit>
+<trans-unit id="s1baea1b8ac34d554">
+  <source>New Invitation</source>
+  <target>Nouvelle invitatio</target>
+</trans-unit>
+<trans-unit id="s03eef6107e28d042">
+  <source>New Invitation options</source>
+  <target>Options de nouvelle invitation</target>
+</trans-unit>
+<trans-unit id="s0832ff81b9665e6f">
+  <source>Opens the new invitation wizard and binds the invitation to an existing enrollment flow.</source>
+  <target>Ouvre l&apos;assistant de nouvelle invitation et lie l&apos;invitation à un flux d&apos;enregistrement existant.</target>
+</trans-unit>
+<trans-unit id="sc0819dc3d82d9320">
+  <source>with Existing Enrollment Flow...</source>
+  <target>avec le flux d&apos;enregistrement existant...</target>
+</trans-unit>
+<trans-unit id="s79108cb25e7bf07b">
+  <source>Opens the new invitation wizard, which will create a new enrollment flow and invitation stage.</source>
+</trans-unit>
+<trans-unit id="sb7809157a3ccf613">
+  <source>with New Enrollment Flow and Invitation Stage...</source>
+  <target>avec un nouveau flux d&apos;enregistrement et une étape d&apos;invitation...</target>
+</trans-unit>
+<trans-unit id="seb418067e7d6c6e2">
+  <source>Create a new invitation with an enrollment flow.</source>
+  <target>Créer une nouvelle invitation avec un flux d&apos;enregistrement</target>
+</trans-unit>
+<trans-unit id="sfd74a380e957d0d3">
+  <source>Enrollment Flow</source>
+  <target>Flux d&apos;enregistrement</target>
+</trans-unit>
+<trans-unit id="scc869d556216d748">
+  <source>Invitation Details</source>
+  <target>Détails de l&apos;invitation</target>
+</trans-unit>
+<trans-unit id="se1fba44a9b284052">
+  <source>Invitation Link</source>
+  <target>Lien de l&apos;invitation</target>
+</trans-unit>
+<trans-unit id="s967a2db7049dc90e">
+  <source><x id="0" equiv-text="${step}"/> failed</source>
+</trans-unit>
+<trans-unit id="s971d4cc0ecd106b7">
+  <source>Importing enrollment flow blueprint</source>
+</trans-unit>
+<trans-unit id="sf3b89a70e20af6c8">
+  <source>Blueprint validation failed</source>
+</trans-unit>
+<trans-unit id="sa04b7204708f4f74">
+  <source>Flow with slug &quot;<x id="0" equiv-text="${slugToLookup}"/>&quot; not found after import</source>
+</trans-unit>
+<trans-unit id="s3354be88ad29d171">
+  <source>Creating invitation</source>
+</trans-unit>
+<trans-unit id="s07f41353777196ea">
+  <source>The flow selected in the previous step. The invitation will be bound to this flow.</source>
+</trans-unit>
+<trans-unit id="s7209a11f97da9aff">
+  <source>No invitation available to send</source>
+</trans-unit>
+<trans-unit id="s2772d8285b905006">
+  <source>Failed to queue invitation emails</source>
+</trans-unit>
+<trans-unit id="s3b7910ab9c47a2e3">
+  <source>No enrollment flows with invitation stages found</source>
+</trans-unit>
+<trans-unit id="sa3ca03297e00591c">
+  <source>You can create a new enrollment flow and invitation stage right here, or cancel and bind an invitation stage to an existing flow manually.</source>
+</trans-unit>
+<trans-unit id="s06db43e56ca76be8">
+  <source>Create a new enrollment flow</source>
+</trans-unit>
+<trans-unit id="s8acc687c55e8ccbf">
+  <source>Only enrollment flows that have an invitation stage bound to them are listed here.</source>
+</trans-unit>
+<trans-unit id="s5b3bafd8ffe553ec">
+  <source>Flow name</source>
+  <target>Nom du flux</target>
+</trans-unit>
+<trans-unit id="s699cd34b0dcb4c56">
+  <source>Name for the new enrollment flow.</source>
+</trans-unit>
+<trans-unit id="s8fb6d1bb698d32a0">
+  <source>Flow slug</source>
+</trans-unit>
+<trans-unit id="s0211c07612cf8c97">
+  <source>Invitation stage name</source>
+  <target>Nom de l&apos;étape d&apos;invitation</target>
+</trans-unit>
+<trans-unit id="s42b97ef63fb1a795">
+  <source>Name for the new invitation stage.</source>
+  <target>Nom pour la nouvelle étape d&apos;invitation.</target>
+</trans-unit>
+<trans-unit id="saaa9fd0d3ebc35aa">
+  <source>Enrolled users are created as external (e.g. customers, guests). New users will be placed under users/external.</source>
+</trans-unit>
+<trans-unit id="s726dff63487da085">
+  <source>Enrolled users are created as internal (e.g. employees). New users will be placed under users/internal.</source>
+</trans-unit>
+<trans-unit id="sc1358130ac327120">
+  <source>If enabled, the stage will jump to the next stage when no invitation is given. If disabled, the flow will be cancelled without a valid invitation.</source>
+</trans-unit>
+<trans-unit id="s09fdd952c6eaf7da">
+  <source>No invitation was created.</source>
+  <target>Aucune invitation créée.</target>
+</trans-unit>
+<trans-unit id="s00febd85a4889bb1">
+  <source>Redirect the user to a static URL or another flow, optionally with all gathered context.</source>
+</trans-unit>
+<trans-unit id="sdbc1d47f0f0ed54d">
+  <source>The element could not be loaded. This may be due to a missing import or a version mismatch.</source>
+  <target>L&apos;élément n&apos;a pas pu être chargé. Cela peut être du à un import manquant ou une mauvaise correspondance de version.</target>
+</trans-unit>
+<trans-unit id="scf8a3d48f9969535">
+  <source>An element could not be loaded. Please try refreshing the page or clearing your cache.</source>
+  <target>Un élément n&apos;a pas pu être chargé. Veuillez essayer de rafraîchir la page ou de vider votre cache.</target>
+</trans-unit>
+<trans-unit id="se2f00b2619675217">
+  <source>Failed to load element</source>
+  <target>Échec du chargement de l&apos;élément</target>
+</trans-unit>
+<trans-unit id="s1cf2298d92c327a6">
+  <source>My Applications</source>
+  <target>Mes Applications</target>
+</trans-unit>
+<trans-unit id="s2656433a3b1f7e86">
+  <source>My applications</source>
+  <target>Mes applications</target>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/no_NO.xlf

@@ -1326,10 +1326,6 @@
   <source>Open in new tab</source>
   <target>Åpne i ny fane</target>
 </trans-unit>
-<trans-unit id="s8655c52824caac63">
-  <source>If checked, the launch URL will open in a new browser tab or window from the user&apos;s application library.</source>
-  <target>Hvis krysset av, vil start-URL åpnes i en ny fane eller et nytt vindu fra brukerens applikasjonsbibliotek.</target>
-</trans-unit>
 <trans-unit id="s909e876731a8febb">
   <source>Select all rows</source>
   <target>Velg alle rader</target>
@@ -1414,18 +1410,10 @@
   <source>Policy</source>
   <target>Policy</target>
 </trans-unit>
-<trans-unit id="s6b85380416964890">
-  <source>Negate result</source>
-  <target>Inverter resultat</target>
-</trans-unit>
 <trans-unit id="s3bfa0258999fb629">
   <source>Negates the outcome of the binding. Messages are unaffected.</source>
   <target>Inverterer utfallet av bindingen. Meldinger påvirkes ikke.</target>
 </trans-unit>
-<trans-unit id="s6b1ed7507f26cb4a">
-  <source>Failure result</source>
-  <target>Feilresultat</target>
-</trans-unit>
 <trans-unit id="sfdfa5bb4ddd99d70">
   <source>Enterprise only</source>
   <target>Kun Enterprise</target>
@@ -2246,10 +2234,6 @@
   <source>Issuer</source>
   <target>Utsteder</target>
 </trans-unit>
-<trans-unit id="sd4fd64791f73d37b">
-  <source>Also known as Entity ID.</source>
-  <target>Også kjent som Enhets-ID.</target>
-</trans-unit>
 <trans-unit id="sd5a4b41c6c883b03">
   <source>Audience</source>
   <target>Publikum</target>
@@ -3922,14 +3906,6 @@ består ikke når ett eller begge av de valgte alternativene er lik eller over t
   <source>Application entitlements</source>
   <target>Applikasjonsrettigheter</target>
 </trans-unit>
-<trans-unit id="application.entitlements.preview.info">
-  <source>Application entitlements are in preview.</source>
-  <target>Applikasjonsrettigheter er i forhåndsvisning.</target>
-</trans-unit>
-<trans-unit id="preview.send-us-feedback">
-  <source>Send us feedback!</source>
-  <target>Send oss tilbakemelding!</target>
-</trans-unit>
 <trans-unit id="s8e1c375a007d1839">
   <source>These entitlements can be used to configure user access in this application.</source>
   <target>Disse rettighetene kan brukes til å konfigurere brukertilgang i denne applikasjonen.</target>
@@ -4466,10 +4442,6 @@ består ikke når ett eller begge av de valgte alternativene er lik eller over t
   <source>TLS Verification Certificate</source>
   <target>TLS-verifiseringssertifikat</target>
 </trans-unit>
-<trans-unit id="sb8c13bd58191cea2">
-  <source>When connecting to an LDAP Server with TLS, certificates are not checked by default. Specify a keypair to validate the remote certificate.</source>
-  <target>Ved tilkobling til en LDAP-server med TLS, sjekkes ikke sertifikater som standard. Spesifiser et nøkkelpar for å validere fjerneresertifikatet.</target>
-</trans-unit>
 <trans-unit id="s000ee3e634868b3c">
   <source>TLS Client authentication certificate</source>
   <target>TLS-klientautentiseringssertifikat</target>
@@ -5453,8 +5425,7 @@ består ikke når ett eller begge av de valgte alternativene er lik eller over t
   <target>Aktiver</target>
 </trans-unit>
 <trans-unit id="s547b687213f48489">
-  <source>Update <x id="0" equiv-text="${user.name || user.username}"/>&apos;s password</source>
-  <target>Oppdater passordet til <x id="0" equiv-text="${user.name || user.username}"/></target>
+  <source>Update <x id="0" equiv-text="${formatUserDisplayName(user)}"/>&apos;s password</source>
 </trans-unit>
 <trans-unit id="sce8d867ca5f35304">
   <source>Set password</source>
@@ -5536,10 +5507,6 @@ består ikke når ett eller begge av de valgte alternativene er lik eller over t
   <source>User Search</source>
   <target>Brukersøk</target>
 </trans-unit>
-<trans-unit id="s3616cc78631f5893">
-  <source>Warning: You&apos;re about to delete the user you&apos;re logged in as (<x id="0" equiv-text="${shouldShowWarning.username}"/>). Proceed at your own risk.</source>
-  <target>Advarsel: Du er i ferd med å slette brukeren du er logget inn som (<x id="0" equiv-text="${shouldShowWarning.username}"/>). Fortsett på eget ansvar.</target>
-</trans-unit>
 <trans-unit id="s7c6c86d9a97ed706">
   <source>Show deactivated users</source>
   <target>Vis deaktiverte brukere</target>
@@ -6352,10 +6319,6 @@ består ikke når ett eller begge av de valgte alternativene er lik eller over t
   <source>Stage used to validate any authenticator. This stage should be used during authentication or authorization flows.</source>
   <target>Trinn brukt for å validere enhver autentisator. Dette trinnet bør brukes under autentiserings- eller autorisasjonsflyter.</target>
 </trans-unit>
-<trans-unit id="s73c13e5a6f5e38a3">
-  <source>Device classes</source>
-  <target>Enhetsklasser</target>
-</trans-unit>
 <trans-unit id="sd8d9451f86502d1a">
   <source>Device classes which can be used to authenticate.</source>
   <target>Enhetsklasser som kan brukes til å autentisere.</target>
@@ -6480,18 +6443,6 @@ består ikke når ett eller begge av de valgte alternativene er lik eller over t
   <source>Authenticator Attachment</source>
   <target>Autentisatorvedlegg</target>
 </trans-unit>
-<trans-unit id="s502d2473587032e1">
-  <source>No preference is sent</source>
-  <target>Ingen preferanse sendes</target>
-</trans-unit>
-<trans-unit id="s60cc554fde2676cb">
-  <source>A non-removable authenticator, like TouchID or Windows Hello</source>
-  <target>En ikke-flyttbar autentisator, som TouchID eller Windows Hello</target>
-</trans-unit>
-<trans-unit id="sdf1d8edef27236f0">
-  <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
-  <target>En &quot;roaming&quot;-autentisator, som en YubiKey</target>
-</trans-unit>
 <trans-unit id="sbd65aeeb8a3b9bbc">
   <source>Maximum registration attempts</source>
   <target>Maksimalt antall registreringsforsøk</target>
@@ -6600,10 +6551,6 @@ består ikke når ett eller begge av de valgte alternativene er lik eller over t
   <source>Let the user identify themselves with their username or Email address.</source>
   <target>La brukeren identifisere seg med sitt brukernavn eller e-postadresse.</target>
 </trans-unit>
-<trans-unit id="s592ab7d2bc1b8973">
-  <source>User fields</source>
-  <target>Brukerfelt</target>
-</trans-unit>
 <trans-unit id="s4cdae7635e757555">
   <source>Fields a user can identify themselves with. If no fields are selected, the user will only be able to use sources.</source>
   <target>Felt en bruker kan identifisere seg med. Hvis ingen felt er valgt, vil brukeren bare kunne bruke kilder.</target>
@@ -6832,10 +6779,6 @@ består ikke når ett eller begge av de valgte alternativene er lik eller over t
   <source>Selected policies are executed when the stage is submitted to validate the data.</source>
   <target>Valgte policyer kjøres når trinnet sendes inn for å validere dataene.</target>
 </trans-unit>
-<trans-unit id="sc487e11d5987dbb4">
-  <source>Redirect the user to another flow, potentially with all gathered context</source>
-  <target>Omdiriger brukeren til en annen flyt, potensielt med all innhentet kontekst</target>
-</trans-unit>
 <trans-unit id="sad9d5481474d4f5b">
   <source>Static</source>
   <target>Statisk</target>
@@ -7460,10 +7403,6 @@ består ikke når ett eller begge av de valgte alternativene er lik eller over t
   <source>Select the group of users which the alerts are sent to. </source>
   <target>Velg gruppen brukere varslene sendes til. </target>
 </trans-unit>
-<trans-unit id="se630f2ccd39bf9e6">
-  <source>If no group is selected and &apos;Send notification to event user&apos; is disabled the rule is disabled. </source>
-  <target>Hvis ingen gruppe er valgt og &apos;Send varsel til hendelsesbruker&apos; er deaktivert, er regelen deaktivert. </target>
-</trans-unit>
 <trans-unit id="s47966b2a708694e2">
   <source>Send notification to event user</source>
   <target>Send varsel til hendelsesbruker</target>
@@ -8876,10 +8815,6 @@ Bindinger til grupper/brukere sjekkes mot brukeren av hendelsen.</target>
   <source>Ungrouped</source>
   <target>Ugruppert</target>
 </trans-unit>
-<trans-unit id="s1cf2298d92c327a6">
-  <source>My Applications</source>
-  <target>Mine applikasjoner</target>
-</trans-unit>
 <trans-unit id="s65b433c52c2ad8eb">
   <source>Search for an application by name...</source>
   <target>Søk etter en applikasjon ved navn...</target>
@@ -8888,10 +8823,6 @@ Bindinger til grupper/brukere sjekkes mot brukeren av hendelsen.</target>
   <source>Search returned no results.</source>
   <target>Søket ga ingen resultater.</target>
 </trans-unit>
-<trans-unit id="s2656433a3b1f7e86">
-  <source>My applications</source>
-  <target>Mine applikasjoner</target>
-</trans-unit>
 <trans-unit id="s91cfe4fac0957ee7">
   <source>Application list</source>
   <target>Applikasjonsliste</target>
@@ -9437,10 +9368,6 @@ Bindinger til grupper/brukere sjekkes mot brukeren av hendelsen.</target>
   <source>Maximum page size for API requests.</source>
   <target>Maksimal sidestørrelse for API-forespørsler.</target>
 </trans-unit>
-<trans-unit id="sed1058bca1c065f7">
-  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled &apos;Send once&apos; in the notification transport. If no group is selected and &apos;Send notification to event user&apos; is disabled the rule is disabled. </source>
-  <target>Når aktivert, vil varsel bli sendt til brukeren som utløste hendelsen, i tillegg til eventuelle brukere i gruppen ovenfor. Hendelsesbrukeren vil alltid være den første brukeren, for å sende et varsel kun til hendelsesbrukeren, aktiver &apos;Send én gang&apos; i varslingstransporten. Hvis ingen gruppe er valgt og &apos;Send varsel til hendelsesbruker&apos; er deaktivert, er regelen deaktivert. </target>
-</trans-unit>
 <trans-unit id="s9864bd5cd7bb4bd0">
   <source>Local connection</source>
   <target>Lokal tilkobling</target>
@@ -10141,18 +10068,10 @@ Bindinger til grupper/brukere sjekkes mot brukeren av hendelsen.</target>
   <source>Reviewer groups</source>
   <target>Gjennomgangsgrupper</target>
 </trans-unit>
-<trans-unit id="s94c5d9fea467cdbb">
-  <source>Min reviewers</source>
-  <target>Min. antall gjennomgangspersoner</target>
-</trans-unit>
 <trans-unit id="s693370c05900a1c6">
   <source>Number of users from the selected reviewer groups that must approve the review.</source>
   <target>Antall brukere fra de valgte gjennomgangsgruppene som må godkjenne gjennomgangen.</target>
 </trans-unit>
-<trans-unit id="s20c950d20c8aec84">
-  <source>Min reviewers is per-group</source>
-  <target>Min. antall gjennomgangspersoner er per gruppe</target>
-</trans-unit>
 <trans-unit id="s74906f78877111cb">
   <source>Reviewers</source>
   <target>Gjennomgangspersoner</target>
@@ -11215,10 +11134,6 @@ Bindinger til grupper/brukere sjekkes mot brukeren av hendelsen.</target>
   <source>Search for a lifecycle rule by name or target...</source>
   <target>Søk etter en livssyklusregel ved navn eller mål...</target>
 </trans-unit>
-<trans-unit id="sb5ff45c4476cd097">
-  <source>Search tasks...</source>
-  <target>Søk i oppgaver...</target>
-</trans-unit>
 <trans-unit id="sfc53e352afbca881">
   <source>Review</source>
   <target>Gjennomgang</target>
@@ -11772,10 +11687,6 @@ Bindinger til grupper/brukere sjekkes mot brukeren av hendelsen.</target>
   <source>Require Flow token (flow can only be executed from a generated recovery link)</source>
   <target>Krev flyt-token (flyt kan bare utføres fra en generert gjenopprettingslenke)</target>
 </trans-unit>
-<trans-unit id="s5ca66a541124edd6">
-  <source>Bind New Policy</source>
-  <target>Bind ny policy</target>
-</trans-unit>
 <trans-unit id="sb41bc87dec355a91">
   <source>Select the type of policy you want to create.</source>
   <target>Velg typen policy du ønsker å opprette.</target>
@@ -11852,10 +11763,6 @@ Bindinger til grupper/brukere sjekkes mot brukeren av hendelsen.</target>
   <source>Review <x id="0" equiv-text="${this.verboseName}"/> Activation</source>
   <target>Se over aktivering av <x id="0" equiv-text="${this.verboseName}"/></target>
 </trans-unit>
-<trans-unit id="usedBy.associated-objects.label">
-  <source>Objects associated with this user</source>
-  <target>Objekter tilknyttet denne brukeren</target>
-</trans-unit>
 <trans-unit id="sa2ddb53b55f7432b">
   <source>Objects</source>
   <target>Objekter</target>
@@ -11965,6 +11872,319 @@ Bindinger til grupper/brukere sjekkes mot brukeren av hendelsen.</target>
   <target><x id="0" equiv-text="${verboseName}"/> er ikke tilknyttet noen objekter.</target>
   <note from="lit-localize">Zero: no objects use this entity.</note>
 </trans-unit>
+<trans-unit id="s78a13f8f08d3a317">
+  <source>Authorization Code</source>
+</trans-unit>
+<trans-unit id="s9765a1c7821ec626">
+  <source>Implicit</source>
+</trans-unit>
+<trans-unit id="s6032372e5812d743">
+  <source>Hybrid</source>
+</trans-unit>
+<trans-unit id="s4c21579d264ff019">
+  <source>Refresh token</source>
+</trans-unit>
+<trans-unit id="sec04243bf971ba5c">
+  <source>Client credentials</source>
+</trans-unit>
+<trans-unit id="sf6625f1c093feb17">
+  <source>Device-code</source>
+</trans-unit>
+<trans-unit id="sccb6f4a3d1fb9434">
+  <source>Grant Types</source>
+</trans-unit>
+<trans-unit id="s89c63fb4a8cb6d2b">
+  <source>Grant types this provider may use.</source>
+</trans-unit>
+<trans-unit id="s86a9472dc09ecf48">
+  <source>vCenter</source>
+</trans-unit>
+<trans-unit id="s71724d2ff6637203">
+  <source>Altered behavior for usage with VMware vCenter.</source>
+</trans-unit>
+<trans-unit id="s2ea2e39e4b470249">
+  <source>EntityID/Issuer override</source>
+</trans-unit>
+<trans-unit id="sf7aba95a8c43b7b1">
+  <source>Sets a custom EntityID/Issuer to override the authentik generated default.</source>
+</trans-unit>
+<trans-unit id="sa3a27a128ad87f31">
+  <source>Passwords</source>
+</trans-unit>
+<trans-unit id="s16d13ea527d7fe6b">
+  <source>Setting</source>
+</trans-unit>
+<trans-unit id="sfef81bb4077a56fd">
+  <source>Type a new password...</source>
+</trans-unit>
+<trans-unit id="sf9ec917e3e986bc1">
+  <source>When enabled, your username will be remembered on this device for future logins.</source>
+</trans-unit>
+<trans-unit id="form.submitting.no-entity">
+  <source><x id="0" equiv-text="${submittingVerb}"/>...</source>
+  <note from="lit-localize">The message shown while a form is being submitted, when no entity name is provided.</note>
+</trans-unit>
+<trans-unit id="sddfad4253602f965">
+  <source>Account lockdown flow</source>
+</trans-unit>
+<trans-unit id="sda9155d390bca7b4">
+  <source>Select an account lockdown flow...</source>
+</trans-unit>
+<trans-unit id="s77321fadb314f860">
+  <source>Flow used when a user triggers account lockdown (e.g. in case of compromise). Should contain an Account Lockdown stage.</source>
+</trans-unit>
+<trans-unit id="sf4ccddbac7b6ec31">
+  <source>Account lockdown flows should require authentication so they can only be started from a signed-in session.</source>
+</trans-unit>
+<trans-unit id="sc9e81e2f575bcf24">
+  <source>If no group is selected and &apos;Send notification to event user&apos; is disabled, the rule is disabled.</source>
+</trans-unit>
+<trans-unit id="sd30f00ff2135589c">
+  <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled &apos;Send once&apos; in the notification transport.</source>
+</trans-unit>
+<trans-unit id="s1c0267488c33401b">
+  <source>Minimum reviewers</source>
+</trans-unit>
+<trans-unit id="sa80395e2be5324e4">
+  <source>Minimum reviewers is per-group</source>
+</trans-unit>
+<trans-unit id="se18d75eda2628862">
+  <source>The following reviews apply to this object:</source>
+</trans-unit>
+<trans-unit id="sea618ff863cfa3da">
+  <source>This object has no reviews yet.</source>
+</trans-unit>
+<trans-unit id="sea74bf2b70c27113">
+  <source>Rule</source>
+</trans-unit>
+<trans-unit id="s5ba577d0cda2bad2">
+  <source>This stage executes account lockdown actions on a target user. Configure which actions to perform when this stage runs.</source>
+</trans-unit>
+<trans-unit id="sc2908875e6774352">
+  <source>Type a name for this stage...</source>
+</trans-unit>
+<trans-unit id="scf443deca2f466b6">
+  <source>Deactivate user</source>
+</trans-unit>
+<trans-unit id="s2abd586c2258eae4">
+  <source>Deactivate the user account (set is_active to False).</source>
+</trans-unit>
+<trans-unit id="s89db6a525bb42303">
+  <source>Set unusable password</source>
+</trans-unit>
+<trans-unit id="s52dc7e97dfbb99dd">
+  <source>Set an unusable password for the user.</source>
+</trans-unit>
+<trans-unit id="sb144fbff5de59af3">
+  <source>Delete sessions</source>
+</trans-unit>
+<trans-unit id="s20fb386bfce5e225">
+  <source>Delete all active sessions for the user.</source>
+</trans-unit>
+<trans-unit id="s6216c07f360073f7">
+  <source>Revoke tokens</source>
+</trans-unit>
+<trans-unit id="s334ebfb3605630b0">
+  <source>Revoke all tokens for the user (API, app password, recovery, verification).</source>
+</trans-unit>
+<trans-unit id="sdd3dfdd51bfbcd21">
+  <source>Self-service completion</source>
+</trans-unit>
+<trans-unit id="s0ef55fed99322c71">
+  <source>Configure what happens after a user locks their own account. Since all sessions are deleted, the user cannot continue in the current flow and will be redirected to a separate completion flow.</source>
+</trans-unit>
+<trans-unit id="sa42bdb7e1f7c8b75">
+  <source>Completion flow</source>
+</trans-unit>
+<trans-unit id="sf8f0cfd7ce5e081a">
+  <source>Select a completion flow...</source>
+</trans-unit>
+<trans-unit id="s7f8967e8077f2734">
+  <source>Flow to redirect users to after self-service lockdown. This flow must not require authentication since the user&apos;s session is deleted.</source>
+</trans-unit>
+<trans-unit id="se84707d40ed8f349">
+  <source>Alert (Info): Static alert box with info styling</source>
+</trans-unit>
+<trans-unit id="sb919fcbc8720c669">
+  <source>Alert (Warning): Static alert box with warning styling</source>
+</trans-unit>
+<trans-unit id="sa50b13d36ee4f763">
+  <source>Alert (Danger): Static alert box with danger styling</source>
+</trans-unit>
+<trans-unit id="s1c23a9eed1a415df">
+  <source>Warning: You are about to delete user <x id="0" equiv-text="${shouldShowWarning.username}"/>, but you are currently logged in as this user. Proceed at your own risk.</source>
+</trans-unit>
+<trans-unit id="s11064f3323dac957">
+  <source>Account Lockdown</source>
+</trans-unit>
+<trans-unit id="s01a8d45397ec133b">
+  <source>Security</source>
+</trans-unit>
+<trans-unit id="s5a1cd1f7b7a43204">
+  <source>If you suspect your account has been compromised, you can immediately lock it to prevent unauthorized access.</source>
+</trans-unit>
+<trans-unit id="s36535ff645fd37f7">
+  <source>Lock my account</source>
+</trans-unit>
+<trans-unit id="s7abbf11fd03b3c12">
+  <source>Bind existing group/user</source>
+</trans-unit>
+<trans-unit id="s33bfd42437266a1f">
+  <source>Leave empty to skip certificate validation, or select a certificate/keypair containing the LDAP server CA chain to validate the remote certificate.</source>
+</trans-unit>
+<trans-unit id="sdcd1a9744efdbd7e">
+  <source>Choose Policy Type</source>
+</trans-unit>
+<trans-unit id="saa5ed8446baaba70">
+  <source>Negate Result</source>
+</trans-unit>
+<trans-unit id="s5387aa645962312a">
+  <source>Failure Result</source>
+</trans-unit>
+<trans-unit id="sea62de98f2e25e03">
+  <source>Device Classes</source>
+</trans-unit>
+<trans-unit id="s41938ae69656ef53">
+  <source>User Fields</source>
+</trans-unit>
+<trans-unit id="s02b73793e5b4e1ba">
+  <source>This flag is deprecated.</source>
+</trans-unit>
+<trans-unit id="s8655c52824caac63">
+  <source>If checked, the launch URL will open in a new browser tab or window from the user&apos;s application library.</source>
+  <target>Hvis krysset av, vil start-URL åpnes i en ny fane eller et nytt vindu fra brukerens applikasjonsbibliotek.</target>
+</trans-unit>
+<trans-unit id="s9eda7101f63a8652">
+  <source>Hide from My applications</source>
+</trans-unit>
+<trans-unit id="s30f30e9c42594a33">
+  <source>If checked, this application will not be shown on the user&apos;s My applications page.</source>
+</trans-unit>
+<trans-unit id="sc98037ccab57d329">
+  <source>No preference: the browser may offer any available authenticator</source>
+</trans-unit>
+<trans-unit id="s4611c85865abcba9">
+  <source>Platform: a non-removable authenticator built into the device, such as Touch ID, Face ID, or Windows Hello</source>
+</trans-unit>
+<trans-unit id="s0003d0e3fcdacabc">
+  <source>Cross-platform: a roaming authenticator, such as a YubiKey or Google Titan</source>
+</trans-unit>
+<trans-unit id="sc157c7dcb3d1b096">
+  <source>Controls the authenticatorAttachment parameter sent to the browser during WebAuthn registration. If Hints are configured and this is left as &apos;No preference&apos;, a value is inferred from the selected hints for backward compatibility with older browsers.</source>
+</trans-unit>
+<trans-unit id="s1baea1b8ac34d554">
+  <source>New Invitation</source>
+</trans-unit>
+<trans-unit id="s03eef6107e28d042">
+  <source>New Invitation options</source>
+</trans-unit>
+<trans-unit id="s0832ff81b9665e6f">
+  <source>Opens the new invitation wizard and binds the invitation to an existing enrollment flow.</source>
+</trans-unit>
+<trans-unit id="sc0819dc3d82d9320">
+  <source>with Existing Enrollment Flow...</source>
+</trans-unit>
+<trans-unit id="s79108cb25e7bf07b">
+  <source>Opens the new invitation wizard, which will create a new enrollment flow and invitation stage.</source>
+</trans-unit>
+<trans-unit id="sb7809157a3ccf613">
+  <source>with New Enrollment Flow and Invitation Stage...</source>
+</trans-unit>
+<trans-unit id="seb418067e7d6c6e2">
+  <source>Create a new invitation with an enrollment flow.</source>
+</trans-unit>
+<trans-unit id="sfd74a380e957d0d3">
+  <source>Enrollment Flow</source>
+</trans-unit>
+<trans-unit id="scc869d556216d748">
+  <source>Invitation Details</source>
+</trans-unit>
+<trans-unit id="se1fba44a9b284052">
+  <source>Invitation Link</source>
+</trans-unit>
+<trans-unit id="s967a2db7049dc90e">
+  <source><x id="0" equiv-text="${step}"/> failed</source>
+</trans-unit>
+<trans-unit id="s971d4cc0ecd106b7">
+  <source>Importing enrollment flow blueprint</source>
+</trans-unit>
+<trans-unit id="sf3b89a70e20af6c8">
+  <source>Blueprint validation failed</source>
+</trans-unit>
+<trans-unit id="sa04b7204708f4f74">
+  <source>Flow with slug &quot;<x id="0" equiv-text="${slugToLookup}"/>&quot; not found after import</source>
+</trans-unit>
+<trans-unit id="s3354be88ad29d171">
+  <source>Creating invitation</source>
+</trans-unit>
+<trans-unit id="s07f41353777196ea">
+  <source>The flow selected in the previous step. The invitation will be bound to this flow.</source>
+</trans-unit>
+<trans-unit id="s7209a11f97da9aff">
+  <source>No invitation available to send</source>
+</trans-unit>
+<trans-unit id="s2772d8285b905006">
+  <source>Failed to queue invitation emails</source>
+</trans-unit>
+<trans-unit id="s3b7910ab9c47a2e3">
+  <source>No enrollment flows with invitation stages found</source>
+</trans-unit>
+<trans-unit id="sa3ca03297e00591c">
+  <source>You can create a new enrollment flow and invitation stage right here, or cancel and bind an invitation stage to an existing flow manually.</source>
+</trans-unit>
+<trans-unit id="s06db43e56ca76be8">
+  <source>Create a new enrollment flow</source>
+</trans-unit>
+<trans-unit id="s8acc687c55e8ccbf">
+  <source>Only enrollment flows that have an invitation stage bound to them are listed here.</source>
+</trans-unit>
+<trans-unit id="s5b3bafd8ffe553ec">
+  <source>Flow name</source>
+</trans-unit>
+<trans-unit id="s699cd34b0dcb4c56">
+  <source>Name for the new enrollment flow.</source>
+</trans-unit>
+<trans-unit id="s8fb6d1bb698d32a0">
+  <source>Flow slug</source>
+</trans-unit>
+<trans-unit id="s0211c07612cf8c97">
+  <source>Invitation stage name</source>
+</trans-unit>
+<trans-unit id="s42b97ef63fb1a795">
+  <source>Name for the new invitation stage.</source>
+</trans-unit>
+<trans-unit id="saaa9fd0d3ebc35aa">
+  <source>Enrolled users are created as external (e.g. customers, guests). New users will be placed under users/external.</source>
+</trans-unit>
+<trans-unit id="s726dff63487da085">
+  <source>Enrolled users are created as internal (e.g. employees). New users will be placed under users/internal.</source>
+</trans-unit>
+<trans-unit id="sc1358130ac327120">
+  <source>If enabled, the stage will jump to the next stage when no invitation is given. If disabled, the flow will be cancelled without a valid invitation.</source>
+</trans-unit>
+<trans-unit id="s09fdd952c6eaf7da">
+  <source>No invitation was created.</source>
+</trans-unit>
+<trans-unit id="s00febd85a4889bb1">
+  <source>Redirect the user to a static URL or another flow, optionally with all gathered context.</source>
+</trans-unit>
+<trans-unit id="sdbc1d47f0f0ed54d">
+  <source>The element could not be loaded. This may be due to a missing import or a version mismatch.</source>
+</trans-unit>
+<trans-unit id="scf8a3d48f9969535">
+  <source>An element could not be loaded. Please try refreshing the page or clearing your cache.</source>
+</trans-unit>
+<trans-unit id="se2f00b2619675217">
+  <source>Failed to load element</source>
+</trans-unit>
+<trans-unit id="s1cf2298d92c327a6">
+  <source>My Applications</source>
+  <target>Mine applikasjoner</target>
+</trans-unit>
+<trans-unit id="s2656433a3b1f7e86">
+  <source>My applications</source>
+  <target>Mine applikasjoner</target>
+</trans-unit>
 </body>
 </file>
 </xliff>

web/xliff/zh-Hans.xlf

@@ -1,4 +1,4 @@
-<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
 <file target-language="zh-Hans" source-language="en" original="lit-localize-inputs" datatype="plaintext">
 <body>
 <!-- #region Locales -->
@@ -942,9 +942,6 @@
 </trans-unit>
 <trans-unit id="s55fa598b754cc3cc">
   <source><x id="0" equiv-text="${item.username}"/> (<x id="1" equiv-text="${item.name}"/>)</source>
-  <target>
-        <x id="0" equiv-text="${ub.name}"/>（
-        <x id="1" equiv-text="${consequence}"/>）</target>
 </trans-unit>
 <trans-unit id="sdc673e73b5c13aea">
   <source>Delete</source>
@@ -1365,18 +1362,12 @@
 </trans-unit>
 <trans-unit id="s030ac0829bb50a49">
   <source>Policy <x id="0" equiv-text="${item.policyObj?.name}"/></source>
-  <target>策略
-        <x id="0" equiv-text="${item.policyObj?.name}"/></target>
 </trans-unit>
 <trans-unit id="s2a64d2dca3da9b0e">
   <source>Group <x id="0" equiv-text="${item.groupObj?.name}"/></source>
-  <target>组
-        <x id="0" equiv-text="${item.groupObj?.name}"/></target>
 </trans-unit>
 <trans-unit id="se5dc026819a32ff8">
   <source>User <x id="0" equiv-text="${item.userObj?.name || item.userObj?.username}"/></source>
-  <target>用户
-        <x id="0" equiv-text="${item.userObj?.name}"/></target>
 </trans-unit>
 <trans-unit id="sc387b20e6d629087">
   <source>Configure Policy/User/Group Bindings</source>
@@ -1752,7 +1743,7 @@
 </trans-unit>
 <trans-unit id="sd62cfc27ad4aa33b">
   <source>Based on the User's Email</source>
-  <target>基于用户电子邮箱</target>
+  <target>基于用户邮箱</target>
 </trans-unit>
 <trans-unit id="s55eb75bedf96be0f">
   <source>This is recommended over the UPN mode.</source>
@@ -2348,7 +2339,7 @@
 </trans-unit>
 <trans-unit id="s38887b94b3320533">
   <source>Email address</source>
-  <target>电子邮箱地址</target>
+  <target>邮箱地址</target>
 </trans-unit>
 <trans-unit id="s2d34c87f67f66c6a">
   <source>Windows</source>
@@ -3611,11 +3602,11 @@ doesn't pass when either or both of the selected options are equal or above the
 </trans-unit>
 <trans-unit id="s1e2e135dac5ba993">
   <source>Email Address</source>
-  <target>电子邮箱地址</target>
+  <target>邮箱地址</target>
 </trans-unit>
 <trans-unit id="s9fd0516c9193c73e">
   <source>Type an optional email address...</source>
-  <target>输入电子邮箱地址...（可选）</target>
+  <target>输入邮箱地址...（可选）</target>
 </trans-unit>
 <trans-unit id="s4c5000e84bc2189a">
   <source>Whether this user is active and allowed to authenticate. Setting this to inactive can be used to temporarily disable a user without deleting their account.</source>
@@ -3811,7 +3802,6 @@ doesn't pass when either or both of the selected options are equal or above the
 </trans-unit>
 <trans-unit id="s037f22187581bf8f">
   <source>Edit "<x id="0" equiv-text="${this.outpost?.name || &quot;outpost&quot;}"/>"</source>
-  <target>编辑“<x id="0" equiv-text="${item.name}"/>”</target>
 </trans-unit>
 <trans-unit id="sdb3b903354fbfb17">
   <source>Open "<x id="0" equiv-text="${item.name}"/>"</source>
@@ -4079,7 +4069,6 @@ doesn't pass when either or both of the selected options are equal or above the
 </trans-unit>
 <trans-unit id="sa10af889ecd36687">
   <source><x id="0" equiv-text="${this.device?.facts.data.hardware?.cpuCount}"/> x <x id="1" equiv-text="${this.device?.facts.data.hardware?.cpuName}"/></source>
-  <target><x id="0" equiv-text="${this.device.facts.data.hardware?.cpuCount}"/>x<x id="1" equiv-text="${this.device.facts.data.hardware?.cpuName}"/></target>
 </trans-unit>
 <trans-unit id="s16e1bead7b9c95ce">
   <source>Memory</source>
@@ -5438,7 +5427,6 @@ doesn't pass when either or both of the selected options are equal or above the
 </trans-unit>
 <trans-unit id="s547b687213f48489">
   <source>Update <x id="0" equiv-text="${formatUserDisplayName(user)}"/>'s password</source>
-  <target>更新 <x id="0" equiv-text="${user.name || user.username}"/> 的密码</target>
 </trans-unit>
 <trans-unit id="sce8d867ca5f35304">
   <source>Set password</source>
@@ -5681,7 +5669,7 @@ doesn't pass when either or both of the selected options are equal or above the
 </trans-unit>
 <trans-unit id="sd1f44f1a8bc20e67">
   <source>Email</source>
-  <target>电子邮箱</target>
+  <target>邮箱</target>
 </trans-unit>
 <trans-unit id="sfb95ad8c25db95ba">
   <source>Last password change</source>
@@ -7525,7 +7513,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1da3499258024860">
   <source><x id="0" equiv-text="${versionString}"/> (build <x id="1" equiv-text="${item.buildHash.substring(0, 8)}"/>)</source>
-  <target><x id="0" equiv-text="${versionString}"/>（构建 <x id="1" equiv-text="${this.outpostHealth.buildHash.substring(0, 8)}"/>）</target>
 </trans-unit>
 <trans-unit id="s001fd928369d4ddc">
   <source><x id="0" equiv-text="${versionString}"/> (FIPS)</source>
@@ -7537,9 +7524,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1ac2653a6492b435">
   <source><x id="0" equiv-text="${outdatedOutposts[0].version}"/>, should be <x id="1" equiv-text="${outdatedOutposts[0].versionShould}"/></source>
-  <target>
-        <x id="0" equiv-text="${this.outpostHealth.version}"/>，应该是
-        <x id="1" equiv-text="${this.outpostHealth.versionShould}"/></target>
 </trans-unit>
 <trans-unit id="s322e34cfcba47155">
   <source>Not available</source>
@@ -8327,7 +8311,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s6fe64b4625517333">
   <source>Powered by authentik</source>
-  <target>由 authentik 强力驱动</target>
+  <target>由 authentik 提供支持</target>
 </trans-unit>
 <trans-unit id="sd766cdc29b25ff95">
   <source>Authenticating with Apple...</source>
@@ -8459,7 +8443,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="seb6ab868740e4e36">
   <source>Continue with <x id="0" equiv-text="${name}"/></source>
-  <target>以 <x id="0" equiv-text="${source.name}"/> 继续</target>
 </trans-unit>
 <trans-unit id="sc4eedb434536bdb4">
   <source>Need an account?</source>
@@ -9720,12 +9703,15 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sa8383f7f7ff1a62e">
   <source>When enabled, Fleet teams will be mapped to Device access groups. Missing device access groups are automatically created. Devices assigned to a different group are not re-assigned</source>
+  <target>启用后，Fleet团队将被映射到设备访问组。缺失的设备访问组将自动创建。已分配至其他组的设备不会被重新分配。</target>
 </trans-unit>
 <trans-unit id="sfec0c302ab140e30">
   <source>Software</source>
+  <target>软件</target>
 </trans-unit>
 <trans-unit id="sf4cea728c240ee6b">
   <source>Paste your license key...</source>
+  <target>粘贴您的许可证密钥...</target>
 </trans-unit>
 <trans-unit id="s5f404525692ee652">
   <source>You can select from popular providers with preset configurations or choose a custom setup to specify your own endpoints and keys.</source>
@@ -9735,6 +9721,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s69a0bed6319d085a">
   <source>Secret Key</source>
+  <target>密钥</target>
 </trans-unit>
 <trans-unit id="s4cbbb47ef050cd0e">
   <source>Paste your CAPTCHA secret key...</source>
@@ -9765,6 +9752,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="captcha.providers.recaptcha-enterprise.api-key-source">
   <source>Google Cloud Console</source>
+  <target>Google Cloud 控制台</target>
 </trans-unit>
 <trans-unit id="captcha.providers.hcaptcha">
   <source>hCaptcha</source>
@@ -9780,6 +9768,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="captcha.providers.custom">
   <source>Custom</source>
+  <target>自定义</target>
 </trans-unit>
 <trans-unit id="s3fdf499bd9e14a92">
   <source>Type an email address...</source>
@@ -9794,6 +9783,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="ak-secret-text-input.actions.modify">
   <source>Modify</source>
+  <target>修改</target>
   <note from="lit-localize">Help text for secret input field to indicate that clicking will allow changing the value.</note>
 </trans-unit>
 <trans-unit id="captcha.provider-link">
@@ -9851,6 +9841,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s93aad5cd9b47f65f">
   <source>Custom Attributes</source>
+  <target>自定义属性</target>
 </trans-unit>
 <trans-unit id="s254696510e45f3bb">
   <source>No custom attributes defined.</source>
@@ -9878,9 +9869,11 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s0ce6e3aa4e7c81a0">
   <source>New Token</source>
+  <target>新令牌</target>
 </trans-unit>
 <trans-unit id="s1bb47213a314465b">
   <source>Create link</source>
+  <target>创建链接</target>
 </trans-unit>
 <trans-unit id="s776c1b64a71fba39">
   <source>To email a recovery link, set an email address for this user.</source>
@@ -9890,12 +9883,14 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s68be8f284274370a">
   <source>Recovery link</source>
+  <target>恢复链接</target>
 </trans-unit>
 <trans-unit id="s2e318e4a2934eef9">
   <source>Successfully queued email.</source>
 </trans-unit>
 <trans-unit id="s9121335709cfac7a">
   <source>Token duration</source>
+  <target>令牌有效期</target>
 </trans-unit>
 <trans-unit id="s4530f2951a6633e2">
   <source>If a recovery token already exists, its duration is updated.</source>
@@ -9932,9 +9927,11 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sd02d96c6930f31db">
   <source>Create App Password</source>
+  <target>创建应用密码</target>
 </trans-unit>
 <trans-unit id="scf325f1039d7c82f">
   <source>New App Password</source>
+  <target>新应用密码</target>
 </trans-unit>
 <trans-unit id="saa02cc40143c291e">
   <source>Sidebar left (frame background)</source>
@@ -9944,6 +9941,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s92e22f9319fdb85d">
   <source>Configuration warning</source>
+  <target>配置警告</target>
 </trans-unit>
 <trans-unit id="s304ca1e922bd3278">
   <source>Lifecycle Rules</source>
@@ -9965,12 +9963,14 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s69e44328a5b45aa2">
   <source>Rule Name</source>
+  <target>规则名称</target>
 </trans-unit>
 <trans-unit id="se319064a2f20deba">
   <source>Type a name for this lifecycle rule...</source>
 </trans-unit>
 <trans-unit id="sb46d3613edb66558">
   <source>Interval</source>
+  <target>间隔</target>
 </trans-unit>
 <trans-unit id="s19feda58eae87c66">
   <source>The interval between opening new reviews for matching objects.</source>
@@ -9992,15 +9992,18 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb42871a38d8b61ee">
   <source>Object type</source>
+  <target>对象类型</target>
 </trans-unit>
 <trans-unit id="sd530d226f68ec351">
   <source>When set, the rule will apply to the selected individual object. Otherwise, the rule applies to all objects of the selected type.</source>
 </trans-unit>
 <trans-unit id="sea85769d2d8f3ea8">
   <source>Available Users</source>
+  <target>可用用户</target>
 </trans-unit>
 <trans-unit id="s6251a3b1bbd7b124">
   <source>Selected Users</source>
+  <target>已选用户</target>
 </trans-unit>
 <trans-unit id="s3899116cda378dcb">
   <source>A review will require approval from each of the users selected here in addition to group members as per above settings.</source>
@@ -10022,9 +10025,11 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s9279704dfc98cdf9">
   <source>No reviews yet.</source>
+  <target>暂无评价。</target>
 </trans-unit>
 <trans-unit id="s08400d94769ba771">
   <source>Reviewed on</source>
+  <target>审核于</target>
 </trans-unit>
 <trans-unit id="sb89da38bc0c0b3fa">
   <source>Reviewer</source>
@@ -10061,6 +10066,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s3be348f8aeeb6a64">
   <source>Review state</source>
+  <target>审查状态</target>
 </trans-unit>
 <trans-unit id="s30c9ff051aa083b0">
   <source>Required reviewers</source>
@@ -10097,6 +10103,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sc68080ce046320cb">
   <source>Overdue</source>
+  <target>逾期</target>
 </trans-unit>
 <trans-unit id="sa30c4d3b566b6b1a">
   <source>Canceled</source>
@@ -10106,6 +10113,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s78adb00480380ad9">
   <source>Sign logout response</source>
+  <target>登出响应</target>
 </trans-unit>
 <trans-unit id="s7faa5610b9493a92">
   <source>When enabled, SAML logout responses will be signed.</source>
@@ -10129,18 +10137,23 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s5158b7f014cecefc">
   <source>Review completed</source>
+  <target>审核完成</target>
 </trans-unit>
 <trans-unit id="s9a2a2fda9cfa1ddc">
   <source>Copy Link</source>
+  <target>复制链接</target>
 </trans-unit>
 <trans-unit id="s57adf424d57c8a0f">
   <source>Send</source>
+  <target>发送</target>
 </trans-unit>
 <trans-unit id="s28128d03244fa1ca">
   <source>Send Invitation via Email</source>
+  <target>通过邮件发送邀请</target>
 </trans-unit>
 <trans-unit id="s1ed9fed1a5e85d63">
   <source>Send via Email</source>
+  <target>通过邮件发送</target>
 </trans-unit>
 <trans-unit id="safcbc1ba006eba57">
   <source>Please enter at least one email address</source>
@@ -10153,6 +10166,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s8b97ea84af17c029">
   <source>Never</source>
+  <target>永不</target>
 </trans-unit>
 <trans-unit id="s6e0b6a18cc59fd56">
   <source>No flow set</source>
@@ -10177,12 +10191,16 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sdd2ea73c24b40d5d">
   <source>Site footer</source>
+  <target>网站页脚</target>
 </trans-unit>
 <trans-unit id="sf910cca0f06bbc31">
   <source>Enter the email address or username associated with your account.</source>
+  <target>输入与您账户关联的
+电子邮件地址或用户名。</target>
 </trans-unit>
 <trans-unit id="s6e858c4c4c3b6b76">
   <source>You're about to be redirected to the following URL.</source>
+  <target>您即将被重定向至以下网址。</target>
 </trans-unit>
 <trans-unit id="sd5d2b94a1ccba1a9">
   <source>Log in to continue to <x id="0" equiv-text="${prelude}"/>.</source>
@@ -10417,6 +10435,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s74cb3d66f6a668e1">
   <source>Documentation</source>
+  <target>文档</target>
 </trans-unit>
 <trans-unit id="sdf1d745af5aa858f">
   <source>Release notes</source>
@@ -10654,6 +10673,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s6d46b842e227be57">
   <source>Application Details</source>
+  <target>应用程序详情</target>
 </trans-unit>
 <trans-unit id="sda5e30fff0fb8622">
   <source>Provider Details</source>
@@ -10936,6 +10956,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s8489d5559dda260c">
   <source>Role Object Permissions</source>
+  <target>角色对象权限</target>
 </trans-unit>
 <trans-unit id="se84477a0cb9d8781">
   <source>Object Permission</source>
@@ -10945,6 +10966,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s8b0432eecbd8b034">
   <source>Update</source>
+  <target>更新</target>
 </trans-unit>
 <trans-unit id="sa6f726a43ec55a63">
   <source>Search for a role...</source>
@@ -11410,6 +11432,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sd30f00ff2135589c">
   <source>When enabled, notification will be sent to the user that triggered the event in addition to any users in the group above. The event user will always be the first user, to send a notification only to the event user enabled 'Send once' in the notification transport.</source>
+  <target>启用时，通知不仅会发送给触发事件的用户，还会发送到组中的任何用户。事件用户将总是第一个用户，要只向事件用户发送通知，则需要在通知传输中启用“发送一次”。</target>
 </trans-unit>
 <trans-unit id="s1c0267488c33401b">
   <source>Minimum reviewers</source>
@@ -11521,6 +11544,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s8655c52824caac63">
   <source>If checked, the launch URL will open in a new browser tab or window from the user's application library.</source>
+  <target>如果勾选，在用户的应用程序库中时，启动 URL 将会在新浏览器标签页或窗口中打开。</target>
 </trans-unit>
 <trans-unit id="s9eda7101f63a8652">
   <source>Hide from My applications</source>
@@ -11647,9 +11671,11 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1cf2298d92c327a6">
   <source>My Applications</source>
+  <target>我的应用</target>
 </trans-unit>
 <trans-unit id="s2656433a3b1f7e86">
   <source>My applications</source>
+  <target>我的应用</target>
 </trans-unit>
 </body>
 </file>

website/api/package.json

@@ -48,9 +48,9 @@
         "typescript": "^6.0.2"
     },
     "optionalDependencies": {
-        "@rspack/binding-darwin-arm64": "1.7.11",
-        "@rspack/binding-linux-arm64-gnu": "1.7.11",
-        "@rspack/binding-linux-x64-gnu": "1.7.11",
+        "@rspack/binding-darwin-arm64": "2.0.0",
+        "@rspack/binding-linux-arm64-gnu": "2.0.0",
+        "@rspack/binding-linux-x64-gnu": "2.0.0",
         "@swc/core-darwin-arm64": "1.15.33",
         "@swc/core-linux-arm64-gnu": "1.15.33",
         "@swc/core-linux-x64-gnu": "1.15.33",

website/docs/add-secure-apps/flows-stages/flow/context/index.mdx

@@ -29,9 +29,9 @@ Keys prefixed with `goauthentik.io` are used internally by authentik and are sub
 
 #### `pending_user` ([User object](../../../../users-sources/user/user_ref.mdx#object-properties))
 
-`pending_user` is used by multiple stages. In the context of most flow executions, it represents the data of the user that is executing the flow. This value is not set automatically, it is set via the [Identification stage](../../stages/identification/index.mdx).
+`pending_user` is used by multiple stages. In the context of most flow executions, it represents the data of the user that is executing the flow. This value is not set automatically, it is set via the [Identification stage](../../stages/identification/index.md).
 
-Stages that require a user, such as the [Password stage](../../stages/password/index.md), the [Authenticator validation stage](../../stages/authenticator_validate/index.mdx), and others will use this value if it is set, and fall back to the request's user when possible.
+Stages that require a user, such as the [Password stage](../../stages/password/index.md), the [Authenticator validation stage](../../stages/authenticator_validate/index.md), and others will use this value if it is set, and fall back to the request's user when possible.
 
 #### `prompt_data` (Dictionary)
 
@@ -45,7 +45,7 @@ Stages that require a user, such as the [Password stage](../../stages/password/i
 }
 ```
 
-This data can be modified with policies. The data is also used by stages like [User write](../../stages/user_write.md), which takes data in `prompt_data` and writes it to `pending_user`.
+This data can be modified with policies. The data is also used by stages like [User write](../../stages/user_write/index.md), which takes data in `prompt_data` and writes it to `pending_user`.
 
 #### `redirect` (string)
 
@@ -75,7 +75,7 @@ This key is set to `True` when the flow is executed from an "SSO" context. For e
 
 #### `is_restored` (Token object)
 
-This key is set when a flow execution is continued from a token. This happens for example when an [Email stage](../../stages/email/index.mdx) is used and the user clicks on the link within the email. The token object contains the key that was used to restore the flow execution. This field is also used by the [Source stage](../../stages/source/index.md) when returning back to the initial flow the Source stage was run on.
+This key is set when a flow execution is continued from a token. This happens for example when an [Email stage](../../stages/email/index.md) is used and the user clicks on the link within the email. The token object contains the key that was used to restore the flow execution. This field is also used by the [Source stage](../../stages/source/index.md) when returning back to the initial flow the Source stage was run on.
 
 #### `is_redirected` (Flow object)
 
@@ -153,7 +153,7 @@ Set by the [Password stage](../../stages/password/index.md) after successfully a
 
 ##### `auth_method` (string)
 
-Set by the [Password stage](../../stages/password/index.md), the [Authenticator validation stage](../../stages/authenticator_validate/index.mdx), the [OAuth2 Provider](../../../providers/oauth2/index.mdx), and the API authentication depending on which method was used to authenticate.
+Set by the [Password stage](../../stages/password/index.md), the [Authenticator validation stage](../../stages/authenticator_validate/index.md), the [OAuth2 Provider](../../../providers/oauth2/index.mdx), and the API authentication depending on which method was used to authenticate.
 
 Possible options:
 

website/docs/add-secure-apps/flows-stages/flow/executors/headless.md

@@ -6,6 +6,6 @@ The headless flow executor is used by clients that don't have access to the web
 
 The following stages are supported:
 
-- [**Identification stage**](../../stages/identification/index.mdx)
+- [**Identification stage**](../../stages/identification/index.md)
 - [**Password stage**](../../stages/password/index.md)
-- [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.mdx)
+- [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.md)

website/docs/add-secure-apps/flows-stages/flow/executors/sfe.md

@@ -12,14 +12,14 @@ Currently this flow executor is automatically used for the following browsers:
 
 The following stages are supported:
 
-- [**Identification stage**](../../stages/identification/index.mdx)
+- [**Identification stage**](../../stages/identification/index.md)
 
     :::info
     Only user identifier and user identifier + password stage configurations are supported; sources and passwordless configurations are not supported.
     :::
 
 - [**Password stage**](../../stages/password/index.md)
-- [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.mdx)
+- [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.md)
 
 Compared to the [default flow executor](./if-flow.md), this flow executor does _not_ support the following features:
 

website/docs/add-secure-apps/flows-stages/flow/flow_list/_defaultflowlist.mdx

@@ -2,17 +2,17 @@
 
 - **Authorization**: designates a flow to be used for authorization of an application. Can be used to add additional verification steps before the user is allowed to access an application. This flow is defined per provider, when the provider is created, to state whether implicit or explicit authorization is required.
 
-- **Enrollment**: designates a flow for enrollment. This flow can contain any amount of verification stages, such as [**Email**](../../stages/email/index.mdx) or **Captcha**. At the end, to create the user, you can use the [**User Write**](../../stages/user_write.md) stage, which either updates the currently staged user, or if none exists, creates a new one.
+- **Enrollment**: designates a flow for enrollment. This flow can contain any amount of verification stages, such as [**Email**](../../stages/email/index.md) or **Captcha**. At the end, to create the user, you can use the [**User Write**](../../stages/user_write/index.md) stage, which either updates the currently staged user, or if none exists, creates a new one.
 
 - **Invalidation**: designates a default flow to be used to invalidate a session. There are two default invalidation flows:
-    - `default-invalidation-flow`: Used when a user logs out directly from authentik. This flow **includes** a [**User Logout**](../../stages/user_logout.md) stage, which ends the authentik session and triggers [Single Logout](../../../providers/single-logout/index.md) for all connected applications.
+    - `default-invalidation-flow`: Used when a user logs out directly from authentik. This flow **includes** a [**User Logout**](../../stages/user_logout/index.md) stage, which ends the authentik session and triggers [Single Logout](../../../providers/single-logout/index.md) for all connected applications.
 
     - `default-provider-invalidation-flow`: Used when a user logs out from an application (OIDC, SAML, Proxy, or RAC providers). By default, this flow does **not** include a User Logout stage, meaning only the specific application session ends while the authentik session remains active. For instructions on how to also end the authentik session when a user logs out from an application, see the [Single Logout documentation](../../../providers/single-logout/index.md#enable-full-single-logout-for-rp-initiated-logout).
 
     You can also create custom invalidation flows with branded background images or different logout options.
 
-- **Recovery**: designates a flow for recovery. This flow normally contains an [**Identification**](../../stages/identification/index.mdx) stage to find the user. It can also contain any amount of verification stages, such as [**Email**](../../stages/email/index.mdx) or [**CAPTCHA**](../../stages/captcha/index.md). Afterwards, use the [**Prompt**](../../stages/prompt/index.md) stage to ask the user for a new password and the [**User Write**](../../stages/user_write.md) stage to update the password.
+- **Recovery**: designates a flow for recovery. This flow normally contains an [**Identification**](../../stages/identification/index.md) stage to find the user. It can also contain any amount of verification stages, such as [**Email**](../../stages/email/index.md) or [**CAPTCHA**](../../stages/captcha/index.md). Afterwards, use the [**Prompt**](../../stages/prompt/index.md) stage to ask the user for a new password and the [**User Write**](../../stages/user_write/index.md) stage to update the password.
 
 - **Stage configuration**: designates a flow for general setup. This designation doesn't impose any constraints on what you can do. For example, by default this designation is used to configure authenticators, like changing a password and setting up TOTP.
 
-- **Unenrollment**: designates a flow for unenrollment. This flow can contain any amount of verification stages, such as [**email**](../../stages/email/index.mdx) or [**Captcha**](../../stages/captcha/index.md). As a final stage, to delete the account, use the [**user_delete**](../../stages/user_delete.md) stage.
+- **Unenrollment**: designates a flow for unenrollment. This flow can contain any amount of verification stages, such as [**email**](../../stages/email/index.md) or [**Captcha**](../../stages/captcha/index.md). As a final stage, to delete the account, use the [**user_delete**](../../stages/user_delete/index.md) stage.

website/docs/add-secure-apps/flows-stages/flow/index.md

@@ -24,7 +24,7 @@ This default behaviour can be altered by enabling the **Evaluate when flow is pl
 
 ## Policies and permissions
 
-Flows can have [policies](../stages/index.md) assigned to them. These policies determine if the current user is allowed to see and use this flow.
+Flows can have [policies](../../../customize/policies/index.md) assigned to them. These policies determine if the current user is allowed to see and use this flow.
 
 Keep in mind that in certain circumstances, policies cannot match against users and groups as there is no authenticated user yet.
 

website/docs/add-secure-apps/flows-stages/flow/inspector.md

@@ -11,7 +11,7 @@ As shown in the screenshot below, the Flow Inspector displays to the right, besi
 ## Access the Flow Inspector
 
 :::warning
-Be aware that when running a flow with the Inspector enabled, the flow is still executed normally. This means that for example, a [User write](../stages/user_write.md) stage _will_ write user data.
+Be aware that when running a flow with the Inspector enabled, the flow is still executed normally. This means that for example, a [User write](../stages/user_write/index.md) stage _will_ write user data.
 :::
 
 The Inspector is accessible to users that have been granted the [permission](../../../users-sources/access-control/permissions.md) **Can inspect a Flow's execution**, either directly or through a role. Superusers can always inspect flow executions.

website/docs/add-secure-apps/flows-stages/stages/authenticator_duo/index.md

@@ -0,0 +1,45 @@
+---
+title: Duo authenticator setup stage
+---
+
+The Duo Authenticator Setup stage enrolls a Duo authenticator for the current user.
+
+## Overview
+
+This stage connects authentik to Duo and stores a Duo-backed authenticator for the user. Duo can then be used with the [Authenticator Validation stage](../authenticator_validate/index.md).
+
+## Configuration options
+
+- **API hostname**: the Duo API hostname for your tenant.
+- **Client ID**: Duo Auth API client identifier.
+- **Client secret**: Duo Auth API secret.
+- **Admin integration key**: optional Duo Admin API integration key, used for importing existing Duo users and authenticators.
+- **Admin secret key**: optional Duo Admin API secret, used together with the admin integration key.
+- **Authenticator type name**: optional friendly name shown to the user in self-service settings.
+- **Configuration flow**: optional authenticated flow that lets users enroll this authenticator from user settings.
+
+## Flow integration
+
+Use this stage in an enrollment or user-settings flow where the user should enroll Duo.
+
+To require Duo during authentication, add an [Authenticator Validation stage](../authenticator_validate/index.md) to the login flow and allow the **Duo** device class.
+
+## Notes
+
+- Duo authenticators created through this stage are tied to the stage because authentik needs that stage's API credentials during authentication.
+- Deleting the stage also removes the Duo authenticators associated with it.
+
+### Import existing Duo authenticators
+
+:::info
+Due to the way the Duo API works, authentik can only automatically import existing Duo users when a Duo MFA or higher license is active.
+:::
+
+If you already have Duo users, you can import their authenticators into authentik from the admin UI. The Duo username can be found in the Duo Admin dashboard under **Users**. If needed, you can also use the Duo user ID shown in the Duo Admin URL for that user.
+
+For direct API use, the import endpoint accepts:
+
+- `duo_user_id`: the Duo user's ID from the Duo admin portal
+- `username`: the authentik username to assign the imported authenticator to
+
+The `stage_uuid` in the request must be the Duo stage whose API credentials should be used.

website/docs/add-secure-apps/flows-stages/stages/authenticator_duo/index.mdx

@@ -1,30 +0,0 @@
----
-title: Duo Authenticator Setup stage
----
-
-This stage configures a Duo authenticator. To get the API Credentials for this stage, open your Duo Admin dashboard.
-
-Go to Applications, click on Protect an Application and search for "Auth API". Click on Protect.
-
-Copy all of the integration key, secret key and API hostname, and paste them in the Stage form.
-
-Devices created reference the stage they were created with, since the API credentials are needed to authenticate. This also means when the stage is deleted, all devices are removed.
-
-## Importing users
-
-:::info
-Due to the way the Duo API works, authentik can only automatically import existing Duo users when a Duo MFA or higher license is active.
-:::
-
-To import a device, open the Stages list in the authentik Admin interface. On the right next to the import button you'll see an import button, with which you can import Duo devices to authentik users.
-
-The Duo username can be found by navigating to your Duo Admin dashboard and selecting _Users_ in the sidebar. Optionally if you have multiple users with the same username, you can click on a User and copy their ID from the URL, and use that to import the device.
-
-### Older versions
-
-You can call the `/api/v3/stages/authenticator/duo/{stage_uuid}/import_devices/` endpoint ([see here](https://goauthentik.io/api/#post-/stages/authenticator/duo/-stage_uuid-/import_devices/)) using the following parameters:
-
-- `duo_user_id`: The Duo User's ID. This can be found in the Duo Admin Portal, navigating to the user list and clicking on a single user. Their ID is shown in th URL.
-- `username`: The authentik user's username to assign the device to.
-
-Additionally, you need to pass `stage_uuid` which is the `authenticator_duo` stage, in which you entered your API credentials.

website/docs/add-secure-apps/flows-stages/stages/authenticator_email/index.md

@@ -1,43 +1,43 @@
 ---
-title: Email Authenticator Setup stage
+title: Email authenticator setup stage
 authentik_version: "2025.2"
 ---
 
-This stage configures an email-based authenticator that sends a one-time code to a user's email address for authentication.
+The Email Authenticator Setup stage registers an email-based authenticator for the current user, enabling one-time codes to be sent via email during subsequent authentications.
 
-When a user goes through a flow that includes this stage, they are prompted for their email address (if not already set). The user then receives an email with a one-time code, which they enter into the authentik Login panel.
+## Overview
 
-The email address will be saved and can be used with the [Authenticator validation](../authenticator_validate/index.mdx) stage for future authentications.
+During enrollment, the user supplies an email address if one is not already known, then confirms ownership by entering a one-time code.
+
+The enrolled email address can later be used with the [Authenticator Validation stage](../authenticator_validate/index.md).
+
+## Configuration options
+
+- **Use global connection settings**: use authentik's global email configuration instead of stage-specific SMTP settings.
+- **SMTP host**: SMTP server hostname for stage-specific email delivery.
+- **SMTP port**: SMTP server port.
+- **SMTP username**: optional SMTP username.
+- **SMTP password**: optional SMTP password.
+- **Use TLS**: enable STARTTLS for the SMTP connection.
+- **Use SSL**: enable SMTPS for the SMTP connection.
+- **Timeout**: SMTP connection timeout in seconds.
+- **From address**: sender address used for enrollment emails.
+- **Token expiry**: how long the one-time code stays valid.
+- **Subject**: subject line for the enrollment email.
+- **Template**: email template used for the one-time code email.
+- **Authenticator type name**: optional friendly name shown to the user in self-service settings.
+- **Configuration flow**: optional authenticated flow that lets users enroll this authenticator from user settings.
+
+For SMTP requirements and global email delivery settings, see [Email configuration](../../../../install-config/email.mdx).
 
 ## Flow integration
 
-To use the Email Authenticator Setup stage in a flow, follow these steps:
+Use this stage in an enrollment or user-settings flow where the user should add an email authenticator.
 
-1. [Create](../../flow/index.md#create-a-flow) a new flow or edit an existing one.
-2. On the flow's **Stage Bindings** tab, click **New Stage** to create and add the Email Authenticator Setup stage. (If the stage already exists, click **Bind Existing Stage**.)
-3. Configure the stage settings as described below.
-    - **Name**: provide a descriptive name, such as Email Authenticator Setup.
-    - **Authenticator type name**: define the display name for this stage.
-    - **Use global connection settings**: the stage can be configured in two ways: global settings or stage-specific settings.
-        - Enable (toggle on) the **Use global connection settings** option to use authentik's global email configuration. Note that you must already have configured your environment variables to use the global settings. See instructions for [Docker Compose](../../../../install-config/install/docker-compose#email-configuration-optional-but-recommended) and for [Kubernetes](../../../../install-config/install/kubernetes#email-configuration-optional-but-recommended).
+To use the enrolled address during login, add an [Authenticator Validation stage](../authenticator_validate/index.md) to the authentication flow and allow the **Email** device class.
 
-        - If you need different email settings for this stage, disable (toggle off) **Use global connection settings** and configure the following options:
+## Notes
 
-        - **Connection settings**:
-            - **SMTP Host**: SMTP server hostname (default: localhost)
-            - **SMTP Port**: SMTP server port number(default: 25)
-            - **SMTP Username**: SMTP authentication username (optional)
-            - **SMTP Password**: SMTP authentication password (optional)
-                - **Use TLS**: Enable TLS encryption
-                - **Use SSL**: Enable SSL encryption
-            - **Timeout**: Connection timeout in seconds (default: 10)
-            - **From Address**: Email address that messages are sent from (default: system@authentik.local)
-
-        - **Stage-specific settings**:
-            - **Subject**: Email subject line (default: "authentik Sign-in code")
-            - **Token Expiration**: Time in minutes that the sent token is valid (default: 30)
-            - **Configuration flow**: select the flow to which you are binding this stage.
-
-4. Click **Update** to complete the creation and binding of the stage to the flow.
-
-The new Email Authenticator Setup stage now appears on the **Stage Bindings** tab for the flow.
+- If **Use global connection settings** is enabled, configure the global email settings first. See the installation docs for [Docker Compose](../../../../install-config/install/docker-compose#email-configuration-optional-but-recommended) and [Kubernetes](../../../../install-config/install/kubernetes#email-configuration-optional-but-recommended).
+- This stage is separate from the general-purpose [Email stage](../email/index.md), which is used for email verification and recovery.
+- If the user already has an email address on their account, authentik can use that address during enrollment instead of prompting for a new address.

website/docs/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/index.md

@@ -1,83 +1,65 @@
 ---
-title: Google Chrome Device Trust Authenticator Stage
+title: Google Chrome Device Trust authenticator stage
 authentik_version: "2024.10"
 authentik_enterprise: true
 support_level: deprecated
 ---
 
 :::warning Deprecated
-This stage has been deprecated and is being replaced by the [Google Chrome connector](../../../../endpoint-devices/device-compliance/connectors/google-chrome.md) functionality included in the [Endpoint Devices](../../../../endpoint-devices/index.mdx) feature set.
+This stage is deprecated in favor of the [Google Chrome connector](../../../../endpoint-devices/device-compliance/connectors/google-chrome.md) used with the [Endpoint Devices](../../../../endpoint-devices/index.mdx) feature set.
 :::
 
-With this stage, authentik can validate users' Chrome browsers and ensure that users' devices are compliant and up-to-date.
+The Google Chrome Device Trust Authenticator Stage verifies a Chrome browser by using the Chrome Verified Access API.
 
-Support for the Chrome Enterprise Device Trust connector allows organizations to integrate Chrome browsers and ChromeOS devices with authentik as the Identity Provider (IdP), to strengthen their overall security posture.
+## Overview
 
-Device Trust is particularly important in environments with many different device types that are used by a large, remote workforce that might have a BYOD (Bring Your Own Device) policy, or have large teams of contractors, temporary workers, or volunteers.
+This stage validates Chrome Enterprise Device Trust signals from the user's browser. Unlike other authenticator setup stages, it does not enroll a reusable MFA device for later validation through the [Authenticator Validation stage](../authenticator_validate/index.md).
 
-With Device Trust you can enable "context-aware" access policies; for example a policy might require that a device has all security patches installed.
+It was designed to integrate Chrome browsers and ChromeOS devices with authentik as the identity provider so access decisions could take device posture into account.
 
-:::info
-This stage only works with Google Chrome, as it relies on the [Chrome Verified Access API](https://developers.google.com/chrome/verified-access).
-:::
+Typical use cases included remote-work, contractor, and BYOD environments where access should depend on the state of the browser or device in addition to the user's identity.
 
-## Configuration
+## Configuration options
 
-The main steps to set up your Google workspace are as follows:
+- **Credentials**: Google service-account JSON used to access the Chrome Verified Access API.
+- **Authenticator type name**: optional friendly name shown to the user in self-service settings.
+- **Configuration flow**: optional authenticated flow that exposes the stage in user settings.
 
-- [Configuration](#configuration)
-    - [Create a Google cloud project](#create-a-google-cloud-project)
-    - [Create a service account](#create-a-service-account)
-    - [Set credentials for the service account](#set-credentials-for-the-service-account)
-    - [Create the stage](#create-the-stage)
+## Flow integration
 
-For detailed instructions, refer to Google documentation.
+Bind this stage directly into a flow where Chrome browser verification should happen.
 
-### Create a Google cloud project
+Compared to the newer [Endpoint stage](../endpoint/index.md), this stage is Chrome-specific and relies on the legacy Device Trust integration path.
 
-1. Open the Google Cloud Console (https://cloud.google.com/cloud-console).
-2. In upper left, click the drop-down box to open the **Select a project** box, and then select **New Project**.
-3. Create a new project and give it a name like "authentik Chrome Device Trust".
-4. Use the search bar at the top of your new project page to search for "API Library".
-5. On the **API Library** page, use the search bar again to find "Chrome Verified Access API".
-6. On the **Chrome Verified Access API** page, click **Enable**.
+## Notes
 
-### Create a service account
+### Requirements
 
-1. After the new Chrome Verified Access API is enabled (it might take a few minutes), return to the Google Cloud console home page (click on **Google Cloud** in upper left).
-2. Use the search bar to find and navigate to the **IAM** page.
-3. On the **IAM** page, click **Service Accounts** in the left navigation pane.
-4. At the top of the **Service Accounts** page, click **Create Service Account**.
+- Google Chrome is required.
+- A Google Cloud project with the Chrome Verified Access API enabled is required.
+- A service account with exported JSON credentials is required.
+- Chrome Enterprise Device Trust must be configured in the Google admin side to call back into authentik.
 
-- Under **Service account details** page, define the **Name** and **Description** for the new service account, and then click **Create and Continue**.
-- Under **Grant this service account access to project** you do not need to define a role, so click **Continue**.
-- Under **Grant users access to project** you do not need to define a role, so click **Done** to complete the creation of the service account.
+This integration was commonly paired with context-aware access policies, for example only allowing access from devices that meet patching or compliance requirements.
 
-### Set credentials for the service account
+### Google setup outline
 
-1. On the **Service accounts** page, click the account that you just created.
-2. Click the **Keys** tab at top of the page, the click **Add Key > Create new key**.
-3. In the Create box, select JSON as the key type, and then click **Create**.
-   A pop-up displays with the private key, and the key is saved to your computer as a JSON file.
-   Later, when you create the stage in authentik, you will add this key in the **Credentials** field.
-4. On the service account page, click the **Details** tab, and expand the **Advanced settings** area.
-5. Log in to the Admin Console, and then navigate to **Chrome browser > Connectors**.
-6. Click on **New Provider Configuration**.
-7. Under Universal Device Trust, click "Set up".
-8. Enter a name.
-9. Enter the URL: https://authentik.company/endpoint/gdtc/chrome/
-10. Under Service accounts, enter the full name of the service account created above, for example `authentik-gdtc-docs@authentik-enterprise-dev.iam.gserviceaccount.com`.
+The original Chrome Device Trust setup has four main steps:
 
-### Create the stage
+1. Create a Google Cloud project and enable the **Chrome Verified Access API**.
+2. Create a service account.
+3. Export a JSON key for that service account.
+4. Configure Chrome Enterprise Device Trust to call authentik at `/endpoint/gdtc/chrome/`.
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Flows > Stages**.
-3. Click **Create**, and select **Endpoint Authenticator Google Device Trust Connector Stage**, and in the **New stage** box, define the following fields:
-    - **Name**: define a descriptive name, such as "chrome-device-trust".
+More concretely:
 
-    - **Google Verified Access API**
-        - **Credentials**: paste the contents of the JSON file (the key) that you downloaded earlier.
+1. Open the Google Cloud Console and create a new project.
+2. Enable the **Chrome Verified Access API** in that project.
+3. In **IAM** > **Service Accounts**, create a service account.
+4. Generate a JSON key from the service account's **Keys** tab.
+5. In the Google admin side, configure a new provider under **Chrome browser > Connectors** and point it at your authentik URL, for example `https://authentik.company/endpoint/gdtc/chrome/`.
+6. Paste the exported JSON key into the stage's **Credentials** field in authentik.
 
-4. Click **Finish**.
+### Why this stage is different
 
-After creating the stage, it can be used in any flow. Compared to other Authenticator stages, this stage does not require enrollment. Instead of adding an [Authenticator Validation Stage](../authenticator_validate/index.mdx), this stage only verifies the user's browser.
+This stage verifies the current Chrome browser directly and does not create a reusable MFA enrollment that is later selected by the Authenticator Validation stage. That difference is why the newer [Endpoint stage](../endpoint/index.md) is a better long-term replacement for most deployments.

website/docs/add-secure-apps/flows-stages/stages/authenticator_sms/index.md

@@ -0,0 +1,107 @@
+---
+title: SMS authenticator setup stage
+---
+
+The SMS Authenticator Setup stage enrolls an SMS-based authenticator for the current user by using either Twilio or a generic HTTP endpoint.
+
+## Overview
+
+This stage stores a phone number, enabling one-time codes to be sent via SMS.
+
+In normal mode, the enrolled phone number can later be used with the [Authenticator Validation stage](../authenticator_validate/index.md). In **verify only** mode, the stage only verifies ownership of a phone number during enrollment and stores a hash instead of the number itself.
+
+## Configuration options
+
+- **Provider**: choose either **Twilio** or **Generic**.
+- **From number**: sender number or identifier used for outbound SMS.
+- **Account SID / External API URL**: for Twilio this is the account SID; for the generic provider this is the target API URL.
+- **Auth / token**: for Twilio this is the auth token; for the generic provider this is the bearer token or basic-auth username.
+- **Auth password**: optional password for generic basic authentication.
+- **Auth type**: choose **Basic** or **Bearer** authentication for the generic provider.
+- **Verify only**: verify phone ownership during enrollment without storing the plain phone number for later MFA use.
+- **Mapping**: optional webhook mapping used to customize the payload sent to custom providers.
+- **Authenticator type name**: optional friendly name shown to the user in self-service settings.
+- **Configuration flow**: optional authenticated flow that lets users enroll this authenticator from user settings.
+
+## Flow integration
+
+Use this stage in an enrollment or user-settings flow where the user should add an SMS authenticator.
+
+To require SMS during login, add an [Authenticator Validation stage](../authenticator_validate/index.md) to the authentication flow and allow the **SMS** device class.
+
+If you enable **Verify only**, phone numbers enrolled through this stage cannot be used by the [Authenticator Validation stage](../authenticator_validate/index.md).
+
+## Notes
+
+### Twilio
+
+For the Twilio provider, create a messaging service and collect the **Account SID**, **Auth token**, and a usable sender number from the Twilio console.
+
+A typical Twilio setup looks like this:
+
+1. Log in to the Twilio console.
+2. Go to **Explore Products** > **Messaging** > **Services**.
+3. Create a new messaging service and choose a verification-oriented use case.
+4. Add a sender from the service's sender pool.
+5. Copy the **Account SID** and **Auth token** into the stage configuration.
+
+Using a property mapping, you can customize the message sent via Twilio. The mapping should return a dictionary with a `message` key. For example:
+
+```python
+return {
+    "message": f"This is a custom message for {request.http_request.brand.branding_title} SMS authentication. The code is {token}."
+}
+```
+
+Useful variables in that mapping include:
+
+- `device.phone_number`
+- `stage.from_number`
+- `request.http_request.brand`
+
+### Generic provider
+
+For the generic provider, authentik sends an HTTP `POST` request to the configured API URL. The default payload contains:
+
+```json
+{
+    "From": "<value of the From number field>",
+    "To": "<the phone number of the user's device>",
+    "Body": "<the token that the user needs to authenticate>",
+    "Message": "<the full SMS message>"
+}
+```
+
+Any response with status `400` or higher is treated as a failed send and blocks the user from proceeding.
+
+You can also customize the generic-provider payload with a webhook mapping. For example:
+
+```python
+return {
+    "from": stage.from_number,
+    "to": device.phone_number,
+    "body": f"foo bar baz {token}",
+}
+```
+
+### Limiting phone numbers
+
+To control which phone numbers are accepted, collect the number in a [Prompt stage](../prompt/index.md) and validate it with an expression policy before this stage runs. If a prompt field uses the key `phone`, the SMS setup stage will read that value from `prompt_data` instead of prompting the user again.
+
+Example expression policy:
+
+```python
+phone_number = regex_replace(request.context["prompt_data"]["phone"], r"\s+", "")
+
+if phone_number.startswith("+1234"):
+    return True
+ak_message("Invalid phone number or missing region code")
+return False
+```
+
+A typical flow for this looks like:
+
+1. Create a required text prompt field with the key `phone`.
+2. Create a Prompt stage that contains that field.
+3. Bind the validation policy to the Prompt stage.
+4. Bind the Prompt stage before the SMS setup stage in the enrollment flow.

website/docs/add-secure-apps/flows-stages/stages/authenticator_sms/index.mdx

@@ -1,98 +0,0 @@
----
-title: SMS Authenticator Setup stage
----
-
-This stage configures an SMS-based authenticator using either Twilio, or a generic HTTP endpoint.
-
-## Providers
-
-### Twilio
-
-Navigate to https://console.twilio.com/, and log in to your existing account, or create a new one.
-
-In the sidebar, navigate to _Explore Products_, then _Messaging_, and _Services_ below that.
-
-Click on _Create Messaging Service_ to create a new set of API credentials.
-
-Give the service a Name, and select _Verify users_ as a use-case.
-
-In the next step, add an address from your Sender Pool. Instructions on how to create numbers are not covered here, please check the Twilio documentation [here](https://www.twilio.com/docs).
-
-The other two steps can be skipped using the _Skip setup_ button.
-
-Navigate back to the root of your Twilio console, and copy the Auth token. This is the value for the _Twilio Auth Token_ field in authentik. Copy the value of **Account SID**. This is the value for the _Twilio Account SID_ field in authentik.
-
-#### Custom SMS message :ak-version[2025.8]
-
-Using a property mapping, it is possible to customize the SMS message sent via Twilio. The mapping should return a dictionary with the `message` key, which will be sent to the user. For example:
-
-```python
-return {
-    "message": f"This is a custom message for {request.http_request.brand.branding_title} SMS authentication. The code is {token}."
-}
-```
-
-Variables related to different objects can be used within the message:
-
-    - The end user device, for example: `device.phone_number`
-    - The stage sending the message, for example: `stage.from_number`
-    - The request this verification code is being sent from, for example: `request.http_request.brand`
-
-### Generic
-
-For the generic provider, a POST request will be sent to the URL you have specified in the _External API URL_ field. The request payload looks like this
-
-```json
-{
-    "From": "<value of the *From number* field>",
-    "To": "<the phone number of the user's device>",
-    "Body": "<the token that the user needs to authenticate>"
-}
-```
-
-Authentication can either be done as HTTP Basic, or via a Bearer Token. Any response with status 400 or above is counted as failed, and will prevent the user from proceeding.
-
-#### Custom SMS message
-
-A custom webhook mapping can be used to customize the SMS message sent to users. For example:
-
-```python
-return {
-    "from": stage.from_number,
-    "to": device.phone_number,
-    "body": f"foo bar baz {token}"
-}
-```
-
-## Verify only
-
-To only verify the validity of a user's phone number, without saving it in an easily accessible way, you can enable this option. Phone numbers from devices enrolled through this stage will only have their hashed phone number saved. These devices can also not be used with the [Authenticator validation](../authenticator_validate/index.mdx) stage.
-
-## Limiting phone numbers
-
-To limit phone numbers (for example to a specific region code), you can create an expression policy to validate the phone number, and use a prompt stage for input.
-
-### Expression policy
-
-Create an expression policy to check the phone number:
-
-```python
-# Trim all whitespace in and around the user input
-phone_number = regex_replace(request.context["prompt_data"]["phone"], r'\s+', '')
-
-# Only allow a specific region code
-if phone_number.startswith("+1234"):
-    return True
-ak_message("Invalid phone number or missing region code")
-return False
-```
-
-### Prompt stage
-
-Create a text prompt field with the _field key_ set to `phone`. Make sure it is selected as a required field.
-
-Create a prompt stage with the phone field you created above, and select the expression policy created above as validation policy.
-
-### Flow
-
-Create a new flow to enroll SMS devices. Bind the prompt stage created above as first stage, and create/bind a _SMS Authenticator Setup Stage_, and bind it to the flow as second stage. This stage will see the `phone` field in the flow's context's `prompt_data`, and not prompt the user for a phone number.

website/docs/add-secure-apps/flows-stages/stages/authenticator_static/index.md

@@ -1,7 +1,29 @@
 ---
-title: Static Authenticator Setup stage
+title: Static authenticator setup stage
 ---
 
-This stage configures static Tokens, which can be used as a backup method to time-based OTP tokens.
+The Static Authenticator Setup stage creates one-time backup codes for a user. These codes are typically used as a fallback when the user's primary authenticator is unavailable.
 
-You can configure how many tokens are shown to the user.
+## Overview
+
+This stage enrolls static backup codes for the current user and generates a set of recovery codes. Each code can be used once.
+
+Because static codes are a device class supported by the [Authenticator Validation stage](../authenticator_validate/index.md), they are usually added as a backup factor rather than the primary factor.
+
+## Configuration options
+
+- **Token count**: how many backup codes to generate for the user.
+- **Token length**: how long each generated code should be.
+- **Authenticator type name**: optional friendly name shown to the user in self-service settings.
+- **Configuration flow**: optional authenticated flow that lets users enroll this authenticator from user settings.
+
+## Flow integration
+
+Use this stage in an enrollment or user-settings flow where the user is already authenticated or otherwise identified.
+
+To use the generated backup codes during authentication, add an [Authenticator Validation stage](../authenticator_validate/index.md) to the login flow and allow the **Static** device class.
+
+## Notes
+
+- Static codes are intended as emergency or backup credentials.
+- Each code is consumed after a successful use.

website/docs/add-secure-apps/flows-stages/stages/authenticator_totp/index.md

@@ -1,9 +1,28 @@
 ---
-title: TOTP Authenticator Setup stage
+title: TOTP authenticator setup stage
 ---
 
-This stage configures a time-based OTP Device, such as Google Authenticator or Authy.
+The TOTP Authenticator Setup stage enrolls a time-based one-time password authenticator for the user, such as Google Authenticator, Authy, 1Password, or similar authenticator apps.
 
-You can configure how many digits should be used for the OTP Token.
+## Overview
 
-The Config URL's Issuer is set based on the currently active brand's branding title. The default setup can cause issues if the same username is used on multiple authentik issues within the same authenticator app, so changing the brand title is recommended.
+This stage creates a TOTP authenticator for the current user and presents a standard OTP configuration URL that authenticator apps can scan or import.
+
+The enrolled TOTP authenticator can then be used with the [Authenticator Validation stage](../authenticator_validate/index.md).
+
+## Configuration options
+
+- **Digits**: choose whether generated codes use 6 or 8 digits.
+- **Authenticator type name**: optional friendly name shown to the user in self-service settings.
+- **Configuration flow**: optional authenticated flow that lets users enroll this authenticator from user settings.
+
+## Flow integration
+
+Use this stage in an enrollment or user-settings flow where the user can add a TOTP authenticator.
+
+To require that authenticator during login, add an [Authenticator Validation stage](../authenticator_validate/index.md) to the authentication flow and allow the **TOTP** device class.
+
+## Notes
+
+- Six-digit TOTP codes are the most widely compatible option.
+- During enrollment, authentik uses the active brand's title as the issuer shown in the TOTP app. If you operate multiple authentik instances with the same usernames, distinct brand titles help avoid confusion in authenticator apps.

website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.md

@@ -0,0 +1,168 @@
+---
+title: Authenticator validation stage
+---
+
+The Authenticator Validation stage validates an already enrolled authenticator.
+
+## Overview
+
+This stage is used during authentication after a user has already enrolled one or more authenticators with a setup stage, such as:
+
+- [Duo Authenticator Setup stage](../authenticator_duo/index.md)
+- [Email Authenticator Setup stage](../authenticator_email/index.md)
+- [SMS Authenticator Setup stage](../authenticator_sms/index.md)
+- [Static Authenticator Setup stage](../authenticator_static/index.md)
+- [TOTP Authenticator Setup stage](../authenticator_totp/index.md)
+- [WebAuthn / FIDO2 / Passkeys Authenticator setup stage](../authenticator_webauthn/index.md)
+
+## Configuration options
+
+- **Not configured action**: control what happens when the user has no compatible authenticator.
+    - **Skip**: continue the flow without MFA.
+    - **Deny**: deny access and end the flow.
+    - **Configure**: inject one of the configured enrollment stages and continue after that stage succeeds.
+- **Configuration stages**: stages that can be injected when **Not configured action** is set to **Configure**.
+- **Device classes**: which enrolled authenticator types can be used at this step.
+- **Last validation threshold**: skip validation if the user has successfully used a compatible device within the configured time window.
+- **WebAuthn user verification**: user-verification requirement for WebAuthn authentication.
+- **WebAuthn hints**: browser hints that influence which WebAuthn authenticator is preferred.
+- **WebAuthn device type restrictions**: optionally limit which WebAuthn device types are allowed.
+- **Email OTP throttling factor**: exponential back-off factor for Email devices after failed verification attempts.
+- **SMS OTP throttling factor**: exponential back-off factor for SMS devices after failed verification attempts.
+- **TOTP throttling factor**: exponential back-off factor for TOTP devices after failed verification attempts.
+- **Static OTP throttling factor**: exponential back-off factor for static recovery codes after failed verification attempts.
+
+## Flow integration
+
+This stage normally appears in authentication flows after [Identification](../identification/index.md) and [Password](../password/index.md), and before [User Login](../user_login/index.md).
+
+If **Not configured action** is set to **Configure**, the stage can bootstrap enrollment by injecting one or more authenticator setup stages into the running flow.
+
+## Notes
+
+### Require more than one MFA method
+
+To require users to enroll more than one MFA method and validate with each method on every login, add multiple Authenticator Validation stages to the same authentication flow.
+
+Configure each validation stage with a different set of allowed **Device classes**, and set **Not configured action** to **Configure**.
+
+For example, to require both TOTP and WebAuthn:
+
+1. Create a TOTP setup stage and a WebAuthn setup stage if you do not already have them.
+2. Create an Authenticator Validation stage for TOTP:
+    - Set **Device classes** to `totp`.
+    - Set **Not configured action** to **Configure**.
+    - Set **Configuration stages** to your TOTP setup stage.
+3. Create a second Authenticator Validation stage for WebAuthn:
+    - Set **Device classes** to `webauthn`.
+    - Set **Not configured action** to **Configure**.
+    - Set **Configuration stages** to your WebAuthn setup stage.
+4. Bind both validation stages to your authentication flow in the order that users should enroll and validate them.
+
+On first sign-in, users who do not yet have one of the required methods are prompted to configure it before the flow continues. On later sign-ins, each validation stage checks only the device classes configured on that stage.
+
+### Require at least two enrolled MFA methods of any type
+
+If you want to require users to enroll at least two different MFA methods, regardless of which types they choose, use an [Expression Policy](../../../../customize/policies/types/expression/index.mdx) to count the enrolled device classes for the user.
+
+```python
+from authentik.stages.authenticator import devices_for_user
+
+pending_user = request.context.get("pending_user")
+if not pending_user or not pending_user.pk:
+    return False
+
+device_types = {
+    device.__class__.__name__.lower().replace("device", "")
+    for device in devices_for_user(pending_user, confirmed=True)
+}
+
+return len(device_types) >= 2
+```
+
+Bind the policy to the flow or stage binding that controls whether the user can continue without enrolling another authenticator.
+
+If you select multiple **Configuration stages** on a single validation stage, users can choose which authenticator to enroll for that requirement.
+
+### Less-frequent validation
+
+Set **Last validation threshold** to a non-zero value to avoid prompting on every login. Any compatible authenticator within the allowed classes can satisfy that threshold.
+
+For code-based authenticators such as TOTP, Static, and SMS, values below `seconds=30` are not useful because those authenticators do not store exact validation timestamps at sub-window precision.
+
+### Passwordless authentication
+
+:::caution
+Firefox has known issues with some Touch ID and platform-authenticator flows. See Mozilla bug `1536482` for one longstanding example.
+:::
+
+Passwordless authentication in this stage currently relies on **WebAuthn** authenticators.
+
+To build a dedicated passwordless flow:
+
+1. Create an **Authentication** flow.
+2. Add an Authenticator Validation stage that allows the **WebAuthn** device class.
+3. Add any extra verification stages you still require.
+4. End the flow with a [User Login stage](../user_login/index.md).
+
+If you want users to choose a passkey directly from the browser's autofill UI on the identification screen, configure **Passkey autofill** in the [Identification stage](../identification/index.md#passkey-autofill-webauthn-conditional-ui). This requires a discoverable credential, also known as a resident key.
+
+Users can either access the passwordless flow directly or reach it through an Identification stage's **Passwordless flow** link.
+
+### WebAuthn hints
+
+:::info
+Hints are advisory and browsers can ignore them based on available authenticators or platform capabilities.
+:::
+
+Optional hints can guide the browser toward a preferred authenticator type during WebAuthn authentication:
+
+- **Security key**: prefer a portable FIDO2 device such as a YubiKey.
+- **Client device**: prefer a built-in platform authenticator such as Touch ID or Windows Hello.
+- **Hybrid**: prefer a platform authenticator on a nearby mobile device, typically through a QR code.
+
+The order of selected hints matters. For example, selecting **Security key** before **Hybrid** asks the browser to prefer security keys before hybrid authentication.
+
+### Automatic authenticator selection
+
+If the user has multiple compatible authenticators, authentik lets them choose one. After a successful validation, the last-used authenticator is automatically preferred the next time this stage runs.
+
+### WebAuthn authenticator type restrictions
+
+If you restrict allowed WebAuthn authenticator types, those restrictions only apply to WebAuthn authenticators that authentik knows how to classify. This is useful when you need to limit authentication to specific hardware families or compliance profiles.
+
+### Throttling
+
+To slow down brute-force attacks against code-based authentication methods, the stage applies an exponential back-off to each device after a failed verification attempt. The delay required between verification attempts grows with each successive failure:
+
+```text
+delay_seconds = factor * 2^(n - 1)
+```
+
+In this formula, `factor` is the per-device-class throttling factor configured on the stage and `n` is the number of successive failures on that device.
+
+For example, with the default factor of `1`, the required delay between attempts is `1, 2, 4, 8, 16, ...` seconds. With a factor of `0.5`, it is `0.5, 1, 2, 4, ...` seconds. A successful verification resets the counter.
+
+A factor of `0` disables throttling for that device class.
+
+WebAuthn and Duo devices are not throttled.
+
+### Authentication logging
+
+When passwordless authentication succeeds through this stage, authentik records the method as `auth_webauthn_pwl` in flow context and related events.
+
+Example event context:
+
+```json
+{
+    "auth_method": "auth_webauthn_pwl",
+    "auth_method_args": {
+        "device": {
+            "pk": 1,
+            "app": "authentik_stages_authenticator_webauthn",
+            "name": "test device",
+            "model_name": "webauthndevice"
+        }
+    }
+}
+```

website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx

@@ -1,154 +0,0 @@
----
-title: Authenticator Validation stage
----
-
-This stage validates an already configured Authenticator Device. This device has to be configured using any of the other authenticator stages:
-
-- [Duo authenticator stage](../authenticator_duo/index.mdx)
-- [Email authenticator stage](../authenticator_email/index.md)
-- [SMS authenticator stage](../authenticator_sms/index.mdx)
-- [Static authenticator stage](../authenticator_static/index.md)
-- [TOTP authenticator stage](../authenticator_totp/index.md)
-- [WebAuthn authenticator stage](../authenticator_webauthn/index.mdx)
-
-You can select which device classes are allowed.
-
-Using the `Not configured action`, you can choose what happens when a user does not have any matching devices.
-
-- Skip: Validation is skipped and the flow continues
-- Deny: Access is denied, the flow execution ends
-- Configure: This option requires a _Configuration stage_ to be set. The validation stage will be marked as successful, and the configuration stage will be injected into the flow.
-
-By default, authenticator validation is required every time the flow containing this stage is executed. To only change this behavior, set _Last validation threshold_ to a non-zero value. (Requires authentik 2022.5)
-Keep in mind that when using Code-based devices (TOTP, Static and SMS), values lower than `seconds=30` cannot be used, as with the way TOTP devices are saved, there is no exact timestamp.
-
-### Options
-
-#### Require more than one MFA method
-
-To require users to enroll more than one MFA method and validate with each method on every login, add multiple **Authenticator Validation** stages to the same authentication flow.
-
-Configure each authenticator validation stage with a different set of allowed **Device classes**, and set **Not configured action** to **Configure**.
-
-#### Example: require both TOTP and WebAuthn
-
-To require both TOTP and WebAuthn:
-
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Create a TOTP setup stage and a WebAuthn setup stage if you do not already have them.
-3. Navigate to **Flows and Stages** > **Stages** and create an **Authenticator Validation** stage for TOTP:
-    - Set **Device classes** to `totp`.
-    - Set **Not configured action** to **Configure**.
-    - Set **Configuration stages** to your TOTP setup stage.
-4. Create a second **Authenticator Validation** stage for WebAuthn:
-    - Set **Device classes** to `webauthn`.
-    - Set **Not configured action** to **Configure**.
-    - Set **Configuration stages** to your WebAuthn setup stage.
-5. Navigate to **Flows and Stages** > **Flows** and open your authentication flow.
-6. On the **Stage Bindings** tab, bind both validation stages to the flow in the order that you want users to enroll them.
-
-On first sign-in, users who do not yet have one of the required methods are prompted to configure it before the flow continues. On later sign-ins, each validation stage checks only the device classes configured on that stage.
-
-#### Require at least two enrolled MFA methods of any type
-
-If you want to require users to enroll at least two different MFA methods, regardless of which types they choose, use an [Expression Policy](../../../../customize/policies/types/expression/index.mdx) to count the enrolled device classes for the user.
-
-To enforce this requirement:
-
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Customization** > **Policies** and create an **Expression Policy**.
-3. Add an expression like the following to count the user's confirmed authenticator types:
-
-```python
-from authentik.stages.authenticator import devices_for_user
-
-pending_user = request.context.get("pending_user")
-if not pending_user or not pending_user.pk:
-    return False
-
-device_types = {
-    device.__class__.__name__.lower().replace("device", "")
-    for device in devices_for_user(pending_user, confirmed=True)
-}
-
-return len(device_types) >= 2
-```
-
-4. Bind the policy to the flow or stage binding that controls whether the user can continue without enrolling another authenticator.
-
-#### Allow users to choose from multiple enrollment methods
-
-If you select multiple **Configuration stages** on a single validation stage, users can choose which authenticator to enroll for that requirement.
-
-#### Less-frequent validation
-
-You can configure this stage to only ask for MFA validation if the user hasn't authenticated themselves within a defined time period. To configure this, set _Last validation threshold_ to any non-zero value. Any of the user's devices within the selected classes are checked.
-
-#### Passwordless authentication
-
-:::caution
-Firefox has some known issues regarding TouchID (see https://bugzilla.mozilla.org/show_bug.cgi?id=1536482)
-:::
-
-Passwordless authentication currently only supports WebAuthn devices, which support passkeys, security keys, and biometrics. For an alternate passwordless setup, see [Password stage](../password/index.md#passwordless-login), which supports other types.
-
-If you want users to authenticate with a passkey via the browser's built-in passkey/autofill UI on the **Identification** screen ("conditional UI" / passkey autofill), configure it in the [Identification stage](../identification/index.mdx#passkey-autofill-webauthn-conditional-ui). This requires a **discoverable credential (aka resident key)**.
-
-To configure passwordless authentication, create a new Flow with the designation set to _Authentication_.
-
-As the first stage, add an _Authenticator validation_ stage with the WebAuthn device class allowed.
-After this stage you can bind any additional verification stages.
-As the final stage, bind a _User login_ stage.
-
-Users can either access this flow directly via its URL, or you can modify any Identification stage's _Passwordless flow_ setting to add a direct link to this flow.
-
-#### Logging
-
-Logins that used Passwordless authentication have the _auth_method_ context variable set to `auth_webauthn_pwl`, and the device used is saved in the arguments. Example:
-
-```json
-{
-    "auth_method": "auth_webauthn_pwl",
-    "http_request": {
-        "args": {
-            "query": ""
-        },
-        "path": "/api/v3/flows/executor/test/",
-        "method": "GET"
-    },
-    "auth_method_args": {
-        "device": {
-            "pk": 1,
-            "app": "authentik_stages_authenticator_webauthn",
-            "name": "test device",
-            "model_name": "webauthndevice"
-        }
-    }
-}
-```
-
-#### WebAuthn Hints
-
-:::info
-Hints are advisory and browsers may ignore them based on available authenticators or platform capabilities.
-:::
-
-Optional hints can be used to guide the browser in prioritizing the preferred authenticator type during WebAuthn authentication. The available hints are:
-
-- **Security key**: Suggests that the user authenticate with a portable FIDO2 device such as a YubiKey.
-- **Client device**: Suggests that the user authenticate with a built-in platform authenticator such as Touch ID or Windows Hello.
-- **Hybrid**: Suggests that the user authenticate using a platform authenticator on a nearby mobile device, typically via a QR code.
-
-The order of selected hints matters: the first hint has the highest priority. For example, selecting "Security key" first and "Hybrid" second asks the browser to prefer security keys before hybrid registration.
-
-#### WebAuthn Device type restrictions
-
-Optionally restrict which WebAuthn device types can be used to authenticate.
-
-When no restriction is set, all WebAuthn devices a user has registered are allowed.
-
-These restrictions only apply to WebAuthn devices created with authentik 2024.4 or later.
-
-#### Automatic device selection
-
-If the user has more than one device, the user is prompted to select which device they want to use for validation. After the user successfully authenticates with a certain device, that device is marked as "last used". In subsequent prompts by the Authenticator validation stage, the last used device is automatically selected for the user. Should they wish to use another device, the user can return to the device selection screen.

website/docs/add-secure-apps/flows-stages/stages/authenticator_webauthn/index.md

@@ -0,0 +1,83 @@
+---
+title: WebAuthn / FIDO2 / Passkeys authenticator setup stage
+---
+
+The WebAuthn / FIDO2 / Passkeys Authenticator setup stage enrolls a WebAuthn authenticator for the current user.
+
+## Overview
+
+This stage supports common WebAuthn authenticator types, including:
+
+- security keys such as YubiKey or Google Titan
+- platform authenticators such as Windows Hello, Touch ID, or Face ID
+- passkeys stored by operating systems or password managers
+
+Enrolled authenticators can later be used with the [Authenticator Validation stage](../authenticator_validate/index.md).
+
+## Configuration options
+
+- **User verification**: require, prefer, or discourage built-in user verification during registration.
+- **Resident key requirement**: control whether the authenticator should create a discoverable credential.
+- **Authenticator attachment**: restrict enrollment to platform authenticators, cross-platform authenticators, or leave it unrestricted.
+- **Prevent duplicate devices**: reject registration of the same authenticator more than once.
+- **Hints**: browser hints that influence which authenticator is preferred during enrollment.
+- **Device type restrictions**: limit enrollment to specific WebAuthn device types.
+- **Maximum attempts**: maximum number of failed registration attempts before the stage denies access. A value of `0` disables the limit.
+- **Authenticator type name**: optional friendly name shown to the user in self-service settings.
+- **Configuration flow**: optional authenticated flow that lets users enroll this authenticator from user settings.
+
+## Flow integration
+
+Use this stage in an enrollment or user-settings flow where the user should register a passkey or hardware key.
+
+To require those devices during login, add an [Authenticator Validation stage](../authenticator_validate/index.md) to the authentication flow and allow the **WebAuthn** device class.
+
+If you want passkey autofill on the login form itself, configure the [Identification stage](../identification/index.md#passkey-autofill-webauthn-conditional-ui) to reference a WebAuthn-capable Authenticator Validation stage.
+
+## Notes
+
+### User verification
+
+**User verification** controls whether authentik requires, prefers, or discourages user verification on the authenticator itself. On platform authenticators such as Windows Hello, that can determine whether a PIN or biometric check is required.
+
+### Resident key requirement
+
+For passkey-based passwordless login, set **Resident key requirement** to **Preferred** or **Required** so the created credential is discoverable.
+
+### Authenticator attachment
+
+Use **Authenticator attachment** when the flow should prefer either removable authenticators such as YubiKeys or built-in authenticators such as Touch ID, Windows Hello, or password-manager passkeys.
+
+This controls the `authenticatorAttachment` parameter sent to the browser during WebAuthn registration:
+
+- **No preference is sent**: the browser can offer any available authenticator.
+- **Platform**: prefer a non-removable authenticator built into the device, such as Touch ID, Face ID, or Windows Hello.
+- **Cross-platform**: prefer a roaming authenticator, such as a YubiKey or Google Titan.
+
+If [WebAuthn hints](#webauthn-hints) are configured and this option is left unset, authentik infers an attachment value from the selected hints for backward compatibility with older browsers.
+
+### WebAuthn hints
+
+:::info
+Hints are advisory and browsers can ignore them based on available authenticators or platform capabilities.
+:::
+
+Optional hints can guide the browser toward a preferred authenticator type during registration:
+
+- **Security key**: prefer registering a credential with a portable FIDO2 device such as a YubiKey.
+- **Client device**: prefer registering a credential with a built-in platform authenticator such as Touch ID or Windows Hello.
+- **Hybrid**: prefer registering a credential using a platform authenticator on a nearby mobile device, typically through a QR code.
+
+The order of selected hints matters. For example, selecting **Security key** before **Hybrid** asks the browser to prefer security keys before hybrid registration.
+
+For backward compatibility with older browsers that do not support hints, authentik automatically infers the `authenticatorAttachment` parameter from the selected hints when **Authenticator attachment** is not explicitly set:
+
+- Only **Security key** and/or **Hybrid** hints: `cross-platform`
+- Only **Client device** hints: `platform`
+- If both client-device and cross-platform hints are selected, no value is inferred
+
+### Duplicate and restricted devices
+
+**Prevent duplicate devices** can only be enforced when the authenticator exposes a unique attestation certificate.
+
+If **Device type restrictions** are enabled, authentik can also allow the special built-in type `authentik: Unknown devices` for authenticators whose AAGUID is not otherwise known.

website/docs/add-secure-apps/flows-stages/stages/authenticator_webauthn/index.mdx

@@ -1,61 +0,0 @@
----
-title: WebAuthn / FIDO2 / Passkeys Authenticator setup stage
----
-
-This stage configures an authenticator stage for using WebAuthn, FIDO2, Passkeys. This stage supports:
-
-- **Security Keys**: Physical devices like YubiKey, Google Titan, etc.
-- **Platform Authenticators**: Built-in authenticators like Windows Hello, Touch ID, Face ID
-- **Mobile Devices**: Using device biometrics or security keys via mobile browsers
-
-### Options
-
-#### User verification
-
-Configure if authentik should require, prefer or discourage user verification for the authenticator. For example when using a virtual authenticator like Windows Hello, this setting controls if a PIN is required.
-
-#### Resident key requirement
-
-Configure if the created authenticator is stored in the encrypted memory on the device or in persistent memory. When configuring [passwordless login](../identification/index.mdx#passwordless-flow), this should be set to either _Preferred_ or _Required_, otherwise the authenticator cannot be used for passwordless authentication.
-
-#### Authenticator Attachment
-
-Controls the [`authenticatorAttachment`](https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions/authenticatorSelection#authenticatorattachment) parameter sent to the browser during WebAuthn registration. The available options are:
-
-- **No preference is sent**: The browser may offer any available authenticator (default).
-- **Platform**: A non-removable authenticator built into the device, such as Touch ID, Face ID, or Windows Hello.
-- **Cross-platform**: A "roaming" authenticator, such as a YubiKey or Google Titan.
-
-If [WebAuthn Hints](#webauthn-hints) are configured and this option is left unset, authentik infers a value from the selected hints for backward compatibility with older browsers.
-
-#### WebAuthn Hints
-
-:::info Browser behavior
-Hints are advisory and browsers may ignore them based on available authenticators or platform capabilities.
-:::
-
-Optional hints can be used to guide the browser in prioritizing the preferred authenticator type during registration. The available hints are:
-
-- **Security key**: Suggests that the user register a credential with a portable FIDO2 device such as a YubiKey.
-- **Client device**: Suggests that the user register a credential with a built-in platform authenticator such as Touch ID or Windows Hello.
-- **Hybrid**: Suggests that the user register a credential using a platform authenticator on a nearby mobile device, typically via a QR code.
-
-The order of selected hints matters: the first hint has the highest priority. For example, selecting "Security key" first and "Hybrid" second asks the browser to prefer security keys before hybrid registration.
-
-For backward compatibility with older browsers that do not support hints, authentik automatically infers the [`authenticatorAttachment`](#authenticator-attachment) parameter from the selected hints when it is not explicitly set:
-
-- Only security key and/or hybrid hints: `cross-platform`
-- Only client device hint: `platform`
-- If both client-device and cross-platform hints are selected, no value is inferred
-
-### Prevent duplicate devices
-
-When enabled, any unique authenticator can only be registered once. This check can only be enforced if the authenticator stores a unique attestsion certificate.
-
-#### Device type restrictions
-
-Optionally restrict the types of devices allowed to be enrolled. This option can be used to ensure users are only able to enroll FIPS-compliant devices for example.
-
-When no restrictions are selected, all device types are allowed.
-
-As authentik does not know of all possible device types, it is possible to select the special option `authentik: Unknown devices` to allow unknown devices.

website/docs/add-secure-apps/flows-stages/stages/captcha/index.md

@@ -2,62 +2,79 @@
 title: Captcha stage
 ---
 
-This stage adds a form of verification using [Google's reCAPTCHA](https://www.google.com/recaptcha/intro/v3.html) or compatible services.
+The Captcha stage adds CAPTCHA verification to a flow by using Google reCAPTCHA or compatible alternatives like hCaptcha and Cloudflare Turnstile.
 
-Currently supported implementations:
+## Overview
 
-- [Google reCAPTCHA](#google-recaptcha)
-- [hCaptcha](#hcaptcha)
-- [Cloudflare Turnstile](#cloudflare-turnstile)
+This stage verifies that the current interaction appears human before the flow continues.
 
-## Captcha provider configuration
+It can either be bound to a flow or embedded inside the [Identification stage](../identification/index.md) by setting the Identification stage's **Captcha stage** option.
+
+## Configuration options
+
+- **Public key**: CAPTCHA site key.
+- **Private key**: CAPTCHA secret key.
+- **Interactive**: enable an interactive CAPTCHA widget instead of score-based verification.
+- **Score minimum threshold**: minimum accepted score for score-based providers.
+- **Score maximum threshold**: maximum accepted score for score-based providers.
+- **Error on invalid score**: show an error immediately when the score is outside the configured threshold. If disabled, the flow continues and policies can inspect the result from context.
+- **JS URL**: JavaScript loader URL for the provider.
+- **API URL**: verification endpoint URL for the provider.
+
+## Flow integration
+
+Use this stage anywhere a flow should require a CAPTCHA check, especially in enrollment, recovery, or other public-facing flows.
+
+If you embed it in the [Identification stage](../identification/index.md), configure the CAPTCHA provider for invisible or background use.
+
+## Notes
 
 ### Google reCAPTCHA
 
-This stage has two required fields: Public key and private key. These can both be acquired at https://www.google.com/recaptcha/admin.
+Use the keys from https://www.google.com/recaptcha/admin.
+
+Recommended defaults for reCAPTCHA:
+
+- **Interactive**: disabled for score-based reCAPTCHA
+- **Score minimum threshold**: `0.5`
+- **Score maximum threshold**: `1.0`
+- **JS URL**: `https://www.recaptcha.net/recaptcha/api.js`
+- **API URL**: `https://www.recaptcha.net/recaptcha/api/siteverify`
 
 ![](./captcha-admin.png)
 
-#### Configuration options
-
-- Interactive: Enabled when using reCAPTCHA v3
-- Score minimum threshold: `0.5`
-- Score maximum threshold: `1`
-- JS URL: `https://www.recaptcha.net/recaptcha/api.js`
-- API URL: `https://www.recaptcha.net/recaptcha/api/siteverify`
-
 ### hCaptcha
 
-See https://docs.hcaptcha.com/switch
+See https://docs.hcaptcha.com/switch.
 
-#### Configuration options
+Recommended values:
 
-- Interactive: Enabled
-- JS URL: `https://js.hcaptcha.com/1/api.js`
-- API URL: `https://api.hcaptcha.com/siteverify`
+- **Interactive**: enabled
+- **JS URL**: `https://js.hcaptcha.com/1/api.js`
+- **API URL**: `https://api.hcaptcha.com/siteverify`
 
-**Score options only apply to hCaptcha Enterprise**
-
-- Score minimum threshold: `0`
-- Score maximum threshold: `0.5`
+Score thresholds only apply to hCaptcha Enterprise.
 
 ### Cloudflare Turnstile
 
 See https://developers.cloudflare.com/turnstile/get-started/migrating-from-recaptcha.
 
-#### Configuration options
+Recommended values:
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Flows and Stages** > **Stages** and click **New Stage**.
-3. Select **Captcha Stage** and click **Next**.
-4. Provide a descriptive name for the stage (e.g. `authentication-captcha`) and configure the following required settings based on the values of your [Cloudflare Turnstile Widget](https://developers.cloudflare.com/turnstile/concepts/widget/):
-    - Under **Stage-specific settings**:
-        - **Public Key**: set to the **Turnstile Site Key** value from the widget.
-        - **Private Key**: set to the **Turnstile Secret Key** value from the widget.
-        - **Enable Interactive**: Enable this option if the Turnstile instance is configured as **Invisible** or **Managed**.
-        - Leave both score thresholds at their default, as they are not supported for Turnstile.
+- **Public key**: Turnstile site key
+- **Private key**: Turnstile secret key
+- **Interactive**: enable when using invisible or managed Turnstile modes
+- **JS URL**: `https://challenges.cloudflare.com/turnstile/v0/api.js`
+- **API URL**: `https://challenges.cloudflare.com/turnstile/v0/siteverify`
 
-- JS URL: `https://challenges.cloudflare.com/turnstile/v0/api.js`
-- API URL: `https://challenges.cloudflare.com/turnstile/v0/siteverify`
+Turnstile does not use score thresholds.
 
-**Score options do not apply when using with turnstile**
+### Cloudflare Turnstile setup flow
+
+If you are configuring Turnstile from scratch:
+
+1. Create the Turnstile widget in Cloudflare.
+2. Copy the **Site Key** into **Public key**.
+3. Copy the **Secret Key** into **Private key**.
+4. Enable **Interactive** if the Turnstile widget is configured as **Invisible** or **Managed**.
+5. Leave score thresholds at their defaults because Turnstile does not use them.

website/docs/add-secure-apps/flows-stages/stages/consent/index.md

@@ -2,80 +2,72 @@
 title: Consent stage
 ---
 
-The Consent stage is added to a flow to prompt the user for consent to share data such as User ID or other non-credential type information with the relying party (RP), the application the user is logging in to.
+The Consent stage asks the user to approve sharing data with an application or relying party.
 
-A Consent stage is typically added to an [authorization flow](../../flow/index.md#create-a-flow), but can be added to any flow.
+## Overview
 
-:::info Default authorization flow with a Consent stage
-Note that by default, the `default-provider-authorization-explicit-consent` flow already has a Consent stage bound to it. If you use this default flow, you do not need to take any of the below steps; the `default-provider-authorization-explicit-consent` flow is ready for use.
-:::
+This stage is commonly used in authorization flows, where a user should explicitly consent before authentik shares profile data or other claims with an application.
 
-## Example use case
+The default `default-provider-authorization-explicit-consent` flow already includes a Consent stage.
 
-This stage is to prompt users when they access an application to agree that authentik can provide user data to the application that the user is logging in to. This sharing of user data can facilitate tasks in the application; for example, providing an avatar, user name, or email address for the application to immediately use.
+A typical use case is prompting the user to allow authentik to share profile data such as name, email address, or avatar with the application they are signing in to.
 
-## Consent stage modes
+## Configuration options
 
-The Consent stage has three configurable modes:
+- **Mode**: control how long a granted consent remains valid.
+    - **Always require consent**: prompt every time.
+    - **Consent given lasts indefinitely**: store consent without expiration.
+    - **Consent expires**: store consent until the configured expiry time.
+- **Consent expires in**: expiration offset used when the mode is set to expiring consent.
 
-1. **Always require consent**: the user is prompted every time that they log in to give consent by clicking **Continue**.
-2. **Consent given lasts indefinitely**: this mode stores the fact that the user previously clicked **Continue**, and creates a Consent object with a link to the user and to the application, and stores which permissions were consented to.
-3. **Consent expires**: similar to **Consent given lasts indefinitely**, except the consent expires on the date defined in the stage in the field **Consent expires in**.
+## Flow integration
 
-## Create and configure a Consent stage
+Bind this stage into an authorization flow anywhere the user should see the consent prompt.
 
-If you want to add the consent stage to a flow other than the `default-provider-authorization-explicit-consent` flow (which already has a Consent stage bound to it), use the following steps.
+If you use the default explicit-consent authorization flow, the stage is already present and usually does not need to be added manually.
 
-The basic workflow for creating and configuring a Consent stage involves creating the stage and then binding it to an authorization flow.
+## Notes
 
-Optionally, if you also want to customize the exact wording that appears on the consent prompt, you can create an [Expression policy](../../../../customize/policies/types/expression/index.mdx) with the text that you want to display on the Consent prompt, and then [bind](../../../../customize/policies/working_with_policies.md#bind-a-policy-to-a-stage-binding) the policy to the Consent stage binding in the authorization flow.
+### Default flow
 
-### 1. Create a Consent stage
+If you are using the default `default-provider-authorization-explicit-consent` flow, you usually do not need to add a Consent stage manually because it is already present.
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Flows and Stages** > **Stages** and click **New Stage**.
-3. On the **New stage** wizard select **Consent Stage** and then click **Next**.
-4. Provide the following configuration settings:
-    - **Name**:
-    - **Stage-specific settings**:
-        - **Mode**: Select the appropriate [mode](#consent-stage-modes) to use with this stage.
-5. Click **Create Stage** to save the new stage.
+If you are building a custom authorization flow, the usual sequence is:
 
-### 2. Bind the Consent stage to an authorization flow
+1. Create the Consent stage.
+2. Bind it into the authorization flow.
+3. Optionally bind an expression policy to the stage binding if the consent text should be customized.
 
-To include the Consent stage in the flow, follow [these directions](../../stages/index.md#bind-a-stage-to-a-flow).
+If you are adding the stage from scratch in the Admin interface, the typical workflow is:
 
-### 3. Create an Expression policy (_optional_)
+1. Go to **Flows and Stages** > **Stages** and create a **Consent Stage**.
+2. Set the **Mode** and, if needed, the expiry duration.
+3. Open the target authorization flow.
+4. Add the Consent stage to that flow's stage bindings.
 
-If you want to customize the text that appears on the consent prompt, you can create an Expression policy with the exact wording you want, and then bind it to the Consent stage in the flow.
+### Custom consent text
 
-1. Log in to authentik as an administrator and open the authentik Admin interface.
-2. Navigate to **Customization** > **Policies** and click **New Policy**.
-3. On the **New policy** wizard select **Expression Policy** and then click **Next**.
-4. Provide the following configuration settings:
-    - **Name**:
-    - **Policy-specific settings**:
-        - **Expression**: use the following syntax to customize the wording on the stage:
-        ````
-        context['flow_plan'].context['consent_header'] = "Are you OK with your IdP provider sharing your user identification data with the application?"
-        return True
-        ```python
-        ````
-5. Click **Create Policy** to save the policy.
+You can customize the text shown on the consent screen by setting the `consent_header` key in flow context before the stage runs, for example from an expression policy:
 
-### 4. Bind the policy to the Consent stage in the authorization flow (_optional_)
+```python
+request.context["flow_plan"].context["consent_header"] = (
+    "Are you OK with your IdP provider sharing your user identification data "
+    "with the application?"
+)
+return True
+```
 
-The last step is to bind the policy that you just created in Step 3 to the Consent stage binding, _within_ the authorization flow.
+Bind that policy to the Consent stage binding inside the authorization flow where you want the wording to change.
 
-:::info Important note about policy binding
-You need to bind the policy to the stage within this flow, so go first to the flow where you added the Consent stage.
-:::
+The binding workflow is:
 
-1. Log in to authentik as an administrator, open the authentik Admin interface, and navigate to **Flows and Stages > Flows**.
-2. In the list of flows, click on the name of the authorization flow that you want to use.
-3. On the **Flow overview** tab, confirm that the flow contains a Consent stage.
-4. Click the **Stage Bindings** tab.
-5. Click the caret (>) beside the Consent stage to which you want to bind the policy, and expand the stage details.
-6. Click **Bind existing Policy/Group/User**.
-7. In the **Create Binding** dialog, click **Policy** and then select the Expression policy that you created above.
-8. Click **Create Policy Binding** to save the binding.
+1. Open the authorization flow that contains the Consent stage.
+2. Go to **Stage Bindings**.
+3. Expand the Consent stage binding that should use the custom text.
+4. Bind the expression policy to that stage binding.
+
+### Stored consent
+
+When consent is stored, authentik keeps track of the user, the application, and the granted permissions so later requests can reuse or re-prompt according to the selected mode.
+
+Users can check their past consent approvals via the User Settings menu.

website/docs/add-secure-apps/flows-stages/stages/deny.md

@@ -1,10 +0,0 @@
----
-title: Deny stage
----
-
-This stage stops the execution of a flow. This can be used to conditionally deny users access to a flow,
-even if they are not signed in (and permissions can't be checked via groups).
-
-:::caution
-To effectively use this stage, make sure _Evaluate when flow is planned_ is **disable** on the Stage binding.
-:::

website/docs/add-secure-apps/flows-stages/stages/deny/index.md

@@ -0,0 +1,44 @@
+---
+title: Deny stage
+---
+
+The Deny stage stops the current flow immediately.
+
+## Overview
+
+Use this stage when the flow should end with access denied, including cases where the user is not signed in yet and group-based permissions are not available.
+
+## Configuration options
+
+This stage has no stage-specific configuration options.
+
+## Flow integration
+
+Bind this stage where a flow should stop after a policy or earlier stage determines that the user must not continue.
+
+## Notes
+
+:::caution
+To use this stage effectively, make sure **Evaluate when flow is planned** is disabled on the stage binding.
+:::
+
+If the binding is evaluated during flow planning, the denial can happen earlier than intended and skip the checks that were meant to decide whether the user should be denied.
+
+### Example: block a known IP range
+
+One common use case is to bind a Deny stage to an expression policy that blocks requests from a specific IP range.
+
+For example:
+
+1. Create a Deny stage.
+2. Create an [Expression policy](../../../../customize/policies/types/expression/index.mdx) with logic such as:
+
+```python
+from ipaddress import ip_network
+
+return ak_client_ip in ip_network("203.0.113.0/24")
+```
+
+3. Bind that policy to the Deny stage in the flow.
+
+When the policy passes, the Deny stage runs and the flow stops immediately.

website/docs/add-secure-apps/flows-stages/stages/email/index.md

@@ -0,0 +1,197 @@
+---
+title: Email stage
+---
+
+The Email stage sends a verification or action email from within a flow.
+
+## Overview
+
+This stage is used for email verification, account recovery, invitations, and similar flow steps where authentik should send a tokenized link or message to a user.
+
+The email is normally sent to the current `pending_user`, but the target address can be overridden from flow context.
+
+When an email cannot be delivered immediately, authentik retries delivery through its background worker.
+
+## Configuration options
+
+- **Use global connection settings**: use authentik's global email configuration instead of stage-specific SMTP settings.
+- **SMTP host**: SMTP server hostname for stage-specific delivery.
+- **SMTP port**: SMTP server port.
+- **SMTP username**: optional SMTP username.
+- **SMTP password**: optional SMTP password.
+- **Use TLS**: enable STARTTLS for the SMTP connection.
+- **Use SSL**: enable SMTPS for the SMTP connection.
+- **Timeout**: SMTP connection timeout in seconds.
+- **From address**: sender address used for flow emails.
+- **Account recovery max attempts**: maximum number of recovery emails allowed in the configured time window.
+- **Account recovery cache timeout**: time window used for recovery-email rate limiting.
+- **Activate user on success**: activate the user after the stage succeeds.
+- **Token expiry**: how long the email token remains valid.
+- **Subject**: subject line used for the email.
+- **Template**: template used to render the email body.
+
+## Flow integration
+
+Use this stage in recovery, enrollment, verification, or invitation flows where an email should be sent before the flow continues.
+
+By default, the message goes to the current `pending_user`. To override the destination, set `email` in the flow plan context before the stage runs:
+
+```python
+request.context["flow_plan"].context["email"] = "foo@bar.baz"
+return True
+```
+
+You can also source the address from prompt data or another user attribute:
+
+```python
+request.context["flow_plan"].context["email"] = request.context["prompt_data"]["email"]
+return True
+```
+
+```python
+request.context["flow_plan"].context["email"] = request.context["pending_user"].attributes.get("otherEmail")
+return True
+```
+
+## Notes
+
+### Rate limiting
+
+The recovery rate-limiting fields only affect recovery-style email sends. They limit how many recent attempts a user can trigger within the configured time window.
+
+### Custom templates
+
+You can provide custom email templates.
+
+:::info
+You can also add a matching `.txt` file next to the `.html` file to send multipart text and HTML emails.
+:::
+
+import TabItem from "@theme/TabItem";
+import Tabs from "@theme/Tabs";
+
+<Tabs
+defaultValue="docker-compose"
+values={[
+{label: 'Docker Compose', value: 'docker-compose'},
+{label: 'Kubernetes', value: 'kubernetes'},
+]}>
+<TabItem value="docker-compose">
+Place custom templates in the `custom-templates` directory next to your Compose file. The template becomes selectable in the Email stage configuration.
+
+  </TabItem>
+  <TabItem value="kubernetes">
+Create a ConfigMap with your email templates:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+    name: authentik-templates
+    namespace: authentik
+data:
+    my-template.html: |
+        <tr>...
+```
+
+Then mount it into the worker container from your Helm values:
+
+```yaml
+volumes:
+    - name: email-templates
+      configMap:
+          name: authentik-templates
+volumeMounts:
+    - name: email-templates
+      mountPath: /templates
+```
+
+  </TabItem>
+</Tabs>
+
+If a custom template does not appear in the selector, check the worker logs.
+
+### Template variables
+
+Templates are rendered with Django's templating engine. Common variables include:
+
+- `url`: the full URL the user should open
+- `user`: the pending user
+- `expires`: when the token expires
+
+These templates are rendered with Django's templating engine, so you can also use standard template inheritance and translation tags.
+
+![](./custom_template.png)
+
+### Example template
+
+Templates can extend the base email template and use standard Django template tags. For example:
+
+```html
+{# This comment is not rendered in the final email. #} {% extends "email/base.html" %} {% load i18n
+%} {% load humanize %} {% block content %}
+<tr>
+    <td class="alert alert-success">
+        {% blocktrans with username=user.username %} Hi {{ username }},{% endblocktrans %}
+    </td>
+</tr>
+<tr>
+    <td class="content-wrap">
+        <table width="100%" cellpadding="0" cellspacing="0">
+            <tr>
+                <td class="content-block">
+                    {% trans 'You recently requested to change your password for your authentik
+                    account. Use the button below to set a new password.' %}
+                </td>
+            </tr>
+            <tr>
+                <td class="content-block">
+                    <table
+                        role="presentation"
+                        border="0"
+                        cellpadding="0"
+                        cellspacing="0"
+                        class="btn btn-primary"
+                    >
+                        <tbody>
+                            <tr>
+                                <td align="center">
+                                    <table
+                                        role="presentation"
+                                        border="0"
+                                        cellpadding="0"
+                                        cellspacing="0"
+                                    >
+                                        <tbody>
+                                            <tr>
+                                                <td>
+                                                    <a
+                                                        id="confirm"
+                                                        href="{{ url }}"
+                                                        rel="noopener noreferrer"
+                                                        target="_blank"
+                                                    >
+                                                        {% trans 'Reset Password' %}
+                                                    </a>
+                                                </td>
+                                            </tr>
+                                        </tbody>
+                                    </table>
+                                </td>
+                            </tr>
+                        </tbody>
+                    </table>
+                </td>
+            </tr>
+            <tr>
+                <td class="content-block">
+                    {% blocktrans with expires=expires|naturaltime %} If you did not request a
+                    password change, please ignore this email. The link above is valid for {{
+                    expires }}. {% endblocktrans %}
+                </td>
+            </tr>
+        </table>
+    </td>
+</tr>
+{% endblock %}
+```

website/docs/add-secure-apps/flows-stages/stages/email/index.mdx

@@ -1,177 +0,0 @@
----
-title: Email stage
----
-
-This stage can be used for email verification. authentik's background worker will send an email using the specified connection details.
-
-When an email can't be delivered, authentik automatically retries periodically.
-
-You can also configure rate-limiting for emails requested by users. See the [configure rate limiting](#configure-rate-limiting-for-emails) section for more information.
-
-For information about creating a stage, refer to our [documentation](../#create-a-stage).
-
-## Behaviour
-
-By default, the email is sent to the currently pending user. To override this, you can set `email` in the plan's context to another email address, which will override the user's email address (the user won't be changed).
-
-For example, create this [expression policy](../../../../customize/policies/types/expression/index.mdx) and bind it to the email stage:
-
-```python
-request.context["flow_plan"].context["email"] = "foo@bar.baz"
-# Or get it from a prompt
-# request.context["flow_plan"].context["email"] = request.context["prompt_data"]["email"]
-# Or another user attribute
-# request.context["flow_plan"].context["email"] = request.context["pending_user"].attributes.get("otherEmail")
-return True
-```
-
-## Configure rate limiting for emails
-
-You can configure the Email stage with _a maximum number of emails_ that can be sent within _a specified time period_.
-
-To configure the rate limiting for recovery emails use these two fields when you create or edit an Email stage:
-
-- **Account Recovery Max Attempts**: set the maximum number of emails to send.
-- **Account Recovery Cache Timeout**: specify the time window used to count recent recovery emails sent to the user (account recovery attempts).
-
-## Custom Templates
-
-You can also use custom email templates, to use your own design or layout.
-
-:::info
-Starting with authentik 2024.2, it is possible to create `.txt` files with the same name as the `.html` template. If a matching `.txt` file exists, the email sent will be a multipart email with both the text and HTML template.
-:::
-
-import TabItem from "@theme/TabItem";
-import Tabs from "@theme/Tabs";
-
-<Tabs
-  defaultValue="docker-compose"
-  values={[
-    {label: 'Docker Compose', value: 'docker-compose'},
-    {label: 'Kubernetes', value: 'kubernetes'},
-  ]}>
-  <TabItem value="docker-compose">
-Place any custom templates in the `custom-templates` Folder, which is in the same folder as your Compose file. Afterwards, you'll be able to select the template when creating/editing an Email stage.
-
-  </TabItem>
-  <TabItem value="kubernetes">
-Create a ConfigMap with your email templates:
-
-```yaml
-apiVersion: v1
-kind: ConfigMap
-metadata:
-    name: authentik-templates
-    namespace: authentik
-data:
-    my-template.html: |
-        <tr>...
-```
-
-Then, in the helm chart add this to your `values.yaml` file:
-
-```yaml
-volumes:
-    - name: email-templates
-      configMap:
-          name: authentik-templates
-volumeMounts:
-    - name: email-templates
-      mountPath: /templates
-```
-
-  </TabItem>
-</Tabs>
-
-:::info
-If you have added the line and created a file, and can't see it, check the worker logs using `docker compose logs -f worker` or `kubectl logs -f deployment/authentik-worker`.
-:::
-
-![](./custom_template.png)
-
-### Example template
-
-Templates are rendered using Django's templating engine. The following variables can be used:
-
-- `url`: The full URL for the user to click on
-- `user`: The pending user object.
-- `expires`: The timestamp when the token expires.
-
-<!-- prettier-ignore-start -->
-
-```html
-{# This is how you can write comments which aren't rendered. #}
-{# Extend this template from the base email template, which includes base layout and CSS. #}
-{% extends "email/base.html" %}
-{# Load the internationalization module to translate strings, and humanize to show date-time #}
-{% load i18n %}
-{% load humanize %}
-{# The email/base.html template uses a single "content" block #}
-{% block content %}
-<tr>
-    <td class="alert alert-success">
-        {% blocktrans with username=user.username %} Hi {{ username }},
-        {% endblocktrans %}
-    </td>
-</tr>
-<tr>
-    <td class="content-wrap">
-        <table width="100%" cellpadding="0" cellspacing="0">
-            <tr>
-                <td class="content-block">
-                    {% trans 'You recently requested to change your password for you authentik account. Use the button below to set a new password.' %}
-                </td>
-            </tr>
-            <tr>
-                <td class="content-block">
-                    <table
-                        role="presentation"
-                        border="0"
-                        cellpadding="0"
-                        cellspacing="0"
-                        class="btn btn-primary"
-                    >
-                        <tbody>
-                            <tr>
-                                <td align="center">
-                                    <table
-                                        role="presentation"
-                                        border="0"
-                                        cellpadding="0"
-                                        cellspacing="0"
-                                    >
-                                        <tbody>
-                                            <tr>
-                                                <td>
-                                                    <a
-                                                        id="confirm"
-                                                        href="{{ url }}"
-                                                        rel="noopener noreferrer"
-                                                        target="_blank"
-                                                        >{% trans 'Reset Password' %}</a
-                                                    >
-                                                </td>
-                                            </tr>
-                                        </tbody>
-                                    </table>
-                                </td>
-                            </tr>
-                        </tbody>
-                    </table>
-                </td>
-            </tr>
-            <tr>
-                <td class="content-block">
-                    {% blocktrans with expires=expires|naturaltime %}
-                    If you did not request a password change, please ignore this Email. The link above is valid for {{ expires }}.
-                    {% endblocktrans %}
-                </td>
-            </tr>
-        </table>
-    </td>
-</tr>
-{% endblock %}
-```
-
-<!-- prettier-ignore-end -->

website/docs/add-secure-apps/flows-stages/stages/endpoint/index.md

@@ -2,17 +2,24 @@
 title: Endpoint stage
 ---
 
-This stage integrates with the [Endpoint Device](../../../../endpoint-devices/index.mdx) functionality and allows authentik to verify whether the device executing a flow is registered.
+The Endpoint stage checks whether the current browser or device is known to authentik's Endpoint Devices system and injects device facts into flow context.
 
-The Endpoint stage fetches [device facts](../../../../endpoint-devices/device-compliance/device-reporting.md#device-facts) via a configured [connector](../../../../endpoint-devices/device-compliance/connectors/index.mdx) and injects them into the flow context. These device facts can be used by other stages and policies to make device compliance decisions.
+## Overview
 
-## Connector
+This stage integrates with [Endpoint Devices](../../../../endpoint-devices/index.mdx). It can associate the current session with a managed endpoint and make device facts available to policies and later stages.
 
-Select the [connector](../../../../endpoint-devices/device-compliance/connectors/index.mdx) that the Endpoint stage will use to obtain device facts.
+## Configuration options
 
-## Mode
+- **Connector**: which endpoint connector should be used to gather device information.
+- **Mode**: whether endpoint verification is optional or required.
 
-Select whether the presence of a registered endpoint device is required for the stage to succeed.
+## Flow integration
 
-- If the mode is set to required, and device verification fails, the user is not able to proceed with the flow.
-- If the mode is set to optional, authentik will attempt to verify the device, and if it doesn't receive a response within the specified `challenge_idle_timeout`, authentik will continue without attaching a device to the flow.
+Use this stage in authentication or authorization flows where device posture should influence access decisions.
+
+The device facts gathered by this stage can then be consumed by policies or by later flow logic.
+
+## Notes
+
+- In **required** mode, the flow fails if the device cannot be verified.
+- In **optional** mode, authentik attempts verification and can continue without attaching a device if verification does not complete in time.