web/e2e: fix three regressions blocking the parallel suite

Locally and in CI the new `e2e (playwright)` job appeared to "hang" under `fullyParallel: true` + `workers: "50%"`. The hang was actually five tests sharing two unrelated bugs that all manifest as 30s test timeouts; the cluster only *looks* like a parallelism issue because multiple workers stall on the same wall-clock window. With these three fixes the full suite is green in 1m48s on `--workers=2` (was: 5 failed / 17 passed in 5m30s). 1. `web/test/browser/600-providers.test.ts` PR #21647 dropped the `to:` argument on the `session.login()` call in this file's `beforeEach`. Without it, `SessionFixture.login()` waits for the auth-flow URL pattern to re-appear — which it does immediately, since we just navigated there — so the helper returns *before* the post-login redirect lands. The wizard buttons probed afterward live on `/if/admin/#/core/providers`, which the user never actually reaches; every test in the file then hits the 30s `beforeEach` timeout. Pin the destination explicitly, matching the shape of every other test file. 2. `web/src/admin/roles/ak-role-list.ts` The role-list row anchor had no aria-label, so its accessible name was the (random, generated) role name. `500-roles.test.ts` searches for that anchor with `getByRole("link", { name: "view details" })` — the same selector `400-groups.test.ts` uses against the group list, where `GroupListPage.row()` *does* set `aria-label="View details of group ..."`. Bring the role row to parity with groups; the test wasn't wrong, the UI was missing the accessibility hook. 3. `web/test/browser/500-roles.test.ts` ("Edit role from view page") The post-edit verification used `page.getByText(updatedName)`, but on the role view page the new name renders in two places (the "Role <name>" page-navbar heading and the description-list value), so the bare text match resolves to two elements and trips strict-mode. Add `{ exact: true }` so we assert the canonical value the edit wrote rather than the heading template. Co-Authored-By: Agent (authentik-i21996-internal-achievable-raisin) <279763771+playpen-agent@users.noreply.github.com>
ci/web: post Playwright result comment + gated S3 upload + !cancelled() guards
2026-05-15 11:26:31 +02:00 · 2026-05-01 15:42:07 +00:00 · 2026-05-01 14:57:35 +00:00 · 2026-05-01 16:05:16 +02:00 · 2026-05-01 15:48:29 +02:00 · 2026-05-01 04:04:57 +02:00
1795 changed files with 16975 additions and 51921 deletions
--- a/.github/actions/setup-node/action.yml
+++ b/.github/actions/setup-node/action.yml
@@ -0,0 +1,81 @@
+name: "Setup Node.js and NPM"
+description: "Sets up Node.js with a specific NPM version via Corepack"
+inputs:
+  working-directory:
+    description: "Path to the working directory containing the package.json file"
+    required: false
+    default: "."
+  dependencies:
+    required: false
+    description: "List of dependencies to setup"
+    default: "monorepo,working-directory"
+  node-version-file:
+    description: "Path to file containing the Node.js version"
+    required: false
+    default: "package.json"
+  cache-dependency-path:
+    description: "Path to dependency lock file for caching"
+    required: false
+    default: "package-lock.json"
+  cache:
+    description: "Package manager to cache"
+    default: "npm"
+  registry-url:
+    description: "npm registry URL"
+    default: "https://registry.npmjs.org"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Node.js (Corepack bootstrap)
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
+      with:
+        node-version-file: ${{ inputs.node-version-file }}
+        registry-url: ${{ inputs.registry-url }}
+        # The setup-node action will attempt to create a cache using a version of
+        # npm that may not be compatible with the range specified in package.json.
+        # This can be enabled **after** corepack is installed and the correct npm version is available.
+        package-manager-cache: false
+    - name: Install Corepack
+      working-directory: ${{ github.workspace}}
+      shell: bash
+      run: | #shell
+        node ./scripts/node/lint-runtime.mjs
+        node ./scripts/node/setup-corepack.mjs --force
+        corepack enable
+    - name: Lint Node.js and NPM versions
+      shell: bash
+      run: node ./scripts/node/lint-runtime.mjs
+    - name: Setup Node.js (Monorepo Root)
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
+      with:
+        node-version-file: ${{ inputs.node-version-file }}
+        cache: ${{ inputs.cache }}
+        cache-dependency-path: ${{ inputs.cache-dependency-path }}
+        registry-url: ${{ inputs.registry-url }}
+    - name: Install monorepo dependencies
+      if: ${{ contains(inputs.dependencies, 'monorepo') }}
+      shell: bash
+      run: | #shell
+        node ./scripts/node/lint-lockfile.mjs
+        corepack npm ci
+    - name: Setup Node.js (Working Directory)
+      if: ${{ contains(inputs.dependencies, 'working-directory') }}
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
+      with:
+        node-version-file: ${{ inputs.working-directory }}/${{ inputs.node-version-file }}
+        cache: ${{ inputs.cache }}
+        cache-dependency-path: ${{ inputs.working-directory }}/${{ inputs.cache-dependency-path }}
+        registry-url: ${{ inputs.registry-url }}
+
+    - name: Install working directory dependencies
+      if: ${{ contains(inputs.dependencies, 'working-directory') }}
+      shell: bash
+      run: | # shell
+        corepack install
+
+        echo "node version: $(node --version)"
+        echo "npm version: $(corepack npm --version)"
+
+        node ./scripts/node/lint-lockfile.mjs ${{ inputs.working-directory }}
+        corepack npm ci --prefix ${{ inputs.working-directory }}
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -18,19 +18,24 @@ runs:
  using: "composite"
  steps:
    - name: Cleanup apt
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies,
+        'python') }}
      shell: bash
      run: sudo apt-get remove --purge man-db
    - name: Install apt deps
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies,
+        'python') }}
      uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
      with:
-        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext libclang-dev libkadm5clnt-mit12 libkadm5clnt7t64-heimdal libkrb5-dev krb5-kdc krb5-user krb5-admin-server
+        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev
+          libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user
+          krb5-admin-server
        update: true
        upgrade: false
        install-recommends: false
    - name: Make space on disk
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
+      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies,
+        'python') }}
      shell: bash
      run: |
        sudo mkdir -p /tmp/empty/
@@ -49,45 +54,30 @@ runs:
      if: ${{ contains(inputs.dependencies, 'python') }}
      shell: bash
      working-directory: ${{ inputs.working-directory }}
-      run: uv sync --all-extras --dev --locked
+      run: uv sync --all-extras --dev --frozen
    - name: Setup rust (stable)
-      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1
+      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies,
+        'rust-nightly') }}
+      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
      with:
        rustflags: ""
    - name: Setup rust (nightly)
      if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1
+      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
      with:
        toolchain: nightly
        components: rustfmt
        rustflags: ""
    - name: Setup rust dependencies
      if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@3fa6878dc4ae603f73960271565a082bf196ab96 # v2
+      uses: taiki-e/install-action@481c34c1cf3a84c68b5e46f4eccfc82af798415a # v2
      with:
        tool: cargo-deny cargo-machete cargo-llvm-cov nextest
-    - name: Setup node (web)
+    - name: Setup node (root, web)
      if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
+      uses: ./.github/actions/setup-node
      with:
-        node-version-file: "${{ inputs.working-directory }}web/package.json"
-        cache: "npm"
-        cache-dependency-path: "${{ inputs.working-directory }}web/package-lock.json"
-        registry-url: "https://registry.npmjs.org"
-    - name: Setup node (root)
-      if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
-      with:
-        node-version-file: "${{ inputs.working-directory }}package.json"
-        cache: "npm"
-        cache-dependency-path: "${{ inputs.working-directory }}package-lock.json"
-        registry-url: "https://registry.npmjs.org"
-    - name: Install Node deps
-      if: ${{ contains(inputs.dependencies, 'node') }}
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: npm ci
+        working-directory: web
    - name: Setup go
      if: ${{ contains(inputs.dependencies, 'go') }}
      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
@@ -97,7 +87,9 @@ runs:
      if: ${{ contains(inputs.dependencies, 'runtime') }}
      uses: AndreKurait/docker-cache@0fe76702a40db986d9663c24954fc14c6a6031b7
      with:
-        key: docker-images-${{ runner.os }}-${{ hashFiles('.github/actions/setup/compose.yml', 'Makefile') }}-${{ inputs.postgresql_version }}
+        key: docker-images-${{ runner.os }}-${{
+          hashFiles('.github/actions/setup/compose.yml', 'Makefile') }}-${{
+          inputs.postgresql_version }}
    - name: Setup dependencies
      if: ${{ contains(inputs.dependencies, 'runtime') }}
      shell: bash
@@ -105,7 +97,7 @@ runs:
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
        docker compose -f .github/actions/setup/compose.yml up -d --wait
-        cd web && npm ci
+        corepack npm ci --prefix web
    - name: Generate config
      if: ${{ contains(inputs.dependencies, 'python') }}
      shell: uv run python {0}
--- a/.github/workflows/_reusable-docker-build-single.yml
+++ b/.github/workflows/_reusable-docker-build-single.yml
@@ -67,6 +67,16 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: ./.github/actions/setup-node
+        with:
+          working-directory: web
+          dependencies: "monorepo"
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
+        with:
+          go-version-file: "go.mod"
+      - name: Generate API Clients
+        run: |
+          make gen-client-ts
      - name: Build Docker Image
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        id: push
@@ -81,7 +91,8 @@ jobs:
            ${{ steps.ev.outputs.imageBuildArgs }}
          tags: ${{ steps.ev.outputs.imageTags }}
          platforms: linux/${{ inputs.image_arch }}
-          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
+          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames
+            }}:buildcache-${{ inputs.image_arch }}
          cache-to: ${{ steps.ev.outputs.cacheTo }}
      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
        id: attest
--- a/.github/workflows/_reusable-docker-build.yml
+++ b/.github/workflows/_reusable-docker-build.yml
@@ -90,7 +90,7 @@ jobs:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@fa55f72001a6c74b0f4997dca65c70d334905180 # v2
+      - uses: int128/docker-manifest-create-action@7df7f9e221d927eaadf87db231ddf728047308a4 # v2
        id: build
        with:
          tags: ${{ matrix.tag }}
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@@ -0,0 +1,65 @@
+---
+name: API - Publish Typescript client
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "schema.yml"
+  workflow_dispatch:
+
+permissions:
+  # Required for NPM OIDC trusted publisher
+  id-token: write
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - id: generate_token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+      - uses: ./.github/actions/setup-node
+        with:
+          working-directory: web
+      - name: Generate API Client
+        run: make gen-client-ts
+      - name: Publish package
+        working-directory: gen-ts-api/
+        run: |
+          npm i
+          npm publish --tag generated
+      - name: Upgrade /web
+        working-directory: web
+        run: |
+          export VERSION=`node -e 'import mod from "./gen-ts-api/package.json" with { type: "json" };console.log(mod.version);'`
+          npm i @goauthentik/api@$VERSION
+      - name: Upgrade /web/packages/sfe
+        working-directory: web/packages/sfe
+        run: |
+          export VERSION=`node -e 'import mod from "./gen-ts-api/package.json" with { type: "json" };console.log(mod.version);'`
+          npm i @goauthentik/api@$VERSION
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        id: cpr
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          branch: update-web-api-client
+          commit-message: "web: bump API Client version"
+          title: "web: bump API Client version"
+          body: "web: bump API Client version"
+          delete-branch: true
+          signoff: true
+          # ID from https://api.github.com/users/authentik-automation[bot]
+          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
+          labels: dependencies
+      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
+          merge-method: squash
--- a/.github/workflows/ci-api-docs.yml
+++ b/.github/workflows/ci-api-docs.yml
@@ -22,25 +22,19 @@ jobs:
          - prettier-check
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - name: Install Dependencies
-        working-directory: website/
-        run: npm ci
+      - uses: ./.github/actions/setup-node
+        with:
+          working-directory: website
      - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
+        run: corepack npm run ${{ matrix.command }} --prefix website
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
+          working-directory: website
      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
        with:
          path: |
@@ -54,7 +48,7 @@ jobs:
        working-directory: website
        env:
          NODE_ENV: production
-        run: npm run build -w api
+        run: corepack npm run build -w api
      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4
        with:
          name: api-docs
@@ -71,11 +65,9 @@ jobs:
        with:
          name: api-docs
          path: website/api/build
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
+          working-directory: website
      - name: Deploy Netlify (Production)
        working-directory: website/api
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@@ -24,14 +24,9 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
        with:
-          node-version-file: lifecycle/aws/package.json
-          cache: "npm"
-          cache-dependency-path: lifecycle/aws/package-lock.json
-      - working-directory: lifecycle/aws/
-        run: |
-          npm ci
+          working-directory: lifecycle/aws
      - name: Check changes have been applied
        run: |
          uv run make aws-cfn
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -24,46 +24,34 @@ jobs:
          - prettier-check
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - name: Install dependencies
-        working-directory: website/
-        run: npm ci
+      - uses: ./.github/actions/setup-node
+        with:
+          working-directory: website
      - name: Lint
-        working-directory: website/
-        run: npm run ${{ matrix.command }}
+        run: corepack npm run ${{ matrix.command }} --prefix website
  build-docs:
    runs-on: ubuntu-latest
    env:
      NODE_ENV: production
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
+        name: Setup Node.js
        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
+          working-directory: website
      - name: Build Documentation via Docusaurus
-        working-directory: website/
-        run: npm run build
+        run: corepack npm run build --prefix website
  build-integrations:
    runs-on: ubuntu-latest
    env:
      NODE_ENV: production
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
        with:
-          node-version-file: website/package.json
-          cache: "npm"
-          cache-dependency-path: website/package-lock.json
-      - working-directory: website/
-        name: Install Dependencies
-        run: npm ci
+          working-directory: website
      - name: Build Integrations via Docusaurus
-        working-directory: website/
-        run: npm run build -w integrations
+        run: corepack npm run build -w integrations --prefix website
  build-container:
    runs-on: ubuntu-latest
    permissions:
@@ -104,7 +92,9 @@ jobs:
          platforms: linux/amd64,linux/arm64
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' &&
+            'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max'
+            || '' }}
      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -73,7 +73,8 @@ jobs:
      - name: generate API clients
        run: make gen-clients
      - name: ensure schema is up-to-date
-        run: git diff --exit-code -- schema.yml blueprints/schema.json packages/client-go packages/client-rust packages/client-ts
+        run: git diff --exit-code -- schema.yml blueprints/schema.json
+          packages/client-go packages/client-rust packages/client-ts
  test-migrations:
    runs-on: ubuntu-latest
    steps:
@@ -91,7 +92,8 @@ jobs:
    outputs:
      seed: ${{ steps.seed.outputs.seed }}
  test-migrations-from-stable:
-    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{ matrix.run_id }}/5
+    name: test-migrations-from-stable - PostgreSQL ${{ matrix.psql }} - Run ${{
+      matrix.run_id }}/5
    runs-on: ubuntu-latest
    timeout-minutes: 30
    needs: test-make-seed
@@ -101,7 +103,7 @@ jobs:
        psql:
          - 14-alpine
          - 18-alpine
-        run_id: [1, 2, 3, 4, 5]
+        run_id: [ 1, 2, 3, 4, 5 ]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
@@ -109,8 +111,13 @@ jobs:
      - name: checkout stable
        run: |
          set -e -o pipefail
+
          cp -R .github ..
          cp -R scripts ..
+
+          mkdir -p ../packages
+          cp -R packages/logger-js ../packages/logger-js
+
          # Previous stable tag
          prev_stable=$(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
          # Current version family based on
@@ -118,10 +125,13 @@ jobs:
          if [[ -n $current_version_family ]]; then
              prev_stable="version/${current_version_family}"
          fi
+
          echo "::notice::Checking out ${prev_stable} as stable version..."
          git checkout ${prev_stable}
-          rm -rf .github/ scripts/
+
+          rm -rf .github/ scripts/ packages/logger-js/
          mv ../.github ../scripts .
+          mv ../packages/logger-js ./packages/
      - name: Setup authentik env (stable)
        uses: ./.github/actions/setup
        with:
@@ -169,7 +179,7 @@ jobs:
        psql:
          - 14-alpine
          - 18-alpine
-        run_id: [1, 2, 3, 4, 5]
+        run_id: [ 1, 2, 3, 4, 5 ]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
@@ -252,19 +262,22 @@ jobs:
          COMPOSE_PROFILES: ${{ matrix.job.profiles }}
        run: |
          docker compose -f tests/e2e/compose.yml up -d --quiet-pull
+      - uses: ./.github/actions/setup-node
      - id: cache-web
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
        if: contains(matrix.job.profiles, 'selenium')
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json',
+            'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
      - name: prepare web ui
-        if: steps.cache-web.outputs.cache-hit != 'true' && contains(matrix.job.profiles, 'selenium')
+        if: steps.cache-web.outputs.cache-hit != 'true' && contains(matrix.job.profiles,
+          'selenium')
        working-directory: web
        run: |
-          npm ci
-          npm run build
-          npm run build:sfe
+          corepack npm ci
+          corepack npm run build
+          corepack npm run build:sfe
      - name: run e2e
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
@@ -282,18 +295,10 @@ jobs:
      fail-fast: false
      matrix:
        job:
-          - name: oidc_basic
-            glob: tests/openid_conformance/test_oidc_basic.py
-          - name: oidc_implicit
-            glob: tests/openid_conformance/test_oidc_implicit.py
-          - name: oidc_rp-initiated
-            glob: tests/openid_conformance/test_oidc_rp_initiated.py
-          - name: oidc_frontchannel
-            glob: tests/openid_conformance/test_oidc_frontchannel.py
-          - name: oidc_backchannel
-            glob: tests/openid_conformance/test_oidc_backchannel.py
-          - name: ssf_transmitter
-            glob: tests/openid_conformance/test_ssf_transmitter.py
+          - name: basic
+            glob: tests/openid_conformance/test_basic.py
+          - name: implicit
+            glob: tests/openid_conformance/test_implicit.py
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
@@ -310,14 +315,14 @@ jobs:
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
        with:
          path: web/dist
-          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
+          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**',
+            'web/packages/sfe/src/**') }}-b
      - name: prepare web ui
        if: steps.cache-web.outputs.cache-hit != 'true'
-        working-directory: web
        run: |
-          npm ci
-          npm run build
-          npm run build:sfe
+          corepack npm ci --prefix web
+          corepack npm run build --prefix web
+          corepack npm run build:sfe --prefix web
      - name: run conformance
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
@@ -383,7 +388,9 @@ jobs:
    uses: ./.github/workflows/_reusable-docker-build.yml
    secrets: inherit
    with:
-      image_name: ${{ github.repository == 'goauthentik/authentik-internal' && 'ghcr.io/goauthentik/internal-server' || 'ghcr.io/goauthentik/dev-server' }}
+      image_name: ${{ github.repository == 'goauthentik/authentik-internal' &&
+        'ghcr.io/goauthentik/internal-server' ||
+        'ghcr.io/goauthentik/dev-server' }}
      release: false
  pr-comment:
    needs:
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -114,8 +114,11 @@ jobs:
            GIT_BUILD_HASH=${{ steps.ev.outputs.sha }}
          platforms: linux/amd64,linux/arm64
          context: .
-          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
-          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
+          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type
+            }}:buildcache
+          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' &&
+            format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max',
+            matrix.type) || '' }}
      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
@@ -136,8 +139,8 @@ jobs:
          - ldap
          - radius
          - rac
-        goos: [linux]
-        goarch: [amd64, arm64]
+        goos: [ linux ]
+        goarch: [ amd64, arm64 ]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
@@ -145,16 +148,11 @@ jobs:
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
+          working-directory: web
      - name: Build web
-        working-directory: web/
-        run: |
-          npm ci
-          npm run build-proxy
+        run: corepack npm run build-proxy --prefix web
      - name: Build outpost
        run: |
          set -x
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@@ -12,51 +12,280 @@ on:
      - main
      - version-*

+env:
+  POSTGRES_DB: authentik
+  POSTGRES_USER: authentik
+  POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
+  AUTHENTIK_BLUEPRINTS_DIR: "./blueprints"
+  AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST: "true"
+  # Drives the system/bootstrap.yaml blueprint at startup: creates akadmin with
+  # these credentials and flips the Setup flag (Setup.set(True)) so the SPA's
+  # post-login redirect to "/" doesn't bounce through /setup, which would 500
+  # because the OOBE policy refuses to run once akadmin already has a usable
+  # password. See authentik/core/setup/signals.py and blueprints/default/flow-oobe.yaml.
+  AUTHENTIK_BOOTSTRAP_EMAIL: "test-admin@goauthentik.io"
+  AUTHENTIK_BOOTSTRAP_PASSWORD: "test-runner"
+
 jobs:
  lint:
    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        command:
-          - lint
-          - lint:lockfile
-          - tsc
-          - prettier-check
-        project:
-          - web
-        include:
-          - command: tsc
-            project: web
-          - command: lit-analyse
-            project: web
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
        with:
-          node-version-file: ${{ matrix.project }}/package.json
-          cache: "npm"
-          cache-dependency-path: ${{ matrix.project }}/package-lock.json
-      - working-directory: ${{ matrix.project }}/
-        run: |
-          npm ci
+          working-directory: web
      - name: Lint
-        working-directory: ${{ matrix.project }}/
-        run: npm run ${{ matrix.command }}
+        run: corepack npm run lint --prefix web
+      - name: Check types
+        run: corepack npm run tsc --prefix web
+      - name: Check formatting
+        run: corepack npm run prettier-check --prefix web
+      - name: Lit analyse
+        run: corepack npm run lit-analyse --prefix web
+
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
+          working-directory: web
      - name: build
        working-directory: web/
-        run: npm run build
+        run: corepack npm run build
+  e2e:
+    name: e2e (playwright)
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    permissions:
+      contents: read
+      # Required so the "Comment Playwright result on PR" step can update its
+      # marker comment via the gh CLI / REST API.
+      pull-requests: write
+      # Required so the optional "Upload HTML report to S3" step can mint OIDC
+      # credentials with aws-actions/configure-aws-credentials. Harmless when
+      # the upload is gated off.
+      id-token: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+      - name: Setup authentik env
+        uses: ./.github/actions/setup
+        with:
+          dependencies: system,python,node,go,rust,runtime
+      - name: Build web UI
+        run: corepack npm run --prefix web build
+      - name: Build authentik server (Go)
+        run: | # shell
+          go build -o ./bin/authentik-server ./cmd/server
+          sudo install -m 0755 ./bin/authentik-server /usr/local/bin/authentik-server
+      - name: Build authentik worker (Rust)
+        run: | # shell
+          cargo build --release --bin authentik
+          sudo install -m 0755 ./target/release/authentik /usr/local/bin/authentik
+      - name: Apply migrations
+        run: uv run python -m lifecycle.migrate
+      - name: Resolve Playwright version
+        id: playwright-version
+        working-directory: web
+        run: | # shell
+          version=$(node -p "require('@playwright/test/package.json').version")
+          if [ -z "$version" ]; then
+            echo "Failed to resolve @playwright/test version" >&2
+            exit 1
+          fi
+          echo "version=${version}" >> "$GITHUB_OUTPUT"
+      - name: Cache Playwright browsers
+        id: playwright-cache
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ steps.playwright-version.outputs.version }}
+      - name: Install Playwright browsers
+        working-directory: web
+        run: | # shell
+          if [ "${{ steps.playwright-cache.outputs.cache-hit }}" = "true" ]; then
+            corepack npm exec -- playwright install-deps chromium
+          else
+            corepack npm exec -- playwright install --with-deps chromium
+          fi
+      - name: Start authentik server and worker
+        run: | # shell
+          set -euo pipefail
+          mkdir -p /tmp/ak-logs
+
+          # The Go server (authentik-server) spawns gunicorn as a child via PATH lookup
+          # and inherits the env that `uv run` set up for it. Verify gunicorn resolves
+          # under the same launcher so we fail fast here instead of waiting for an
+          # empty 200 from the proxy fallback later.
+          uv run --frozen sh -c 'command -v gunicorn' \
+            || { echo "gunicorn not resolvable from uv run"; exit 1; }
+
+          uv run ak server > /tmp/ak-logs/server.log 2>&1 &
+          echo $! > /tmp/ak-logs/server.pid
+
+          # The Rust worker also opens an HTTP/metrics server on listen.http /
+          # listen.metrics (default :9000 / :9300). On a single CI host that races the
+          # Go server's binds and silently steals :9000, leaving Playwright talking to
+          # a healthcheck-only axum router that returns 200/empty for /if/* paths.
+          # Pin the worker to disjoint ports so the Go server keeps the public 9000.
+          AUTHENTIK_LISTEN__HTTP="[::]:9001" \
+          AUTHENTIK_LISTEN__METRICS="[::]:9301" \
+          uv run ak worker > /tmp/ak-logs/worker.log 2>&1 &
+          echo $! > /tmp/ak-logs/worker.pid
+      - name: Wait for authentik to be ready
+        run: | # shell
+          set -euo pipefail
+          # Readiness probes must verify the Go server is actually serving the request,
+          # not just that *something* on :9000 returned 200. The Go proxy stamps
+          # `X-authentik-version` on its static responses and the rendered flow page
+          # contains the <ak-flow-executor> custom element — both are absent from the
+          # worker's axum healthcheck router, so checking either rules out the
+          # port-collision failure mode.
+          timeout 240 bash -c '
+            until curl -fsS -o /dev/null http://localhost:9000/-/health/ready/; do
+              sleep 2
+            done'
+          timeout 300 bash -c '
+            until curl -fsS http://localhost:9000/if/flow/default-authentication-flow/ \
+              | grep -q "ak-flow-executor"; do
+              sleep 3
+            done'
+      - name: Run Playwright tests
+        working-directory: web
+        env:
+          AK_TEST_RUNNER_PAGE_URL: http://localhost:9000
+        run: corepack npm run test:e2e
+      # Reporting / upload steps below intentionally use `!cancelled()` rather
+      # than `failure()`: a cancelled run (e.g. superseded by a newer push) is
+      # not a real result and shouldn't produce reviewer-facing artifacts or
+      # comments. `if-no-files-found: ignore` keeps the "passed" case quiet.
+      - name: Upload Playwright HTML report
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: playwright-report
+          path: web/playwright-report/
+          retention-days: 14
+          if-no-files-found: ignore
+      - name: Upload Playwright traces and videos
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: playwright-traces
+          path: web/test-results/
+          retention-days: 14
+          if-no-files-found: ignore
+      - name: Upload authentik server and worker logs
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: authentik-logs
+          path: /tmp/ak-logs/
+          retention-days: 14
+          if-no-files-found: ignore
+      - name: Parse Playwright results
+        id: playwright-results
+        if: ${{ !cancelled() }}
+        run: | # shell
+          set -euo pipefail
+          report=web/playwright-report/results.json
+          if [ ! -f "$report" ]; then
+            {
+              echo "available=false"
+              echo "passed=0"
+              echo "failed=0"
+              echo "flaky=0"
+              echo "skipped=0"
+            } >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          {
+            echo "available=true"
+            echo "passed=$(jq -r '.stats.expected // 0' "$report")"
+            echo "failed=$(jq -r '.stats.unexpected // 0' "$report")"
+            echo "flaky=$(jq -r '.stats.flaky // 0' "$report")"
+            echo "skipped=$(jq -r '.stats.skipped // 0' "$report")"
+          } >> "$GITHUB_OUTPUT"
+      # The S3 publishing pair below is intentionally gated off until the
+      # `authentik-playwright-artifacts` bucket is provisioned by infra. Flip
+      # the repo variable `PLAYWRIGHT_S3_ENABLED=true` to turn it on; the URL
+      # baked into the PR comment below already points at the eventual key.
+      - name: Configure AWS credentials for HTML report upload
+        if: ${{ !cancelled() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && vars.PLAYWRIGHT_S3_ENABLED == 'true' }}
+        uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+        with:
+          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
+          aws-region: eu-central-1
+      - name: Upload HTML report to S3
+        if: ${{ !cancelled() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && vars.PLAYWRIGHT_S3_ENABLED == 'true' }}
+        env:
+          S3_BUCKET: authentik-playwright-artifacts
+          S3_KEY_PREFIX: pr-${{ github.event.pull_request.number }}/run-${{ github.run_id }}/attempt-${{ github.run_attempt }}
+        run: | # shell
+          set -euo pipefail
+          if [ ! -d web/playwright-report ]; then
+            echo "No playwright-report/ produced; skipping S3 upload"
+            exit 0
+          fi
+          aws s3 cp \
+            --recursive \
+            --acl=public-read \
+            --cache-control "public, max-age=600" \
+            web/playwright-report/ \
+            "s3://${S3_BUCKET}/${S3_KEY_PREFIX}/"
+      # Same-repo guard: fork PRs run with a read-only GITHUB_TOKEN (even after
+      # maintainer approval), so the comment + edit calls would 403. Skip cleanly
+      # rather than failing the job on every fork PR run.
+      - name: Comment Playwright result on PR
+        if: ${{ !cancelled() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          AVAILABLE: ${{ steps.playwright-results.outputs.available }}
+          PASSED: ${{ steps.playwright-results.outputs.passed }}
+          FAILED: ${{ steps.playwright-results.outputs.failed }}
+          FLAKY: ${{ steps.playwright-results.outputs.flaky }}
+          SKIPPED: ${{ steps.playwright-results.outputs.skipped }}
+          S3_ENABLED: ${{ vars.PLAYWRIGHT_S3_ENABLED }}
+          REPORT_URL: https://authentik-playwright-artifacts.s3.amazonaws.com/pr-${{ github.event.pull_request.number }}/run-${{ github.run_id }}/attempt-${{ github.run_attempt }}/index.html
+          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/attempts/${{ github.run_attempt }}
+        run: | # shell
+          set -euo pipefail
+          marker='<!-- playwright-result -->'
+
+          if [ "$AVAILABLE" = "true" ]; then
+            if [ "$FAILED" -gt 0 ]; then
+              status='❌ Failed'
+            elif [ "$FLAKY" -gt 0 ]; then
+              status='⚠️ Passed with flakes'
+            else
+              status='✅ Passed'
+            fi
+            stats=$(printf '| Result | Count |\n|---|---|\n| ✅ Passed | %s |\n| ❌ Failed | %s |\n| ⚠️ Flaky | %s |\n| ⏭️ Skipped | %s |\n' "$PASSED" "$FAILED" "$FLAKY" "$SKIPPED")
+          else
+            status='⚠️ No results produced'
+            stats='The job did not produce `playwright-report/results.json`. The suite likely crashed before the JSON reporter wrote its output — see the workflow run for setup-step failures.'
+          fi
+
+          if [ "$S3_ENABLED" = "true" ]; then
+            report_line=$(printf '[HTML report](%s) · [Workflow run](%s)' "$REPORT_URL" "$RUN_URL")
+          else
+            report_line=$(printf '[Workflow run](%s) · _HTML report hosting is gated off until the `authentik-playwright-artifacts` S3 bucket is provisioned (`vars.PLAYWRIGHT_S3_ENABLED`). Until then, download the `playwright-report` artifact from the run page._' "$RUN_URL")
+          fi
+
+          body=$(printf '%s\n## Playwright e2e — %s\n\n%s\n\n%s\n' "$marker" "$status" "$stats" "$report_line")
+
+          existing=$(gh api "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \
+            --paginate \
+            --jq "[.[] | select(.body != null and (.body | startswith(\"$marker\")))] | .[0].id // empty")
+
+          if [ -n "$existing" ]; then
+            gh api -X PATCH "repos/${GITHUB_REPOSITORY}/issues/comments/${existing}" -f body="$body" > /dev/null
+            echo "Updated existing comment ${existing}"
+          else
+            gh api -X POST "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" -f body="$body" > /dev/null
+            echo "Created new playwright-result comment"
+          fi
  ci-web-mark:
    if: always()
    needs:
@@ -73,13 +302,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - working-directory: web/
-        run: npm ci
+          working-directory: web
      - name: test
        working-directory: web/
-        run: npm run test || exit 0
+        run: corepack npm run test || exit 0
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@@ -3,7 +3,7 @@ name: Packages - Publish NPM packages

 on:
  push:
-    branches: [main]
+    branches: [ main ]
    paths:
      - packages/tsconfig/**
      - packages/eslint-config/**
@@ -35,22 +35,19 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          fetch-depth: 2
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
        with:
-          node-version-file: ${{ matrix.package }}/package.json
-          registry-url: "https://registry.npmjs.org"
+          working-directory: ${{ matrix.package }}
      - name: Get changed files
        id: changed-files
        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
        with:
          files: |
            ${{ matrix.package }}/package.json
-      - name: Install Dependencies
-        run: npm ci
      - name: Publish package
        if: steps.changed-files.outputs.any_changed == 'true'
        working-directory: ${{ matrix.package }}
        run: |
-          npm ci
-          npm run build
-          npm publish
+          corepack npm ci
+          corepack npm run build
+          corepack npm publish
--- a/.github/workflows/qa-codeql.yml
+++ b/.github/workflows/qa-codeql.yml
@@ -28,10 +28,10 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4.35.3
+        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v4.35.3
+        uses: github/codeql-action/autobuild@v4
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4.35.3
+        uses: github/codeql-action/analyze@v4
--- a/.github/workflows/release-branch-off.yml
+++ b/.github/workflows/release-branch-off.yml
@@ -5,7 +5,7 @@ on:
  workflow_dispatch:
    inputs:
      next_version:
-        description: Next version (for example, if you're currently releasing 2026.5, then enter 2026.8)
+        description: Next major version (for example, if releasing 2042.2, this is 2042.4)
        required: true
        type: string

@@ -68,14 +68,10 @@ jobs:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
-        with:
-          dependencies: "system,python,go,node,runtime,rust-nightly"
      - name: Run migrations
        run: make migrate
      - name: Bump version
        run: "make bump version=${{ inputs.next_version }}.0-rc1"
-      - name: Re-generate API Clients
-        run: make gen
      - name: Create pull request
        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
        with:
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -3,7 +3,7 @@ name: Release - On publish

 on:
  release:
-    types: [published, created]
+    types: [ published, created ]

 jobs:
  build-server:
@@ -87,11 +87,9 @@ jobs:
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
+          working-directory: web
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - name: Set up Docker Buildx
@@ -144,22 +142,16 @@ jobs:
          - proxy
          - ldap
          - radius
-        goos: [linux, darwin]
-        goarch: [amd64, arm64]
+        goos: [ linux, darwin ]
+        goarch: [ amd64, arm64 ]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: ./.github/actions/setup-node
        with:
-          node-version-file: web/package.json
-          cache: "npm"
-          cache-dependency-path: web/package-lock.json
-      - name: Install web dependencies
-        working-directory: web/
-        run: |
-          npm ci
+          working-directory: web
      - name: Build web
        working-directory: web/
        run: |
@@ -175,8 +167,10 @@ jobs:
        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
-          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
+          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{
+            matrix.goarch }}
+          asset_name: authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{
+            matrix.goarch }}
          tag: ${{ github.ref }}
  upload-aws-cfn-template:
    permissions:
@@ -191,7 +185,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
        with:
          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
          aws-region: ${{ env.AWS_REGION }}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -82,14 +82,10 @@ jobs:
          token: "${{ steps.app-token.outputs.token }}"
      - name: Setup authentik env
        uses: ./.github/actions/setup
-        with:
-          dependencies: "system,python,go,node,runtime,rust-nightly"
      - name: Run migrations
        run: make migrate
      - name: Bump version
        run: "make bump version=${{ inputs.version }}"
-      - name: Re-generate API Clients
-        run: make gen
      - name: Commit and push
        run: |
          # ID from https://api.github.com/users/authentik-automation[bot]
--- a/.gitignore
+++ b/.gitignore
@@ -14,6 +14,8 @@ media
 # Node

 node_modules
+corepack.tgz
+.corepack

 .cspellcache
 cspell-report.*
@@ -229,11 +231,6 @@ source_docs/

 ### Golang ###
 /vendor/
-server
-proxy
-ldap
-rac
-radius

 ### Docker ###
 tests/openid_conformance/exports/*.zip
--- a/.npmrc
+++ b/.npmrc
@@ -1,22 +0,0 @@
-# Block lifecycle scripts (preinstall/install/postinstall/prepare) from
-# dependencies. This neutralizes the dominant npm supply-chain attack
-# vector. Packages that legitimately need a build step (e.g. esbuild,
-# chromedriver, tree-sitter) must be rebuilt explicitly:
-#
-#   npm rebuild --foreground-scripts esbuild chromedriver tree-sitter tree-sitter-json
-ignore-scripts=true
-
-# Fail fast if the active Node/npm doesn't match the "engines" field.
-engine-strict=true
-
-# Pin exact versions so `npm install <pkg>` writes "1.2.3" not "^1.2.3".
-save-exact=true
-
-# Surface CVE warnings during install; doesn't block.
-audit=true
-
-# Suppress funding banners.
-fund=false
-
-# Prefer the local cache over a refetch when both are valid.
-prefer-offline=true
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -17,6 +17,18 @@ version = "2.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "320119579fcad9c21884f5c4861d16174d0e06250625266f50fe6898340abefa"

+[[package]]
+name = "ahash"
+version = "0.8.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a15f179cd60c4584b8a8c596927aadc462e27f2ca70c04e0071964a73ba7a75"
+dependencies = [
+ "cfg-if",
+ "once_cell",
+ "version_check",
+ "zerocopy",
+]
+
 [[package]]
 name = "aho-corasick"
 version = "1.1.4"
@@ -171,7 +183,7 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"

 [[package]]
 name = "authentik"
-version = "2026.8.0-rc1"
+version = "2026.5.0-rc1"
 dependencies = [
 "arc-swap",
 "argh",
@@ -191,12 +203,11 @@ dependencies = [
 "tokio",
 "tracing",
 "uuid",
- "which",
 ]

 [[package]]
 name = "authentik-axum"
-version = "2026.8.0-rc1"
+version = "2026.5.0-rc1"
 dependencies = [
 "authentik-common",
 "axum",
@@ -216,7 +227,7 @@ dependencies = [

 [[package]]
 name = "authentik-client"
-version = "2026.8.0-rc1"
+version = "2026.5.0-rc1"
 dependencies = [
 "aws-lc-rs",
 "reqwest",
@@ -232,7 +243,7 @@ dependencies = [

 [[package]]
 name = "authentik-common"
-version = "2026.8.0-rc1"
+version = "2026.5.0-rc1"
 dependencies = [
 "arc-swap",
 "authentik-client",
@@ -1003,17 +1014,6 @@ dependencies = [
 "pin-project-lite",
 ]

-[[package]]
-name = "evmap"
-version = "11.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b8874945f036109c72242964c1174cf99434e30cfa45bf45fedc983f50046f8"
-dependencies = [
- "hashbag",
- "left-right",
- "smallvec",
-]
-
 [[package]]
 name = "eyre"
 version = "0.6.12"
@@ -1230,21 +1230,6 @@ dependencies = [
 "slab",
 ]

-[[package]]
-name = "generator"
-version = "0.8.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "52f04ae4152da20c76fe800fa48659201d5cf627c5149ca0b707b69d7eef6cf9"
-dependencies = [
- "cc",
- "cfg-if",
- "libc",
- "log",
- "rustversion",
- "windows-link",
- "windows-result",
-]
-
 [[package]]
 name = "generic-array"
 version = "0.14.7"
@@ -1326,12 +1311,6 @@ dependencies = [
 "tracing",
 ]

-[[package]]
-name = "hashbag"
-version = "0.1.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7040a10f52cba493ddb09926e15d10a9d8a28043708a405931fe4c6f19fac064"
-
 [[package]]
 name = "hashbrown"
 version = "0.15.5"
@@ -1744,6 +1723,16 @@ dependencies = [
 "serde",
 ]

+[[package]]
+name = "iri-string"
+version = "0.7.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d8e7418f59cc01c88316161279a7f665217ae316b388e58a0d10e29f54f1e5eb"
+dependencies = [
+ "memchr",
+ "serde",
+]
+
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.2"
@@ -1879,17 +1868,6 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2"

-[[package]]
-name = "left-right"
-version = "0.11.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0f0c21e4c8ff95f487fb34e6f9182875f42c84cef966d29216bf115d9bba835a"
-dependencies = [
- "crossbeam-utils",
- "loom",
- "slab",
-]
-
 [[package]]
 name = "libc"
 version = "0.2.183"
@@ -1961,19 +1939,6 @@ version = "0.4.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"

-[[package]]
-name = "loom"
-version = "0.7.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "419e0dc8046cb947daa77eb95ae174acfbddb7673b4151f56d1eed8e93fbfaca"
-dependencies = [
- "cfg-if",
- "generator",
- "scoped-tls",
- "tracing",
- "tracing-subscriber",
-]
-
 [[package]]
 name = "lru-slab"
 version = "0.1.2"
@@ -2013,22 +1978,21 @@ checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"

 [[package]]
 name = "metrics"
-version = "0.24.5"
+version = "0.24.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ff56c2e7dce6bd462e3b8919986a617027481b1dcc703175b58cf9dd98a2f071"
+checksum = "5d5312e9ba3771cfa961b585728215e3d972c950a3eed9252aa093d6301277e8"
 dependencies = [
+ "ahash",
 "portable-atomic",
- "rapidhash",
 ]

 [[package]]
 name = "metrics-exporter-prometheus"
-version = "0.18.3"
+version = "0.18.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1db0d8f1fc9e62caebd0319e11eaec5822b0186c171568f0480b46a0137f9108"
+checksum = "3589659543c04c7dc5526ec858591015b87cd8746583b51b48ef4353f99dbcda"
 dependencies = [
 "base64 0.22.1",
- "evmap",
 "indexmap",
 "metrics",
 "metrics-util",
@@ -2047,7 +2011,7 @@ dependencies = [
 "hashbrown 0.16.1",
 "metrics",
 "quanta",
- "rand 0.9.4",
+ "rand 0.9.2",
 "rand_xoshiro",
 "sketches-ddsketch",
 ]
@@ -2734,7 +2698,7 @@ dependencies = [
 "bytes",
 "getrandom 0.3.4",
 "lru-slab",
- "rand 0.9.4",
+ "rand 0.9.2",
 "ring",
 "rustc-hash",
 "rustls",
@@ -2794,9 +2758,9 @@ dependencies = [

 [[package]]
 name = "rand"
-version = "0.9.4"
+version = "0.9.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "44c5af06bb1b7d3216d91932aed5265164bf384dc89cd6ba05cf59a35f5f76ea"
+checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
 dependencies = [
 "rand_chacha 0.9.0",
 "rand_core 0.9.5",
@@ -2849,15 +2813,6 @@ dependencies = [
 "rand_core 0.9.5",
 ]

-[[package]]
-name = "rapidhash"
-version = "4.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5e48930979c155e2f33aa36ab3119b5ee81332beb6482199a8ecd6029b80b59"
-dependencies = [
- "rustversion",
-]
-
 [[package]]
 name = "raw-cpuid"
 version = "11.6.0"
@@ -2916,9 +2871,9 @@ checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"

 [[package]]
 name = "reqwest"
-version = "0.13.3"
+version = "0.13.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62e0021ea2c22aed41653bc7e1419abb2c97e038ff2c33d0e1309e49a97deec0"
+checksum = "ab3f43e3283ab1488b624b44b0e988d0acea0b3214e694730a055cb6b2efa801"
 dependencies = [
 "base64 0.22.1",
 "bytes",
@@ -3150,12 +3105,6 @@ dependencies = [
 "windows-sys 0.61.2",
 ]

-[[package]]
-name = "scoped-tls"
-version = "1.0.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e1cf6437eb19a8f4a6cc0f7dca544973b0b78843adbfeb3683d1a94a0024a294"
-
 [[package]]
 name = "scopeguard"
 version = "1.2.0"
@@ -3193,9 +3142,9 @@ checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"

 [[package]]
 name = "sentry"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b93b3e19f45495ddd41d8222a152c48c84f6ba45abe9c69e2527e9cdea29bb5b"
+checksum = "eb25f439f97d26fea01d717fa626167ceffcd981addaa670001e70505b72acbb"
 dependencies = [
 "cfg_aliases",
 "httpdate",
@@ -3214,9 +3163,9 @@ dependencies = [

 [[package]]
 name = "sentry-backtrace"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dc84c325ace9ca2388e510fe7d6672b5d60cd8b3bd0eb4bb4ee8314c323cd686"
+checksum = "46a8c2c1bd5c1f735e84f28b48e7d72efcaafc362b7541bc8253e60e8fcdffc6"
 dependencies = [
 "backtrace",
 "regex",
@@ -3225,9 +3174,9 @@ dependencies = [

 [[package]]
 name = "sentry-contexts"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "896c1ab62dbfe1746fb262bbf72e6feb2fb9dfb2c14709077bf71beb532e44b2"
+checksum = "9b88a90baa654d7f0e1f4b667f6b434293d9f72c71bef16b197c76af5b7d5803"
 dependencies = [
 "hostname",
 "libc",
@@ -3239,11 +3188,11 @@ dependencies = [

 [[package]]
 name = "sentry-core"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d5f5abf20c42cb1593ec1638976e2647da55f79bccac956444c1707b6cce259a"
+checksum = "0ac170a5bba8bec6e3339c90432569d89641fa7a3d3e4f44987d24f0762e6adf"
 dependencies = [
- "rand 0.9.4",
+ "rand 0.9.2",
 "sentry-types",
 "serde",
 "serde_json",
@@ -3252,9 +3201,9 @@ dependencies = [

 [[package]]
 name = "sentry-debug-images"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4b88bbe6a760d5724bb40689827e82e8db1e275947df2c59abe171bfc30bb671"
+checksum = "dd9646a972b57896d4a92ed200cf76139f8e30b3cfd03b6662ae59926d26633c"
 dependencies = [
 "findshlibs",
 "sentry-core",
@@ -3262,9 +3211,9 @@ dependencies = [

 [[package]]
 name = "sentry-panic"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0260dcb52562b6a79ae7702312a26dba94b79fb5baee7301087529e5ca4e872e"
+checksum = "6127d3d304ba5ce0409401e85aae538e303a569f8dbb031bf64f9ba0f7174346"
 dependencies = [
 "sentry-backtrace",
 "sentry-core",
@@ -3272,9 +3221,9 @@ dependencies = [

 [[package]]
 name = "sentry-tower"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d669616d5d5279b5712febfc80c343acc3695e499de0d101ed70fceacadf37f2"
+checksum = "61c5253dc4ad89863a866b93aeaaac1c9d60f2f774663b5024afe2d57e0a101c"
 dependencies = [
 "sentry-core",
 "tower-layer",
@@ -3283,9 +3232,9 @@ dependencies = [

 [[package]]
 name = "sentry-tracing"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a1c035f3a0a8671ae1a231c5b457abb68b71acba2bf3054dab2a09a9d4ea487e"
+checksum = "27701acc51e68db5281802b709010395bfcbcb128b1d0a4e5873680d3b47ff0c"
 dependencies = [
 "bitflags 2.11.0",
 "sentry-backtrace",
@@ -3296,13 +3245,13 @@ dependencies = [

 [[package]]
 name = "sentry-types"
-version = "0.48.1"
+version = "0.47.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "82d8e81058ec155992191f61c7b29bfa7b2cf12012131e7cdc0678020898a7c9"
+checksum = "56780cb5597d676bf22e6c11d1f062eb4def46390ea3bfb047bcbcf7dfd19bdb"
 dependencies = [
 "debugid",
 "hex",
- "rand 0.9.4",
+ "rand 0.9.2",
 "serde",
 "serde_json",
 "thiserror 2.0.18",
@@ -3390,9 +3339,9 @@ dependencies = [

 [[package]]
 name = "serde_with"
-version = "3.19.0"
+version = "3.18.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f05839ce67618e14a09b286535c0d9c94e85ef25469b0e13cb4f844e5593eb19"
+checksum = "dd5414fad8e6907dbdd5bc441a50ae8d6e26151a03b1de04d89a5576de61d01f"
 dependencies = [
 "base64 0.22.1",
 "chrono",
@@ -3924,9 +3873,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"

 [[package]]
 name = "tokio"
-version = "1.52.2"
+version = "1.52.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "110a78583f19d5cdb2c5ccf321d1290344e71313c6c37d43520d386027d18386"
+checksum = "b67dee974fe86fd92cc45b7a95fdd2f99a36a6d7b0d431a231178d3d670bbcc6"
 dependencies = [
 "bytes",
 "libc",
@@ -4072,21 +4021,21 @@ dependencies = [

 [[package]]
 name = "tower-http"
-version = "0.6.10"
+version = "0.6.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68d6fdd9f81c2819c9a8b0e0cd91660e7746a8e6ea2ba7c6b2b057985f6bcb51"
+checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
 dependencies = [
 "bitflags 2.11.0",
 "bytes",
 "futures-util",
 "http",
 "http-body",
+ "iri-string",
 "pin-project-lite",
 "tokio",
 "tower",
 "tower-layer",
 "tower-service",
- "url",
 ]

 [[package]]
@@ -4204,7 +4153,7 @@ dependencies = [
 "http",
 "httparse",
 "log",
- "rand 0.9.4",
+ "rand 0.9.2",
 "sha1",
 "thiserror 2.0.18",
 ]
@@ -4566,15 +4515,6 @@ dependencies = [
 "rustls-pki-types",
 ]

-[[package]]
-name = "which"
-version = "8.0.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81995fafaaaf6ae47a7d0cc83c67caf92aeb7e5331650ae6ff856f7c0c60c459"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "whoami"
 version = "1.6.1"
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,7 +8,7 @@ members = [
 resolver = "3"

 [workspace.package]
-version = "2026.8.0-rc1"
+version = "2026.5.0-rc1"
 authors = ["authentik Team <hello@goauthentik.io>"]
 description = "Making authentication simple."
 edition = "2024"
@@ -43,15 +43,15 @@ hyper-unix-socket = "= 0.6.1"
 hyper-util = "= 0.1.20"
 ipnet = { version = "= 2.12.0", features = ["serde"] }
 json-subscriber = "= 0.2.8"
-metrics = "= 0.24.5"
-metrics-exporter-prometheus = { version = "= 0.18.3", default-features = false }
+metrics = "= 0.24.3"
+metrics-exporter-prometheus = { version = "= 0.18.1", default-features = false }
 nix = { version = "= 0.31.2", features = ["hostname", "signal"] }
 notify = "= 8.2.0"
 pin-project-lite = "= 0.2.17"
 pyo3 = "= 0.28.3"
 pyo3-build-config = "= 0.28.3"
 regex = "= 1.12.3"
-reqwest = { version = "= 0.13.3", features = [
+reqwest = { version = "= 0.13.2", features = [
  "form",
  "json",
  "multipart",
@@ -67,7 +67,7 @@ reqwest-middleware = { version = "= 0.5.1", features = [
  "rustls",
 ] }
 rustls = { version = "= 0.23.40", features = ["fips"] }
-sentry = { version = "= 0.48.1", default-features = false, features = [
+sentry = { version = "= 0.47.0", default-features = false, features = [
  "backtrace",
  "contexts",
  "debug-images",
@@ -80,7 +80,7 @@ sentry = { version = "= 0.48.1", default-features = false, features = [
 serde = { version = "= 1.0.228", features = ["derive"] }
 serde_json = "= 1.0.149"
 serde_repr = "= 0.1.20"
-serde_with = { version = "= 3.19.0", default-features = false, features = [
+serde_with = { version = "= 3.18.0", default-features = false, features = [
  "base64",
 ] }
 sqlx = { version = "= 0.8.6", default-features = false, features = [
@@ -97,12 +97,12 @@ sqlx = { version = "= 0.8.6", default-features = false, features = [
 tempfile = "= 3.27.0"
 thiserror = "= 2.0.18"
 time = { version = "= 0.3.47", features = ["macros"] }
-tokio = { version = "= 1.52.2", features = ["full", "tracing"] }
+tokio = { version = "= 1.52.1", features = ["full", "tracing"] }
 tokio-retry2 = "= 0.9.1"
 tokio-rustls = "= 0.26.4"
 tokio-util = { version = "= 0.7.18", features = ["full"] }
 tower = "= 0.5.3"
-tower-http = { version = "= 0.6.10", features = ["timeout"] }
+tower-http = { version = "= 0.6.8", features = ["timeout"] }
 tracing = "= 0.1.44"
 tracing-error = "= 0.2.1"
 tracing-subscriber = { version = "= 0.3.23", features = [
@@ -113,11 +113,10 @@ tracing-subscriber = { version = "= 0.3.23", features = [
 ] }
 url = "= 2.5.8"
 uuid = { version = "= 1.23.1", features = ["serde", "v4"] }
-which = "= 8.0.2"

-ak-axum = { package = "authentik-axum", version = "2026.8.0-rc1", path = "./packages/ak-axum" }
-ak-client = { package = "authentik-client", version = "2026.8.0-rc1", path = "./packages/client-rust" }
-ak-common = { package = "authentik-common", version = "2026.8.0-rc1", path = "./packages/ak-common", default-features = false }
+ak-axum = { package = "authentik-axum", version = "2026.5.0-rc1", path = "./packages/ak-axum" }
+ak-client = { package = "authentik-client", version = "2026.5.0-rc1", path = "./packages/client-rust" }
+ak-common = { package = "authentik-common", version = "2026.5.0-rc1", path = "./packages/ak-common", default-features = false }

 [workspace.lints.rust]
 ambiguous_negative_literals = "warn"
@@ -283,7 +282,6 @@ sqlx = { workspace = true, optional = true }
 tokio.workspace = true
 tracing.workspace = true
 uuid.workspace = true
-which.workspace = true

 [lints]
 workspace = true
--- a/102
+++ b/102
@@ -106,14 +106,18 @@ migrate: ## Run the Authentik Django server's migrations

 i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that require translation into files to send to a translation service

-aws-cfn:
-	cd lifecycle/aws && npm i && $(UV) run npm run aws-cfn
+aws-cfn: node-install
+	corepack npm install --prefix lifecycle/aws
+	$(UV) run corepack npm run aws-cfn --prefix lifecycle/aws

-run:  ## Run the main authentik server and worker processes
-	$(UV) run ak allinone
+run-server:  ## Run the main authentik server process
+	$(UV) run ak server

-run-watch:  ## Run the authentik server and worker, with auto reloading
-	watchexec --on-busy-update=restart --stop-signal=SIGINT --exts py,rs,go --no-meta --notify -- $(UV) run ak allinone
+run-worker:  ## Run the main authentik worker process
+	$(UV) run ak worker
+
+run-worker-watch:  ## Run the authentik worker, with auto reloading
+	watchexec --on-busy-update=restart --stop-signal=SIGINT --exts py,rs --no-meta --notify -- $(UV) run ak worker

 core-i18n-extract:
 	$(UV) run ak makemessages \
@@ -125,7 +129,7 @@ core-i18n-extract:
 		--ignore website \
 		-l en

-install: node-install docs-install core-install  ## Install all requires dependencies for `node`, `docs` and `core`
+install: node-install web-install core-install  ## Install all requires dependencies for `node`, `web` and `core`

 dev-drop-db:
 	$(eval pg_user := $(shell $(UV) run python -m authentik.lib.config postgresql.user 2>/dev/null))
@@ -160,7 +164,7 @@ endif
 	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
 	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml
 	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' ${PWD}/authentik/__init__.py
-	$(SED_INPLACE) "s/version = \"${current_version}\"/version = \"$(version)\"/" ${PWD}/Cargo.toml ${PWD}/Cargo.lock
+	$(SED_INPLACE) "s/version = \"${current_version}\"/version = \"$(version)\"" ${PWD}/Cargo.toml ${PWD}/Cargo.lock
 	$(MAKE) gen-build gen-compose aws-cfn
 	$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
 	echo -n $(version) > ${PWD}/internal/constants/VERSION
@@ -228,62 +232,47 @@ gen-dev-config:  ## Generate a local development config file
 ## Node.js
 #########################

-# Packages whose install/postinstall scripts are required for correct
-# operation (binary downloads, native bindings). The root .npmrc sets
-# `ignore-scripts=true` to block dependency lifecycle scripts by default;
-# this list is rebuilt explicitly with scripts re-enabled. Audit any
-# additions: each entry runs arbitrary code at install time.
-TRUSTED_INSTALL_SCRIPTS := esbuild chromedriver tree-sitter tree-sitter-json
+node-install:  ## Install the necessary libraries to build Node.js packages
+	node ./scripts/node/setup-corepack.mjs
+	node ./scripts/node/lint-runtime.mjs

-root-node-install:
-	npm ci
-
-node-install: root-node-install  ## Install the necessary libraries to build Node.js packages
-	npm ci --prefix web
-	npm rebuild --prefix web --ignore-scripts=false --foreground-scripts $(TRUSTED_INSTALL_SCRIPTS)
-
-node-install-containerized:  ## Run node-install inside an Apple container (macOS 15+, Apple Silicon)
-ifeq ($(UNAME_S),Darwin)
-	./scripts/container-sandbox sh -c '\
-		npm ci && \
-		npm ci --prefix web && \
-		npm rebuild --prefix web --ignore-scripts=false --foreground-scripts $(TRUSTED_INSTALL_SCRIPTS) \
-	'
-else
-	@echo "node-install-containerized is macOS-only (uses Apple's container runtime)." >&2
-	@echo "Falling back to plain node-install." >&2
-	$(MAKE) node-install
-endif
+	node ./scripts/node/lint-runtime.mjs

 #########################
 ## Web
 #########################

-web-build: node-install  ## Build the Authentik UI
-	npm run --prefix web build
+web-install: ## Install the necessary libraries to build the Authentik UI
+	node ./scripts/node/lint-runtime.mjs web
+
+	corepack npm ci
+	corepack npm ci --prefix web
+
+web-build:  ## Build the Authentik UI
+	corepack npm run --prefix web build

 web: web-lint-fix web-lint web-check-compile  ## Automatically fix formatting issues in the Authentik UI source code, lint the code, and compile it

 web-test: ## Run tests for the Authentik UI
-	npm run --prefix web test
+	corepack npm run --prefix web test

 web-watch:  ## Build and watch the Authentik UI for changes, updating automatically
-	npm run --prefix web watch
+	corepack npm run --prefix web watch
 web-storybook-watch:  ## Build and run the storybook documentation server
-	npm run --prefix web storybook
+	corepack npm run --prefix web storybook

 web-lint-fix:
-	npm run --prefix web prettier
+	corepack npm run --prefix web prettier

 web-lint:
-	npm run --prefix web lint
-	npm run --prefix web lit-analyse
+	corepack npm run --prefix web lint
+	corepack npm run --prefix web lit-analyse

 web-check-compile:
-	npm run --prefix web tsc
+	corepack npm run --prefix web tsc

 web-i18n-extract:
-	npm run --prefix web extract-locales
+	corepack npm run --prefix web extract-locales

 #########################
 ## Docs
@@ -291,35 +280,40 @@ web-i18n-extract:

 docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Authentik docs source code, lint the code, and compile it

-docs-install: root-node-install
-	npm ci --prefix website
+docs-install: node-install  ## Install the necessary libraries to build the Authentik documentation
+	node ./scripts/node/lint-runtime.mjs
+
+	corepack npm ci
+
+	corepack npm ci --prefix website

 docs-lint-fix: lint-spellcheck
-	npm run --prefix website prettier
+	corepack npm run --prefix website prettier

 docs-build:
-	npm run --prefix website build
+	node ./scripts/node/lint-runtime.mjs website
+	corepack npm run --prefix website build

 docs-watch:  ## Build and watch the topics documentation
-	npm run --prefix website start
+	corepack npm run --prefix website start

 integrations: docs-lint-fix integrations-build ## Fix formatting issues in the integrations source code, lint the code, and compile it

 integrations-build:
-	npm run --prefix website -w integrations build
+	corepack npm run --prefix website -w integrations build

 integrations-watch:  ## Build and watch the Integrations documentation
-	npm run --prefix website -w integrations start
+	corepack npm run --prefix website -w integrations start

 docs-api-build:
-	npm run --prefix website -w api build
+	corepack npm run --prefix website -w api build

 docs-api-watch:  ## Build and watch the API documentation
-	npm run --prefix website -w api generate
-	npm run --prefix website -w api start
+	corepack npm run --prefix website -w api generate
+	corepack npm run --prefix website -w api start

 docs-api-clean: ## Clean generated API documentation
-	npm run --prefix website -w api build:api:clean
+	corepack npm run --prefix website -w api build:api:clean

 #########################
 ## Docker
--- a/authentik/init.py
+++ b/authentik/init.py
@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ

-VERSION = "2026.8.0-rc1"
+VERSION = "2026.5.0-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/api/ordering.py
+++ b/authentik/api/ordering.py
@@ -1,36 +0,0 @@
-from django.db.models import F, QuerySet
-from rest_framework.filters import OrderingFilter
-from rest_framework.request import Request
-from rest_framework.views import APIView
-
-
-class NullsAwareOrderingFilter(OrderingFilter):
-    """OrderingFilter that sorts NULL values consistently.
-
-    For any nullable field, NULLs are treated as the smallest possible value:
-    - ascending  → NULLs appear first  (nulls_first=True)
-    - descending → NULLs appear last   (nulls_last=True)
-    """
-
-    def _nullable_field_names(self, queryset: QuerySet) -> set[str]:
-        return {f.name for f in queryset.model._meta.get_fields() if hasattr(f, "null") and f.null}
-
-    def filter_queryset(self, request: Request, queryset: QuerySet, view: APIView):
-        queryset = super().filter_queryset(request, queryset, view)
-        ordering = queryset.query.order_by
-        if not ordering:
-            return queryset
-        nullable = self._nullable_field_names(queryset)
-        new_ordering = []
-        changed = False
-        for term in ordering:
-            name = term.lstrip("-")
-            if name in nullable:
-                changed = True
-                if term.startswith("-"):
-                    new_ordering.append(F(name).desc(nulls_last=True))
-                else:
-                    new_ordering.append(F(name).asc(nulls_first=True))
-            else:
-                new_ordering.append(term)
-        return queryset.order_by(*new_ordering) if changed else queryset
--- a/authentik/api/tests/test_ordering.py
+++ b/authentik/api/tests/test_ordering.py
@@ -1,59 +0,0 @@
-from django.db.models import OrderBy
-from django.test import TestCase
-from rest_framework.request import Request
-from rest_framework.test import APIRequestFactory
-
-from authentik.api.ordering import NullsAwareOrderingFilter
-from authentik.core.models import Token, User
-
-
-class MockView:
-    ordering_fields = "__all__"
-    ordering = None
-
-
-class TestNullsAwareOrderingFilter(TestCase):
-
-    def setUp(self):
-        self.filter = NullsAwareOrderingFilter()
-        self.view = MockView()
-        factory = APIRequestFactory()
-        self._req = lambda ordering: Request(factory.get("/", {"ordering": ordering}))
-
-    def _order_by(self, model, ordering):
-        qs = model.objects.all()
-        return self.filter.filter_queryset(self._req(ordering), qs, self.view).query.order_by
-
-    def test_nullable_asc_nulls_first(self):
-        """Ascending sort on a nullable field rewrites to nulls_first=True."""
-        (expr,) = self._order_by(User, "last_login")
-        self.assertIsInstance(expr, OrderBy)
-        self.assertFalse(expr.descending)
-        self.assertTrue(expr.nulls_first)
-
-    def test_nullable_desc_nulls_last(self):
-        """Descending sort on a nullable field rewrites to nulls_last=True."""
-        (expr,) = self._order_by(User, "-last_login")
-        self.assertIsInstance(expr, OrderBy)
-        self.assertTrue(expr.descending)
-        self.assertTrue(expr.nulls_last)
-
-    def test_non_nullable_passes_through(self):
-        """Non-nullable fields are left as plain string terms."""
-        (expr,) = self._order_by(User, "username")
-        self.assertEqual(expr, "username")
-
-    def test_mixed_ordering(self):
-        """Only nullable terms are rewritten; non-nullable terms pass through unchanged."""
-        first, second = self._order_by(User, "username,-last_login")
-        self.assertEqual(first, "username")
-        self.assertIsInstance(second, OrderBy)
-        self.assertTrue(second.descending)
-        self.assertTrue(second.nulls_last)
-
-    def test_expires_nullable(self):
-        """expires on ExpiringModel is nullable and is rewritten correctly."""
-        (expr,) = self._order_by(Token, "-expires")
-        self.assertIsInstance(expr, OrderBy)
-        self.assertTrue(expr.descending)
-        self.assertTrue(expr.nulls_last)
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@@ -1,6 +1,5 @@
 """Serializer mixin for managed models"""

-from json import JSONDecodeError, loads
 from typing import cast

 from django.conf import settings
@@ -45,7 +44,6 @@ class BlueprintUploadSerializer(PassiveSerializer):

    file = FileField(required=False)
    path = CharField(required=False)
-    context = CharField(required=False, allow_blank=True)

    def validate_path(self, path: str) -> str:
        """Ensure the path (if set) specified is retrievable"""
@@ -56,18 +54,6 @@ class BlueprintUploadSerializer(PassiveSerializer):
            raise ValidationError(_("Blueprint file does not exist"))
        return path

-    def validate_context(self, context: str) -> dict:
-        """Parse context as a JSON object"""
-        if not context:
-            return {}
-        try:
-            parsed = loads(context)
-        except JSONDecodeError as exc:
-            raise ValidationError(_("Context must be valid JSON")) from exc
-        if not isinstance(parsed, dict):
-            raise ValidationError(_("Context must be a JSON object"))
-        return parsed
-

 class ManagedSerializer:
    """Managed Serializer"""
@@ -217,7 +203,10 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):

    @extend_schema(
        request={"multipart/form-data": BlueprintUploadSerializer},
-        responses={200: BlueprintImportResultSerializer},
+        responses={
+            204: BlueprintImportResultSerializer,
+            400: BlueprintImportResultSerializer,
+        },
    )
    @action(url_path="import", detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
    @validate(
@@ -235,8 +224,7 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
            ).retrieve_file()
        else:
            raise ValidationError("Either path or file must be set")
-        context = body.validated_data.get("context") or {}
-        importer = Importer.from_string(string_contents, context)
+        importer = Importer.from_string(string_contents)

        check_blueprint_perms(importer.blueprint, request.user)

@@ -244,13 +232,21 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):

        import_response = self.BlueprintImportResultSerializer(
            data={
-                "logs": [LogEventSerializer(log).data for log in logs],
-                "success": valid,
+                "logs": [],
+                "success": False,
            }
        )
        import_response.is_valid(raise_exception=True)

-        if valid:
-            import_response.initial_data["success"] = importer.apply()
-            import_response.is_valid()
+        import_response.initial_data["logs"] = [LogEventSerializer(log).data for log in logs]
+        import_response.initial_data["success"] = valid
+        import_response.is_valid()
+        if not valid:
+            return Response(data=import_response.initial_data, status=200)
+
+        successful = importer.apply()
+        import_response.initial_data["success"] = successful
+        import_response.is_valid()
+        if not successful:
+            return Response(data=import_response.initial_data, status=200)
        return Response(data=import_response.initial_data, status=200)
--- a/authentik/blueprints/tests/test_v1_api.py
+++ b/authentik/blueprints/tests/test_v1_api.py
@@ -1,19 +1,14 @@
 """Test blueprints v1 api"""

-from json import dumps, loads
+from json import loads
 from tempfile import NamedTemporaryFile, mkdtemp

-from django.core.files.uploadedfile import SimpleUploadedFile
 from django.urls import reverse
 from rest_framework.test import APITestCase
 from yaml import dump

 from authentik.core.tests.utils import create_test_admin_user
-from authentik.flows.models import Flow
 from authentik.lib.config import CONFIG
-from authentik.lib.generators import generate_id
-from authentik.stages.invitation.models import InvitationStage
-from authentik.stages.user_write.models import UserWriteStage

 TMP = mkdtemp("authentik-blueprints")

@@ -85,121 +80,3 @@ class TestBlueprintsV1API(APITestCase):
            res.content.decode(),
            {"content": ["Failed to validate blueprint", "- Invalid blueprint version"]},
        )
-
-    def test_api_import_with_context(self):
-        """Test that the import endpoint applies the supplied context to the real blueprint"""
-        slug = f"invitation-enrollment-{generate_id()}"
-        flow_name = f"Invitation Enrollment {generate_id()}"
-        stage_name = f"invitation-stage-{generate_id()}"
-        user_type = "internal"
-        continue_without_invitation = True
-
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={
-                "path": "example/flows-invitation-enrollment-minimal.yaml",
-                "context": dumps(
-                    {
-                        "flow_slug": slug,
-                        "flow_name": flow_name,
-                        "stage_name": stage_name,
-                        "continue_flow_without_invitation": continue_without_invitation,
-                        "user_type": user_type,
-                    }
-                ),
-            },
-            format="multipart",
-        )
-        self.assertEqual(res.status_code, 200)
-        self.assertTrue(res.json()["success"])
-
-        flow = Flow.objects.get(slug=slug)
-        self.assertEqual(flow.name, flow_name)
-        self.assertEqual(flow.title, flow_name)
-
-        invitation_stage = InvitationStage.objects.get(name=stage_name)
-        self.assertEqual(
-            invitation_stage.continue_flow_without_invitation,
-            continue_without_invitation,
-        )
-
-        user_write_stage = UserWriteStage.objects.get(
-            name=f"invitation-enrollment-user-write-{slug}"
-        )
-        self.assertEqual(user_write_stage.user_type, user_type)
-        self.assertEqual(user_write_stage.user_path_template, f"users/{user_type}")
-
-    def test_api_import_blank_path(self):
-        """Validator returns empty path unchanged (covers api.py:53)."""
-        with NamedTemporaryFile(mode="w+", suffix=".yaml") as file:
-            file.write(dump({"version": 1, "entries": []}))
-            file.flush()
-            file.seek(0)
-            res = self.client.post(
-                reverse("authentik_api:blueprintinstance-import-"),
-                data={"path": "", "file": file},
-                format="multipart",
-            )
-        self.assertEqual(res.status_code, 200)
-
-    def test_api_import_invalid_blueprint_returns_result_payload(self):
-        """Invalid blueprint content returns a result payload instead of a 400 response."""
-        file = SimpleUploadedFile("invalid-blueprint.yaml", b'{"version": 3}')
-
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={"file": file},
-            format="multipart",
-        )
-
-        self.assertEqual(res.status_code, 200)
-        self.assertFalse(res.json()["success"])
-        self.assertGreater(len(res.json()["logs"]), 0)
-
-    def test_api_import_unknown_path(self):
-        """Path not in available blueprints is rejected (covers api.py:56)."""
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={"path": "does/not/exist.yaml"},
-            format="multipart",
-        )
-        self.assertEqual(res.status_code, 400)
-        self.assertIn("Blueprint file does not exist", res.content.decode())
-
-    def test_api_import_blank_context(self):
-        """Blank context is normalized to empty dict (covers api.py:62)."""
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={
-                "path": "example/flows-invitation-enrollment-minimal.yaml",
-                "context": "",
-            },
-            format="multipart",
-        )
-        self.assertEqual(res.status_code, 200)
-
-    def test_api_import_invalid_json_context(self):
-        """Malformed JSON context raises ValidationError (covers api.py:65-66)."""
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={
-                "path": "example/flows-invitation-enrollment-minimal.yaml",
-                "context": "{not json",
-            },
-            format="multipart",
-        )
-        self.assertEqual(res.status_code, 400)
-        self.assertIn("Context must be valid JSON", res.content.decode())
-
-    def test_api_import_non_object_context(self):
-        """JSON context that isn't an object is rejected (covers api.py:68)."""
-        res = self.client.post(
-            reverse("authentik_api:blueprintinstance-import-"),
-            data={
-                "path": "example/flows-invitation-enrollment-minimal.yaml",
-                "context": "[1, 2, 3]",
-            },
-            format="multipart",
-        )
-        self.assertEqual(res.status_code, 400)
-        self.assertIn("Context must be a JSON object", res.content.decode())
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@@ -32,19 +32,19 @@ from authentik.rbac.decorators import permission_required
 class UserAgentDeviceDict(TypedDict):
    """User agent device"""

-    brand: str | None = None
+    brand: str
    family: str
-    model: str | None = None
+    model: str


 class UserAgentOSDict(TypedDict):
    """User agent os"""

    family: str
-    major: str | None = None
-    minor: str | None = None
-    patch: str | None = None
-    patch_minor: str | None = None
+    major: str
+    minor: str
+    patch: str
+    patch_minor: str


 class UserAgentBrowserDict(TypedDict):
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@@ -1,5 +1,6 @@
 """authentik core signals"""

+from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.contrib.auth.signals import user_logged_in
 from django.core.cache import cache
@@ -58,7 +59,7 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
    layer = get_channel_layer()
    device_cookie = request.COOKIES.get("authentik_device")
    if device_cookie:
-        layer.group_send_blocking(
+        async_to_sync(layer.group_send)(
            build_device_group(device_cookie),
            {"type": "event.session.authenticated"},
        )
--- a/authentik/enterprise/providers/ssf/migrations/0002_ssfprovider_push_verify_certificates_and_more.py
+++ b/authentik/enterprise/providers/ssf/migrations/0002_ssfprovider_push_verify_certificates_and_more.py
@@ -1,7 +1,6 @@
 # Generated by Django 5.2.12 on 2026-04-04 16:58

 from django.db import migrations, models
-import django.contrib.postgres.fields


 class Migration(migrations.Migration):
@@ -41,109 +40,4 @@ class Migration(migrations.Migration):
                ]
            ),
        ),
-        migrations.AlterField(
-            model_name="stream",
-            name="events_requested",
-            field=django.contrib.postgres.fields.ArrayField(
-                base_field=models.TextField(
-                    choices=[
-                        (
-                            "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
-                            "Caep Session Revoked",
-                        ),
-                        (
-                            "https://schemas.openid.net/secevent/caep/event-type/token-claims-change",
-                            "Caep Token Claims Change",
-                        ),
-                        (
-                            "https://schemas.openid.net/secevent/caep/event-type/credential-change",
-                            "Caep Credential Change",
-                        ),
-                        (
-                            "https://schemas.openid.net/secevent/caep/event-type/assurance-level-change",
-                            "Caep Assurance Level Change",
-                        ),
-                        (
-                            "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change",
-                            "Caep Device Compliance Change",
-                        ),
-                        (
-                            "https://schemas.openid.net/secevent/caep/event-type/session-established",
-                            "Caep Session Established",
-                        ),
-                        (
-                            "https://schemas.openid.net/secevent/caep/event-type/session-presented",
-                            "Caep Session Presented",
-                        ),
-                        (
-                            "https://schemas.openid.net/secevent/caep/event-type/risk-level-change",
-                            "Caep Risk Level Change",
-                        ),
-                        (
-                            "https://schemas.openid.net/secevent/ssf/event-type/verification",
-                            "Set Verification",
-                        ),
-                    ]
-                ),
-                default=list,
-                size=None,
-            ),
-        ),
-        migrations.AlterField(
-            model_name="stream",
-            name="status",
-            field=models.TextField(
-                choices=[
-                    ("enabled", "Enabled"),
-                    ("paused", "Paused"),
-                    ("disabled", "Disabled"),
-                    ("disabled_deleted", "Disabled Deleted"),
-                ],
-                default="enabled",
-            ),
-        ),
-        migrations.AlterField(
-            model_name="streamevent",
-            name="type",
-            field=models.TextField(
-                choices=[
-                    (
-                        "https://schemas.openid.net/secevent/caep/event-type/session-revoked",
-                        "Caep Session Revoked",
-                    ),
-                    (
-                        "https://schemas.openid.net/secevent/caep/event-type/token-claims-change",
-                        "Caep Token Claims Change",
-                    ),
-                    (
-                        "https://schemas.openid.net/secevent/caep/event-type/credential-change",
-                        "Caep Credential Change",
-                    ),
-                    (
-                        "https://schemas.openid.net/secevent/caep/event-type/assurance-level-change",
-                        "Caep Assurance Level Change",
-                    ),
-                    (
-                        "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change",
-                        "Caep Device Compliance Change",
-                    ),
-                    (
-                        "https://schemas.openid.net/secevent/caep/event-type/session-established",
-                        "Caep Session Established",
-                    ),
-                    (
-                        "https://schemas.openid.net/secevent/caep/event-type/session-presented",
-                        "Caep Session Presented",
-                    ),
-                    (
-                        "https://schemas.openid.net/secevent/caep/event-type/risk-level-change",
-                        "Caep Risk Level Change",
-                    ),
-                    (
-                        "https://schemas.openid.net/secevent/ssf/event-type/verification",
-                        "Set Verification",
-                    ),
-                ]
-            ),
-        ),
    ]
--- a/authentik/enterprise/providers/ssf/models.py
+++ b/authentik/enterprise/providers/ssf/models.py
@@ -24,31 +24,8 @@ class EventTypes(models.TextChoices):
    """SSF Event types supported by authentik"""

    CAEP_SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"
-    """https://openid.net/specs/openid-caep-1_0-final.html#section-3.1"""
-    CAEP_TOKEN_CLAIMS_CHANGE = (
-        "https://schemas.openid.net/secevent/caep/event-type/token-claims-change"
-    )
-    """https://openid.net/specs/openid-caep-1_0-final.html#section-3.2"""
    CAEP_CREDENTIAL_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/credential-change"
-    """https://openid.net/specs/openid-caep-1_0-final.html#section-3.3"""
-    CAEP_ASSURANCE_LEVEL_CHANGE = (
-        "https://schemas.openid.net/secevent/caep/event-type/assurance-level-change"
-    )
-    """https://openid.net/specs/openid-caep-1_0-final.html#section-3.4"""
-    CAEP_DEVICE_COMPLIANCE_CHANGE = (
-        "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"
-    )
-    """https://openid.net/specs/openid-caep-1_0-final.html#section-3.5"""
-    CAEP_SESSION_ESTABLISHED = (
-        "https://schemas.openid.net/secevent/caep/event-type/session-established"
-    )
-    """https://openid.net/specs/openid-caep-1_0-final.html#section-3.6"""
-    CAEP_SESSION_PRESENTED = "https://schemas.openid.net/secevent/caep/event-type/session-presented"
-    """https://openid.net/specs/openid-caep-1_0-final.html#section-3.7"""
-    CAEP_RISK_LEVEL_CHANGE = "https://schemas.openid.net/secevent/caep/event-type/risk-level-change"
-    """https://openid.net/specs/openid-caep-1_0-final.html#section-3.8"""
    SET_VERIFICATION = "https://schemas.openid.net/secevent/ssf/event-type/verification"
-    """https://openid.net/specs/openid-sharedsignals-framework-1_0.html#section-8.1.4.1"""


 class DeliveryMethods(models.TextChoices):
@@ -69,12 +46,10 @@ class SSFEventStatus(models.TextChoices):


 class StreamStatus(models.TextChoices):
-    """SSF Stream status"""

    ENABLED = "enabled"
    PAUSED = "paused"
    DISABLED = "disabled"
-    DISABLED_DELETED = "disabled_deleted"


 class SSFProvider(TasksModel, BackchannelProvider):
--- a/authentik/enterprise/providers/ssf/tasks.py
+++ b/authentik/enterprise/providers/ssf/tasks.py
@@ -108,13 +108,13 @@ def send_ssf_event(stream_uuid: UUID, event_data: dict[str, Any]):
        event.save()
        self.info("Event successfully sent", status=response.status_code)
        # Cleanup, if we were the last pending message for this stream and it has been deleted
-        # (status=StreamStatus.DISABLED_DELETED), then we can delete the stream
+        # (status=StreamStatus.DISABLED), then we can delete the stream
        if (
            not StreamEvent.objects.filter(
                stream=stream,
                status__in=[SSFEventStatus.PENDING_FAILED, SSFEventStatus.PENDING_NEW],
            ).exists()
-            and stream.status == StreamStatus.DISABLED_DELETED
+            and stream.status == StreamStatus.DISABLED
        ):
            LOGGER.info(
                "Deleting inactive stream as all pending messages were sent.", stream=stream
--- a/authentik/enterprise/providers/ssf/tests/test_auth.py
+++ b/authentik/enterprise/providers/ssf/tests/test_auth.py
@@ -62,7 +62,7 @@ class TestSSFAuth(APITestCase):
        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
        self.assertEqual(
            event.payload["events"],
-            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {}},
+            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
        )

    def test_stream_add_oidc(self):
@@ -115,7 +115,7 @@ class TestSSFAuth(APITestCase):
        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
        self.assertEqual(
            event.payload["events"],
-            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {}},
+            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
        )

    def test_token_invalid(self):
--- a/authentik/enterprise/providers/ssf/tests/test_stream.py
+++ b/authentik/enterprise/providers/ssf/tests/test_stream.py
@@ -54,7 +54,7 @@ class TestStream(APITestCase):
        self.assertEqual(event.status, SSFEventStatus.PENDING_FAILED)
        self.assertEqual(
            event.payload["events"],
-            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {}},
+            {"https://schemas.openid.net/secevent/ssf/event-type/verification": {"state": None}},
        )

    def test_stream_add_poll(self):
@@ -96,7 +96,7 @@ class TestStream(APITestCase):
        )
        self.assertEqual(res.status_code, 204)
        stream.refresh_from_db()
-        self.assertEqual(stream.status, StreamStatus.DISABLED_DELETED)
+        self.assertEqual(stream.status, StreamStatus.DISABLED)

    def test_stream_get(self):
        """get stream"""
@@ -225,26 +225,3 @@ class TestStream(APITestCase):
            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
        )
        self.assertEqual(res.status_code, 404)
-
-    def test_stream_status_update(self):
-        stream = Stream.objects.create(provider=self.provider)
-        res = self.client.post(
-            reverse(
-                "authentik_providers_ssf:stream-status",
-                kwargs={"application_slug": self.application.slug},
-            ),
-            data={
-                "stream_id": str(stream.pk),
-                "status": StreamStatus.DISABLED,
-            },
-            HTTP_AUTHORIZATION=f"Bearer {self.provider.token.key}",
-        )
-        self.assertEqual(res.status_code, 200)
-        stream.refresh_from_db()
-        self.assertJSONEqual(
-            res.content,
-            {
-                "stream_id": str(stream.pk),
-                "status": str(stream.status),
-            },
-        )
--- a/authentik/enterprise/providers/ssf/tests/test_tasks.py
+++ b/authentik/enterprise/providers/ssf/tests/test_tasks.py
@@ -33,7 +33,7 @@ class TestTasks(APITestCase):
        )
        event_data = stream.prepare_event_payload(
            EventTypes.SET_VERIFICATION,
-            {},
+            {"state": None},
            sub_id={"format": "opaque", "id": str(stream.uuid)},
        )
        with Mocker() as mocker:
@@ -46,7 +46,7 @@ class TestTasks(APITestCase):
        )
        jwt = decode_complete(mocker.request_history[0].body, options={"verify_signature": False})
        self.assertEqual(jwt["header"]["typ"], "secevent+jwt")
-        self.assertEqual(jwt["payload"]["events"][EventTypes.SET_VERIFICATION], {})
+        self.assertIsNone(jwt["payload"]["events"][EventTypes.SET_VERIFICATION]["state"])

    def test_push_auth(self):
        auth = generate_id()
@@ -58,7 +58,7 @@ class TestTasks(APITestCase):
        )
        event_data = stream.prepare_event_payload(
            EventTypes.SET_VERIFICATION,
-            {},
+            {"state": None},
            sub_id={"format": "opaque", "id": str(stream.uuid)},
        )
        with Mocker() as mocker:
@@ -72,7 +72,7 @@ class TestTasks(APITestCase):
        )
        jwt = decode_complete(mocker.request_history[0].body, options={"verify_signature": False})
        self.assertEqual(jwt["header"]["typ"], "secevent+jwt")
-        self.assertEqual(jwt["payload"]["events"][EventTypes.SET_VERIFICATION], {})
+        self.assertIsNone(jwt["payload"]["events"][EventTypes.SET_VERIFICATION]["state"])

    def test_push_stream_disable(self):
        auth = generate_id()
@@ -81,11 +81,11 @@ class TestTasks(APITestCase):
            delivery_method=DeliveryMethods.RFC_PUSH,
            endpoint_url="http://localhost/ssf-push",
            authorization_header=auth,
-            status=StreamStatus.DISABLED_DELETED,
+            status=StreamStatus.DISABLED,
        )
        event_data = stream.prepare_event_payload(
            EventTypes.SET_VERIFICATION,
-            {},
+            {"state": None},
            sub_id={"format": "opaque", "id": str(stream.uuid)},
        )
        with Mocker() as mocker:
@@ -95,7 +95,7 @@ class TestTasks(APITestCase):
            ).get_result(block=True, timeout=1)
        jwt = decode_complete(mocker.request_history[0].body, options={"verify_signature": False})
        self.assertEqual(jwt["header"]["typ"], "secevent+jwt")
-        self.assertEqual(jwt["payload"]["events"][EventTypes.SET_VERIFICATION], {})
+        self.assertIsNone(jwt["payload"]["events"][EventTypes.SET_VERIFICATION]["state"])
        self.assertFalse(Stream.objects.filter(pk=stream.pk).exists())

    def test_push_error(self):
@@ -106,7 +106,7 @@ class TestTasks(APITestCase):
        )
        event_data = stream.prepare_event_payload(
            EventTypes.SET_VERIFICATION,
-            {},
+            {"state": None},
            sub_id={"format": "opaque", "id": str(stream.uuid)},
        )
        with Mocker() as mocker:
--- a/authentik/enterprise/providers/ssf/views/base.py
+++ b/authentik/enterprise/providers/ssf/views/base.py
@@ -24,10 +24,10 @@ class SSFView(APIView):


 class SSFStreamView(SSFView):
-    def get_object(self) -> Stream:
-        streams = Stream.objects.filter(provider=self.provider).exclude(
-            status=StreamStatus.DISABLED_DELETED
-        )
+    def get_object(self, any_status=False) -> Stream:
+        streams = Stream.objects.filter(provider=self.provider)
+        if not any_status:
+            streams = streams.filter(status__in=[StreamStatus.ENABLED, StreamStatus.PAUSED])
        if "stream_id" in self.request.query_params:
            streams = streams.filter(pk=self.request.query_params["stream_id"])
        if "stream_id" in self.request.data:
--- a/authentik/enterprise/providers/ssf/views/stream.py
+++ b/authentik/enterprise/providers/ssf/views/stream.py
@@ -1,6 +1,6 @@
 from uuid import uuid4

-from django.http import Http404, HttpRequest
+from django.http import HttpRequest
 from django.urls import reverse
 from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import CharField, ChoiceField, ListField, SerializerMethodField
@@ -106,11 +106,7 @@ class StreamResponseSerializer(PassiveSerializer):
        }

    def get_events_supported(self, instance: Stream) -> list[str]:
-        return [
-            EventTypes.CAEP_SESSION_REVOKED,
-            EventTypes.CAEP_CREDENTIAL_CHANGE,
-            EventTypes.SET_VERIFICATION,
-        ]
+        return [x.value for x in EventTypes]


 class StreamView(SSFStreamView):
@@ -132,9 +128,10 @@ class StreamView(SSFStreamView):
        LOGGER.info("Sending verification event", stream=instance)
        send_ssf_events(
            EventTypes.SET_VERIFICATION,
-            {},
+            {
+                "state": None,
+            },
            stream_filter={"pk": instance.uuid},
-            request=request,
            sub_id={"format": "opaque", "id": str(instance.uuid)},
        )
        response = StreamResponseSerializer(instance=instance, context={"request": request}).data
@@ -162,9 +159,7 @@ class StreamView(SSFStreamView):

    def delete(self, request: Request, *args, **kwargs) -> Response:
        stream = self.get_object()
-        if stream.status == StreamStatus.DISABLED_DELETED:
-            raise Http404
-        stream.status = StreamStatus.DISABLED_DELETED
+        stream.status = StreamStatus.DISABLED
        stream.save()
        return Response(status=204)

@@ -180,7 +175,6 @@ class StreamVerifyView(SSFStreamView):
                "state": state,
            },
            stream_filter={"pk": stream.uuid},
-            request=request,
            sub_id={"format": "opaque", "id": str(stream.uuid)},
        )
        return Response(status=204)
@@ -188,25 +182,8 @@ class StreamVerifyView(SSFStreamView):

 class StreamStatusView(SSFStreamView):

-    class StreamStatusSerializer(PassiveSerializer):
-        stream_id = CharField()
-        status = ChoiceField(choices=StreamStatus.choices)
-
    def get(self, request: Request, *args, **kwargs):
-        stream = self.get_object()
-        return Response(
-            {
-                "stream_id": str(stream.pk),
-                "status": str(stream.status),
-            }
-        )
-
-    def post(self, request: Request, *args, **kwargs):
-        stream = self.get_object()
-        serializer = self.StreamStatusSerializer(stream, data=request.data)
-        serializer.is_valid(raise_exception=True)
-        stream.status = serializer.validated_data["status"]
-        stream.save()
+        stream = self.get_object(any_status=True)
        return Response(
            {
                "stream_id": str(stream.pk),
--- a/authentik/events/api/notification_rules.py
+++ b/authentik/events/api/notification_rules.py
@@ -11,9 +11,7 @@ from authentik.events.models import NotificationRule
 class NotificationRuleSerializer(ModelSerializer):
    """NotificationRule Serializer"""

-    destination_group_obj = GroupSerializer(
-        read_only=True, source="destination_group", required=False, allow_null=True
-    )
+    destination_group_obj = GroupSerializer(read_only=True, source="destination_group")

    class Meta:
        model = NotificationRule
--- a/authentik/events/models.py
+++ b/authentik/events/models.py
@@ -8,6 +8,7 @@ from inspect import currentframe
 from typing import Any
 from uuid import uuid4

+from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.apps import apps
 from django.db import models
@@ -409,7 +410,7 @@ class NotificationTransport(TasksModel, SerializerModel):
            )
        notification.save()
        layer = get_channel_layer()
-        layer.group_send_blocking(
+        async_to_sync(layer.group_send)(
            build_user_group(notification.user),
            {
                "type": "event.notification",
--- a/authentik/flows/apps.py
+++ b/authentik/flows/apps.py
@@ -29,7 +29,6 @@ class RefreshOtherFlowsAfterAuthentication(Flag[bool], key="flows_refresh_others
    default = False
    visibility = "public"
    description = _("Refresh other tabs after successful authentication.")
-    deprecated = True


 class ContinuousLogin(Flag[bool], key="flows_continuous_login"):
--- a/authentik/providers/oauth2/tests/test_end_session.py
+++ b/authentik/providers/oauth2/tests/test_end_session.py
@@ -53,16 +53,6 @@ class TestEndSessionView(OAuthTestCase):
        self.brand.flow_invalidation = self.invalidation_flow
        self.brand.save()

-    def _id_token_hint(self, host: str) -> str:
-        """Issue a valid id_token_hint for the test provider under the given host."""
-        return self.provider.encode(
-            {
-                "iss": f"http://{host}/application/o/{self.app.slug}/",
-                "aud": self.provider.client_id,
-                "sub": str(self.user.pk),
-            }
-        )
-
    def test_post_logout_redirect_uri_strict_match(self):
        """Test strict URI matching redirects to flow"""
        self.client.force_login(self.user)
@@ -71,10 +61,7 @@ class TestEndSessionView(OAuthTestCase):
                "authentik_providers_oauth2:end-session",
                kwargs={"application_slug": self.app.slug},
            ),
-            {
-                "post_logout_redirect_uri": "http://testserver/logout",
-                "id_token_hint": self._id_token_hint(self.brand.domain),
-            },
+            {"post_logout_redirect_uri": "http://testserver/logout"},
            HTTP_HOST=self.brand.domain,
        )
        # Should redirect to the invalidation flow
@@ -82,12 +69,7 @@ class TestEndSessionView(OAuthTestCase):
        self.assertIn(self.invalidation_flow.slug, response.url)

    def test_post_logout_redirect_uri_strict_no_match(self):
-        """Test strict URI not matching returns an error and does not start logout flow.
-
-        Required by OIDC RP-Initiated Logout 1.0: on an unregistered
-        post_logout_redirect_uri, the OP MUST NOT redirect and MUST NOT proceed with
-        logout that targets the RP.
-        """
+        """Test strict URI not matching still proceeds with flow (no redirect URI in context)"""
        self.client.force_login(self.user)
        invalid_uri = "http://testserver/other"
        response = self.client.get(
@@ -95,14 +77,12 @@ class TestEndSessionView(OAuthTestCase):
                "authentik_providers_oauth2:end-session",
                kwargs={"application_slug": self.app.slug},
            ),
-            {
-                "post_logout_redirect_uri": invalid_uri,
-                "id_token_hint": self._id_token_hint(self.brand.domain),
-            },
+            {"post_logout_redirect_uri": invalid_uri},
            HTTP_HOST=self.brand.domain,
        )
-        self.assertEqual(response.status_code, 400)
-        self.assertNotIn(invalid_uri, response.content.decode())
+        # Should still redirect to flow, but invalid URI should not be in response
+        self.assertEqual(response.status_code, 302)
+        self.assertNotIn(invalid_uri, response.url)

    def test_post_logout_redirect_uri_regex_match(self):
        """Test regex URI matching redirects to flow"""
@@ -112,10 +92,7 @@ class TestEndSessionView(OAuthTestCase):
                "authentik_providers_oauth2:end-session",
                kwargs={"application_slug": self.app.slug},
            ),
-            {
-                "post_logout_redirect_uri": "https://app.example.com/logout",
-                "id_token_hint": self._id_token_hint(self.brand.domain),
-            },
+            {"post_logout_redirect_uri": "https://app.example.com/logout"},
            HTTP_HOST=self.brand.domain,
        )
        # Should redirect to the invalidation flow
@@ -123,7 +100,7 @@ class TestEndSessionView(OAuthTestCase):
        self.assertIn(self.invalidation_flow.slug, response.url)

    def test_post_logout_redirect_uri_regex_no_match(self):
-        """Test regex URI not matching returns an error and does not start logout flow."""
+        """Test regex URI not matching"""
        self.client.force_login(self.user)
        invalid_uri = "https://malicious.com/logout"
        response = self.client.get(
@@ -131,14 +108,12 @@ class TestEndSessionView(OAuthTestCase):
                "authentik_providers_oauth2:end-session",
                kwargs={"application_slug": self.app.slug},
            ),
-            {
-                "post_logout_redirect_uri": invalid_uri,
-                "id_token_hint": self._id_token_hint(self.brand.domain),
-            },
+            {"post_logout_redirect_uri": invalid_uri},
            HTTP_HOST=self.brand.domain,
        )
-        self.assertEqual(response.status_code, 400)
-        self.assertNotIn(invalid_uri, response.content.decode())
+        # Should still proceed to flow, but invalid URI should not be in response
+        self.assertEqual(response.status_code, 302)
+        self.assertNotIn(invalid_uri, response.url)

    def test_state_parameter_appended_to_uri(self):
        """Test state parameter is appended to validated redirect URI"""
@@ -148,7 +123,6 @@ class TestEndSessionView(OAuthTestCase):
            {
                "post_logout_redirect_uri": "http://testserver/logout",
                "state": "test-state-123",
-                "id_token_hint": self._id_token_hint("testserver"),
            },
        )
        request.user = self.user
@@ -158,7 +132,6 @@ class TestEndSessionView(OAuthTestCase):
        view.request = request
        view.kwargs = {"application_slug": self.app.slug}
        view.resolve_provider_application()
-        view.validate()

        self.assertIn("state=test-state-123", view.post_logout_redirect_uri)

@@ -173,7 +146,6 @@ class TestEndSessionView(OAuthTestCase):
            {
                "post_logout_redirect_uri": "http://testserver/logout",
                "state": "xyz789",
-                "id_token_hint": self._id_token_hint(self.brand.domain),
            },
            HTTP_HOST=self.brand.domain,
        )
--- a/authentik/providers/oauth2/views/end_session.py
+++ b/authentik/providers/oauth2/views/end_session.py
@@ -5,8 +5,6 @@ from urllib.parse import quote, urlparse

 from django.http import Http404, HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404
-from jwt import PyJWTError
-from jwt import decode as jwt_decode

 from authentik.common.oauth.constants import (
    FORBIDDEN_URI_SCHEMES,
@@ -23,14 +21,11 @@ from authentik.flows.planner import (
 from authentik.flows.stage import SessionEndStage
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.views import bad_request_message
-from authentik.policies.views import PolicyAccessView
+from authentik.policies.views import PolicyAccessView, RequestValidationError
 from authentik.providers.iframe_logout import IframeLogoutStageView
-from authentik.providers.oauth2.errors import TokenError
 from authentik.providers.oauth2.models import (
    AccessToken,
-    JWTAlgorithms,
    OAuth2LogoutMethod,
-    OAuth2Provider,
    RedirectURIMatchingMode,
 )
 from authentik.providers.oauth2.tasks import send_backchannel_logout_request
@@ -52,45 +47,21 @@ class EndSessionView(PolicyAccessView):
        if not self.flow:
            raise Http404

-    def validate(self):
        # Parse end session parameters
        query_dict = self.request.POST if self.request.method == "POST" else self.request.GET
        state = query_dict.get("state")
        request_redirect_uri = query_dict.get("post_logout_redirect_uri")
-        id_token_hint = query_dict.get("id_token_hint")
        self.post_logout_redirect_uri = None

-        # OIDC Certification: Verify id_token_hint. If invalid or missing, throw an error
-        if id_token_hint:
-            # Load a fresh provider instance that's not part of the flow
-            # since it'll have the cryptography Certificate that can't be pickled
-            provider = OAuth2Provider.objects.get(pk=self.provider.pk)
-            key, alg = provider.jwt_key
-            if alg != JWTAlgorithms.HS256:
-                key = provider.signing_key.public_key
-            try:
-                jwt_decode(
-                    id_token_hint,
-                    key,
-                    algorithms=[alg],
-                    audience=provider.client_id,
-                    issuer=provider.get_issuer(self.request),
-                    # ID Tokens are short-lived; a logout request arriving
-                    # after expiry is still legitimate and must succeed.
-                    options={"verify_exp": False},
-                )
-            except PyJWTError:
-                raise TokenError("invalid_request").with_cause(
-                    "id_token_hint_decode_failed"
-                ) from None
-
        # Validate post_logout_redirect_uri against registered URIs
        if request_redirect_uri:
-            # OIDC Certification: id_token_hint required with post_logout_redirect_uri
-            if not id_token_hint:
-                raise TokenError("invalid_request").with_cause("id_token_hint_missing")
            if urlparse(request_redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-                raise TokenError("invalid_request").with_cause("post_logout_redirect_uri")
+                raise RequestValidationError(
+                    bad_request_message(
+                        self.request,
+                        "Forbidden URI scheme in post_logout_redirect_uri",
+                    )
+                )
            for allowed in self.provider.post_logout_redirect_uris:
                if allowed.matching_mode == RedirectURIMatchingMode.STRICT:
                    if request_redirect_uri == allowed.url:
@@ -100,10 +71,6 @@ class EndSessionView(PolicyAccessView):
                    if fullmatch(allowed.url, request_redirect_uri):
                        self.post_logout_redirect_uri = request_redirect_uri
                        break
-            # OIDC Certification: OP MUST NOT perform post-logout redirection
-            # if the supplied URI does not exactly match a registered one
-            if self.post_logout_redirect_uri is None:
-                raise TokenError("invalid_request").with_cause("invalid_post_logout_redirect_uri")

        # Append state to the redirect URI if both are present
        if self.post_logout_redirect_uri and state:
@@ -124,43 +91,50 @@ class EndSessionView(PolicyAccessView):
                "<html><body>Logout successful</body></html>", content_type="text/html", status=200
            )

+        # Otherwise, continue with normal policy checks
        return super().dispatch(request, *args, **kwargs)

    def get(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Dispatch the flow planner for the invalidation flow"""
-        try:
-            self.validate()
-        except TokenError as exc:
-            return bad_request_message(
-                self.request,
-                exc.description,
-            )
        planner = FlowPlanner(self.flow)
        planner.allow_empty_flows = True

+        # Build flow context with logout parameters
        context = {
            PLAN_CONTEXT_APPLICATION: self.application,
        }

+        # Get session info for logout notifications and token invalidation
        auth_session = AuthenticatedSession.from_request(request, request.user)

+        # Add validated redirect URI (with state appended) to context if available
        if self.post_logout_redirect_uri:
            context[PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI] = self.post_logout_redirect_uri
-
+            # Invalidate tokens for this provider/session (RP-initiated logout:
+            # user stays logged into authentik, only this provider's tokens are revoked)
+            if request.user.is_authenticated and auth_session:
+                AccessToken.objects.filter(
+                    user=request.user,
+                    provider=self.provider,
+                    session=auth_session,
+                ).delete()
        session_key = (
            auth_session.session.session_key if auth_session and auth_session.session else None
        )

+        # Handle frontchannel logout
        frontchannel_logout_url = None
        if self.provider.logout_method == OAuth2LogoutMethod.FRONTCHANNEL:
            frontchannel_logout_url = build_frontchannel_logout_url(
                self.provider, request, session_key
            )

+        # Handle backchannel logout
        if (
            self.provider.logout_method == OAuth2LogoutMethod.BACKCHANNEL
            and self.provider.logout_uri
        ):
+            # Find access token to get iss and sub for the logout token
            access_token = AccessToken.objects.filter(
                user=request.user,
                provider=self.provider,
@@ -189,16 +163,9 @@ class EndSessionView(PolicyAccessView):
                }
            ]

-        access_tokens = AccessToken.objects.filter(
-            user=request.user,
-            provider=self.provider,
-        )
-        if auth_session:
-            access_tokens = access_tokens.filter(session=auth_session)
-        access_tokens.delete()
-
        plan = planner.plan(request, context)

+        # Inject iframe logout stage if frontchannel logout is configured
        if frontchannel_logout_url:
            plan.insert_stage(in_memory_stage(IframeLogoutStageView))

--- a/authentik/providers/rac/signals.py
+++ b/authentik/providers/rac/signals.py
@@ -1,5 +1,6 @@
 """RAC Signals"""

+from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.core.cache import cache
 from django.db.models.signals import post_delete, post_save, pre_delete
@@ -17,7 +18,7 @@ from authentik.providers.rac.models import ConnectionToken, Endpoint
@receiver(pre_delete, sender=AuthenticatedSession)
 def user_session_deleted(sender, instance: AuthenticatedSession, **_):
    layer = get_channel_layer()
-    layer.group_send_blocking(
+    async_to_sync(layer.group_send)(
        build_rac_client_group_session(instance.session.session_key),
        {"type": "event.disconnect", "reason": "session_logout"},
    )
@@ -27,7 +28,7 @@ def user_session_deleted(sender, instance: AuthenticatedSession, **_):
 def pre_delete_connection_token_disconnect(sender, instance: ConnectionToken, **_):
    """Disconnect session when connection token is deleted"""
    layer = get_channel_layer()
-    layer.group_send_blocking(
+    async_to_sync(layer.group_send)(
        build_rac_client_group_token(instance.token),
        {"type": "event.disconnect", "reason": "token_delete"},
    )
--- a/authentik/providers/saml/api/providers.py
+++ b/authentik/providers/saml/api/providers.py
@@ -61,11 +61,6 @@ class SAMLProviderSerializer(ProviderSerializer):
    url_download_metadata = SerializerMethodField()
    url_issuer = SerializerMethodField()

-    # Unified SAML endpoint (primary)
-    url_unified = SerializerMethodField()
-    url_unified_init = SerializerMethodField()
-
-    # Legacy endpoints (for backward compatibility)
    url_sso_post = SerializerMethodField()
    url_sso_redirect = SerializerMethodField()
    url_sso_init = SerializerMethodField()
@@ -102,21 +97,6 @@ class SAMLProviderSerializer(ProviderSerializer):
        if "request" not in self._context:
            return DEFAULT_ISSUER
        request: HttpRequest = self._context["request"]._request
-        try:
-            return request.build_absolute_uri(
-                reverse(
-                    "authentik_providers_saml:metadata-download",
-                    kwargs={"application_slug": instance.application.slug},
-                )
-            )
-        except Provider.application.RelatedObjectDoesNotExist:
-            return DEFAULT_ISSUER
-
-    def get_url_unified(self, instance: SAMLProvider) -> str:
-        """Get unified SAML endpoint URL (handles SSO and SLO)"""
-        if "request" not in self._context:
-            return ""
-        request: HttpRequest = self._context["request"]._request
        try:
            return request.build_absolute_uri(
                reverse(
@@ -125,22 +105,7 @@ class SAMLProviderSerializer(ProviderSerializer):
                )
            )
        except Provider.application.RelatedObjectDoesNotExist:
-            return "-"
-
-    def get_url_unified_init(self, instance: SAMLProvider) -> str:
-        """Get IdP-initiated SAML URL"""
-        if "request" not in self._context:
-            return ""
-        request: HttpRequest = self._context["request"]._request
-        try:
-            return request.build_absolute_uri(
-                reverse(
-                    "authentik_providers_saml:init",
-                    kwargs={"application_slug": instance.application.slug},
-                )
-            )
-        except Provider.application.RelatedObjectDoesNotExist:
-            return "-"
+            return DEFAULT_ISSUER

    def get_url_sso_post(self, instance: SAMLProvider) -> str:
        """Get SSO Post URL"""
@@ -278,8 +243,6 @@ class SAMLProviderSerializer(ProviderSerializer):
            "default_name_id_policy",
            "url_download_metadata",
            "url_issuer",
-            "url_unified",
-            "url_unified_init",
            "url_sso_post",
            "url_sso_redirect",
            "url_sso_init",
--- a/authentik/providers/saml/models.py
+++ b/authentik/providers/saml/models.py
@@ -241,7 +241,7 @@ class SAMLProvider(Provider):
        """Use IDP-Initiated SAML flow as launch URL"""
        try:
            return reverse(
-                "authentik_providers_saml:init",
+                "authentik_providers_saml:sso-init",
                kwargs={"application_slug": self.application.slug},
            )
        except Provider.application.RelatedObjectDoesNotExist:
--- a/authentik/providers/saml/processors/assertion.py
+++ b/authentik/providers/saml/processors/assertion.py
@@ -147,7 +147,7 @@ class AssertionProcessor:

        return self.http_request.build_absolute_uri(
            reverse(
-                "authentik_providers_saml:metadata-download",
+                "authentik_providers_saml:base",
                kwargs={"application_slug": self.provider.application.slug},
            )
        )
--- a/authentik/providers/saml/processors/metadata.py
+++ b/authentik/providers/saml/processors/metadata.py
@@ -48,7 +48,7 @@ class MetadataProcessor:

        return self.http_request.build_absolute_uri(
            reverse(
-                "authentik_providers_saml:metadata-download",
+                "authentik_providers_saml:base",
                kwargs={"application_slug": self.provider.application.slug},
            )
        )
@@ -81,35 +81,54 @@ class MetadataProcessor:
            element.text = name_id_format
            yield element

-    def _get_unified_url(self) -> str:
-        """Get the unified SAML endpoint URL"""
-        return self.http_request.build_absolute_uri(
-            reverse(
-                "authentik_providers_saml:base",
-                kwargs={"application_slug": self.provider.application.slug},
-            )
-        )
-
    def get_sso_bindings(self) -> Iterator[Element]:
-        """Get all SSO Bindings - both point to unified endpoint"""
-        unified_url = self._get_unified_url()
-        for binding in [SAML_BINDING_REDIRECT, SAML_BINDING_POST]:
+        """Get all Bindings supported"""
+        binding_url_map = {
+            (SAML_BINDING_REDIRECT, "SingleSignOnService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:sso-redirect",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+            (SAML_BINDING_POST, "SingleSignOnService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:sso-post",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+        }
+        for binding_svc, url in binding_url_map.items():
+            binding, svc = binding_svc
            if self.force_binding and self.force_binding != binding:
                continue
-            element = Element(f"{{{NS_SAML_METADATA}}}SingleSignOnService")
+            element = Element(f"{{{NS_SAML_METADATA}}}{svc}")
            element.attrib["Binding"] = binding
-            element.attrib["Location"] = unified_url
+            element.attrib["Location"] = url
            yield element

    def get_slo_bindings(self) -> Iterator[Element]:
-        """Get all SLO Bindings - both point to unified endpoint"""
-        unified_url = self._get_unified_url()
-        for binding in [SAML_BINDING_REDIRECT, SAML_BINDING_POST]:
+        """Get all Bindings supported"""
+        binding_url_map = {
+            (SAML_BINDING_REDIRECT, "SingleLogoutService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:slo-redirect",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+            (SAML_BINDING_POST, "SingleLogoutService"): self.http_request.build_absolute_uri(
+                reverse(
+                    "authentik_providers_saml:slo-post",
+                    kwargs={"application_slug": self.provider.application.slug},
+                )
+            ),
+        }
+        for binding_svc, url in binding_url_map.items():
+            binding, svc = binding_svc
            if self.force_binding and self.force_binding != binding:
                continue
-            element = Element(f"{{{NS_SAML_METADATA}}}SingleLogoutService")
+            element = Element(f"{{{NS_SAML_METADATA}}}{svc}")
            element.attrib["Binding"] = binding
-            element.attrib["Location"] = unified_url
+            element.attrib["Location"] = url
            yield element

    def _prepare_signature(self, entity_descriptor: _Element):
--- a/authentik/providers/saml/urls.py
+++ b/authentik/providers/saml/urls.py
@@ -4,26 +4,19 @@ from django.urls import path

 from authentik.providers.saml.api.property_mappings import SAMLPropertyMappingViewSet
 from authentik.providers.saml.api.providers import SAMLProviderViewSet
-from authentik.providers.saml.views import metadata, sso, unified
+from authentik.providers.saml.views import metadata, sso
 from authentik.providers.saml.views.sp_slo import (
    SPInitiatedSLOBindingPOSTView,
    SPInitiatedSLOBindingRedirectView,
 )

 urlpatterns = [
-    # Unified Endpoint - handles SSO and SLO based on message type
+    # Base path for Issuer/Entity ID
    path(
        "<slug:application_slug>/",
-        unified.SAMLUnifiedView.as_view(),
+        sso.SAMLSSOBindingRedirectView.as_view(),
        name="base",
    ),
-    # IdP-initiated
-    path(
-        "<slug:application_slug>/init/",
-        sso.SAMLSSOBindingInitView.as_view(),
-        name="init",
-    ),
-    # LEGACY Endpoints (backward compatibility)
    # SSO Bindings
    path(
        "<slug:application_slug>/sso/binding/redirect/",
--- a/authentik/providers/saml/views/unified.py
+++ b/authentik/providers/saml/views/unified.py
@@ -1,118 +0,0 @@
-"""Unified SAML endpoint - handles SSO and SLO based on message type"""
-
-from base64 import b64decode
-
-from defusedxml.lxml import fromstring
-from django.http import HttpRequest, HttpResponse
-from django.utils.decorators import method_decorator
-from django.views import View
-from django.views.decorators.clickjacking import xframe_options_sameorigin
-from django.views.decorators.csrf import csrf_exempt
-from structlog.stdlib import get_logger
-
-from authentik.common.saml.constants import NS_MAP
-from authentik.flows.views.executor import SESSION_KEY_POST
-from authentik.lib.views import bad_request_message
-from authentik.providers.saml.utils.encoding import decode_base64_and_inflate
-from authentik.providers.saml.views.flows import (
-    REQUEST_KEY_SAML_REQUEST,
-    REQUEST_KEY_SAML_RESPONSE,
-)
-from authentik.providers.saml.views.sp_slo import (
-    SPInitiatedSLOBindingPOSTView,
-    SPInitiatedSLOBindingRedirectView,
-)
-from authentik.providers.saml.views.sso import (
-    SAMLSSOBindingPOSTView,
-    SAMLSSOBindingRedirectView,
-)
-
-LOGGER = get_logger()
-
-# SAML message type constants
-SAML_MESSAGE_TYPE_AUTHN_REQUEST = "AuthnRequest"
-SAML_MESSAGE_TYPE_LOGOUT_REQUEST = "LogoutRequest"
-
-
-def detect_saml_message_type(saml_request: str, is_post_binding: bool) -> str | None:
-    """Parse SAML request to determine if AuthnRequest or LogoutRequest."""
-    try:
-        if is_post_binding:
-            decoded_xml = b64decode(saml_request.encode())
-        else:
-            decoded_xml = decode_base64_and_inflate(saml_request)
-
-        root = fromstring(decoded_xml)
-        if len(root.xpath("//samlp:AuthnRequest", namespaces=NS_MAP)):
-            return SAML_MESSAGE_TYPE_AUTHN_REQUEST
-        if len(root.xpath("//samlp:LogoutRequest", namespaces=NS_MAP)):
-            return SAML_MESSAGE_TYPE_LOGOUT_REQUEST
-        return None
-    except Exception:  # noqa: BLE001
-        return None
-
-
-@method_decorator(xframe_options_sameorigin, name="dispatch")
-@method_decorator(csrf_exempt, name="dispatch")
-class SAMLUnifiedView(View):
-    """Unified SAML endpoint - handles SSO and SLO based on message type.
-
-    The operation type is determined by parsing
-    the incoming SAML message:
-    - AuthnRequest -> SSO flow (delegates to SAMLSSOBindingRedirectView/POSTView)
-    - LogoutRequest -> SLO flow (delegates to SPInitiatedSLOBindingRedirectView/POSTView)
-    - LogoutResponse -> SLO completion (delegates to SPInitiatedSLOBindingRedirectView/POSTView)
-    """
-
-    def dispatch(self, request: HttpRequest, application_slug: str) -> HttpResponse:
-        """Route the request based on SAML message type."""
-        # ak user was not logged in, redirected to login, and is back w POST payload in session
-        if SESSION_KEY_POST in request.session:
-            return self._delegate_to_sso(request, application_slug, is_post_binding=True)
-
-        # Determine binding from HTTP method
-        is_post_binding = request.method == "POST"
-        data = request.POST if is_post_binding else request.GET
-
-        # LogoutResponse - delegate to SLO view (handles it in dispatch)
-        if REQUEST_KEY_SAML_RESPONSE in data:
-            return self._delegate_to_slo(request, application_slug, is_post_binding)
-
-        # Check for SAML request
-        if REQUEST_KEY_SAML_REQUEST not in data:
-            LOGGER.info("SAML payload missing")
-            return bad_request_message(request, "The SAML request payload is missing.")
-
-        # Detect message type and delegate
-        saml_request = data[REQUEST_KEY_SAML_REQUEST]
-        message_type = detect_saml_message_type(saml_request, is_post_binding)
-
-        if message_type == SAML_MESSAGE_TYPE_AUTHN_REQUEST:
-            return self._delegate_to_sso(request, application_slug, is_post_binding)
-        elif message_type == SAML_MESSAGE_TYPE_LOGOUT_REQUEST:
-            return self._delegate_to_slo(request, application_slug, is_post_binding)
-        else:
-            LOGGER.warning("Unknown SAML message type", message_type=message_type)
-            return bad_request_message(
-                request, f"Unsupported SAML message type: {message_type or 'unknown'}"
-            )
-
-    def _delegate_to_sso(
-        self, request: HttpRequest, application_slug: str, is_post_binding: bool
-    ) -> HttpResponse:
-        """Delegate to the appropriate SSO view."""
-        if is_post_binding:
-            view = SAMLSSOBindingPOSTView.as_view()
-        else:
-            view = SAMLSSOBindingRedirectView.as_view()
-        return view(request, application_slug=application_slug)
-
-    def _delegate_to_slo(
-        self, request: HttpRequest, application_slug: str, is_post_binding: bool
-    ) -> HttpResponse:
-        """Delegate to the appropriate SLO view."""
-        if is_post_binding:
-            view = SPInitiatedSLOBindingPOSTView.as_view()
-        else:
-            view = SPInitiatedSLOBindingRedirectView.as_view()
-        return view(request, application_slug=application_slug)
--- a/authentik/rbac/migrations/0010_remove_role_group_alter_role_name.py
+++ b/authentik/rbac/migrations/0010_remove_role_group_alter_role_name.py
@@ -6,7 +6,6 @@ from django.db import migrations, models
 class Migration(migrations.Migration):

    dependencies = [
-        ("authentik_core", "0056_user_roles"),  # must run before group field is removed
        ("authentik_rbac", "0009_remove_initialpermissions_mode"),
    ]

--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -187,7 +187,6 @@ SPECTACULAR_SETTINGS = {
        "PolicyEngineMode": "authentik.policies.models.PolicyEngineMode",
        "PromptTypeEnum": "authentik.stages.prompt.models.FieldTypes",
        "ProxyMode": "authentik.providers.proxy.models.ProxyMode",
-        "RedirectURITypeEnum": "authentik.providers.oauth2.models.RedirectURIType",
        "SAMLBindingsEnum": "authentik.providers.saml.models.SAMLBindings",
        "SAMLLogoutMethods": "authentik.providers.saml.models.SAMLLogoutMethods",
        "SAMLNameIDPolicyEnum": "authentik.sources.saml.models.SAMLNameIDPolicy",
@@ -221,7 +220,7 @@ REST_FRAMEWORK = {
        "authentik.api.search.ql.QLSearch",
        "authentik.rbac.filters.ObjectFilter",
        "django_filters.rest_framework.DjangoFilterBackend",
-        "authentik.api.ordering.NullsAwareOrderingFilter",
+        "rest_framework.filters.OrderingFilter",
    ],
    "DEFAULT_PERMISSION_CLASSES": ("authentik.rbac.permissions.ObjectPermissions",),
    "DEFAULT_AUTHENTICATION_CLASSES": (
--- a/authentik/stages/authenticator/models.py
+++ b/authentik/stages/authenticator/models.py
@@ -389,19 +389,17 @@ class ThrottlingMixin(models.Model):
        """Check if throttling is enabled"""
        return self.get_throttle_factor() > 0

-    def get_throttle_factor(self) -> float:  # pragma: no cover
+    def get_throttle_factor(self):  # pragma: no cover
        """
-        Returns the throttling factor.
-        """
-        return getattr(self, "_throttle_factor", 1.0)
-
-    def set_throttle_factor(self, throttle_factor: float) -> None:
-        """
-        Sets the throttle factor to use. Call this to override the default value of 1.
+        This must be implemented to return the throttle factor.

        The number of seconds required between verification attempts will be
        :math:`c2^{n-1}` where `c` is this factor and `n` is the number of
        previous failures. A factor of 1 translates to delays of 1, 2, 4, 8,
        etc. seconds. A factor of 0 disables the throttling.
+
+        Normally this is just a wrapper for a plugin-specific setting like
+        :setting:`OTP_EMAIL_THROTTLE_FACTOR`.
+
        """
-        self._throttle_factor = throttle_factor
+        raise NotImplementedError()
--- a/authentik/stages/authenticator/tests.py
+++ b/authentik/stages/authenticator/tests.py
@@ -6,6 +6,7 @@ from threading import Thread
 from django.contrib.auth.models import AnonymousUser
 from django.db import connection
 from django.test import TestCase, TransactionTestCase
+from django.test.utils import override_settings
 from django.utils import timezone
 from freezegun import freeze_time

@@ -109,24 +110,8 @@ class ThrottlingTestMixin:
            self.assertEqual(verify_is_allowed3, True)
            self.assertEqual(data3, None)

-    def test_set_throttle_factor_is_reflected(self):
-        """`set_throttle_factor` must drive `get_throttle_factor`."""
-        self.device.set_throttle_factor(5.5)
-        self.assertEqual(self.device.get_throttle_factor(), 5.5)
-        self.device.set_throttle_factor(0)
-        self.assertEqual(self.device.get_throttle_factor(), 0)
-
-    def test_throttling_disabled_by_factor_zero(self):
-        """Setting the throttle factor to 0 must actually disable throttling.
-
-        A failed attempt followed by a successful one must succeed. The lockout
-        path must not kick in when the factor is 0.
-        """
-        self.device.set_throttle_factor(0)
-        self.assertFalse(self.device.verify_token(self.invalid_token()))
-        self.assertTrue(self.device.verify_token(self.valid_token()))
-

+@override_settings(OTP_STATIC_THROTTLE_FACTOR=0)
 class APITestCase(TestCase):
    """Test API"""

@@ -134,7 +119,6 @@ class APITestCase(TestCase):
        self.alice = create_test_admin_user("alice")
        self.bob = create_test_admin_user("bob")
        device = self.alice.staticdevice_set.create()
-        device.set_throttle_factor(0)
        self.valid = generate_id(length=16)
        device.token_set.create(token=self.valid)

@@ -154,8 +138,6 @@ class APITestCase(TestCase):
        verified = verify_token(self.alice, device.persistent_id, "bogus")
        self.assertIsNone(verified)

-        self.alice.staticdevice_set.get().throttle_reset()
-
        verified = verify_token(self.alice, device.persistent_id, self.valid)
        self.assertIsNotNone(verified)

@@ -164,12 +146,11 @@ class APITestCase(TestCase):
        verified = match_token(self.alice, "bogus")
        self.assertIsNone(verified)

-        self.alice.staticdevice_set.get().throttle_reset()
-
        verified = match_token(self.alice, self.valid)
        self.assertEqual(verified, self.alice.staticdevice_set.first())


+@override_settings(OTP_STATIC_THROTTLE_FACTOR=0)
 class ConcurrencyTestCase(TransactionTestCase):
    """Test concurrent verifications"""

--- a/authentik/stages/authenticator_email/migrations/0003_emaildevice_throttling_failure_count_and_more.py
+++ b/authentik/stages/authenticator_email/migrations/0003_emaildevice_throttling_failure_count_and_more.py
@@ -1,33 +0,0 @@
-# Generated by Django 5.2.12 on 2026-04-02 15:14
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        (
-            "authentik_stages_authenticator_email",
-            "0002_alter_authenticatoremailstage_friendly_name",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="emaildevice",
-            name="throttling_failure_count",
-            field=models.PositiveIntegerField(
-                default=0, help_text="Number of successive failed attempts."
-            ),
-        ),
-        migrations.AddField(
-            model_name="emaildevice",
-            name="throttling_failure_timestamp",
-            field=models.DateTimeField(
-                blank=True,
-                default=None,
-                help_text="A timestamp of the last failed verification attempt. Null if last attempt succeeded.",
-                null=True,
-            ),
-        ),
-    ]
--- a/authentik/stages/authenticator_email/models.py
+++ b/authentik/stages/authenticator_email/models.py
@@ -14,7 +14,7 @@ from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.lib.config import CONFIG
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.time import timedelta_string_validator
-from authentik.stages.authenticator.models import SideChannelDevice, ThrottlingMixin
+from authentik.stages.authenticator.models import SideChannelDevice
 from authentik.stages.email.models import EmailTemplates
 from authentik.stages.email.utils import TemplateEmailMessage

@@ -116,7 +116,7 @@ class AuthenticatorEmailStage(ConfigurableStage, FriendlyNamedStage, Stage):
        verbose_name_plural = _("Email Authenticator Setup Stages")


-class EmailDevice(SerializerModel, ThrottlingMixin, SideChannelDevice):
+class EmailDevice(SerializerModel, SideChannelDevice):
    """Email Device"""

    user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
@@ -130,20 +130,6 @@ class EmailDevice(SerializerModel, ThrottlingMixin, SideChannelDevice):

        return EmailDeviceSerializer

-    def verify_token(self, token: str) -> bool:
-        verify_allowed, _ = self.verify_is_allowed()
-        if verify_allowed:
-            verified = super().verify_token(token)
-
-            if verified:
-                self.throttle_reset()
-            else:
-                self.throttle_increment()
-        else:
-            verified = False
-
-        return verified
-
    def _compose_email(self) -> TemplateEmailMessage:
        try:
            pending_user = self.user
--- a/authentik/stages/authenticator_email/tests.py
+++ b/authentik/stages/authenticator_email/tests.py
@@ -8,7 +8,6 @@ from django.core.mail.backends.locmem import EmailBackend
 from django.core.mail.backends.smtp import EmailBackend as SMTPEmailBackend
 from django.db.utils import IntegrityError
 from django.template.exceptions import TemplateDoesNotExist
-from django.test import TestCase
 from django.urls import reverse
 from django.utils.timezone import now

@@ -17,7 +16,6 @@ from authentik.flows.models import FlowStageBinding
 from authentik.flows.tests import FlowTestCase
 from authentik.lib.config import CONFIG
 from authentik.lib.utils.email import mask_email
-from authentik.stages.authenticator.tests import ThrottlingTestMixin
 from authentik.stages.authenticator_email.api import (
    AuthenticatorEmailStageSerializer,
    EmailDeviceSerializer,
@@ -81,7 +79,6 @@ class TestAuthenticatorEmailStage(FlowTestCase):
        self.assertFalse(self.device.verify_token("000000"))

        # Verify correct token (should clear token after verification)
-        self.device.throttle_reset(commit=False)
        self.assertTrue(self.device.verify_token(token))
        self.assertIsNone(self.device.token)

@@ -332,27 +329,3 @@ class TestAuthenticatorEmailStage(FlowTestCase):
        # Test AuthenticatorEmailStage send method
        self.stage.send(self.device)
        self.assertEqual(len(mail.outbox), 1)
-
-
-class TestEmailDeviceThrottling(ThrottlingTestMixin, TestCase):
-    def setUp(self):
-        super().setUp()
-        flow = create_test_flow()
-        user = create_test_user()
-        stage = AuthenticatorEmailStage.objects.create(
-            name="email-authenticator-throttle",
-            use_global_settings=True,
-            from_address="test@authentik.local",
-            configure_flow=flow,
-            token_expiry="minutes=30",
-        )  # nosec
-        self.device = EmailDevice.objects.create(
-            user=user, stage=stage, email="throttle@authentik.local"
-        )
-        self.device.generate_token()
-
-    def valid_token(self):
-        return self.device.token
-
-    def invalid_token(self):
-        return "000000" if self.device.token != "000000" else "111111"
--- a/authentik/stages/authenticator_sms/migrations/0009_smsdevice_throttling_failure_count_and_more.py
+++ b/authentik/stages/authenticator_sms/migrations/0009_smsdevice_throttling_failure_count_and_more.py
@@ -1,30 +0,0 @@
-# Generated by Django 5.2.12 on 2026-04-16 17:28
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_stages_authenticator_sms", "0008_alter_authenticatorsmsstage_friendly_name"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="smsdevice",
-            name="throttling_failure_count",
-            field=models.PositiveIntegerField(
-                default=0, help_text="Number of successive failed attempts."
-            ),
-        ),
-        migrations.AddField(
-            model_name="smsdevice",
-            name="throttling_failure_timestamp",
-            field=models.DateTimeField(
-                blank=True,
-                default=None,
-                help_text="A timestamp of the last failed verification attempt. Null if last attempt succeeded.",
-                null=True,
-            ),
-        ),
-    ]
--- a/authentik/stages/authenticator_sms/models.py
+++ b/authentik/stages/authenticator_sms/models.py
@@ -20,7 +20,7 @@ from authentik.events.utils import sanitize_item
 from authentik.flows.models import ConfigurableStage, FriendlyNamedStage, Stage
 from authentik.lib.models import SerializerModel
 from authentik.lib.utils.http import get_http_session
-from authentik.stages.authenticator.models import SideChannelDevice, ThrottlingMixin
+from authentik.stages.authenticator.models import SideChannelDevice

 LOGGER = get_logger()

@@ -197,7 +197,7 @@ def hash_phone_number(phone_number: str) -> str:
    return "hash:" + sha256(phone_number.encode()).hexdigest()


-class SMSDevice(SerializerModel, ThrottlingMixin, SideChannelDevice):
+class SMSDevice(SerializerModel, SideChannelDevice):
    """SMS Device"""

    user = models.ForeignKey(get_user_model(), on_delete=models.CASCADE)
@@ -224,19 +224,11 @@ class SMSDevice(SerializerModel, ThrottlingMixin, SideChannelDevice):

        return SMSDeviceSerializer

-    def verify_token(self, token: str) -> bool:
-        verify_allowed, _ = self.verify_is_allowed()
-        if verify_allowed:
-            verified = super().verify_token(token)
-
-            if verified:
-                self.throttle_reset()
-            else:
-                self.throttle_increment()
-        else:
-            verified = False
-
-        return verified
+    def verify_token(self, token):
+        valid = super().verify_token(token)
+        if valid:
+            self.save()
+        return valid

    def __str__(self):
        return str(self.name) or str(self.user_id)
--- a/authentik/stages/authenticator_sms/tests.py
+++ b/authentik/stages/authenticator_sms/tests.py
@@ -3,7 +3,6 @@
 from unittest.mock import MagicMock, patch
 from urllib.parse import parse_qsl

-from django.test import TestCase
 from django.urls import reverse
 from requests_mock import Mocker

@@ -13,7 +12,6 @@ from authentik.flows.planner import FlowPlan
 from authentik.flows.tests import FlowTestCase
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
-from authentik.stages.authenticator.tests import ThrottlingTestMixin
 from authentik.stages.authenticator_sms.models import (
    AuthenticatorSMSStage,
    SMSDevice,
@@ -359,30 +357,3 @@ class AuthenticatorSMSStageTests(FlowTestCase):
            },
            phone_number_required=False,
        )
-
-
-class TestSMSDeviceThrottling(ThrottlingTestMixin, TestCase):
-    """Test ThrottlingMixin behaviour on SMSDevice.verify_token"""
-
-    def setUp(self):
-        super().setUp()
-        flow = create_test_flow()
-        user = create_test_admin_user()
-        stage = AuthenticatorSMSStage.objects.create(
-            flow=flow,
-            name="sms-throttle",
-            provider=SMSProviders.GENERIC,
-            from_number="1234",
-        )
-        self.device = SMSDevice.objects.create(
-            user=user,
-            stage=stage,
-            phone_number="+15551230001",
-        )
-        self.device.generate_token()
-
-    def valid_token(self):
-        return self.device.token
-
-    def invalid_token(self):
-        return "000000" if self.device.token != "000000" else "111111"
--- a/authentik/stages/authenticator_static/models.py
+++ b/authentik/stages/authenticator_static/models.py
@@ -3,6 +3,7 @@
 from base64 import b32encode
 from os import urandom

+from django.conf import settings
 from django.core.validators import MaxValueValidator
 from django.db import models
 from django.utils.translation import gettext_lazy as _
@@ -77,6 +78,9 @@ class StaticDevice(SerializerModel, ThrottlingMixin, Device):

        return StaticDeviceSerializer

+    def get_throttle_factor(self):
+        return getattr(settings, "OTP_STATIC_THROTTLE_FACTOR", 1)
+
    def verify_token(self, token):
        verify_allowed, _ = self.verify_is_allowed()
        if verify_allowed:
--- a/authentik/stages/authenticator_static/tests.py
+++ b/authentik/stages/authenticator_static/tests.py
@@ -1,5 +1,6 @@
 """Test Static API"""

+from django.test.utils import override_settings
 from django.urls import reverse
 from rest_framework.test import APITestCase

@@ -43,6 +44,9 @@ class DeviceTest(TestCase):
        str(device)


+@override_settings(
+    OTP_STATIC_THROTTLE_FACTOR=1,
+)
 class ThrottlingTestCase(ThrottlingTestMixin, TestCase):
    """Test static device throttling"""

--- a/authentik/stages/authenticator_totp/models.py
+++ b/authentik/stages/authenticator_totp/models.py
@@ -194,6 +194,9 @@ class TOTPDevice(SerializerModel, ThrottlingMixin, Device):

        return verified

+    def get_throttle_factor(self):
+        return getattr(settings, "OTP_TOTP_THROTTLE_FACTOR", 1)
+
    @property
    def config_url(self):
        """
--- a/authentik/stages/authenticator_totp/tests.py
+++ b/authentik/stages/authenticator_totp/tests.py
@@ -63,14 +63,11 @@ class TOTPDeviceMixin:

@override_settings(
    OTP_TOTP_SYNC=False,
+    OTP_TOTP_THROTTLE_FACTOR=0,
 )
 class TOTPTest(TOTPDeviceMixin, TestCase):
    """TOTP tests"""

-    def setUp(self):
-        super().setUp()
-        self.device.set_throttle_factor(0)
-
    def test_default_key(self):
        """Ensure default_key is valid"""
        device = self.alice.totpdevice_set.create()
@@ -193,6 +190,9 @@ class TOTPTest(TOTPDeviceMixin, TestCase):
        self.assertEqual(params["image"][0], image_url)


+@override_settings(
+    OTP_TOTP_THROTTLE_FACTOR=1,
+)
 class ThrottlingTestCase(TOTPDeviceMixin, ThrottlingTestMixin, TestCase):
    """Test TOTP Throttling"""

--- a/authentik/stages/authenticator_validate/api.py
+++ b/authentik/stages/authenticator_validate/api.py
@@ -39,10 +39,6 @@ class AuthenticatorValidateStageSerializer(StageSerializer):
            "webauthn_hints",
            "webauthn_allowed_device_types",
            "webauthn_allowed_device_types_obj",
-            "email_otp_throttling_factor",
-            "sms_otp_throttling_factor",
-            "totp_otp_throttling_factor",
-            "static_otp_throttling_factor",
        ]


--- a/authentik/stages/authenticator_validate/challenge.py
+++ b/authentik/stages/authenticator_validate/challenge.py
@@ -3,7 +3,6 @@
 from typing import TYPE_CHECKING
 from urllib.parse import urlencode

-from django.db import transaction
 from django.http import HttpRequest
 from django.http.response import Http404
 from django.shortcuts import get_object_or_404
@@ -30,8 +29,8 @@ from authentik.flows.stage import StageView
 from authentik.lib.utils.email import mask_email
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.root.middleware import ClientIPMiddleware
-from authentik.stages.authenticator import devices_for_user
-from authentik.stages.authenticator.models import Device, ThrottlingMixin
+from authentik.stages.authenticator import match_token
+from authentik.stages.authenticator.models import Device
 from authentik.stages.authenticator_duo.models import AuthenticatorDuoStage, DuoDevice
 from authentik.stages.authenticator_email.models import EmailDevice
 from authentik.stages.authenticator_sms.models import SMSDevice
@@ -144,20 +143,7 @@ def select_challenge_email(request: HttpRequest, device: EmailDevice):
 def validate_challenge_code(code: str, stage_view: StageView, user: User) -> Device:
    """Validate code-based challenges. We test against every device, on purpose, as
    the user mustn't choose between totp and static devices."""
-
-    with transaction.atomic():
-        for device in devices_for_user(user, for_verify=True):
-            if isinstance(device, ThrottlingMixin):
-                throttling_factor = stage_view.executor.current_stage.get_throttling_factor(
-                    DeviceClasses.from_model_label(device.model_label())
-                )
-                if throttling_factor is not None:
-                    device.set_throttle_factor(throttling_factor)
-            if device.verify_token(code):
-                break
-        else:
-            device = None
-
+    device = match_token(user, code)
    if not device:
        login_failed.send(
            sender=__name__,
--- a/authentik/stages/authenticator_validate/migrations/0016_authenticatorvalidatestage_email_otp_throttling_factor_and_more.py
+++ b/authentik/stages/authenticator_validate/migrations/0016_authenticatorvalidatestage_email_otp_throttling_factor_and_more.py
@@ -1,36 +0,0 @@
-# Generated by Django 5.2.12 on 2026-04-16 16:33
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        (
-            "authentik_stages_authenticator_validate",
-            "0015_authenticatorvalidatestage_webauthn_hints",
-        ),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="authenticatorvalidatestage",
-            name="email_otp_throttling_factor",
-            field=models.FloatField(default=1),
-        ),
-        migrations.AddField(
-            model_name="authenticatorvalidatestage",
-            name="sms_otp_throttling_factor",
-            field=models.FloatField(default=1),
-        ),
-        migrations.AddField(
-            model_name="authenticatorvalidatestage",
-            name="static_otp_throttling_factor",
-            field=models.FloatField(default=1),
-        ),
-        migrations.AddField(
-            model_name="authenticatorvalidatestage",
-            name="totp_otp_throttling_factor",
-            field=models.FloatField(default=1),
-        ),
-    ]
--- a/authentik/stages/authenticator_validate/models.py
+++ b/authentik/stages/authenticator_validate/models.py
@@ -22,12 +22,6 @@ class DeviceClasses(models.TextChoices):
    SMS = "sms", _("SMS")
    EMAIL = "email", _("Email")

-    @staticmethod
-    def from_model_label(model_label: str) -> DeviceClasses:
-        return getattr(
-            DeviceClasses, model_label.rsplit(".", maxsplit=1)[-1][: -len("device")].upper()
-        )
-

 def default_device_classes() -> list:
    """By default, accept all device classes"""
@@ -88,11 +82,6 @@ class AuthenticatorValidateStage(Stage):
        "authentik_stages_authenticator_webauthn.WebAuthnDeviceType", blank=True
    )

-    email_otp_throttling_factor = models.FloatField(default=1)
-    sms_otp_throttling_factor = models.FloatField(default=1)
-    totp_otp_throttling_factor = models.FloatField(default=1)
-    static_otp_throttling_factor = models.FloatField(default=1)
-
    @property
    def serializer(self) -> type[BaseSerializer]:
        from authentik.stages.authenticator_validate.api import AuthenticatorValidateStageSerializer
@@ -109,17 +98,6 @@ class AuthenticatorValidateStage(Stage):
    def component(self) -> str:
        return "ak-stage-authenticator-validate-form"

-    def get_throttling_factor(self, device_class: DeviceClasses) -> float | None:
-        if device_class == DeviceClasses.EMAIL:
-            return self.email_otp_throttling_factor
-        elif device_class == DeviceClasses.SMS:
-            return self.sms_otp_throttling_factor
-        elif device_class == DeviceClasses.TOTP:
-            return self.totp_otp_throttling_factor
-        elif device_class == DeviceClasses.STATIC:
-            return self.static_otp_throttling_factor
-        return None
-
    class Meta:
        verbose_name = _("Authenticator Validation Stage")
        verbose_name_plural = _("Authenticator Validation Stages")
--- a/authentik/stages/authenticator_validate/tests/test_throttling.py
+++ b/authentik/stages/authenticator_validate/tests/test_throttling.py
@@ -1,247 +0,0 @@
-from django.test import TestCase
-from django.test.client import RequestFactory
-from django.urls.base import reverse
-from rest_framework.exceptions import ValidationError
-
-from authentik.core.tests.utils import create_test_admin_user, create_test_flow
-from authentik.flows.models import FlowStageBinding
-from authentik.flows.stage import StageView
-from authentik.flows.tests import FlowTestCase
-from authentik.flows.views.executor import FlowExecutorView
-from authentik.lib.generators import generate_id
-from authentik.stages.authenticator_email.models import AuthenticatorEmailStage, EmailDevice
-from authentik.stages.authenticator_sms.models import (
-    AuthenticatorSMSStage,
-    SMSDevice,
-    SMSProviders,
-)
-from authentik.stages.authenticator_validate.challenge import validate_challenge_code
-from authentik.stages.authenticator_validate.models import (
-    AuthenticatorValidateStage,
-    DeviceClasses,
-)
-from authentik.stages.identification.models import IdentificationStage, UserFields
-
-
-class DeviceClassesHelperTests(TestCase):
-    """Tests for the DeviceClasses.from_model_label helper."""
-
-    def test_from_model_label_all_classes(self):
-        cases = {
-            "authentik_stages_authenticator_email.emaildevice": DeviceClasses.EMAIL,
-            "authentik_stages_authenticator_sms.smsdevice": DeviceClasses.SMS,
-            "authentik_stages_authenticator_totp.totpdevice": DeviceClasses.TOTP,
-            "authentik_stages_authenticator_static.staticdevice": DeviceClasses.STATIC,
-            "authentik_stages_authenticator_duo.duodevice": DeviceClasses.DUO,
-            "authentik_stages_authenticator_webauthn.webauthndevice": DeviceClasses.WEBAUTHN,
-        }
-        for label, expected in cases.items():
-            with self.subTest(label=label):
-                self.assertEqual(DeviceClasses.from_model_label(label), expected)
-
-
-class AuthenticatorValidateStageFactorTests(TestCase):
-    """Tests for AuthenticatorValidateStage.get_throttling_factor."""
-
-    def test_per_class_factors_returned(self):
-        stage = AuthenticatorValidateStage.objects.create(
-            name=generate_id(),
-            email_otp_throttling_factor=5,
-            sms_otp_throttling_factor=6,
-            totp_otp_throttling_factor=7,
-            static_otp_throttling_factor=8,
-        )
-        self.assertEqual(stage.get_throttling_factor(DeviceClasses.EMAIL), 5)
-        self.assertEqual(stage.get_throttling_factor(DeviceClasses.SMS), 6)
-        self.assertEqual(stage.get_throttling_factor(DeviceClasses.TOTP), 7)
-        self.assertEqual(stage.get_throttling_factor(DeviceClasses.STATIC), 8)
-
-    def test_no_factor_for_webauthn_or_duo(self):
-        stage = AuthenticatorValidateStage.objects.create(name=generate_id())
-        self.assertIsNone(stage.get_throttling_factor(DeviceClasses.WEBAUTHN))
-        self.assertIsNone(stage.get_throttling_factor(DeviceClasses.DUO))
-
-
-class ValidateChallengeCodeThrottlingTests(FlowTestCase):
-    """Tests for validate_challenge_code throttling behavior."""
-
-    def setUp(self) -> None:
-        super().setUp()
-        self.user = create_test_admin_user()
-        self.request_factory = RequestFactory()
-        self.email_stage = AuthenticatorEmailStage.objects.create(
-            name="email-stage-validate-throttle",
-            use_global_settings=True,
-            from_address="test@authentik.local",
-            token_expiry="minutes=30",
-        )  # nosec
-        self.sms_stage = AuthenticatorSMSStage.objects.create(
-            name="sms-stage-validate-throttle",
-            provider=SMSProviders.GENERIC,
-            from_number="1234",
-        )
-
-    def _validate_stage(self, **factors) -> AuthenticatorValidateStage:
-        return AuthenticatorValidateStage.objects.create(
-            name=generate_id(),
-            device_classes=[
-                DeviceClasses.EMAIL,
-                DeviceClasses.SMS,
-                DeviceClasses.TOTP,
-                DeviceClasses.STATIC,
-            ],
-            **factors,
-        )
-
-    def _stage_view(self, validate_stage: AuthenticatorValidateStage) -> StageView:
-        request = self.request_factory.get("/")
-        return StageView(FlowExecutorView(current_stage=validate_stage), request=request)
-
-    def _email_device(self, email: str = "throttle@authentik.local") -> EmailDevice:
-        return EmailDevice.objects.create(
-            user=self.user,
-            stage=self.email_stage,
-            confirmed=True,
-            email=email,
-        )
-
-    def _sms_device(self, phone_number: str = "+15551230101") -> SMSDevice:
-        return SMSDevice.objects.create(
-            user=self.user,
-            stage=self.sms_stage,
-            confirmed=True,
-            phone_number=phone_number,
-        )
-
-    def test_stage_factor_applied_to_email_device(self):
-        """The stage's email_otp_throttling_factor is pushed onto the device before verify."""
-        stage = self._validate_stage(email_otp_throttling_factor=3)
-        device = self._email_device()
-        device.generate_token()
-        with self.assertRaises(ValidationError):
-            validate_challenge_code("000000", self._stage_view(stage), self.user)
-        device.refresh_from_db()
-        self.assertEqual(device.throttling_failure_count, 1)
-        # verify_is_allowed must compute the delay using factor=3 (3 * 2^0 = 3s).
-        device.set_throttle_factor(3)
-        allowed, data = device.verify_is_allowed()
-        self.assertFalse(allowed)
-        required = data["locked_until"] - device.throttling_failure_timestamp
-        self.assertAlmostEqual(required.total_seconds(), 3, places=3)
-
-    def test_factor_zero_disables_throttling_end_to_end(self):
-        """With email_otp_throttling_factor=0, repeated failures do not lock the device."""
-        stage = self._validate_stage(email_otp_throttling_factor=0)
-        device = self._email_device()
-        device.generate_token()
-        token = device.token
-        for _ in range(10):
-            with self.assertRaises(ValidationError):
-                validate_challenge_code("000000", self._stage_view(stage), self.user)
-        matched = validate_challenge_code(token, self._stage_view(stage), self.user)
-        self.assertEqual(matched.pk, device.pk)
-
-    def test_lockout_persists_across_calls(self):
-        """
-        A correct token on the second call is still blocked and does not increment the counter.
-        """
-        stage = self._validate_stage(email_otp_throttling_factor=1)
-        device = self._email_device()
-        device.generate_token()
-        token = device.token
-        invalid_token = "000000" if token != "000000" else "111111"  # nosec
-        with self.assertRaises(ValidationError):
-            validate_challenge_code(invalid_token, self._stage_view(stage), self.user)
-        # Immediately try with the correct token: lockout still active, attempt must be rejected.
-        with self.assertRaises(ValidationError):
-            validate_challenge_code(token, self._stage_view(stage), self.user)
-        device.refresh_from_db()
-        # Token wasn't consumed (verification never ran), and counter didn't get incremented.
-        self.assertEqual(device.token, token)
-        self.assertEqual(device.throttling_failure_count, 1)
-
-
-class ValidateStageThrottlingFlowTests(FlowTestCase):
-    """End-to-end lockout behavior through the flow executor HTTP API."""
-
-    def setUp(self) -> None:
-        super().setUp()
-        self.user = create_test_admin_user()
-        self.email_stage = AuthenticatorEmailStage.objects.create(
-            name="email-stage-flow-throttle",
-            use_global_settings=True,
-            from_address="test@authentik.local",
-            token_expiry="minutes=30",
-        )  # nosec
-        self.ident_stage = IdentificationStage.objects.create(
-            name=generate_id(),
-            user_fields=[UserFields.USERNAME],
-        )
-        self.validate_stage = AuthenticatorValidateStage.objects.create(
-            name=generate_id(),
-            device_classes=[DeviceClasses.EMAIL],
-            email_otp_throttling_factor=1,
-        )
-        self.flow = create_test_flow()
-        FlowStageBinding.objects.create(target=self.flow, stage=self.ident_stage, order=0)
-        FlowStageBinding.objects.create(target=self.flow, stage=self.validate_stage, order=1)
-
-    def _identify(self):
-        response = self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-            {"uid_field": self.user.username},
-            follow=True,
-        )
-        self.assertEqual(response.status_code, 200)
-
-    def _select_email(self, device: EmailDevice):
-        self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-            {
-                "component": "ak-stage-authenticator-validate",
-                "selected_challenge": {
-                    "device_class": "email",
-                    "device_uid": str(device.pk),
-                    "challenge": {},
-                    "last_used": None,
-                },
-            },
-        )
-
-    def test_bad_code_then_correct_code_is_still_blocked(self):
-        """After a bad code over HTTP, a subsequent correct code is still rejected
-        because the lockout persists in the database."""
-        device = EmailDevice.objects.create(
-            user=self.user,
-            confirmed=True,
-            stage=self.email_stage,
-            email="throttle-flow@authentik.local",
-        )
-        self._identify()
-        self._select_email(device)
-        # Server generated and stored the token - grab it from DB.
-        device.refresh_from_db()
-        token = device.token
-        # First attempt: bad code - must increment the DB counter.
-        self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-            {"component": "ak-stage-authenticator-validate", "code": "000000"},
-        )
-        device.refresh_from_db()
-        self.assertEqual(device.throttling_failure_count, 1)
-        self.assertEqual(device.token, token)
-        # Second attempt with the correct token - still blocked.
-        response = self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": self.flow.slug}),
-            {"component": "ak-stage-authenticator-validate", "code": token},
-        )
-        self.assertStageResponse(
-            response,
-            flow=self.flow,
-            component="ak-stage-authenticator-validate",
-        )
-        device.refresh_from_db()
-        # Counter wasn't incremented on a blocked attempt
-        self.assertEqual(device.throttling_failure_count, 1)
-        # Token wasn't consumed.
-        self.assertEqual(device.token, token)
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/authentik/stages/redirect/models.py
+++ b/authentik/stages/redirect/models.py
@@ -16,7 +16,7 @@ class RedirectMode(models.TextChoices):


 class RedirectStage(Stage):
-    """Redirect the user to a static URL or another flow, optionally with all gathered context."""
+    """Redirect the user to another flow, potentially with all gathered context."""

    keep_context = models.BooleanField(default=True)
    mode = models.TextField(choices=RedirectMode.choices)
--- a/authentik/tasks/test.py
+++ b/authentik/tasks/test.py
@@ -7,7 +7,7 @@ from dramatiq.broker import Broker, MessageProxy, get_broker
 from dramatiq.middleware.middleware import Middleware
 from dramatiq.middleware.retries import Retries
 from dramatiq.results.middleware import Results
-from dramatiq.worker import ConsumerThread, Worker, WorkerThread
+from dramatiq.worker import Worker, _ConsumerThread, _WorkerThread

 from authentik.tasks.broker import PostgresBroker

@@ -20,7 +20,7 @@ class TestWorker(Worker):
        self.worker_id = 1000
        self.work_queue = PriorityQueue()
        self.consumers = {
-            TESTING_QUEUE: ConsumerThread(
+            TESTING_QUEUE: _ConsumerThread(
                broker=self.broker,
                queue_name=TESTING_QUEUE,
                prefetch=2,
@@ -33,7 +33,7 @@ class TestWorker(Worker):
            prefetch=2,
            timeout=1,
        )
-        self._worker = WorkerThread(
+        self._worker = _WorkerThread(
            broker=self.broker,
            consumers=self.consumers,
            work_queue=self.work_queue,
@@ -78,18 +78,17 @@ def use_test_broker():
        actor.broker = broker
        actor.broker.declare_actor(actor)

-    for middleware_class_path, middleware_kwargs in Conf().middlewares:
-        middleware_class = import_string(middleware_class_path)
-        if issubclass(middleware_class, Results):
-            middleware_kwargs["backend"] = import_string(Conf().result_backend)(
-                *Conf().result_backend_args,
-                **Conf().result_backend_kwargs,
-            )
-        middleware: Middleware = middleware_class(
+    for middleware_class, middleware_kwargs in Conf().middlewares:
+        middleware: Middleware = import_string(middleware_class)(
            **middleware_kwargs,
        )
        if isinstance(middleware, Retries):
            middleware.max_retries = 0
+        if isinstance(middleware, Results):
+            middleware.backend = import_string(Conf().result_backend)(
+                *Conf().result_backend_args,
+                **Conf().result_backend_kwargs,
+            )
        broker.add_middleware(middleware)

    broker.start()
--- a/authentik/tenants/api/settings.py
+++ b/authentik/tenants/api/settings.py
@@ -19,30 +19,24 @@ from authentik.tenants.models import Tenant

 class FlagJSONField(JSONDictField):

-    def to_internal_value(self, data: str):
-        flags = super().to_internal_value(data)
-        for flag in Flag.available(visibility="system", exclude_system=False):
-            flags[flag().key] = flag.get()
-        return flags
-
    def to_representation(self, value: dict) -> dict:
+        """Exclude any system flags that aren't modifiable"""
        new_value = value.copy()
        for flag in Flag.available(exclude_system=False):
            _flag = flag()
-            # Exclude any system flags that aren't modifiable
            if _flag.visibility == "system":
                new_value.pop(_flag.key, None)
-            # Explicitly present unset flags as if they were set to default
-            if _flag.key not in value:
-                value[_flag.key] = _flag.default
        return super().to_representation(new_value)

    def run_validators(self, value: dict):
        super().run_validators(value)
-        for flag in Flag.available():
+        for flag in Flag.available(exclude_system=False):
            _flag = flag()
            if _flag.key not in value:
                continue
+            if _flag.visibility == "system":
+                value.pop(_flag.key, None)
+                continue
            flag_value = value.get(_flag.key)
            flag_type = get_args(_flag.__orig_bases__[0])[0]
            if flag_value and not isinstance(flag_value, flag_type):
@@ -65,8 +59,6 @@ class FlagsJSONExtension(OpenApiSerializerFieldExtension):
            props[_flag.key] = build_basic_type(get_args(_flag.__orig_bases__[0])[0])
            if _flag.description:
                props[_flag.key]["description"] = _flag.description
-            if _flag.deprecated:
-                props[_flag.key]["deprecated"] = _flag.deprecated
        return build_object_type(props, required=props.keys())


--- a/authentik/tenants/flags.py
+++ b/authentik/tenants/flags.py
@@ -18,7 +18,6 @@ class Flag[T]:
        Literal["none"] | Literal["public"] | Literal["authenticated"] | Literal["system"]
    ) = "none"
    description: str | None = None
-    deprecated = False

    def __init_subclass__(cls, key: str, **kwargs):
        cls.__key = key
--- a/authentik/tenants/tests/test_local_settings.py
+++ b/authentik/tenants/tests/test_local_settings.py
@@ -85,30 +85,10 @@ class TestLocalSettingsAPI(APITestCase):
                "flags": {"tenants_test_flag_sys": 123},
            },
        )
+        print(response.content)
        self.assertEqual(response.status_code, 200)
        self.tenant.refresh_from_db()
-        self.assertEqual(self.tenant.flags, {"setup": False, "tenants_test_flag_sys": False})
-
-    def test_settings_flags_system_empty_put(self):
-        """Test settings API"""
-        self.tenant.flags = {}
-        self.tenant.save()
-
-        class _TestFlag(Flag[bool], key="tenants_test_flag_sys"):
-
-            default = False
-            visibility = "system"
-
-        self.client.force_login(self.local_admin)
-        response = self.client.patch(
-            reverse("authentik_api:tenant_settings"),
-            data={
-                "flags": {},
-            },
-        )
-        self.assertEqual(response.status_code, 200)
-        self.tenant.refresh_from_db()
-        self.assertEqual(self.tenant.flags, {"setup": False, "tenants_test_flag_sys": False})
+        self.assertEqual(self.tenant.flags, {})

    def test_command(self):
        self.tenant.flags = {}
--- a/blueprints/example/flows-invitation-enrollment-minimal.yaml
+++ b/blueprints/example/flows-invitation-enrollment-minimal.yaml
@@ -1,211 +0,0 @@
-# Minimal Invitation-based Enrollment Blueprint
-#
-# Companion to flows-invitation-enrollment.yaml, intended for the "New Invitation"
-# wizard in the admin UI. Creates a single enrollment flow with an invitation stage
-# bound to it, plus the supporting prompt/user-write/user-login stages.
-#
-# All user-facing fields are parameterized via !Context with fallback defaults, so
-# this blueprint can be imported directly (without context) or through the wizard
-# with custom values.
-#
-# Context keys (all optional):
-#   flow_name                        Display name of the enrollment flow.
-#   flow_slug                        URL slug of the flow and suffix for sub-entity
-#                                    identifiers (so repeated imports with different
-#                                    slugs don't overwrite each other).
-#   stage_name                       Name of the invitation stage.
-#   continue_flow_without_invitation Whether the flow continues when no invitation
-#                                    is supplied (default: false).
-#   user_type                        "external" or "internal" (default: "external").
-#                                    Drives the user-write stage's user_type and
-#                                    user_path_template.
-version: 1
-metadata:
-  labels:
-    blueprints.goauthentik.io/instantiate: "false"
-  name: Invitation-based Enrollment (minimal)
-entries:
-  - identifiers:
-      slug: !Context [flow_slug, invitation-enrollment-flow]
-    model: authentik_flows.flow
-    id: flow
-    attrs:
-      name: !Context [flow_name, Invitation Enrollment Flow]
-      title: !Context [flow_name, Invitation Enrollment Flow]
-      designation: enrollment
-      authentication: require_unauthenticated
-
-  - identifiers:
-      name: !Context [stage_name, invitation-stage]
-    id: invitation-stage
-    model: authentik_stages_invitation.invitationstage
-    attrs:
-      continue_flow_without_invitation: !Context [continue_flow_without_invitation, false]
-
-  - identifiers:
-      name:
-        !Format [
-          "invitation-enrollment-field-username-%s",
-          !Context [flow_slug, invitation-enrollment-flow],
-        ]
-    id: prompt-field-username
-    model: authentik_stages_prompt.prompt
-    attrs:
-      field_key: username
-      label: Username
-      type: username
-      required: true
-      placeholder: Username
-      placeholder_expression: false
-      order: 0
-
-  - identifiers:
-      name:
-        !Format [
-          "invitation-enrollment-field-password-%s",
-          !Context [flow_slug, invitation-enrollment-flow],
-        ]
-    id: prompt-field-password
-    model: authentik_stages_prompt.prompt
-    attrs:
-      field_key: password
-      label: Password
-      type: password
-      required: true
-      placeholder: Password
-      placeholder_expression: false
-      order: 1
-
-  - identifiers:
-      name:
-        !Format [
-          "invitation-enrollment-field-password-repeat-%s",
-          !Context [flow_slug, invitation-enrollment-flow],
-        ]
-    id: prompt-field-password-repeat
-    model: authentik_stages_prompt.prompt
-    attrs:
-      field_key: password_repeat
-      label: Password (repeat)
-      type: password
-      required: true
-      placeholder: Password (repeat)
-      placeholder_expression: false
-      order: 2
-
-  - identifiers:
-      name:
-        !Format [
-          "invitation-enrollment-field-name-%s",
-          !Context [flow_slug, invitation-enrollment-flow],
-        ]
-    id: prompt-field-name
-    model: authentik_stages_prompt.prompt
-    attrs:
-      field_key: name
-      label: Name
-      type: text
-      required: true
-      placeholder: Name
-      placeholder_expression: false
-      order: 0
-
-  - identifiers:
-      name:
-        !Format [
-          "invitation-enrollment-field-email-%s",
-          !Context [flow_slug, invitation-enrollment-flow],
-        ]
-    id: prompt-field-email
-    model: authentik_stages_prompt.prompt
-    attrs:
-      field_key: email
-      label: Email
-      type: email
-      required: true
-      placeholder: Email
-      placeholder_expression: false
-      order: 1
-
-  - identifiers:
-      name:
-        !Format [
-          "invitation-enrollment-prompt-credentials-%s",
-          !Context [flow_slug, invitation-enrollment-flow],
-        ]
-    id: prompt-stage-credentials
-    model: authentik_stages_prompt.promptstage
-    attrs:
-      fields:
-        - !KeyOf prompt-field-username
-        - !KeyOf prompt-field-password
-        - !KeyOf prompt-field-password-repeat
-
-  - identifiers:
-      name:
-        !Format [
-          "invitation-enrollment-prompt-details-%s",
-          !Context [flow_slug, invitation-enrollment-flow],
-        ]
-    id: prompt-stage-details
-    model: authentik_stages_prompt.promptstage
-    attrs:
-      fields:
-        - !KeyOf prompt-field-name
-        - !KeyOf prompt-field-email
-
-  - identifiers:
-      name:
-        !Format [
-          "invitation-enrollment-user-write-%s",
-          !Context [flow_slug, invitation-enrollment-flow],
-        ]
-    id: user-write-stage
-    model: authentik_stages_user_write.userwritestage
-    attrs:
-      user_creation_mode: always_create
-      user_type: !Context [user_type, external]
-      user_path_template:
-        !Format ["users/%s", !Context [user_type, external]]
-
-  - identifiers:
-      name:
-        !Format [
-          "invitation-enrollment-user-login-%s",
-          !Context [flow_slug, invitation-enrollment-flow],
-        ]
-    id: user-login-stage
-    model: authentik_stages_user_login.userloginstage
-
-  - identifiers:
-      target: !KeyOf flow
-      stage: !KeyOf invitation-stage
-      order: 5
-    model: authentik_flows.flowstagebinding
-    attrs:
-      evaluate_on_plan: true
-      re_evaluate_policies: true
-
-  - identifiers:
-      target: !KeyOf flow
-      stage: !KeyOf prompt-stage-credentials
-      order: 10
-    model: authentik_flows.flowstagebinding
-
-  - identifiers:
-      target: !KeyOf flow
-      stage: !KeyOf prompt-stage-details
-      order: 15
-    model: authentik_flows.flowstagebinding
-
-  - identifiers:
-      target: !KeyOf flow
-      stage: !KeyOf user-write-stage
-      order: 20
-    model: authentik_flows.flowstagebinding
-
-  - identifiers:
-      target: !KeyOf flow
-      stage: !KeyOf user-login-stage
-      order: 100
-    model: authentik_flows.flowstagebinding
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2026.8.0-rc1 Blueprint schema",
+    "title": "authentik 2026.5.0-rc1 Blueprint schema",
    "required": [
        "version",
        "entries"
@@ -14936,22 +14936,6 @@
                        "format": "uuid"
                    },
                    "title": "Webauthn allowed device types"
-                },
-                "email_otp_throttling_factor": {
-                    "type": "number",
-                    "title": "Email otp throttling factor"
-                },
-                "sms_otp_throttling_factor": {
-                    "type": "number",
-                    "title": "Sms otp throttling factor"
-                },
-                "totp_otp_throttling_factor": {
-                    "type": "number",
-                    "title": "Totp otp throttling factor"
-                },
-                "static_otp_throttling_factor": {
-                    "type": "number",
-                    "title": "Static otp throttling factor"
                }
            },
            "required": []
--- a/blueprints/testing/oidc-conformance.yaml
+++ b/blueprints/testing/oidc-conformance.yaml
@@ -73,16 +73,8 @@ entries:
      redirect_uris:
        - matching_mode: strict
          url: https://localhost:8443/test/a/authentik/callback
-          redirect_uri_type: authorization
        - matching_mode: strict
          url: https://host.docker.internal:8443/test/a/authentik/callback
-          redirect_uri_type: authorization
-        - matching_mode: strict
-          url: https://localhost:8443/test/a/authentik/post_logout_redirect
-          redirect_uri_type: logout
-        - matching_mode: strict
-          url: https://host.docker.internal:8443/test/a/authentik/post_logout_redirect
-          redirect_uri_type: logout
      grant_types:
        - authorization_code
        - implicit
@@ -116,16 +108,8 @@ entries:
      redirect_uris:
        - matching_mode: strict
          url: https://localhost:8443/test/a/authentik/callback
-          redirect_uri_type: authorization
        - matching_mode: strict
          url: https://host.docker.internal:8443/test/a/authentik/callback
-          redirect_uri_type: authorization
-        - matching_mode: strict
-          url: https://localhost:8443/test/a/authentik/post_logout_redirect
-          redirect_uri_type: logout
-        - matching_mode: strict
-          url: https://host.docker.internal:8443/test/a/authentik/post_logout_redirect
-          redirect_uri_type: logout
      grant_types:
        - authorization_code
        - implicit
--- a/cmd/server/healthcheck.go
+++ b/cmd/server/healthcheck.go
@@ -26,8 +26,6 @@ var healthcheckCmd = &cobra.Command{
 		exitCode := 1
 		log.WithField("mode", mode).Debug("checking health")
 		switch strings.ToLower(mode) {
-		case "allinone":
-			fallthrough
 		case "server":
 			exitCode = check(fmt.Sprintf("http://localhost%s-/health/live/", config.Get().Web.Path))
 		case "worker":
--- a/go.mod
+++ b/go.mod
@@ -7,10 +7,10 @@ require (
 	beryju.io/radius-eap v0.1.0
 	github.com/avast/retry-go/v4 v4.7.0
 	github.com/coreos/go-oidc/v3 v3.18.0
-	github.com/getsentry/sentry-go v0.46.2
+	github.com/getsentry/sentry-go v0.46.0
 	github.com/go-http-utils/etag v0.0.0-20161124023236-513ea8f21eb1
 	github.com/go-ldap/ldap/v3 v3.4.13
-	github.com/go-openapi/runtime v0.29.5
+	github.com/go-openapi/runtime v0.29.4
 	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/handlers v1.5.2
@@ -57,7 +57,7 @@ require (
 	github.com/go-openapi/jsonreference v0.21.5 // indirect
 	github.com/go-openapi/loads v0.23.3 // indirect
 	github.com/go-openapi/spec v0.22.4 // indirect
-	github.com/go-openapi/strfmt v0.26.2 // indirect
+	github.com/go-openapi/strfmt v0.26.1 // indirect
 	github.com/go-openapi/swag/conv v0.26.0 // indirect
 	github.com/go-openapi/swag/fileutils v0.26.0 // indirect
 	github.com/go-openapi/swag/jsonname v0.25.5 // indirect
@@ -90,10 +90,10 @@ require (
 	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/crypto v0.50.0 // indirect
-	golang.org/x/net v0.53.0 // indirect
-	golang.org/x/sys v0.43.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/crypto v0.49.0 // indirect
+	golang.org/x/net v0.52.0 // indirect
+	golang.org/x/sys v0.42.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -20,8 +20,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/felixge/httpsnoop v1.0.3 h1:s/nj+GCswXYzN5v2DpNMuMQYe+0DDwt5WVCU6CWBdXk=
 github.com/felixge/httpsnoop v1.0.3/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/getsentry/sentry-go v0.46.2 h1:1jhYwrKGa3sIpo/y5iDNXS5wDoT7I1KNzMHrnK6ojns=
-github.com/getsentry/sentry-go v0.46.2/go.mod h1:evVbw2qotNUdYG8KxXbAdjOQWWvWIwKxpjdZZIvcIPw=
+github.com/getsentry/sentry-go v0.46.0 h1:mbdDaarbUdOt9X+dx6kDdntkShLEX3/+KyOsVDTPDj0=
+github.com/getsentry/sentry-go v0.46.0/go.mod h1:evVbw2qotNUdYG8KxXbAdjOQWWvWIwKxpjdZZIvcIPw=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
@@ -51,12 +51,12 @@ github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe
 github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw=
 github.com/go-openapi/loads v0.23.3 h1:g5Xap1JfwKkUnZdn+S0L3SzBDpcTIYzZ5Qaag0YDkKQ=
 github.com/go-openapi/loads v0.23.3/go.mod h1:NOH07zLajXo8y55hom0omlHWDVVvCwBM/S+csCK8LqA=
-github.com/go-openapi/runtime v0.29.5 h1:uc5+/TtqLIfDBTUxnF3uppoGMt+9DzonwUWsviINlrY=
-github.com/go-openapi/runtime v0.29.5/go.mod h1:D9IUbWccdYv+km8QwmAm90FZvDcQk47vP2Y7y5as/D8=
+github.com/go-openapi/runtime v0.29.4 h1:k2lDxrGoSAJRdhFG2tONKMpkizY/4X1cciSdtzk4Jjo=
+github.com/go-openapi/runtime v0.29.4/go.mod h1:K0k/2raY6oqXJnZAgWJB2i/12QKrhUKpZcH4PfV9P18=
 github.com/go-openapi/spec v0.22.4 h1:4pxGjipMKu0FzFiu/DPwN3CTBRlVM2yLf/YTWorYfDQ=
 github.com/go-openapi/spec v0.22.4/go.mod h1:WQ6Ai0VPWMZgMT4XySjlRIE6GP1bGQOtEThn3gcWLtQ=
-github.com/go-openapi/strfmt v0.26.2 h1:ysjheCh4i1rmFEo2LanhELDNucNzfWTZhUDKgWWPaFM=
-github.com/go-openapi/strfmt v0.26.2/go.mod h1:fXh1e449cyUn2NYuz+wb3wARBUdMl7qPEZwX00nqivY=
+github.com/go-openapi/strfmt v0.26.1 h1:7zGCHji7zSYDC2tCXIusoxYQz/48jAf2q+sF6wXTG+c=
+github.com/go-openapi/strfmt v0.26.1/go.mod h1:Zslk5VZPOISLwmWTMBIS7oiVFem1o1EI6zULY8Uer7Y=
 github.com/go-openapi/swag/conv v0.26.0 h1:5yGGsPYI1ZCva93U0AoKi/iZrNhaJEjr324YVsiD89I=
 github.com/go-openapi/swag/conv v0.26.0/go.mod h1:tpAmIL7X58VPnHHiSO4uE3jBeRamGsFsfdDeDtb5ECE=
 github.com/go-openapi/swag/fileutils v0.26.0 h1:WJoPRvsA7QRiiWluowkLJa9jaYR7FCuxmDvnCgaRRxU=
@@ -77,10 +77,10 @@ github.com/go-openapi/swag/typeutils v0.26.0 h1:2kdEwdiNWy+JJdOvu5MA2IIg2SylWAFu
 github.com/go-openapi/swag/typeutils v0.26.0/go.mod h1:oovDuIUvTrEHVMqWilQzKzV4YlSKgyZmFh7AlfABNVE=
 github.com/go-openapi/swag/yamlutils v0.25.5 h1:kASCIS+oIeoc55j28T4o8KwlV2S4ZLPT6G0iq2SSbVQ=
 github.com/go-openapi/swag/yamlutils v0.25.5/go.mod h1:Gek1/SjjfbYvM+Iq4QGwa/2lEXde9n2j4a3wI3pNuOQ=
-github.com/go-openapi/testify/enable/yaml/v2 v2.5.0 h1:3hZD1fwydvCx/cc1R2uYNQirHqf2s6lqpKV3FcNTURA=
-github.com/go-openapi/testify/enable/yaml/v2 v2.5.0/go.mod h1:TvDZKBH7ZbMaF3EqH2AwTvNQCmzyZq8K1agRjf1B+Nk=
-github.com/go-openapi/testify/v2 v2.5.0 h1:UOCr63aAsMIDydZbZGqo5Ev01D4eydItRbekDuZMJLw=
-github.com/go-openapi/testify/v2 v2.5.0/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.2 h1:5zRca5jw7lzVREKCZVNBpysDNBjj74rBh0N2BGQbSR0=
+github.com/go-openapi/testify/enable/yaml/v2 v2.4.2/go.mod h1:XVevPw5hUXuV+5AkI1u1PeAm27EQVrhXTTCPAF85LmE=
+github.com/go-openapi/testify/v2 v2.4.2 h1:tiByHpvE9uHrrKjOszax7ZvKB7QOgizBWGBLuq0ePx4=
+github.com/go-openapi/testify/v2 v2.4.2/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
 github.com/go-openapi/validate v0.25.2 h1:12NsfLAwGegqbGWr2CnvT65X/Q2USJipmJ9b7xDJZz0=
 github.com/go-openapi/validate v0.25.2/go.mod h1:Pgl1LpPPGFnZ+ys4/hTlDiRYQdI1ocKypgE+8Q8BLfY=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
@@ -216,8 +216,8 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab h1:628ME69lBm9C6JY2wXhAph/yjN3jezx1z7BIDLUwxjo=
 golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -227,8 +227,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -245,8 +245,8 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -258,8 +258,8 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
--- a/internal/constants/VERSION
+++ b/internal/constants/VERSION
@@ -1 +1 @@
-2026.8.0-rc1
+2026.5.0-rc1
--- a/lifecycle/ak
+++ b/lifecycle/ak
@@ -31,17 +31,13 @@ function run_authentik {
            echo go run ./cmd/server "$@"
        fi
        ;;
-    allinone | worker)
+    worker)
        if [[ -x "$(command -v authentik)" ]]; then
            echo authentik "$@"
        else
            echo cargo run -- "$@"
        fi
        ;;
-    manage)
-        shift 1
-        echo python -m manage "$@"
-        ;;
    *)
        echo "$@"
        ;;
@@ -83,7 +79,7 @@ function prepare_debug {
    apt-get update
    apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
    source "${VENV_PATH}/bin/activate"
-    uv sync --active --locked
+    uv sync --active --frozen
    touch /unittest.xml
    chown authentik:authentik /unittest.xml
 }
@@ -109,7 +105,7 @@ elif [[ "$1" == "test-all" ]]; then
    prepare_debug
    chmod 777 /root
    check_if_root_and_run manage test authentik
-elif [[ "$1" == "allinone" ]] || [[ "$1" == "server" ]] || [[ "$1" == "worker" ]]; then
+elif [[ "$1" == "server" ]] || [[ "$1" == "worker" ]]; then
    wait_for_db
    check_if_root_and_run "$@"
 elif [[ "$1" == "healthcheck" ]]; then
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@@ -9,12 +9,12 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1120.0",
+                "aws-cdk": "^2.1118.4",
                "cross-env": "^10.1.0"
            },
            "engines": {
-                "node": ">=20",
-                "npm": ">=11.6.2"
+                "node": ">=24",
+                "npm": ">=11.10.1"
            }
        },
        "node_modules/@epic-web/invariant": {
@@ -25,9 +25,9 @@
            "license": "MIT"
        },
        "node_modules/aws-cdk": {
-            "version": "2.1120.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1120.0.tgz",
-            "integrity": "sha512-vDVa0IX0FhizARdY/GLSParFglKbdHCIhM8IDmynrAv9w8uLLljzWMeLUOhC1XpMErDZ/npYEihAOjfKxTaMIw==",
+            "version": "2.1118.4",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1118.4.tgz",
+            "integrity": "sha512-wJfRQdvb+FJ2cni059mYdmjhfwhMskP+PAB59BL9jhon+jYtjy8X3pbj3uzHgAOJwNhh6jGkP8xq36Cffccbbw==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@@ -7,11 +7,24 @@
        "aws-cfn": "cross-env CI=false cdk synth --version-reporting=false > template.yaml"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1120.0",
+        "aws-cdk": "^2.1118.4",
        "cross-env": "^10.1.0"
    },
    "engines": {
-        "node": ">=20",
-        "npm": ">=11.6.2"
-    }
+        "node": ">=24",
+        "npm": ">=11.10.1"
+    },
+    "devEngines": {
+        "runtime": {
+            "name": "node",
+            "onFail": "warn",
+            "version": ">=24"
+        },
+        "packageManager": {
+            "name": "npm",
+            "version": ">=11.10.1",
+            "onFail": "warn"
+        }
+    },
+    "packageManager": "npm@11.11.0+sha512.f36811c4aae1fde639527368ae44c571d050006a608d67a191f195a801a52637a312d259186254aa3a3799b05335b7390539cf28656d18f0591a1125ba35f973"
 }
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@@ -18,7 +18,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2026.8.0-rc1
+    Default: 2026.5.0-rc1
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/lifecycle/container/Dockerfile
+++ b/lifecycle/container/Dockerfile
@@ -1,12 +1,23 @@
 # syntax=docker/dockerfile:1

 # Stage: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:4f2b45e32dc7d2caf66b6dbd59fac50e32f8077769efe0ef4d4c3f114672537d AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:735dd688da64d22ebd9dd374b3e7e5a874635668fd2a6ec20ca1f99264294086 AS node-builder

 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
 ENV NODE_ENV=production

+WORKDIR /work
+
+RUN --mount=type=bind,target=/work/package.json,src=./package.json \
+    --mount=type=bind,target=/work/package-lock.json,src=./package-lock.json \
+    --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
+    --mount=type=bind,target=/work/web/package-lock.json,src=./web/package-lock.json \
+    --mount=type=bind,target=/work/scripts/node/,src=./scripts/node/ \
+    --mount=type=bind,target=/work/packages/logger-js/,src=./packages/logger-js/ \
+    node ./scripts/node/setup-corepack.mjs --force && \
+    node ./scripts/node/lint-runtime.mjs ./web
+
 WORKDIR /work/web

 # These files need to be copied and cannot be mounted as `npm ci` will build the client's typescript
@@ -18,7 +29,7 @@ RUN --mount=type=bind,target=/work/web/package.json,src=./web/package.json \
    --mount=type=bind,target=/work/web/packages/sfe/package.json,src=./web/packages/sfe/package.json \
    --mount=type=bind,target=/work/web/scripts,src=./web/scripts \
    --mount=type=cache,id=npm-ak,sharing=shared,target=/root/.npm \
-    npm ci
+    corepack npm ci

 COPY ./package.json /work
 COPY ./web /work/web/
@@ -200,7 +211,7 @@ RUN --mount=type=bind,target=pyproject.toml,src=pyproject.toml \
    --mount=type=bind,target=packages/django-postgres-cache,src=packages/django-postgres-cache \
    --mount=type=bind,target=rust-toolchain.toml,src=rust-toolchain.toml \
    --mount=type=cache,id=uv-python-deps-$TARGETARCH$TARGETVARIANT,target=/root/.cache/uv \
-    uv sync --locked --no-install-project --no-dev
+    uv sync --frozen --no-install-project --no-dev

 # Stage: Run
 FROM python-base AS final-image
@@ -228,7 +239,8 @@ RUN apt-get update && \
    # Required for runtime
    apt-get install -y --no-install-recommends \
    libpq5 libmaxminddb0 ca-certificates \
-    libkadm5clnt-mit12 libkadm5clnt7t64-heimdal \
+    krb5-multidev libkrb5-3 libkdb5-10 libkadm5clnt-mit12 \
+    heimdal-multidev libkadm5clnt7t64-heimdal \
    libltdl7 libxslt1.1 && \
    # Required for bootstrap & healtcheck
    apt-get install -y --no-install-recommends runit && \
--- a/lifecycle/container/compose.yml
+++ b/lifecycle/container/compose.yml
@@ -31,7 +31,7 @@ services:
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.8.0-rc1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.5.0-rc1}
    ports:
    - ${COMPOSE_PORT_HTTP:-9000}:9000
    - ${COMPOSE_PORT_HTTPS:-9443}:9443
@@ -53,7 +53,7 @@ services:
      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.8.0-rc1}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2026.5.0-rc1}
    restart: unless-stopped
    shm_size: 512mb
    user: root
--- a/lifecycle/container/proxy.Dockerfile
+++ b/lifecycle/container/proxy.Dockerfile
@@ -10,12 +10,22 @@ WORKDIR /static
 COPY ./packages /packages
 COPY ./web/packages /static/packages

+RUN --mount=type=bind,target=/static/package.json,src=./package.json \
+    --mount=type=bind,target=/static/package-lock.json,src=./package-lock.json \
+    --mount=type=bind,target=/static/web/package.json,src=./web/package.json \
+    --mount=type=bind,target=/static/web/package-lock.json,src=./web/package-lock.json \
+    --mount=type=bind,target=/static/scripts/node/,src=./scripts/node/ \
+    --mount=type=bind,target=/static/packages/logger-js/,src=./packages/logger-js/ \
+    node ./scripts/node/setup-corepack.mjs --force && \
+    node ./scripts/node/lint-runtime.mjs ./web
+
 COPY package.json /
+
 RUN --mount=type=bind,target=/static/package.json,src=./web/package.json \
    --mount=type=bind,target=/static/package-lock.json,src=./web/package-lock.json \
    --mount=type=bind,target=/static/scripts,src=./web/scripts \
    --mount=type=cache,target=/root/.npm \
-    npm ci
+    corepack npm ci

 COPY web .
 RUN npm run build-proxy
--- a/lifecycle/worker_process.py
+++ b/lifecycle/worker_process.py
@@ -28,39 +28,20 @@ class HttpHandler(BaseHTTPRequestHandler):
            _ = db_conn.cursor()

    def do_GET(self):
-        from django.db import DatabaseError, InterfaceError, OperationalError, connections
-        from psycopg.errors import AdminShutdown
-
-        from authentik.root.monitoring import monitoring_set
-
-        DATABASE_ERRORS = (
-            AdminShutdown,
-            InterfaceError,
-            DatabaseError,
-            OperationalError,
-        )
-
        if self.path == "/-/metrics/":
-            try:
-                monitoring_set.send(self)
-            except DATABASE_ERRORS as exc:
-                LOGGER.warning("failed to send monitoring_set", exc=exc)
-                for db_conn in connections.all():
-                    db_conn.close()
-                self.send_response(503)
-            else:
-                self.send_response(200)
+            from authentik.root.monitoring import monitoring_set
+
+            monitoring_set.send_robust(self)
+            self.send_response(200)
            self.end_headers()
        elif self.path == "/-/health/ready/":
+            from django.db.utils import OperationalError
+
            try:
                self.check_db()
-            except DATABASE_ERRORS as exc:
-                LOGGER.warning("failed to check database health", exc=exc)
-                for db_conn in connections.all():
-                    db_conn.close()
+            except OperationalError:
                self.send_response(503)
-            else:
-                self.send_response(200)
+            self.send_response(200)
            self.end_headers()
        else:
            self.send_response(200)
--- a/locale/bg_BG/LC_MESSAGES/django.mo
+++ b/locale/bg_BG/LC_MESSAGES/django.mo
--- a/locale/bg_BG/LC_MESSAGES/django.po
+++ b/locale/bg_BG/LC_MESSAGES/django.po
--- a/locale/cs_CZ/LC_MESSAGES/django.mo
+++ b/locale/cs_CZ/LC_MESSAGES/django.mo
--- a/locale/cs_CZ/LC_MESSAGES/django.po
+++ b/locale/cs_CZ/LC_MESSAGES/django.po
@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Václav Nováček <waclaw661@gmail.com>, 2026\n"
 "Language-Team: Czech (Czech Republic) (https://app.transifex.com/authentik/teams/119923/cs_CZ/)\n"
@@ -106,14 +106,6 @@ msgstr "Chyba validace"
 msgid "Blueprint file does not exist"
 msgstr "Soubor s konfigurační šablonou neexistuje"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Ověřování konfigurační šablony selhalo"
@@ -122,11 +114,6 @@ msgstr "Ověřování konfigurační šablony selhalo"
 msgid "Either path or content must be set."
 msgstr "Musí být nastavena buď cesta, nebo obsah."

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "Uživatel nemá oprávnění vytvořit {model}"
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Spravuje authentik"
@@ -257,13 +244,10 @@ msgstr ""
 "pouze poskytovatele backchannel. Pokud je vypnuto, backchannel poskytovatelé"
 " nejsou zahrnuti."

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "Uživatel nemá oprávnění vytvořit {model}"

 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -325,12 +309,6 @@ msgstr ""
 msgid "This field is required."
 msgstr "Toto pole je povinné."

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "Jméno"
@@ -437,10 +415,6 @@ msgstr "Interní název aplikace, používaný v URI."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Otevřít úvodní URL v novém okně nebo kartě prohlížeče."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Aplikace"
@@ -632,14 +606,6 @@ msgstr "Odstranit dočasné uživatele vytvořené zdroji SAML."
 msgid "Go home"
 msgstr "Přejít domů"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr ""
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -746,10 +712,6 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "Objevit, importovat a aktualizovat certifikáty na souborovém systému."

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -804,14 +766,6 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -883,12 +837,6 @@ msgstr ""
 msgid "Enterprise is required to use this endpoint."
 msgstr ""

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -906,19 +854,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Ověřuji Váš prohlížeč..."
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -935,6 +870,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -962,8 +901,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -977,7 +915,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1220,14 +1158,6 @@ msgstr "Pro použití EAP-TLS je nutná Enterprise licence."
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "Pro použití OAuth režimu je vyžadována Enterprise licence."

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1309,78 +1239,6 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Fáze konektoru Endpoint Authenticator Google Device Trust"
@@ -1397,6 +1255,10 @@ msgstr "Koncové zařízení"
 msgid "Endpoint Devices"
 msgstr "Koncová zařízení"

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Ověřuji Váš prohlížeč..."
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1479,12 +1341,6 @@ msgstr ""
 "Odeslat oznámení pouze jednou, například při posílání webhooku do kanálu "
 "chatu."

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1655,15 +1511,6 @@ msgstr "Zásady před tokem"
 msgid "Flow"
 msgstr "Tok"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Tok se nevztahuje na aktuálního uživatele."
@@ -1773,8 +1620,8 @@ msgstr "Token Toku"
 msgid "Flow Tokens"
 msgstr "Tokeny Toků"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
 msgstr ""

 #: authentik/flows/views/executor.py
@@ -2159,6 +2006,22 @@ msgstr "Reputační skóre"
 msgid "Reputation Scores"
 msgstr "Reputační skóre"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "Čeká se na ověření..."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+"Už se přihlašujete na jiné záložce. Stránka se obnoví, jakmile bude ověření "
+"dokončeno."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr "Ověřit na této záložce"
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Nedostatečná oprávnění"
@@ -2284,14 +2147,6 @@ msgstr "Striktní porovnání URL"
 msgid "Regular Expression URL matching"
 msgstr "Porovnání URL regulárním výrazem"

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr ""
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr ""
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "Back-channel"
@@ -2649,6 +2504,10 @@ msgstr "Poskytovatel proxy"
 msgid "Proxy Providers"
 msgstr "Poskytovatelé proxy"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr "Ukončit relaci na outpostu proxy."
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2776,10 +2635,8 @@ msgstr ""
 "omezení publika nebude přidáno."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "Také známé jako EntityID."

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -2997,10 +2854,6 @@ msgstr "Hodnota SAML NameID pro tuto relaci"
 msgid "SAML NameID format"
 msgstr "Formát SAML NameID"

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "Relace SAML"
@@ -3029,14 +2882,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr ""

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3313,7 +3158,7 @@ msgstr ""
 "                    Prosím, kontaktujte správce.\n"
 "                "

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr "Je dovolen pouze jeden zdroj LDAP se synchronizací hesel"

@@ -3843,12 +3688,6 @@ msgstr ""
 "Povolit autentikační tok iniciovaný Identity Providerem. Může představovat "
 "bezpečnostní riziko, protože se nekontroluje request ID."

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4269,10 +4108,6 @@ msgstr "Kroky validace autentikátoru"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Žádný (povolený) MFA autentikátor nebyl nastaven."

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Krok nastavení autentikátoru WebAuthn"
@@ -4408,10 +4243,6 @@ msgstr "Email OTP"
 msgid "Event Notification"
 msgstr "Oznámení o události"

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Pozvánka"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4530,62 +4361,6 @@ msgstr ""
 "\n"
 "Tento email byl odeslán z transportu oznámení %(name)s.\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4763,6 +4538,10 @@ msgstr "Pokud je povoleno, pozvánka bude po použití smazána."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr ""

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Pozvánka"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Pozvánky"
@@ -4875,18 +4654,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr ""

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Výběr jazyků, které authentik podporuje"
--- a/locale/de_DE/LC_MESSAGES/django.mo
+++ b/locale/de_DE/LC_MESSAGES/django.mo
--- a/locale/de_DE/LC_MESSAGES/django.po
+++ b/locale/de_DE/LC_MESSAGES/django.po
@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-04-23 00:25+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Lukas Nielsen, 2026\n"
 "Language-Team: German (Germany) (https://app.transifex.com/authentik/teams/119923/de_DE/)\n"
@@ -111,14 +111,6 @@ msgstr "Validierungsfehler"
 msgid "Blueprint file does not exist"
 msgstr "Vorlagendatei existiert nicht"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Fehler bei der Validierung der Vorlage"
@@ -265,14 +257,6 @@ msgstr ""
 "werden nur die backchannel Provider zurück gegeben. Zudem werden bei "
 "Deaktivierung die backchannel Provider ausgeschlossen."

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
-
 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
 msgstr "Es sind keine führenden oder abschließenden Schrägstriche erlaubt."
@@ -451,10 +435,6 @@ msgstr "Interner Anwendungsname, wird in URLs verwendet."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Start-URL in einem neuen Browser-Fenster öffnen."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Anwendung"
@@ -954,6 +934,10 @@ msgstr "Es muss entweder eine Prüfergruppe oder ein Prüfer festgelegt werden."
 msgid "Grace period must be shorter than the interval."
 msgstr "Die Nachfrist muss kürzer sein als das Intervall."

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr "Für jeden Objekttyp ist nur eine typweite Regel zulässig."
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -984,9 +968,10 @@ msgid "Go to {self._get_model_name()}"
 msgstr "Gehe zu {self._get_model_name()}"

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""
+"Die Zugriffsüberprüfung für {self.content_type.name} {str(self.object)} "
+"steht an"

 #: authentik/enterprise/lifecycle/models.py
 msgid ""
@@ -1003,8 +988,8 @@ msgstr ""
 "erledigt"

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
-msgstr ""
+msgid "Dispatch tasks to validate lifecycle rules."
+msgstr "Aufgaben zur Überprüfung von Lebenszyklusregeln zuweisen."

 #: authentik/enterprise/lifecycle/tasks.py
 msgid "Apply lifecycle rule."
@@ -1347,78 +1332,6 @@ msgstr "Download"
 msgid "Generate data export."
 msgstr "Datenexport generieren."

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Endpunkt-Authenticator für Google Gerätevertrauen Verbindungs Stage"
@@ -2864,10 +2777,8 @@ msgstr ""
 "Feld leer, wird keine Zielgruppenbeschränkung hinzugefügt."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "Auch bekannt als EntityID"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -3089,10 +3000,6 @@ msgstr "SAML-NameID-Wert für diese Sitzung"
 msgid "SAML NameID format"
 msgstr "SAML-NameID-Format"

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "SAML Sitzung"
@@ -3125,10 +3032,6 @@ msgstr "Salesforce"
 msgid "Webex"
 msgstr "Webex"

-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -5043,18 +4946,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Statisch: Statischer Wert, wird so angezeigt, wie er ist."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "Authentik: Auswahl der von Authentik unterstützten Gebietsschemata"
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-04-30 00:27+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -101,14 +101,6 @@ msgstr ""
 msgid "Blueprint file does not exist"
 msgstr ""

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr ""
@@ -880,6 +872,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -907,8 +903,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -921,7 +916,7 @@ msgid "Access review completed for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1234,78 +1229,6 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
@@ -4533,18 +4456,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr ""

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr ""
--- a/locale/en/dictionaries/integrations.txt
+++ b/locale/en/dictionaries/integrations.txt
@@ -22,12 +22,9 @@ Gestionnaire
 ghec
 Gitea
 Gravitee
-HACS
 Homarr
 Informatique
-Jellyseerr
 Kimai
-Kiota
 Knoc
 Knocknoc
 Komodo
@@ -46,20 +43,16 @@ Organizr
 Packagify
 Palo
 Papra
-PhotoPrism
 pfSense
 phpipam
 Planka
 Plesk
-PostHog
 proftpd
 Qube
 Relatedly
-Seerr
 Sidero
 snipeit
 sonarqube
-Technitium
 Terrakube
 Ueberauth
 Veeam
@@ -67,6 +60,7 @@ Vikunja
 Wazuh
 Wdio
 Weixin
+Kiota
 Wekan
 Xcreds
 Zammad
--- a/locale/es_ES/LC_MESSAGES/django.mo
+++ b/locale/es_ES/LC_MESSAGES/django.mo
--- a/locale/es_ES/LC_MESSAGES/django.po
+++ b/locale/es_ES/LC_MESSAGES/django.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Spanish (Spain) (https://app.transifex.com/authentik/teams/119923/es_ES/)\n"
@@ -105,14 +105,6 @@ msgstr "Error de validación"
 msgid "Blueprint file does not exist"
 msgstr "El archivo de plantilla(blueprint) no existe"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "No se pudo validar la plantilla(blueprint)"
@@ -121,11 +113,6 @@ msgstr "No se pudo validar la plantilla(blueprint)"
 msgid "Either path or content must be set."
 msgstr "Se debe establecer una ruta o contenido."

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "El usuario carece de permisos para crear {model}"
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Administrado por authentik"
@@ -261,13 +248,10 @@ msgstr ""
 "secundario. Cuando se configura como falso, se excluyen los proveedores de "
 "canal secundario."

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "El usuario carece de permisos para crear {model}"

 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -329,12 +313,6 @@ msgstr ""
 msgid "This field is required."
 msgstr ""

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "nombre"
@@ -441,10 +419,6 @@ msgstr "Nombre de la aplicación interna, utilizado en las URL."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Abrir la URL de inicio en una nueva pestaña o ventana del navegador."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Aplicación"
@@ -635,14 +609,6 @@ msgstr "Eliminar usuarios temporales creados por SAML Sources."
 msgid "Go home"
 msgstr "Ir al inicio"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr ""
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -750,10 +716,6 @@ msgid "Discover, import and update certificates from the filesystem."
 msgstr ""
 "Descubra, importe y actualice certificados desde el sistema de archivos."

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr ""
@@ -808,14 +770,6 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -886,12 +840,6 @@ msgstr "Se requiere de Enterprise para crear/actualizar este objeto."
 msgid "Enterprise is required to use this endpoint."
 msgstr ""

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -909,19 +857,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Verificando tu navegador..."
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -938,6 +873,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -965,8 +904,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -980,7 +918,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1221,14 +1159,6 @@ msgstr ""
 msgid "Enterprise is required to use the OAuth mode."
 msgstr ""

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1310,78 +1240,6 @@ msgstr ""
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr ""
@@ -1402,6 +1260,10 @@ msgstr "Dispositivo de Punto de Conexión"
 msgid "Endpoint Devices"
 msgstr "Dispositivos de Punto de Conexión"

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Verificando tu navegador..."
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1485,12 +1347,6 @@ msgstr ""
 "Envía notificaciones solo una vez, por ejemplo, al enviar un webhook a un "
 "canal de chat."

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1662,15 +1518,6 @@ msgstr "Políticas pre-flujo"
 msgid "Flow"
 msgstr "Flujo"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "El flujo no aplica al usuario actual."
@@ -1783,8 +1630,8 @@ msgstr "Token de flujo"
 msgid "Flow Tokens"
 msgstr "Tokens de flujo"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
 msgstr ""

 #: authentik/flows/views/executor.py
@@ -2175,6 +2022,22 @@ msgstr "Puntuación de Reputacion"
 msgid "Reputation Scores"
 msgstr "Puntuaciones de Reputacion"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "Esperando autenticación"
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+"Ya estás autenticándote en otra pestaña. Esta página se actualizará una vez "
+"que la autenticación se haya completado."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr "Autenticar en esta pestaña"
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permiso denegado"
@@ -2303,14 +2166,6 @@ msgstr "Comparación de URL estricta"
 msgid "Regular Expression URL matching"
 msgstr "Coincidencia de URL con Expresiones Regulares"

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr ""
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr ""
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr ""
@@ -2673,6 +2528,10 @@ msgstr "Proveedor de Proxy"
 msgid "Proxy Providers"
 msgstr "Proveedores de Proxy"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr "Terminar sesión en Proxy outpost."
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2804,10 +2663,8 @@ msgstr ""
 "vacío, no se agregará ninguna restricción de audiencia."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "También conocido como EntityID"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -3020,10 +2877,6 @@ msgstr ""
 msgid "SAML NameID format"
 msgstr ""

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr ""
@@ -3052,14 +2905,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr ""

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3343,7 +3188,7 @@ msgstr ""
 "                    Por favor, contacta a tu administrador.\n"
 "                "

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr ""
 "Solo está permitida una Fuente de LDAP con sincronización de contraseña"
@@ -3877,12 +3722,6 @@ msgstr ""
 " un riesgo para la seguridad, ya que no se valida el identificador de la "
 "solicitud."

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4311,10 +4150,6 @@ msgstr "Etapas de Validación del Autenticador"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "No hay un autenticador MFA (permitido) configurado."

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "Etapa de Configuración del Autenticador WebAuthn"
@@ -4453,10 +4288,6 @@ msgstr "OTP por Correo Electrónico"
 msgid "Event Notification"
 msgstr ""

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Invitación"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4577,62 +4408,6 @@ msgstr ""
 "\n"
 "Este correo electrónico fue enviado desde el transporte de notificaciones %(name)s.\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4816,6 +4591,10 @@ msgstr "Cuando se habilita, la invitación se eliminará después de su uso."
 msgid "Optional fixed data to enforce on user enrollment."
 msgstr "Datos fijos opcionales para aplicar en la inscripción de usuarios."

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Invitación"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Invitaciones"
@@ -4940,18 +4719,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Estático: valor estático, que se muestra tal cual."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr ""
--- a/locale/fi_FI/LC_MESSAGES/django.mo
+++ b/locale/fi_FI/LC_MESSAGES/django.mo
--- a/locale/fi_FI/LC_MESSAGES/django.po
+++ b/locale/fi_FI/LC_MESSAGES/django.po
@@ -5,18 +5,18 @@
 # 
 # Translators:
 # Marc Schmitt, 2025
+# Skyler Mäntysaari, 2025
 # Jiri Grönroos <jiri.gronroos@iki.fi>, 2025
-# Uumas, 2026
-# Skyler Mäntysaari, 2026
+# Viima Veteläinen, 2026
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2026-05-06 00:27+0000\n"
+"POT-Creation-Date: 2026-02-10 19:27+0000\n"
 "PO-Revision-Date: 2025-12-01 19:09+0000\n"
-"Last-Translator: Skyler Mäntysaari, 2026\n"
+"Last-Translator: Viima Veteläinen, 2026\n"
 "Language-Team: Finnish (Finland) (https://app.transifex.com/authentik/teams/119923/fi_FI/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@@ -113,14 +113,6 @@ msgstr "Vahvistusvirhe"
 msgid "Blueprint file does not exist"
 msgstr "Suunnitelman tiedostoa ei löydetty"

-#: authentik/blueprints/api.py
-msgid "Context must be valid JSON"
-msgstr ""
-
-#: authentik/blueprints/api.py
-msgid "Context must be a JSON object"
-msgstr ""
-
 #: authentik/blueprints/api.py
 msgid "Failed to validate blueprint"
 msgstr "Suunnitelman validointi ei onnistunut"
@@ -129,11 +121,6 @@ msgstr "Suunnitelman validointi ei onnistunut"
 msgid "Either path or content must be set."
 msgstr "Joko polku tai sisältö on määritettävä."

-#: authentik/blueprints/api.py
-#, python-brace-format
-msgid "User lacks permission to create {model}"
-msgstr "Käyttäjältä puuttuu oikeus luoda {model}"
-
 #: authentik/blueprints/models.py
 msgid "Managed by authentik"
 msgstr "Authentikin hallinnoima"
@@ -261,13 +248,10 @@ msgstr ""
 "true, vain taustakanava-tarjoajat palautetaan. Kun asetus on false, "
 "takakanava-tarjoajat suljetaan pois."

-#: authentik/core/api/users.py
-msgid "Invalid password hash format. Must be a valid Django password hash."
-msgstr ""
-
-#: authentik/core/api/users.py
-msgid "Cannot set both password and password_hash. Use only one."
-msgstr ""
+#: authentik/core/api/transactional_applications.py
+#, python-brace-format
+msgid "User lacks permission to create {model}"
+msgstr "Käyttäjältä puuttuu oikeus luoda {model}"

 #: authentik/core/api/users.py
 msgid "No leading or trailing slashes allowed."
@@ -329,12 +313,6 @@ msgstr "Sähköpostivaihetta ei löydetty."
 msgid "This field is required."
 msgstr "Tämä kenttä on pakollinen."

-#: authentik/core/apps.py
-msgid ""
-"Configure if applications without any policy/group/user bindings should be "
-"accessible to any user."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "name"
 msgstr "nimi"
@@ -441,10 +419,6 @@ msgstr "Sovelluksen sisäinen nimi, jota käytetään URLeissa."
 msgid "Open launch URL in a new browser tab or window."
 msgstr "Avaa käynnistys-URL uuteen selainvälilehteen tai -ikkunaan."

-#: authentik/core/models.py
-msgid "Hide this application from the user's My applications page."
-msgstr ""
-
 #: authentik/core/models.py
 msgid "Application"
 msgstr "Sovellus"
@@ -634,14 +608,6 @@ msgstr "Poista SAML-lähteiden luomat tilapäiset käyttäjät."
 msgid "Go home"
 msgstr "Siirry etusivulle"

-#: authentik/core/templates/login/base_full.html
-msgid "Site footer"
-msgstr "Sivuston alatunniste"
-
-#: authentik/core/templates/login/base_full.html
-msgid "Flow links"
-msgstr ""
-
 #: authentik/core/templates/login/base_full.html
 #: authentik/flows/templates/if/flow-sfe.html
 msgid "Powered by authentik"
@@ -748,10 +714,6 @@ msgstr ""
 msgid "Discover, import and update certificates from the filesystem."
 msgstr "Havaitse, tuo ja päivitä sertifikaatteja levyjärjestelmästä."

-#: authentik/endpoints/api/stages.py
-msgid "Selected connector is not compatible with this stage."
-msgstr ""
-
 #: authentik/endpoints/connectors/agent/api/connectors.py
 msgid "Selected platform not supported"
 msgstr "Valittu alusta ei ole tuettu"
@@ -806,14 +768,6 @@ msgstr ""
 msgid "Apple Nonces"
 msgstr ""

-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclave"
-msgstr ""
-
-#: authentik/endpoints/connectors/agent/models.py
-msgid "Apple Independent Secure Enclaves"
-msgstr ""
-
 #: authentik/endpoints/facts.py
 msgid "Operating System name, such as 'Server 2022' or 'Ubuntu'"
 msgstr ""
@@ -884,12 +838,6 @@ msgstr "Tämän objektin luontiin/päivittämiseen tarvitaan Enterprise-versiota
 msgid "Enterprise is required to use this endpoint."
 msgstr ""

-#: authentik/enterprise/audit/apps.py
-msgid ""
-"Include additional information in audit logs, may incur a performance "
-"penalty."
-msgstr ""
-
 #: authentik/enterprise/endpoints/connectors/fleet/models.py
 #: authentik/events/models.py
 msgid ""
@@ -907,19 +855,6 @@ msgstr ""
 msgid "Fleet Connectors"
 msgstr ""

-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connector"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/models.py
-msgid "Google Device Trust Connectors"
-msgstr ""
-
-#: authentik/enterprise/endpoints/connectors/google_chrome/stage.py
-#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
-msgid "Verifying your browser..."
-msgstr "Selaintasi varmennetaan..."
-
 #: authentik/enterprise/lifecycle/api/reviews.py
 msgid "You are not allowed to submit a review for this object."
 msgstr ""
@@ -936,6 +871,10 @@ msgstr ""
 msgid "Grace period must be shorter than the interval."
 msgstr ""

+#: authentik/enterprise/lifecycle/api/rules.py
+msgid "Only one type-wide rule for each object type is allowed."
+msgstr ""
+
 #: authentik/enterprise/lifecycle/models.py
 msgid ""
 "Select which transports should be used to notify the reviewers. If none are "
@@ -963,8 +902,7 @@ msgid "Go to {self._get_model_name()}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
-msgid ""
-"Access review is due for {self.content_type.name.lower()} {object_label}"
+msgid "Access review is due for {self.content_type.name} {str(self.object)}"
 msgstr ""

 #: authentik/enterprise/lifecycle/models.py
@@ -978,7 +916,7 @@ msgid ""
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
-msgid "Dispatch tasks to apply lifecycle rules."
+msgid "Dispatch tasks to validate lifecycle rules."
 msgstr ""

 #: authentik/enterprise/lifecycle/tasks.py
@@ -1222,14 +1160,6 @@ msgstr "EAP-TLS:n käyttöön tarvitaan Enterprise-versiota."
 msgid "Enterprise is required to use the OAuth mode."
 msgstr "OAuth-tilan käyttöön tarvitaan Enterprise-versiota."

-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Push"
-msgstr ""
-
-#: authentik/enterprise/providers/ssf/models.py
-msgid "SSF RFC Pull"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@@ -1311,78 +1241,6 @@ msgstr "Lataa"
 msgid "Generate data export."
 msgstr ""

-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "User to lock. If omitted, locks the current user (self-service)."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Lockdown flow is not applicable."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Choose the target account, then return a flow link."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "No lockdown flow configured or the flow is not applicable"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/api.py
-msgid "Permission denied (when targeting another user)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Deactivate the user account (set is_active to False)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Set an unusable password for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Delete all active sessions for the user"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Revoke all tokens for the user (API, app password, recovery, verification, "
-"OAuth)"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid ""
-"Flow to redirect users to after self-service lockdown. This flow should not "
-"require authentication since the user's session is deleted."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stage"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/models.py
-msgid "Account Lockdown Stages"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "No target user specified for account lockdown"
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "You do not have permission to lock down this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Account lockdown failed for this account."
-msgstr ""
-
-#: authentik/enterprise/stages/account_lockdown/stage.py
-msgid "Self-service account lockdown requires a completion flow."
-msgstr ""
-
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
 msgstr "Päätepisteen todentaja Google Device Trust Connector -vaihe"
@@ -1399,6 +1257,10 @@ msgstr "Päätelaite"
 msgid "Endpoint Devices"
 msgstr "Päätelaitteet"

+#: authentik/enterprise/stages/authenticator_endpoint_gdtc/stage.py
+msgid "Verifying your browser..."
+msgstr "Selaintasi varmennetaan..."
+
 #: authentik/enterprise/stages/mtls/models.py
 msgid ""
 "Configure certificate authorities to validate the certificate against. This "
@@ -1482,12 +1344,6 @@ msgstr ""
 "Lähetä notifikaatio vain kerran, esimerkiksi kun lähetetään webhook-"
 "tapahtuma pikaviestinkanavalle."

-#: authentik/events/models.py
-msgid ""
-"When set, the selected ceritifcate is used to validate the certificate of "
-"the webhook server."
-msgstr ""
-
 #: authentik/events/models.py
 msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
@@ -1659,15 +1515,6 @@ msgstr "Prosessia edeltävät käytännöt"
 msgid "Flow"
 msgstr "Prosessi"

-#: authentik/flows/apps.py
-msgid "Refresh other tabs after successful authentication."
-msgstr ""
-
-#: authentik/flows/apps.py
-msgid ""
-"Upon successful authentication, re-start authentication in other open tabs."
-msgstr ""
-
 #: authentik/flows/exceptions.py
 msgid "Flow does not apply to current user."
 msgstr "Prosessi ei koske nykyistä käyttäjää."
@@ -1777,9 +1624,9 @@ msgstr "Prosessin tunniste"
 msgid "Flow Tokens"
 msgstr "Prosessin tunnisteet"

-#: authentik/flows/planner.py
-msgid "This link is invalid or has expired. Please request a new one."
-msgstr ""
+#: authentik/flows/templates/if/flow.html
+msgid "Site footer"
+msgstr "Sivuston alatunniste"

 #: authentik/flows/views/executor.py
 msgid "Invalid next URL"
@@ -2165,6 +2012,22 @@ msgstr "Mainepistemäärä"
 msgid "Reputation Scores"
 msgstr "Mainepistemäärät"

+#: authentik/policies/templates/policies/buffer.html
+msgid "Waiting for authentication..."
+msgstr "Odotetaan todennusta..."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid ""
+"You're already authenticating in another tab. This page will refresh once "
+"authentication is completed."
+msgstr ""
+"Kirjaudut jo toisella välilehdellä. Tämä sivu päivittyy kun todennus on "
+"valmis."
+
+#: authentik/policies/templates/policies/buffer.html
+msgid "Authenticate in this tab"
+msgstr "Kirjaudu tällä välilehdellä"
+
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Käyttö evätty"
@@ -2293,14 +2156,6 @@ msgstr "Tiukka URL-vertailu"
 msgid "Regular Expression URL matching"
 msgstr "Regular Expression -pohjainen URL-vertailu"

-#: authentik/providers/oauth2/models.py
-msgid "Authorization"
-msgstr "Valtuutus"
-
-#: authentik/providers/oauth2/models.py
-msgid "Logout"
-msgstr "Kirjaudu ulos"
-
 #: authentik/providers/oauth2/models.py
 msgid "Back-channel"
 msgstr "Taustakanava"
@@ -2665,6 +2520,10 @@ msgstr "Välityspalveluntarjoaja"
 msgid "Proxy Providers"
 msgstr "Välityspalveluntarjoajat"

+#: authentik/providers/proxy/tasks.py
+msgid "Terminate session on Proxy outpost."
+msgstr "Katkaise istunto välityspalvelutukikohdasta."
+
 #: authentik/providers/rac/models.py authentik/stages/user_login/models.py
 msgid ""
 "Determines how long a session lasts. Default of 0 means that the sessions "
@@ -2797,10 +2656,8 @@ msgstr ""
 "yleisörajoitusta ei lisätä."

 #: authentik/providers/saml/models.py
-msgid ""
-"Also known as EntityID. Providing a value overrides the default issuer "
-"generated by authentik."
-msgstr ""
+msgid "Also known as EntityID"
+msgstr "Tunnetaan myös nimellä EntityID"

 #: authentik/providers/saml/models.py
 msgid "SLS URL"
@@ -3023,10 +2880,6 @@ msgstr "SAML NameID:n arvo tälle istunnolle"
 msgid "SAML NameID format"
 msgstr "SAML NameID:n muoto"

-#: authentik/providers/saml/models.py
-msgid "SAML Issuer used for this session"
-msgstr ""
-
 #: authentik/providers/saml/models.py
 msgid "SAML Session"
 msgstr "SAML-istunto"
@@ -3055,14 +2908,6 @@ msgstr "Slack"
 msgid "Salesforce"
 msgstr "Salesforce"

-#: authentik/providers/scim/models.py
-msgid "Webex"
-msgstr ""
-
-#: authentik/providers/scim/models.py
-msgid "vCenter"
-msgstr ""
-
 #: authentik/providers/scim/models.py
 msgid "Group filters used to define sync-scope for groups."
 msgstr ""
@@ -3348,7 +3193,7 @@ msgstr ""
 "                    Ota yhteyttä ylläpitäjään.\n"
 "                "

-#: authentik/sources/ldap/api/sources.py
+#: authentik/sources/ldap/api.py
 msgid "Only a single LDAP Source with password synchronization is allowed"
 msgstr "Vain yksi LDAP-lähde salasanojen synkronoinnilla on sallittu"

@@ -3885,12 +3730,6 @@ msgstr ""
 "Sallii IdP-lähtöiset todentamisprosessit. Tämä voi olla tietoturvariski, "
 "koska pyynnön ID:tä ei validoida."

-#: authentik/sources/saml/models.py
-msgid ""
-"When enabled, the IdP will re-authenticate the user even if a session "
-"exists."
-msgstr ""
-
 #: authentik/sources/saml/models.py
 msgid ""
 "NameID Policy sent to the IdP. Can be unset, in which case no Policy is "
@@ -4316,10 +4155,6 @@ msgstr "Todentajan validaatiovaiheet"
 msgid "No (allowed) MFA authenticator configured."
 msgstr "Yhtään (sallittua) MFA-todentajaa ei ole määritelty."

-#: authentik/stages/authenticator_webauthn/models.py
-msgid "When enabled, a given device can only be registered once."
-msgstr ""
-
 #: authentik/stages/authenticator_webauthn/models.py
 msgid "WebAuthn Authenticator Setup Stage"
 msgstr "WebAuthn-todentajan asetusvaihe"
@@ -4458,10 +4293,6 @@ msgstr "Sähköposti-OTP"
 msgid "Event Notification"
 msgstr "Tapahtumanotifikaatio"

-#: authentik/stages/email/models.py authentik/stages/invitation/models.py
-msgid "Invitation"
-msgstr "Kutsu"
-
 #: authentik/stages/email/models.py
 msgid ""
 "The time window used to count recent account recovery attempts. If the "
@@ -4580,62 +4411,6 @@ msgstr ""
 "\n"
 "Tämä viesti on lähetetty notifikaatiokanavasta %(name)s.\n"

-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"      You're Invited!\n"
-"      "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          You have been invited to join %(host)s. Click the button below to get started.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#, python-format
-msgid ""
-"\n"
-"          This invitation expires %(expires)s.\n"
-"          "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "Accept Invitation"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.html
-msgid ""
-"\n"
-"    If you cannot click the button above, please copy and paste the following URL into your browser:\n"
-"    "
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid "You're Invited!"
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid ""
-"You have been invited to join %(host)s. Use the link below to get started."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-#, python-format
-msgid "This invitation expires %(expires)s."
-msgstr ""
-
-#: authentik/stages/email/templates/email/invitation.txt
-msgid ""
-"If you cannot click the link above, please copy and paste the following URL "
-"into your browser:"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@@ -4816,6 +4591,10 @@ msgid "Optional fixed data to enforce on user enrollment."
 msgstr ""
 "Valinnainen kiinteä data joka pakotetaan käyttäjän rekisteröitymisessä."

+#: authentik/stages/invitation/models.py
+msgid "Invitation"
+msgstr "Kutsu"
+
 #: authentik/stages/invitation/models.py
 msgid "Invitations"
 msgstr "Kutsut"
@@ -4940,18 +4719,6 @@ msgstr ""
 msgid "Static: Static value, displayed as-is."
 msgstr "Staattinen: Staattinen arvo, näytetään sellaisenaan."

-#: authentik/stages/prompt/models.py
-msgid "Alert (Info): Static alert box with info styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Warning): Static alert box with warning styling"
-msgstr ""
-
-#: authentik/stages/prompt/models.py
-msgid "Alert (Danger): Static alert box with danger styling"
-msgstr ""
-
 #: authentik/stages/prompt/models.py
 msgid "authentik: Selection of locales authentik supports"
 msgstr "authentik: Valittavat kielialueet, joita authentik tukee"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Teffen Ellis	90f27f93e1	web/e2e: fix three regressions blocking the parallel suite Locally and in CI the new `e2e (playwright)` job appeared to "hang" under `fullyParallel: true` + `workers: "50%"`. The hang was actually five tests sharing two unrelated bugs that all manifest as 30s test timeouts; the cluster only looks like a parallelism issue because multiple workers stall on the same wall-clock window. With these three fixes the full suite is green in 1m48s on `--workers=2` (was: 5 failed / 17 passed in 5m30s). 1. `web/test/browser/600-providers.test.ts` PR #21647 dropped the `to:` argument on the `session.login()` call in this file's `beforeEach`. Without it, `SessionFixture.login()` waits for the auth-flow URL pattern to re-appear — which it does immediately, since we just navigated there — so the helper returns before the post-login redirect lands. The wizard buttons probed afterward live on `/if/admin/#/core/providers`, which the user never actually reaches; every test in the file then hits the 30s `beforeEach` timeout. Pin the destination explicitly, matching the shape of every other test file. 2. `web/src/admin/roles/ak-role-list.ts` The role-list row anchor had no aria-label, so its accessible name was the (random, generated) role name. `500-roles.test.ts` searches for that anchor with `getByRole("link", { name: "view details" })` — the same selector `400-groups.test.ts` uses against the group list, where `GroupListPage.row()` does set `aria-label="View details of group ..."`. Bring the role row to parity with groups; the test wasn't wrong, the UI was missing the accessibility hook. 3. `web/test/browser/500-roles.test.ts` ("Edit role from view page") The post-edit verification used `page.getByText(updatedName)`, but on the role view page the new name renders in two places (the "Role <name>" page-navbar heading and the description-list value), so the bare text match resolves to two elements and trips strict-mode. Add `{ exact: true }` so we assert the canonical value the edit wrote rather than the heading template. Co-Authored-By: Agent (authentik-i21996-internal-achievable-raisin) <279763771+playpen-agent@users.noreply.github.com>	2026-05-01 15:42:07 +00:00
Teffen Ellis	d92bfc473f	ci/web: post Playwright result comment + gated S3 upload + !cancelled() guards Three reviewer-facing improvements to the e2e job: 1. Idempotent PR comment summarising Playwright pass/fail/flaky/skipped counts. Marker `<!-- playwright-result -->` lets re-runs edit the same comment instead of piling up. Skipped on fork PRs where the default GITHUB_TOKEN is read-only. 2. Optional S3 publish of the HTML report to `s3://authentik-playwright-artifacts/pr-<n>/run-<id>/attempt-<n>/`, gated behind `vars.PLAYWRIGHT_S3_ENABLED == 'true'`. The bucket is pending infra provisioning; the public URL pattern is already wired into the comment so flipping the variable on later requires no workflow changes. Borrows the OIDC + IAM role plumbing from `.github/workflows/release-publish.yml`. 3. Switch the failure-guarded reporting/upload steps to `!cancelled()` so a superseded (cancelled) run no longer emits failure-shaped noise, and so successful runs still produce the artifact bundle reviewers expect. Adds the Playwright JSON reporter so the parse step can pull pass/fail counts from `playwright-report/results.json` for the comment body. Co-Authored-By: Agent (authentik-i21996-internal-achievable-raisin) <279763771+playpen-agent@users.noreply.github.com>	2026-05-01 14:57:35 +00:00
Teffen Ellis	4d3ac3f63a	Flesh out types.	2026-05-01 16:05:16 +02:00
Teffen Ellis	e29d37bb8a	Always parallel.	2026-05-01 15:48:29 +02:00
Teffen Ellis	6fee629926	Update expected path.	2026-05-01 04:04:57 +02:00
Teffen Ellis	cad8395dad	Ignore playwright-traces.	2026-05-01 04:04:57 +02:00
Teffen Ellis	191ecc51bd	Reorder tests.	2026-05-01 04:04:57 +02:00
Teffen Ellis	71e9092810	Remove guard.	2026-05-01 04:04:56 +02:00
Teffen Ellis	34dbb78df0	Use parallelism.	2026-05-01 04:04:56 +02:00
Teffen Ellis	e29a3eb35a	ci/web: format test-admin-user.yaml with prettier Pick up the 4-space indent that web/'s prettier config enforces. The file was added under issue #21994 with 2-space indent and tripped the ci-web format check on push. Co-Authored-By: Agent (authentik-i21994-better-mobile-tangelo) <279763771+playpen-agent@users.noreply.github.com>	2026-05-01 04:04:56 +02:00
Teffen Ellis	fe8b3d1687	ci/web: make test-admin blueprint self-contained The previous blueprint used !Find to look up the authentik Admins group, which raced against system/bootstrap.yaml and resolved to None when the explicit apply_blueprint step ran before the worker had applied bootstrap. The serializer rejected groups: [None] with Invalid pk "None". Define the group in the same blueprint with state: present and reference it via !KeyOf, so the test admin setup does not depend on any pre-existing data. If bootstrap has already created the group, state: present is a no-op on the identifiers; otherwise the group is created here. Co-Authored-By: Agent (authentik-i21994-better-mobile-tangelo) <279763771+playpen-agent@users.noreply.github.com>	2026-05-01 04:04:56 +02:00
Teffen Ellis	0fd2a13b35	Bump package.json	2026-05-01 04:04:55 +02:00
Teffen Ellis	17d49aa99a	ci/web: run Playwright e2e suite on every PR Boots the full authentik stack (postgres + Go server + Rust worker) inside the existing ci-web workflow, applies migrations and the test-admin user blueprint, then runs `corepack npm run --prefix web test:e2e` against http://localhost:9000. Uploads the HTML report, traces/videos, and authentik logs as artifacts on failure so reviewers can debug without rerunning locally. Also enables the HTML reporter and screenshot/video capture on CI in playwright.config.js, and updates the full dev-environment docs to point at the same npm scripts CI uses so local and CI runs stay in lockstep. Closes #21994 Co-Authored-By: Agent (authentik-i21994-better-mobile-tangelo) <279763771+playpen-agent@users.noreply.github.com>	2026-05-01 04:04:55 +02:00
Teffen Ellis	b9389544be	Flesh out github actions.	2026-05-01 01:23:13 +02:00
Teffen Ellis	ed82b3f623	Lint.	2026-05-01 01:21:05 +02:00
Teffen Ellis	b281bb819d	Bump.	2026-05-01 01:21:05 +02:00
Teffen Ellis	3ca633c10a	lint.	2026-05-01 01:21:05 +02:00
Teffen Ellis	ad1582c43f	Clean up docs container.	2026-05-01 01:21:05 +02:00
Teffen Ellis	53f2826ea1	Flesh out github actions.	2026-05-01 01:21:03 +02:00
Teffen Ellis	ccf7225f03	Update makefile.	2026-05-01 01:20:18 +02:00
Teffen Ellis	85469c86d1	Prep containers.	2026-05-01 01:20:18 +02:00
Teffen Ellis	0bfce2d1f9	Bump engines.	2026-05-01 01:20:18 +02:00
Teffen Ellis	7b4e175d59	Flesh out node scripts.	2026-05-01 01:20:18 +02:00
Teffen Ellis	b47f6f8e56	Fix mounted references.	2026-05-01 01:20:17 +02:00