release: 2026.2.2

tasks: allow retry for rejected tasks only (cherry-pick #21433 to version-2026.2) (#21436 )
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
2026-05-06 07:02:51 +02:00 · 2026-04-07 14:47:38 +00:00 · 2026-04-07 14:46:46 +02:00 · 2026-04-07 13:50:40 +02:00 · 2026-04-07 13:42:58 +02:00 · 2026-04-07 13:41:41 +02:00
2945 changed files with 46815 additions and 387923 deletions
--- a/.cargo/config.toml
+++ b/.cargo/config.toml
@@ -1,5 +0,0 @@
-[alias]
-t = ["nextest", "run", "--workspace"]
-
-[build]
-rustflags = ["--cfg", "tokio_unstable"]
--- a/.cargo/deny.toml
+++ b/.cargo/deny.toml
@@ -1,47 +0,0 @@
-[licenses]
-allow = [
-  "Apache-2.0 WITH LLVM-exception",
-  "Apache-2.0",
-  "BSD-3-Clause",
-  "CC0-1.0",
-  "CDLA-Permissive-2.0",
-  "ISC",
-  "MIT",
-  "MPL-2.0",
-  "OpenSSL",
-  "Unicode-3.0",
-  "Zlib",
-]
-
-[licenses.private]
-ignore = true
-
-[bans]
-multiple-versions = "allow"
-wildcards = "deny"
-[bans.workspace-dependencies]
-duplicates = "deny"
-include-path-dependencies = true
-unused = "deny"
-
-# No non-FIPS compliant dependencies
-[[bans.deny]]
-name = "native-tls"
-[[bans.deny]]
-name = "openssl"
-[[bans.deny]]
-name = "openssl-sys"
-[[bans.deny]]
-name = "ring"
-[[bans.features]]
-allow = [
-  "alloc",
-  "aws-lc-sys",
-  "default",
-  "fips",
-  "prebuilt-nasm",
-  "ring-io",
-  "ring-sig-verify",
-]
-name = "aws-lc-rs"
-exact = true
--- a/.cargo/rustfmt.toml
+++ b/.cargo/rustfmt.toml
@@ -1,15 +0,0 @@
-comment_width = 100
-format_code_in_doc_comments = true
-format_strings = true
-group_imports = "StdExternalCrate"
-hex_literal_case = "Lower"
-imports_granularity = "Crate"
-max_width = 100
-newline_style = "Unix"
-normalize_comments = true
-normalize_doc_attributes = true
-reorder_impl_items = true
-style_edition = "2024"
-use_field_init_shorthand = true
-use_try_shorthand = true
-wrap_comments = true
--- a/.dockerignore
+++ b/.dockerignore
@@ -9,5 +9,7 @@ build_docs/**
 **/*Dockerfile
 blueprints/local
 .git
+!gen-ts-api/node_modules
+!gen-ts-api/dist/**
+!gen-go-api/
 .venv
-target
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,9 +0,0 @@
-packages/client-*/** linguist-generated
-web/packages/lex/* linguist-vendored
-web/packages/node-domexception/* linguist-vendored
-web/packages/formdata-polyfill/* linguist-vendored
-web/packages/sfe/vendored/* linguist-vendored
-website/vendored/* linguist-vendored
-website/docs/** linguist-documentation
-website/integrations/** linguist-documentation
-website/api/** linguist-documentation
--- a/.github/actions/docker-push-variables/action.yml
+++ b/.github/actions/docker-push-variables/action.yml
@@ -54,6 +54,10 @@ outputs:
 runs:
  using: "composite"
  steps:
+    - name: Setup authentik env
+      uses: ./.github/actions/setup
+      with:
+        dependencies: "python"
    - name: Generate config
      id: ev
      shell: bash
@@ -64,4 +68,4 @@ runs:
        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        REF: ${{ github.ref }}
      run: |
-        python3 ${{ github.action_path }}/push_vars.py
+        uv run python3 ${{ github.action_path }}/push_vars.py
--- a/.github/actions/docker-push-variables/push_vars.py
+++ b/.github/actions/docker-push-variables/push_vars.py
@@ -2,19 +2,10 @@

 import os
 from json import dumps
-from pathlib import Path
 from sys import exit as sysexit
 from time import time
-from typing import Any

-
-def authentik_version() -> str:
-    init = Path(__file__).parent.parent.parent.parent / "authentik" / "__init__.py"
-    with open(init) as f:
-        content = f.read()
-    locals: dict[str, Any] = {}
-    exec(content, None, locals)  # nosec
-    return str(locals["VERSION"])
+from authentik import authentik_version


 def must_or_fail(input: str | None, error: str) -> str:
@@ -98,6 +89,8 @@ if should_push:
    _cache_tag = "buildcache"
    if image_arch:
        _cache_tag += f"-{image_arch}"
+    if is_release:
+        _cache_tag += f"-{version_family}"
    cache_to = f"type=registry,ref={get_attest_image_names(image_tags)}:{_cache_tag},mode=max"


@@ -106,7 +99,6 @@ if os.getenv("RELEASE", "false").lower() == "true":
    image_build_args = [f"VERSION={os.getenv('REF')}"]
 else:
    image_build_args = [f"GIT_BUILD_HASH={sha}"]
-image_build_args_str = "\n".join(image_build_args)

 with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
    print(f"shouldPush={str(should_push).lower()}", file=_output)
@@ -119,4 +111,4 @@ with open(os.environ["GITHUB_OUTPUT"], "a+", encoding="utf-8") as _output:
    print(f"imageMainTag={image_main_tag}", file=_output)
    print(f"imageMainName={image_tags[0]}", file=_output)
    print(f"cacheTo={cache_to}", file=_output)
-    print(f"imageBuildArgs={image_build_args_str}", file=_output)
+    print(f"imageBuildArgs={"\n".join(image_build_args)}", file=_output)
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -4,7 +4,7 @@ description: "Setup authentik testing environment"
 inputs:
  dependencies:
    description: "List of dependencies to setup"
-    default: "system,python,rust,node,go,runtime"
+    default: "system,python,node,go,runtime"
  postgresql_version:
    description: "Optional postgresql image tag"
    default: "16"
@@ -17,27 +17,17 @@ inputs:
 runs:
  using: "composite"
  steps:
-    - name: Cleanup apt
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
-      shell: bash
-      run: sudo apt-get remove --purge man-db
-    - name: Install apt deps
-      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
-      uses: gerlero/apt-install@f4fa5265092af9e750549565d28c99aec7189639
-      with:
-        packages: libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
-        update: true
-        upgrade: false
-        install-recommends: false
-    - name: Make space on disk
+    - name: Install apt deps & cleanup
      if: ${{ contains(inputs.dependencies, 'system') || contains(inputs.dependencies, 'python') }}
      shell: bash
      run: |
-        sudo mkdir -p /tmp/empty/
-        sudo rsync -a --delete /tmp/empty/ /usr/local/lib/android/
+        sudo apt-get remove --purge man-db
+        sudo apt-get update
+        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext krb5-multidev libkrb5-dev heimdal-multidev libclang-dev krb5-kdc krb5-user krb5-admin-server
+        sudo rm -rf /usr/local/lib/android
    - name: Install uv
      if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v5
+      uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v5
      with:
        enable-cache: true
    - name: Setup python
@@ -50,47 +40,17 @@ runs:
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      run: uv sync --all-extras --dev --frozen
-    - name: Setup rust (stable)
-      if: ${{ contains(inputs.dependencies, 'rust') && !contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
-      with:
-        rustflags: ""
-    - name: Setup rust (nightly)
-      if: ${{ contains(inputs.dependencies, 'rust-nightly') }}
-      uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1
-      with:
-        toolchain: nightly
-        components: rustfmt
-        rustflags: ""
-    - name: Setup rust dependencies
-      if: ${{ contains(inputs.dependencies, 'rust') }}
-      uses: taiki-e/install-action@b5fddbb5361bce8a06fb168c9d403a6cc552b084 # v2
-      with:
-        tool: cargo-deny cargo-machete cargo-llvm-cov nextest
-    - name: Setup node (web)
+    - name: Setup node
      if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v4
      with:
-        node-version-file: "${{ inputs.working-directory }}web/package.json"
+        node-version-file: ${{ inputs.working-directory }}web/package.json
        cache: "npm"
-        cache-dependency-path: "${{ inputs.working-directory }}web/package-lock.json"
-        registry-url: "https://registry.npmjs.org"
-    - name: Setup node (root)
-      if: ${{ contains(inputs.dependencies, 'node') }}
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v4
-      with:
-        node-version-file: "${{ inputs.working-directory }}package.json"
-        cache: "npm"
-        cache-dependency-path: "${{ inputs.working-directory }}package-lock.json"
-        registry-url: "https://registry.npmjs.org"
-    - name: Install Node deps
-      if: ${{ contains(inputs.dependencies, 'node') }}
-      shell: bash
-      working-directory: ${{ inputs.working-directory }}
-      run: npm ci
+        cache-dependency-path: ${{ inputs.working-directory }}web/package-lock.json
+        registry-url: 'https://registry.npmjs.org'
    - name: Setup go
      if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v5
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v5
      with:
        go-version-file: "${{ inputs.working-directory }}go.mod"
    - name: Setup docker cache
@@ -104,7 +64,7 @@ runs:
      working-directory: ${{ inputs.working-directory }}
      run: |
        export PSQL_TAG=${{ inputs.postgresql_version }}
-        docker compose -f .github/actions/setup/compose.yml up -d --wait
+        docker compose -f .github/actions/setup/compose.yml up -d
        cd web && npm ci
    - name: Generate config
      if: ${{ contains(inputs.dependencies, 'python') }}
--- a/.github/actions/setup/compose.yml
+++ b/.github/actions/setup/compose.yml
@@ -2,20 +2,14 @@ services:
  postgresql:
    image: docker.io/library/postgres:${PSQL_TAG:-16}
    volumes:
-      - db-data:/var/lib/postgresql
+      - db-data:/var/lib/postgresql/data
    command: "-c log_statement=all"
    environment:
      POSTGRES_USER: authentik
      POSTGRES_PASSWORD: "EK-5jnKfjrGRm<77"
      POSTGRES_DB: authentik
-      PGDATA: /var/lib/postgresql/data/pgdata
    ports:
      - 5432:5432
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB} -h 127.0.0.1"]
-      interval: 1s
-      timeout: 5s
-      retries: 60
    restart: always
  s3:
    container_name: s3
--- a/.github/actions/test-results/action.yml
+++ b/.github/actions/test-results/action.yml
@@ -2,22 +2,18 @@ name: "Process test results"
 description: Convert test results to JUnit, add them to GitHub Actions and codecov

 inputs:
-  files:
-    description: Comma-separated explicit list of files to upload
  flags:
    description: Codecov flags

 runs:
  using: "composite"
  steps:
-    - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
      with:
-        files: ${{ inputs.files }}
        flags: ${{ inputs.flags }}
        use_oidc: true
-    - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+    - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
      with:
-        files: ${{ inputs.files }}
        flags: ${{ inputs.flags }}
        use_oidc: true
        report_type: test_results
--- a/.github/codecov.yml
+++ b/.github/codecov.yml
@@ -8,6 +8,3 @@ coverage:
        threshold: 1%
 comment:
  after_n_builds: 3
-ignore:
-  - packages/client-rust
-  - packages/client-ts
--- a/.github/codespell-dictionary.txt
+++ b/.github/codespell-dictionary.txt
@@ -0,0 +1 @@
+authentic->authentik
--- a/.github/codespell-words.txt
+++ b/.github/codespell-words.txt
@@ -0,0 +1,32 @@
+akadmin
+asgi
+assertIn
+authentik
+authn
+crate
+docstrings
+entra
+goauthentik
+gunicorn
+hass
+jwe
+jwks
+keypair
+keypairs
+kubernetes
+oidc
+ontext
+openid
+passwordless
+plex
+saml
+scim
+singed
+slo
+sso
+totp
+traefik
+# https://github.com/codespell-project/codespell/issues/1224
+upToDate
+warmup
+webauthn
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -20,8 +20,6 @@ updates:
      prefix: "ci:"
    labels:
      - dependencies
-    cooldown:
-      default-days: 3

  #endregion

@@ -37,56 +35,6 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
-      exclude:
-        - "golang.org/x/crypto"
-        - "golang.org/x/net"
-        - "github.com/golang-jwt/jwt/*"
-        - "github.com/coreos/go-oidc/*"
-        - "github.com/go-ldap/ldap/*"
-
-  #endregion
-
-  #region Rust
-
-  - package-ecosystem: cargo
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "core:"
-    labels:
-      - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
-      exclude:
-        - aws-lc-fips-sys
-        - aws-lc-rs
-        - aws-lc-sys
-        - rustls
-        - rustls-pki-types
-        - rustls-platform-verifier
-        - rustls-webpki
-
-  - package-ecosystem: rust-toolchain
-    directory: "/"
-    schedule:
-      interval: daily
-      time: "04:00"
-    open-pull-requests-limit: 10
-    commit-message:
-      prefix: "core:"
-    labels:
-      - dependencies
-    cooldown:
-      default-days: 3

  #endregion

@@ -105,10 +53,6 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "web:"
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
    groups:
      sentry:
        patterns:
@@ -172,10 +116,6 @@ updates:
    open-pull-requests-limit: 10
    commit-message:
      prefix: "core, web:"
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
    groups:
      sentry:
        patterns:
@@ -234,10 +174,6 @@ updates:
      prefix: "website:"
    labels:
      - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
    groups:
      docusaurus:
        patterns:
@@ -276,10 +212,6 @@ updates:
      prefix: "lifecycle/aws:"
    labels:
      - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3

  #endregion

@@ -295,18 +227,6 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
-    cooldown:
-      default-days: 7
-      semver-major-days: 14
-      semver-patch-days: 3
-      exclude:
-        - "django"
-        - "cryptography"
-        - "pyjwt"
-        - "xmlsec"
-        - "lxml"
-        - "psycopg"
-        - "pyopenssl"

  #endregion

@@ -314,7 +234,7 @@ updates:

  - package-ecosystem: docker
    directories:
-      - /lifecycle/container
+      - /
      - /website
    schedule:
      interval: daily
@@ -324,14 +244,10 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
-    cooldown:
-      default-days: 3
  - package-ecosystem: docker-compose
    directories:
-      - /packages/client-go
-      - /packages/client-rust
-      - /packages/client-ts
      # - /scripts # Maybe
+      - /scripts/api
      - /tests/e2e
    schedule:
      interval: daily
@@ -341,7 +257,5 @@ updates:
      prefix: "core:"
    labels:
      - dependencies
-    cooldown:
-      default-days: 3

  #endregion
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -26,7 +26,7 @@ REPLACE ME

 If an API change has been made

-   [ ] The API schema and clients have been updated (`make gen`)
+-   [ ] The API schema has been updated (`make gen-build`)

 If changes to the frontend have been made

--- a/.github/workflows/_reusable-docker-build-single.yml
+++ b/.github/workflows/_reusable-docker-build-single.yml
@@ -43,8 +43,8 @@ jobs:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
-      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -56,19 +56,31 @@ jobs:
          release: ${{ inputs.release }}
      - name: Login to Docker Hub
        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+        with:
+          node-version-file: web/package.json
+          cache: "npm"
+          cache-dependency-path: web/package-lock.json
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
+        with:
+          go-version-file: "go.mod"
+      - name: Generate API Clients
+        run: |
+          make gen-client-ts
+          make gen-client-go
      - name: Build Docker Image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
        id: push
        with:
          context: .
@@ -83,7 +95,7 @@ jobs:
          platforms: linux/${{ inputs.image_arch }}
          cache-from: type=registry,ref=${{ steps.ev.outputs.attestImageNames }}:buildcache-${{ inputs.image_arch }}
          cache-to: ${{ steps.ev.outputs.cacheTo }}
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
--- a/.github/workflows/_reusable-docker-build.yml
+++ b/.github/workflows/_reusable-docker-build.yml
@@ -79,25 +79,25 @@ jobs:
          image-name: ${{ inputs.image_name }}
      - name: Login to Docker Hub
        if: ${{ inputs.registry_dockerhub }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: ${{ inputs.registry_ghcr }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: int128/docker-manifest-create-action@fa55f72001a6c74b0f4997dca65c70d334905180 # v2
+      - uses: int128/docker-manifest-create-action@1a059c021f1d5e9f2bd39de745d5dd3a0ef6df90 # v2
        id: build
        with:
          tags: ${{ matrix.tag }}
          sources: |
            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-amd64.outputs.image-digest }}
            ${{ steps.ev.outputs.attestImageNames }}@${{ needs.build-server-arm64.outputs.image-digest }}
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@@ -0,0 +1,66 @@
+---
+name: API - Publish Typescript client
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "schema.yml"
+  workflow_dispatch:
+
+permissions:
+  # Required for NPM OIDC trusted publisher
+  id-token: write
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - id: generate_token
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
+        with:
+          app-id: ${{ secrets.GH_APP_ID }}
+          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
+        with:
+          node-version-file: web/package.json
+          registry-url: "https://registry.npmjs.org"
+      - name: Generate API Client
+        run: make gen-client-ts
+      - name: Publish package
+        working-directory: gen-ts-api/
+        run: |
+          npm i
+          npm publish --tag generated
+      - name: Upgrade /web
+        working-directory: web
+        run: |
+          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
+          npm i @goauthentik/api@$VERSION
+      - name: Upgrade /web/packages/sfe
+        working-directory: web/packages/sfe
+        run: |
+          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
+          npm i @goauthentik/api@$VERSION
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
+        id: cpr
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          branch: update-web-api-client
+          commit-message: "web: bump API Client version"
+          title: "web: bump API Client version"
+          body: "web: bump API Client version"
+          delete-branch: true
+          signoff: true
+          # ID from https://api.github.com/users/authentik-automation[bot]
+          author: authentik-automation[bot] <135050075+authentik-automation[bot]@users.noreply.github.com>
+          labels: dependencies
+      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
+        with:
+          token: ${{ steps.generate_token.outputs.token }}
+          pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
+          merge-method: squash
--- a/.github/workflows/ci-api-docs.yml
+++ b/.github/workflows/ci-api-docs.yml
@@ -33,7 +33,7 @@ jobs:

    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: website/package.json
          cache: "npm"
@@ -41,7 +41,7 @@ jobs:
      - working-directory: website/
        name: Install Dependencies
        run: npm ci
-      - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
+      - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
        with:
          path: |
            ${{ github.workspace }}/website/api/.docusaurus
@@ -55,7 +55,7 @@ jobs:
        env:
          NODE_ENV: production
        run: npm run build -w api
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v4
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v4
        with:
          name: api-docs
          path: website/api/build
@@ -67,11 +67,11 @@ jobs:
      - build
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
+      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v5
        with:
          name: api-docs
          path: website/api/build
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: website/package.json
          cache: "npm"
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@@ -24,7 +24,7 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: lifecycle/aws/package.json
          cache: "npm"
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -36,7 +36,7 @@ jobs:
      NODE_ENV: production
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: website/package.json
          cache: "npm"
@@ -53,7 +53,7 @@ jobs:
      NODE_ENV: production
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: website/package.json
          cache: "npm"
@@ -77,9 +77,9 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -89,14 +89,14 @@ jobs:
          image-name: ghcr.io/goauthentik/dev-docs
      - name: Login to Container Registry
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        id: push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: website/Dockerfile
@@ -105,7 +105,7 @@ jobs:
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache
          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && 'type=registry,ref=ghcr.io/goauthentik/dev-docs:buildcache,mode=max' || '' }}
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@@ -6,10 +6,6 @@ on:
  schedule:
    # Every night at 3am
    - cron: "0 3 * * *"
-  pull_request:
-    paths:
-      # Needs to refer to itself
-      - .github/workflows/ci-main-daily.yml

 jobs:
  test-container:
@@ -19,20 +15,14 @@ jobs:
      matrix:
        version:
          - docs
-          - version-2025-12
-          - version-2026-2
+          - version-2025-4
+          - version-2025-2
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - run: |
-          set -euo pipefail
          current="$(pwd)"
          dir="/tmp/authentik/${{ matrix.version }}"
-          # 2025.12 still serves the legacy docker-compose filename; newer sites use compose.yml.
-          compose_path="compose.yml"
-          if [ "${{ matrix.version }}" = "version-2025-12" ]; then
-            compose_path="docker-compose.yml"
-          fi
-          mkdir -p "${dir}/lifecycle/container"
-          cd "${dir}"
-          wget "https://${{ matrix.version }}.goauthentik.io/${compose_path}" -O "${dir}/lifecycle/container/compose.yml"
-          "${current}/scripts/test_docker.sh"
+          mkdir -p $dir
+          cd $dir
+          wget https://${{ matrix.version }}.goauthentik.io/compose.yml
+          ${current}/scripts/test_docker.sh
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -28,52 +28,20 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        include:
-          - job: bandit
-            deps: python
-          - job: black
-            deps: python
-          - job: spellcheck
-            deps: node
-          - job: pending-migrations
-            deps: python,runtime
-          - job: ruff
-            deps: python
-          - job: mypy
-            deps: python
-          - job: cargo-deny
-            deps: rust
-          - job: cargo-machete
-            deps: rust
-          - job: clippy
-            deps: rust
-          - job: rustfmt
-            deps: rust-nightly
+        job:
+          - bandit
+          - black
+          - codespell
+          - pending-migrations
+          - ruff
+          - mypy
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
-        with:
-          dependencies: ${{ matrix.deps }}
      - name: run job
-        run: make ci-lint-${{ matrix.job }}
-  test-gen:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-        with:
-          dependencies: "system,python,go,node,runtime,rust-nightly"
-      - name: generate schema
-        run: make migrate gen-build
-      - name: generate API clients
-        run: make gen-clients
-      - name: ensure schema is up-to-date
-        run: git diff --exit-code -- schema.yml blueprints/schema.json packages/client-go packages/client-rust packages/client-ts
+        run: uv run make ci-${{ matrix.job }}
  test-migrations:
    runs-on: ubuntu-latest
    steps:
@@ -127,10 +95,7 @@ jobs:
        with:
          postgresql_version: ${{ matrix.psql }}
      - name: run migrations to stable
-        run: |
-          docker ps
-          docker logs setup-postgresql-1
-          uv run python -m lifecycle.migrate
+        run: uv run python -m lifecycle.migrate
      - name: checkout current code
        run: |
          set -x
@@ -195,11 +160,10 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
      - name: run integration
        run: |
          uv run coverage run manage.py test tests/integration
-          uv run coverage combine
          uv run coverage xml
      - uses: ./.github/actions/test-results
        if: ${{ always() }}
@@ -215,60 +179,47 @@ jobs:
        job:
          - name: proxy
            glob: tests/e2e/test_provider_proxy*
-            profiles: selenium
          - name: oauth
            glob: tests/e2e/test_provider_oauth2* tests/e2e/test_source_oauth*
-            profiles: selenium
          - name: oauth-oidc
            glob: tests/e2e/test_provider_oidc*
-            profiles: selenium
          - name: saml
            glob: tests/e2e/test_provider_saml* tests/e2e/test_source_saml*
-            profiles: selenium
          - name: ldap
            glob: tests/e2e/test_provider_ldap* tests/e2e/test_source_ldap*
-          - name: rac
-            glob: tests/e2e/test_provider_rac*
-            profiles: selenium
          - name: ws-fed
            glob: tests/e2e/test_provider_ws_fed*
-            profiles: selenium
          - name: radius
            glob: tests/e2e/test_provider_radius*
          - name: scim
            glob: tests/e2e/test_source_scim*
          - name: flows
            glob: tests/e2e/test_flows*
-            profiles: selenium
          - name: endpoints
            glob: tests/e2e/test_endpoints_*
-            profiles: selenium
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
-      - name: Setup e2e env
-        env:
-          COMPOSE_PROFILES: ${{ matrix.job.profiles }}
+      - name: Setup e2e env (chrome, etc)
        run: |
          docker compose -f tests/e2e/compose.yml up -d --quiet-pull
      - id: cache-web
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
-        if: contains(matrix.job.profiles, 'selenium')
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
        with:
          path: web/dist
          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
      - name: prepare web ui
-        if: steps.cache-web.outputs.cache-hit != 'true' && contains(matrix.job.profiles, 'selenium')
+        if: steps.cache-web.outputs.cache-hit != 'true'
        working-directory: web
        run: |
          npm ci
+          make -C .. gen-client-ts
          npm run build
          npm run build:sfe
      - name: run e2e
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
-          uv run coverage combine
          uv run coverage xml
      - uses: ./.github/actions/test-results
        if: ${{ always() }}
@@ -282,32 +233,22 @@ jobs:
      fail-fast: false
      matrix:
        job:
-          - name: oidc_basic
-            glob: tests/openid_conformance/test_oidc_basic.py
-          - name: oidc_implicit
-            glob: tests/openid_conformance/test_oidc_implicit.py
-          - name: oidc_rp-initiated
-            glob: tests/openid_conformance/test_oidc_rp_initiated.py
-          - name: oidc_frontchannel
-            glob: tests/openid_conformance/test_oidc_frontchannel.py
-          - name: oidc_backchannel
-            glob: tests/openid_conformance/test_oidc_backchannel.py
-          - name: ssf_transmitter
-            glob: tests/openid_conformance/test_ssf_transmitter.py
+          - name: basic
+            glob: tests/openid_conformance/test_basic.py
+          - name: implicit
+            glob: tests/openid_conformance/test_implicit.py
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
-        env:
-          COMPOSE_PROFILES: selenium
        run: |
          docker compose -f tests/e2e/compose.yml up -d --quiet-pull
      - name: Setup conformance suite
        run: |
          docker compose -f tests/openid_conformance/compose.yml up -d --quiet-pull
      - id: cache-web
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v4
        with:
          path: web/dist
          key: ${{ runner.os }}-web-${{ hashFiles('web/package-lock.json', 'web/src/**', 'web/packages/sfe/src/**') }}-b
@@ -316,50 +257,26 @@ jobs:
        working-directory: web
        run: |
          npm ci
+          make -C .. gen-client-ts
          npm run build
          npm run build:sfe
      - name: run conformance
        run: |
          uv run coverage run manage.py test ${{ matrix.job.glob }}
-          uv run coverage combine
          uv run coverage xml
      - uses: ./.github/actions/test-results
        if: ${{ always() }}
        with:
          flags: conformance
      - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
        with:
          name: conformance-certification-${{ matrix.job.name }}
          path: tests/openid_conformance/exports/
-  test-rust:
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - name: Setup authentik env
-        uses: ./.github/actions/setup
-        with:
-          dependencies: rust,runtime
-      - name: run tests
-        run: |
-          cargo llvm-cov --no-report nextest --workspace
-          cargo llvm-cov report --codecov --output-path target/llvm-cov-target/rust.json
-      - uses: ./.github/actions/test-results
-        if: ${{ always() }}
-        with:
-          files: target/llvm-cov-target/rust.json
-          flags: rust
-      - if: ${{ !cancelled() }}
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: test-rust
-          path: target/llvm-cov-target/rust.json
  ci-core-mark:
    if: always()
    needs:
      - lint
-      - test-gen
      - test-migrations
      - test-migrations-from-stable
      - test-unittest
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version-file: "go.mod"
      - name: Prepare and generate API
@@ -31,6 +31,8 @@ jobs:
          mkdir -p web/dist
          mkdir -p website/help
          touch web/dist/test website/help/test
+      - name: Generate API
+        run: make gen-client-go
      - name: golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v8
        with:
@@ -41,11 +43,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version-file: "go.mod"
      - name: Setup authentik env
        uses: ./.github/actions/setup
+      - name: Generate API
+        run: make gen-client-go
      - name: prepare database
        run: |
          uv run make migrate
@@ -86,9 +90,9 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -98,14 +102,16 @@ jobs:
          image-name: ghcr.io/goauthentik/dev-${{ matrix.type }}
      - name: Login to Container Registry
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate API
+        run: make gen-client-go
      - name: Build Docker Image
        id: push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: lifecycle/container/${{ matrix.type }}.Dockerfile
@@ -116,7 +122,7 @@ jobs:
          context: .
          cache-from: type=registry,ref=ghcr.io/goauthentik/dev-${{ matrix.type }}:buildcache
          cache-to: ${{ steps.ev.outputs.shouldPush == 'true' && format('type=registry,ref=ghcr.io/goauthentik/dev-{0}:buildcache,mode=max', matrix.type) || '' }}
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
        id: attest
        if: ${{ steps.ev.outputs.shouldPush == 'true' }}
        with:
@@ -142,14 +148,16 @@ jobs:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
+      - name: Generate API
+        run: make gen-client-go
      - name: Build web
        working-directory: web/
        run: |
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@@ -32,7 +32,7 @@ jobs:
            project: web
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: ${{ matrix.project }}/package.json
          cache: "npm"
@@ -40,6 +40,8 @@ jobs:
      - working-directory: ${{ matrix.project }}/
        run: |
          npm ci
+      - name: Generate API
+        run: make gen-client-ts
      - name: Lint
        working-directory: ${{ matrix.project }}/
        run: npm run ${{ matrix.command }}
@@ -47,13 +49,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
      - name: build
        working-directory: web/
        run: npm run build
@@ -73,13 +77,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - working-directory: web/
        run: npm ci
+      - name: Generate API
+        run: make gen-client-ts
      - name: test
        working-directory: web/
        run: npm run test || exit 0
--- a/.github/workflows/gen-image-compress.yml
+++ b/.github/workflows/gen-image-compress.yml
@@ -29,7 +29,7 @@ jobs:
       github.event.pull_request.head.repo.full_name == github.repository)
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -38,11 +38,11 @@ jobs:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Compress images
        id: compress
-        uses: calibreapp/image-actions@e2cc8db5d49c849e00844dfebf01438318e96fa2 # main
+        uses: calibreapp/image-actions@d9c8ee5c3dc52ae4622c82ead88d658f4b16b65f # main
        with:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
          compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
        id: cpr
        with:
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -26,7 +26,7 @@ jobs:
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - run: uv run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+      - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        id: cpr
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/gh-cherry-pick.yml
+++ b/.github/workflows/gh-cherry-pick.yml
@@ -10,7 +10,7 @@ jobs:
    steps:
      - id: app-token
        name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        if: ${{ env.GH_APP_ID != '' }}
        with:
          app-id: ${{ secrets.GH_APP_ID }}
--- a/.github/workflows/gh-ghcr-retention.yml
+++ b/.github/workflows/gh-ghcr-retention.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@@ -29,19 +29,18 @@ jobs:
          - packages/eslint-config
          - packages/prettier-config
          - packages/docusaurus-config
-          - packages/logger-js
          - packages/esbuild-plugin-live-reload
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
        with:
          fetch-depth: 2
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: ${{ matrix.package }}/package.json
          registry-url: "https://registry.npmjs.org"
      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
+        uses: tj-actions/changed-files@8cba46e29c11878d930bca7870bb54394d3e8b21 # 24d32ffd492484c1d75e0c0b894501ddb9d30d62
        with:
          files: |
            ${{ matrix.package }}/package.json
--- a/.github/workflows/release-branch-off.yml
+++ b/.github/workflows/release-branch-off.yml
@@ -29,7 +29,7 @@ jobs:
    steps:
      - id: app-token
        name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -57,7 +57,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -73,7 +73,7 @@ jobs:
      - name: Bump version
        run: "make bump version=${{ inputs.next_version }}.0-rc1"
      - name: Create pull request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
          branch: release-bump-${{ inputs.next_version }}
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -33,9 +33,9 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -44,21 +44,21 @@ jobs:
        with:
          image-name: ghcr.io/goauthentik/docs
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
        id: push
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
        with:
          tags: ${{ steps.ev.outputs.imageTags }}
          file: website/Dockerfile
          push: true
          platforms: linux/amd64,linux/arm64
          context: .
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
        id: attest
        if: true
        with:
@@ -84,18 +84,18 @@ jobs:
          - rac
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: web/package.json
          cache: "npm"
          cache-dependency-path: web/package-lock.json
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -103,19 +103,23 @@ jobs:
          DOCKER_USERNAME: ${{ secrets.DOCKER_CORP_USERNAME }}
        with:
          image-name: ghcr.io/goauthentik/${{ matrix.type }},authentik/${{ matrix.type }}
+      - name: Generate API Clients
+        run: |
+          make gen-client-ts
+          make gen-client-go
      - name: Docker Login Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          username: ${{ secrets.DOCKER_CORP_USERNAME }}
          password: ${{ secrets.DOCKER_CORP_PASSWORD }}
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build Docker Image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
        id: push
        with:
          push: true
@@ -125,7 +129,7 @@ jobs:
          file: lifecycle/container/${{ matrix.type }}.Dockerfile
          platforms: linux/amd64,linux/arm64
          context: .
-      - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v3
+      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3
        id: attest
        with:
          subject-name: ${{ steps.ev.outputs.attestImageNames }}
@@ -148,10 +152,10 @@ jobs:
        goarch: [amd64, arm64]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
+      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6
        with:
          go-version-file: "go.mod"
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v5
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v5
        with:
          node-version-file: web/package.json
          cache: "npm"
@@ -160,6 +164,10 @@ jobs:
        working-directory: web/
        run: |
          npm ci
+      - name: Generate API Clients
+        run: |
+          make gen-client-ts
+          make gen-client-go
      - name: Build web
        working-directory: web/
        run: |
@@ -172,7 +180,7 @@ jobs:
          export CGO_ENABLED=0
          go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
      - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2
+        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
@@ -191,7 +199,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v5
-      - uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
+      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
        with:
          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
          aws-region: ${{ env.AWS_REGION }}
@@ -236,7 +244,7 @@ jobs:
          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
-        uses: getsentry/action-release@5657c9e888b4e2cc85f4d29143ea4131fde4a73a # v3
+        uses: getsentry/action-release@dab6548b3c03c4717878099e43782cf5be654289 # v3
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -67,7 +67,7 @@ jobs:
    steps:
      - id: app-token
        name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -96,7 +96,7 @@ jobs:
          git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
          git push --follow-tags
      - name: Create Release
-        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          token: "${{ steps.app-token.outputs.token }}"
          tag_name: "version/${{ inputs.version }}"
@@ -115,7 +115,7 @@ jobs:
    steps:
      - id: app-token
        name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -137,7 +137,7 @@ jobs:
          sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
          ./scripts/helm-docs.sh
      - name: Create pull request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          token: "${{ steps.app-token.outputs.token }}"
          branch: bump-${{ inputs.version }}
@@ -157,7 +157,7 @@ jobs:
    steps:
      - id: app-token
        name: Generate app token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -196,7 +196,7 @@ jobs:
            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url | .stable.reason = $reason' version.json > version.new.json
          mv version.new.json version.json
      - name: Create pull request
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          token: "${{ steps.app-token.outputs.token }}"
          branch: bump-${{ inputs.version }}
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@@ -15,11 +15,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
-      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10
+      - uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10
        with:
          repo-token: ${{ steps.generate_token.outputs.token }}
          days-before-stale: 60
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@@ -21,7 +21,7 @@ jobs:
    steps:
      - id: generate_token
        if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIV_KEY }}
@@ -33,6 +33,8 @@ jobs:
        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
+      - name: Generate API
+        run: make gen-client-ts
      - name: run extract
        run: |
          uv run make i18n-extract
@@ -42,7 +44,7 @@ jobs:
          make web-check-compile
      - name: Create Pull Request
        if: ${{ github.event_name != 'pull_request' }}
-        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v7
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
          branch: extract-compile-backend-translation
--- a/.gitignore
+++ b/.gitignore
@@ -15,9 +15,6 @@ media

 node_modules

-.cspellcache
-cspell-report.*
-
 # If your build process includes running collectstatic, then you probably don't need or want to include staticfiles/
 # in your Git repository. Update and uncomment the following line accordingly.
 # <django-project-name>/staticfiles/
@@ -195,24 +192,6 @@ pyvenv.cfg
 pip-selfcheck.json

 # End of https://www.gitignore.io/api/python,django
-
-# Created by https://www.toptal.com/developers/gitignore/api/rust
-# Edit at https://www.toptal.com/developers/gitignore?templates=rust
-
-### Rust ###
-# Generated by Cargo
-# will have compiled files and executables
-debug/
-target/
-
-# These are backup files generated by rustfmt
-**/*.rs.bk
-
-# MSVC Windows builds of rustc generate these, which store debugging information
-*.pdb
-
-# End of https://www.toptal.com/developers/gitignore/api/rust
-
 /static/
 local.env.yml

@@ -220,6 +199,7 @@ media/
 *mmdb

 .idea/
+/gen-*/
 data/

 # Local Netlify folder
@@ -229,11 +209,6 @@ source_docs/

 ### Golang ###
 /vendor/
-server
-proxy
-ldap
-rac
-radius

 ### Docker ###
 tests/openid_conformance/exports/*.zip
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,7 +1,6 @@
 # Prettier Ignorefile

 ## Static Files
-CODEOWNERS
 **/LICENSE

 authentik/stages/**/*
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -17,6 +17,6 @@
        "ms-python.vscode-pylance",
        "redhat.vscode-yaml",
        "Tobermory.es6-string-html",
-        "unifiedjs.vscode-mdx"
+        "unifiedjs.vscode-mdx",
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -14,10 +14,6 @@
    "[xml]": {
        "editor.minimap.markSectionHeaderRegex": "<!--\\s*#\\bregion\\s*(?<separator>-?)\\s*(?<label>.*)\\s*-->"
    },
-    "files.associations": {
-        // The built-in "ignore" language gives us enough syntax highlighting to make these files readable.
-        "**/dictionaries/*.txt": "ignore"
-    },
    "todo-tree.tree.showCountsInTree": true,
    "todo-tree.tree.showBadges": true,
    "yaml.customTags": [
@@ -38,10 +34,10 @@
        "!AtIndex scalar",
        "!ParseJSON scalar"
    ],
-    "js/ts.preferences.importModuleSpecifier": "non-relative",
-    "js/ts.preferences.importModuleSpecifierEnding": "index",
-    "js/ts.tsdk.path": "./node_modules/typescript/lib",
-    "js/ts.tsdk.promptToUseWorkspaceVersion": true,
+    "typescript.preferences.importModuleSpecifier": "non-relative",
+    "typescript.preferences.importModuleSpecifierEnding": "index",
+    "typescript.tsdk": "./node_modules/typescript/lib",
+    "typescript.enablePromptUseWorkspaceTsdk": true,
    "yaml.schemas": {
        "./blueprints/schema.json": "blueprints/**/*.yaml"
    },
@@ -53,17 +49,13 @@
            "ignoreCase": false
        }
    ],
-    "go.testFlags": ["-count=1"],
+    "go.testFlags": [
+        "-count=1"
+    ],
    "go.testEnvVars": {
        "WORKSPACE_DIR": "${workspaceFolder}"
    },
-    "github-actions.workflows.pinned.workflows": [".github/workflows/ci-main.yml"],
-    "search.exclude": {
-        "**/*.code-search": true,
-        "**/bower_components": true,
-        "**/node_modules": true,
-        "**/playwright-report/**": true,
-        "**/website/**/build": true,
-        "**/client-*": true
-    }
+    "github-actions.workflows.pinned.workflows": [
+        ".github/workflows/ci-main.yml"
+    ]
 }
--- a/11
+++ b/11
@@ -3,7 +3,6 @@
 # Backend
 authentik/                              @goauthentik/backend
 blueprints/                             @goauthentik/backend
-src/                                    @goauthentik/backend
 cmd/                                    @goauthentik/backend
 internal/                               @goauthentik/backend
 lifecycle/                              @goauthentik/backend
@@ -12,13 +11,8 @@ scripts/                                @goauthentik/backend
 tests/                                  @goauthentik/backend
 pyproject.toml                          @goauthentik/backend
 uv.lock                                 @goauthentik/backend
-Cargo.toml                              @goauthentik/backend
-Cargo.lock                              @goauthentik/backend
-build.rs                                @goauthentik/backend
 go.mod                                  @goauthentik/backend
 go.sum                                  @goauthentik/backend
-.cargo/                                 @goauthentik/backend
-rust-toolchain.toml                     @goauthentik/backend
 # Infrastructure
 .github/                                @goauthentik/infrastructure
 lifecycle/aws/                          @goauthentik/infrastructure
@@ -28,23 +22,18 @@ Makefile                                @goauthentik/infrastructure
 .editorconfig                           @goauthentik/infrastructure
 CODEOWNERS                              @goauthentik/infrastructure
 # Backend packages
-packages/ak-*                           @goauthentik/backend
-packages/client-rust                    @goauthentik/backend
 packages/django-channels-postgres       @goauthentik/backend
 packages/django-postgres-cache          @goauthentik/backend
 packages/django-dramatiq-postgres       @goauthentik/backend
 # Web packages
-tsconfig.json                           @goauthentik/frontend
 package.json                            @goauthentik/frontend
 package-lock.json                       @goauthentik/frontend
 packages/package.json                   @goauthentik/frontend
 packages/package-lock.json              @goauthentik/frontend
-packages/client-ts                      @goauthentik/frontend
 packages/docusaurus-config              @goauthentik/frontend
 packages/esbuild-plugin-live-reload     @goauthentik/frontend
 packages/eslint-config                  @goauthentik/frontend
 packages/prettier-config                @goauthentik/frontend
-packages/logger-js                      @goauthentik/frontend
 packages/tsconfig                       @goauthentik/frontend
 # Web
 web/                                    @goauthentik/frontend
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,305 +0,0 @@
-[workspace]
-members = [
-  "packages/ak-axum",
-  "packages/ak-common",
-  "packages/client-rust",
-  "website/scripts/docsmg",
-]
-resolver = "3"
-
-[workspace.package]
-version = "2026.5.0-rc1"
-authors = ["authentik Team <hello@goauthentik.io>"]
-description = "Making authentication simple."
-edition = "2024"
-readme = "README.md"
-homepage = "https://goauthentik.io"
-repository = "https://github.com/goauthentik/authentik.git"
-license-file = "LICENSE"
-publish = false
-
-[workspace.dependencies]
-arc-swap = "= 1.9.1"
-argh = "= 0.1.19"
-axum-server = { version = "= 0.8.0", features = ["tls-rustls-no-provider"] }
-aws-lc-rs = { version = "= 1.16.3", features = ["fips"] }
-axum = { version = "= 0.8.9", features = ["http2", "macros", "ws"] }
-clap = { version = "= 4.6.1", features = ["derive", "env"] }
-client-ip = { version = "0.2.1", features = ["forwarded-header"] }
-color-eyre = "= 0.6.5"
-colored = "= 3.1.1"
-config-rs = { package = "config", version = "= 0.15.22", default-features = false, features = [
-  "json",
-  "yaml",
-] }
-console-subscriber = "= 0.5.0"
-dotenvy = "= 0.15.7"
-durstr = "= 0.5.1"
-eyre = "= 0.6.12"
-forwarded-header-value = "= 0.1.1"
-futures = "= 0.3.32"
-glob = "= 0.3.3"
-hyper-unix-socket = "= 0.6.1"
-hyper-util = "= 0.1.20"
-ipnet = { version = "= 2.12.0", features = ["serde"] }
-json-subscriber = "= 0.2.8"
-metrics = "= 0.24.5"
-metrics-exporter-prometheus = { version = "= 0.18.3", default-features = false }
-nix = { version = "= 0.31.2", features = ["hostname", "signal"] }
-notify = "= 8.2.0"
-pin-project-lite = "= 0.2.17"
-pyo3 = "= 0.28.3"
-pyo3-build-config = "= 0.28.3"
-rand = "= 0.10.1"
-regex = "= 1.12.3"
-reqwest = { version = "= 0.13.3", features = [
-  "form",
-  "json",
-  "multipart",
-  "query",
-  "rustls",
-  "stream",
-] }
-reqwest-middleware = { version = "= 0.5.1", features = [
-  "form",
-  "json",
-  "multipart",
-  "query",
-  "rustls",
-] }
-rustls = { version = "= 0.23.40", features = ["fips"] }
-sentry = { version = "= 0.47.0", default-features = false, features = [
-  "backtrace",
-  "contexts",
-  "debug-images",
-  "panic",
-  "rustls",
-  "reqwest",
-  "tower",
-  "tracing",
-] }
-serde = { version = "= 1.0.228", features = ["derive"] }
-serde_json = "= 1.0.149"
-serde_repr = "= 0.1.20"
-serde_with = { version = "= 3.18.0", default-features = false, features = [
-  "base64",
-] }
-sqlx = { version = "= 0.8.6", default-features = false, features = [
-  "runtime-tokio",
-  "tls-rustls-aws-lc-rs",
-  "postgres",
-  "derive",
-  "macros",
-  "uuid",
-  "chrono",
-  "ipnet",
-  "json",
-] }
-tempfile = "= 3.27.0"
-thiserror = "= 2.0.18"
-time = { version = "= 0.3.47", features = ["macros"] }
-tokio = { version = "= 1.52.1", features = ["full", "tracing"] }
-tokio-retry2 = "= 0.9.1"
-tokio-rustls = "= 0.26.4"
-tokio-tungstenite = { version = "= 0.29.0", features = [
-  "rustls-tls-webpki-roots",
-  "url",
-] }
-tokio-util = { version = "= 0.7.18", features = ["full"] }
-tower = "= 0.5.3"
-tower-http = { version = "= 0.6.8", features = ["timeout"] }
-tracing = "= 0.1.44"
-tracing-error = "= 0.2.1"
-tracing-subscriber = { version = "= 0.3.23", features = [
-  "env-filter",
-  "json",
-  "local-time",
-  "tracing-log",
-] }
-url = "= 2.5.8"
-uuid = { version = "= 1.23.1", features = ["serde", "v4"] }
-which = "= 8.0.2"
-
-ak-axum = { package = "authentik-axum", version = "2026.5.0-rc1", path = "./packages/ak-axum" }
-ak-client = { package = "authentik-client", version = "2026.5.0-rc1", path = "./packages/client-rust" }
-ak-common = { package = "authentik-common", version = "2026.5.0-rc1", path = "./packages/ak-common", default-features = false }
-
-[workspace.lints.rust]
-ambiguous_negative_literals = "warn"
-closure_returning_async_block = "warn"
-macro_use_extern_crate = "deny"
-# must_not_suspend = "deny", unstable see https://github.com/rust-lang/rust/issues/83310
-non_ascii_idents = "deny"
-redundant_imports = "warn"
-semicolon_in_expressions_from_macros = "warn"
-trivial_casts = "warn"
-trivial_numeric_casts = "warn"
-unit_bindings = "warn"
-unreachable_pub = "warn"
-unsafe_code = "deny"
-unused_extern_crates = "warn"
-unused_import_braces = "warn"
-unused_lifetimes = "warn"
-unused_macro_rules = "warn"
-unused_qualifications = "warn"
-
-[workspace.lints.rustdoc]
-unescaped_backticks = "warn"
-
-[workspace.lints.clippy]
-### enable all lints
-cargo = { priority = -1, level = "warn" }
-complexity = { priority = -1, level = "warn" }
-correctness = { priority = -1, level = "warn" }
-nursery = { priority = -1, level = "warn" }
-pedantic = { priority = -1, level = "warn" }
-perf = { priority = -1, level = "warn" }
-# Those are too restrictive and disabled by default, however we enable some below
-# restriction = { priority = -1, level = "warn" }
-style = { priority = -1, level = "warn" }
-suspicious = { priority = -1, level = "warn" }
-### and disable the ones we don't want
-### cargo group
-multiple_crate_versions = "allow"
-### pedantic group
-missing_errors_doc = "allow"
-missing_panics_doc = "allow"
-must_use_candidate = "allow"
-redundant_closure_for_method_calls = "allow"
-struct_field_names = "allow"
-too_many_lines = "allow"
-### nursery
-missing_const_for_fn = "allow"
-option_if_let_else = "allow"
-redundant_pub_crate = "allow"
-significant_drop_tightening = "allow"
-### restriction group
-allow_attributes = "warn"
-allow_attributes_without_reason = "warn"
-as_conversions = "warn"
-as_pointer_underscore = "warn"
-as_underscore = "warn"
-assertions_on_result_states = "warn"
-clone_on_ref_ptr = "warn"
-create_dir = "warn"
-dbg_macro = "warn"
-default_numeric_fallback = "warn"
-disallowed_script_idents = "warn"
-empty_drop = "warn"
-empty_enum_variants_with_brackets = "warn"
-empty_structs_with_brackets = "warn"
-error_impl_error = "warn"
-exit = "warn"
-filetype_is_file = "warn"
-float_cmp_const = "warn"
-fn_to_numeric_cast_any = "warn"
-get_unwrap = "warn"
-if_then_some_else_none = "warn"
-impl_trait_in_params = "warn"
-infinite_loop = "warn"
-lossy_float_literal = "warn"
-map_with_unused_argument_over_ranges = "warn"
-mem_forget = "warn"
-missing_asserts_for_indexing = "warn"
-missing_trait_methods = "warn"
-mixed_read_write_in_expression = "warn"
-mutex_atomic = "warn"
-mutex_integer = "warn"
-needless_raw_strings = "warn"
-non_zero_suggestions = "warn"
-panic_in_result_fn = "warn"
-pathbuf_init_then_push = "warn"
-print_stdout = "warn"
-rc_buffer = "warn"
-redundant_test_prefix = "warn"
-redundant_type_annotations = "warn"
-ref_patterns = "warn"
-renamed_function_params = "warn"
-rest_pat_in_fully_bound_structs = "warn"
-return_and_then = "warn"
-same_name_method = "warn"
-semicolon_inside_block = "warn"
-str_to_string = "warn"
-string_add = "warn"
-suspicious_xor_used_as_pow = "warn"
-tests_outside_test_module = "warn"
-todo = "warn"
-try_err = "warn"
-undocumented_unsafe_blocks = "warn"
-unimplemented = "warn"
-unnecessary_safety_comment = "warn"
-unnecessary_safety_doc = "warn"
-unnecessary_self_imports = "warn"
-unneeded_field_pattern = "warn"
-unseparated_literal_suffix = "warn"
-unused_result_ok = "warn"
-unused_trait_names = "warn"
-unwrap_in_result = "warn"
-unwrap_used = "warn"
-verbose_file_reads = "warn"
-
-[profile.dev.package.backtrace]
-opt-level = 3
-
-[profile.dev]
-panic = "abort"
-
-[profile.release]
-debug = 2
-lto = "fat"
-# Because of the async runtime, we want to die straightaway if we panic.
-panic = "abort"
-strip = true
-
-[package]
-name = "authentik"
-version.workspace = true
-authors.workspace = true
-edition.workspace = true
-readme.workspace = true
-homepage.workspace = true
-repository.workspace = true
-license-file.workspace = true
-publish.workspace = true
-
-[features]
-default = ["core", "proxy"]
-core = ["ak-common/core", "dep:pyo3", "dep:sqlx"]
-proxy = ["ak-common/proxy", "dep:ak-client"]
-
-[build-dependencies]
-pyo3-build-config.workspace = true
-
-[dependencies]
-ak-axum.workspace = true
-ak-client = { workspace = true, optional = true }
-ak-common.workspace = true
-arc-swap.workspace = true
-argh.workspace = true
-axum.workspace = true
-color-eyre.workspace = true
-eyre.workspace = true
-futures.workspace = true
-hyper-unix-socket.workspace = true
-hyper-util.workspace = true
-metrics-exporter-prometheus.workspace = true
-metrics.workspace = true
-nix.workspace = true
-pyo3 = { workspace = true, optional = true }
-rand.workspace = true
-serde.workspace = true
-serde_json.workspace = true
-serde_repr.workspace = true
-sqlx = { workspace = true, optional = true }
-time.workspace = true
-tokio-retry2.workspace = true
-tokio-tungstenite.workspace = true
-tokio.workspace = true
-tower.workspace = true
-tracing.workspace = true
-url.workspace = true
-uuid.workspace = true
-which.workspace = true
-
-[lints]
-workspace = true
--- a/152
+++ b/152
@@ -15,11 +15,14 @@ else
 	SED_INPLACE = sed -i
 endif

+GEN_API_TS = gen-ts-api
+GEN_API_PY = gen-py-api
+GEN_API_GO = gen-go-api
+
 BREW_LDFLAGS :=
 BREW_CPPFLAGS :=
 BREW_PKG_CONFIG_PATH :=

-CARGO := cargo
 UV := uv

 # For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
@@ -66,29 +69,22 @@ help:  ## Show this help
 		sort
 	@echo ""

-go-test:  ## Run the golang tests
+go-test:
 	go test -timeout 0 -v -race -cover ./...

-rust-test:  ## Run the Rust tests
-	$(CARGO) nextest run --workspace
-
 test: ## Run the server tests and produce a coverage report (locally)
 	$(UV) run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
-	$(UV) run coverage combine
 	$(UV) run coverage html
 	$(UV) run coverage report

-lint-fix-rust:
-	$(CARGO) +nightly fmt --all -- --config-path "${PWD}/.cargo/rustfmt.toml"
-
-lint-fix: lint-fix-rust  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
+lint-fix: lint-codespell  ## Lint and automatically fix errors in the python source code. Reports spelling errors.
 	$(UV) run black $(PY_SOURCES)
 	$(UV) run ruff check --fix $(PY_SOURCES)

-lint-spellcheck:  ## Reports spelling errors.
-	npm run lint:spellcheck
+lint-codespell:  ## Reports spelling errors.
+	$(UV) run codespell -w

-lint: ci-lint-bandit ci-lint-mypy ci-lint-cargo-deny ci-lint-cargo-machete  ## Lint the python and golang sources
+lint: ci-bandit ci-mypy ## Lint the python and golang sources
 	golangci-lint run -v

 core-install:
@@ -109,11 +105,11 @@ i18n-extract: core-i18n-extract web-i18n-extract  ## Extract strings that requir
 aws-cfn:
 	cd lifecycle/aws && npm i && $(UV) run npm run aws-cfn

-run:  ## Run the main authentik server and worker processes
-	$(UV) run ak allinone
+run-server:  ## Run the main authentik server process
+	$(UV) run ak server

-run-watch:  ## Run the authentik server and worker, with auto reloading
-	watchexec --on-busy-update=restart --stop-signal=SIGINT --exts py,rs,go --no-meta --notify -- $(UV) run ak allinone
+run-worker:  ## Run the main authentik worker process
+	$(UV) run ak worker

 core-i18n-extract:
 	$(UV) run ak makemessages \
@@ -121,7 +117,8 @@ core-i18n-extract:
 		--no-obsolete \
 		--ignore web \
 		--ignore internal \
-		--ignore packages/client-ts \
+		--ignore ${GEN_API_TS} \
+		--ignore ${GEN_API_GO} \
 		--ignore website \
 		-l en

@@ -144,14 +141,8 @@ dev-create-db:
 dev-reset: dev-drop-db dev-create-db migrate  ## Drop and restore the Authentik PostgreSQL instance to a "fresh install" state.

 update-test-mmdb:  ## Update test GeoIP and ASN Databases
-	curl \
-		-L \
-		-o ${PWD}/tests/geoip/GeoLite2-ASN-Test.mmdb \
-		https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb
-	curl \
-		-L \
-		-o ${PWD}/tests/geoip/GeoLite2-City-Test.mmdb \
-		https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb
+	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-ASN-Test.mmdb -o ${PWD}/tests/GeoLite2-ASN-Test.mmdb
+	curl -L https://raw.githubusercontent.com/maxmind/MaxMind-DB/refs/heads/main/test-data/GeoLite2-City-Test.mmdb -o ${PWD}/tests/GeoLite2-City-Test.mmdb

 bump:  ## Bump authentik version. Usage: make bump version=20xx.xx.xx
 ifndef version
@@ -160,7 +151,6 @@ endif
 	$(eval current_version := $(shell cat ${PWD}/internal/constants/VERSION))
 	$(SED_INPLACE) 's/^version = ".*"/version = "$(version)"/' ${PWD}/pyproject.toml
 	$(SED_INPLACE) 's/^VERSION = ".*"/VERSION = "$(version)"/' ${PWD}/authentik/__init__.py
-	$(SED_INPLACE) "s/version = \"${current_version}\"/version = \"$(version)\"" ${PWD}/Cargo.toml ${PWD}/Cargo.lock
 	$(MAKE) gen-build gen-compose aws-cfn
 	$(SED_INPLACE) "s/\"${current_version}\"/\"$(version)\"/" ${PWD}/package.json ${PWD}/package-lock.json ${PWD}/web/package.json ${PWD}/web/package-lock.json
 	echo -n $(version) > ${PWD}/internal/constants/VERSION
@@ -178,23 +168,13 @@ gen-build:  ## Extract the schema from the database
 gen-compose:
 	$(UV) run scripts/generate_compose.py

-gen-changelog:  ## (Release) generate the changelog based from the commits since the last version
-# These are best-effort guesses based on commit messages
-	$(eval last_version := $(shell git tag --list 'version/*' --sort 'version:refname' | grep -vE 'rc\d+$$' | tail -1))
-	$(eval current_commit := $(shell git rev-parse HEAD))
-	git log --pretty=format:"- %s" $(shell git merge-base ${last_version} ${current_commit})...${current_commit} > merged_to_current
-	git log --pretty=format:"- %s" $(shell git merge-base ${last_version} ${current_commit})...${last_version} > merged_to_last
-	grep -Eo 'cherry-pick (#\d+)' merged_to_last | cut -d ' ' -f 2 | sed 's/.*/(&)$$/' > cherry_picked_to_last
-	grep -vf cherry_picked_to_last merged_to_current | sort > changelog.md
-	rm merged_to_current
-	rm merged_to_last
-	rm cherry_picked_to_last
+gen-changelog:  ## (Release) generate the changelog based from the commits since the last tag
+	git log --pretty=format:" - %s" $(shell git describe --tags $(shell git rev-list --tags --max-count=1))...$(shell git branch --show-current) | sort > changelog.md
 	npx prettier --write changelog.md

-gen-diff:  ## (Release) generate the changelog diff between the current schema and the last version
-	$(eval last_version := $(shell git tag --list 'version/*' --sort 'version:refname' | grep -vE 'rc\d+$$' | tail -1))
-	git show ${last_version}:schema.yml > schema-old.yml
-	docker compose -f scripts/compose.yml run --rm --user "${UID}:${GID}" diff \
+gen-diff:  ## (Release) generate the changelog diff between the current schema and the last tag
+	git show $(shell git describe --tags $(shell git rev-list --tags --max-count=1)):schema.yml > schema-old.yml
+	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" diff \
 		--markdown \
 		/local/diff.md \
 		/local/schema-old.yml \
@@ -204,26 +184,51 @@ gen-diff:  ## (Release) generate the changelog diff between the current schema a
 	$(SED_INPLACE) 's/}/&#125;/g' diff.md
 	npx prettier --write diff.md

-gen-client-go:  ## Build and install the authentik API for Golang
-	$(UV) run make -C "${PWD}/packages/client-go" build
+gen-clean-ts:  ## Remove generated API client for TypeScript
+	rm -rf ${PWD}/${GEN_API_TS}/
+	rm -rf ${PWD}/web/node_modules/@goauthentik/api/

-gen-client-rust:  ## Build and install the authentik API for Rust
-	$(UV) run make -C "${PWD}/packages/client-rust" build version=${NPM_VERSION}
-	make lint-fix-rust
+gen-clean-py:  ## Remove generated API client for Python
+	rm -rf ${PWD}/${GEN_API_PY}

-gen-client-ts:  ## Build and install the authentik API for Typescript into the authentik UI Application
-	make -C "${PWD}/packages/client-ts" build
-	npm --prefix web install
+gen-clean-go:  ## Remove generated API client for Go
+	rm -rf ${PWD}/${GEN_API_GO}

-_gen-clients: gen-client-go gen-client-rust gen-client-ts
-gen-clients:  ## Build and install API clients used by authentik
-	$(MAKE) _gen-clients -j
+gen-clean: gen-clean-ts gen-clean-go gen-clean-py  ## Remove generated API clients

-gen: gen-build gen-clients  ## Build and install API schema and clients used by authentik
+gen-client-ts: gen-clean-ts  ## Build and install the authentik API for Typescript into the authentik UI Application
+	docker compose -f scripts/api/compose.yml run --rm --user "${UID}:${GID}" gen \
+		generate \
+		-i /local/schema.yml \
+		-g typescript-fetch \
+		-o /local/${GEN_API_TS} \
+		-c /local/scripts/api/ts-config.yaml \
+		--additional-properties=npmVersion=${NPM_VERSION} \
+		--git-repo-id authentik \
+		--git-user-id goauthentik
+
+	cd ${PWD}/${GEN_API_TS} && npm i
+	cd ${PWD}/${GEN_API_TS} && npm link
+	cd ${PWD}/web && npm link @goauthentik/api
+
+gen-client-py: gen-clean-py ## Build and install the authentik API for Python
+	mkdir -p ${PWD}/${GEN_API_PY}
+	git clone --depth 1 https://github.com/goauthentik/client-python.git ${PWD}/${GEN_API_PY}
+	cp ${PWD}/schema.yml ${PWD}/${GEN_API_PY}
+	make -C ${PWD}/${GEN_API_PY} build version=${NPM_VERSION}
+
+gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
+	mkdir -p ${PWD}/${GEN_API_GO}
+	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
+	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
+	make -C ${PWD}/${GEN_API_GO} build version=${NPM_VERSION}
+	go mod edit -replace goauthentik.io/api/v3=./${GEN_API_GO}

 gen-dev-config:  ## Generate a local development config file
 	$(UV) run scripts/generate_config.py

+gen: gen-build gen-client-ts
+
 #########################
 ## Node.js
 #########################
@@ -271,7 +276,7 @@ docs: docs-lint-fix docs-build  ## Automatically fix formatting issues in the Au
 docs-install:
 	npm ci --prefix website

-docs-lint-fix: lint-spellcheck
+docs-lint-fix: lint-codespell
 	npm run --prefix website prettier

 docs-build:
@@ -292,7 +297,7 @@ docs-api-build:
 	npm run --prefix website -w api build

 docs-api-watch:  ## Build and watch the API documentation
-	npm run --prefix website -w api generate
+	npm run --prefix website -w api build:api
 	npm run --prefix website -w api start

 docs-api-clean: ## Clean generated API documentation
@@ -303,6 +308,7 @@ docs-api-clean: ## Clean generated API documentation
 #########################

 docker:  ## Build a docker image of the current source tree
+	mkdir -p ${GEN_API_TS}
 	DOCKER_BUILDKIT=1 docker build . -f lifecycle/container/Dockerfile --progress plain --tag ${DOCKER_IMAGE}

 test-docker:
@@ -315,42 +321,28 @@ test-docker:
 # which makes the YAML File a lot smaller

 ci--meta-debug:
-	$(UV) run python -V || echo "No python installed"
-	$(CARGO) --version || echo "No rust installed"
-	node --version || echo "No node installed"
+	$(UV) run python -V
+	node --version

-ci-lint-mypy: ci--meta-debug
+ci-mypy: ci--meta-debug
 	$(UV) run mypy --strict $(PY_SOURCES)

-ci-lint-black: ci--meta-debug
+ci-black: ci--meta-debug
 	$(UV) run black --check $(PY_SOURCES)

-ci-lint-ruff: ci--meta-debug
+ci-ruff: ci--meta-debug
 	$(UV) run ruff check $(PY_SOURCES)

-ci-lint-spellcheck: ci--meta-debug
-	npm run lint:spellcheck
+ci-codespell: ci--meta-debug
+	$(UV) run codespell -s

-ci-lint-bandit: ci--meta-debug
+ci-bandit: ci--meta-debug
 	$(UV) run bandit -c pyproject.toml -r $(PY_SOURCES) -iii

-ci-lint-pending-migrations: ci--meta-debug
+ci-pending-migrations: ci--meta-debug
 	$(UV) run ak makemigrations --check

-ci-lint-cargo-deny: ci--meta-debug
-	$(CARGO) deny --locked --workspace check --config "${PWD}/.cargo/deny.toml"
-
-ci-lint-cargo-machete: ci--meta-debug
-	$(CARGO) machete
-
-ci-lint-rustfmt: ci--meta-debug
-	$(CARGO) +nightly fmt --all --check -- --config-path "${PWD}/.cargo/rustfmt.toml"
-
-ci-lint-clippy: ci--meta-debug
-	$(CARGO) clippy --workspace -- -D warnings
-
 ci-test: ci--meta-debug
-	$(UV) run coverage run manage.py test --keepdb --parallel auto authentik
-	$(UV) run coverage combine
+	$(UV) run coverage run manage.py test --keepdb authentik
 	$(UV) run coverage report
 	$(UV) run coverage xml
--- a/authentik/init.py
+++ b/authentik/init.py
@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ

-VERSION = "2026.5.0-rc1"
+VERSION = "2026.2.2"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/admin/api/meta.py
+++ b/authentik/admin/api/meta.py
@@ -8,8 +8,8 @@ from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet

 from authentik.core.api.utils import PassiveSerializer
-from authentik.lib.api import Models
 from authentik.lib.utils.reflection import get_apps
+from authentik.policies.event_matcher.models import model_choices


 class AppSerializer(PassiveSerializer):
@@ -42,6 +42,6 @@ class ModelViewSet(ViewSet):
    def list(self, request: Request) -> Response:
        """Read-only view list all installed models"""
        data = []
-        for name, label in Models.choices:
+        for name, label in model_choices():
            data.append({"name": name, "label": label})
        return Response(AppSerializer(data, many=True).data)
--- a/authentik/admin/files/backends/base.py
+++ b/authentik/admin/files/backends/base.py
@@ -94,7 +94,7 @@ class Backend:

        Args:
            file_path: Relative file path
-            request: Optional Django HttpRequest for fully qualified URL building
+            request: Optional Django HttpRequest for fully qualifed URL building
            use_cache: whether to retrieve the URL from cache

        Returns:
@@ -106,7 +106,6 @@ class Backend:
        self,
        name: str,
        request: HttpRequest | None = None,
-        use_cache: bool = True,
    ) -> dict[str, str] | None:
        """
        Get URLs for each theme variant when filename contains %(theme)s.
@@ -122,7 +121,7 @@ class Backend:
            return None

        return {
-            theme: self.file_url(substitute_theme(name, theme), request, use_cache=use_cache)
+            theme: self.file_url(substitute_theme(name, theme), request, use_cache=True)
            for theme in get_valid_themes()
        }

--- a/authentik/admin/files/backends/passthrough.py
+++ b/authentik/admin/files/backends/passthrough.py
@@ -51,7 +51,6 @@ class PassthroughBackend(Backend):
        self,
        name: str,
        request: HttpRequest | None = None,
-        use_cache: bool = True,
    ) -> dict[str, str] | None:
        """Support themed URLs for external URLs with %(theme)s placeholder.

--- a/authentik/admin/files/backends/s3.py
+++ b/authentik/admin/files/backends/s3.py
@@ -1,7 +1,7 @@
 from collections.abc import Generator, Iterator
 from contextlib import contextmanager
 from tempfile import SpooledTemporaryFile
-from urllib.parse import urlsplit, urlunsplit
+from urllib.parse import urlsplit

 import boto3
 from botocore.config import Config
@@ -100,25 +100,13 @@ class S3Backend(ManageableBackend):
            f"storage.{self.usage.value}.{self.name}.addressing_style",
            CONFIG.get(f"storage.{self.name}.addressing_style", "auto"),
        )
-        signature_version = CONFIG.get(
-            f"storage.{self.usage.value}.{self.name}.signature_version",
-            CONFIG.get(f"storage.{self.name}.signature_version", "s3v4"),
-        )
-        # Keep signature_version pass-through and let boto3/botocore handle it.
-        # In boto3's S3 configuration docs, `s3v4` (default) and deprecated `s3`
-        # are the documented values:
-        # https://github.com/boto/boto3/blob/791a3e8f36d83664a47b4281a0586b3546cef3ec/docs/source/guide/configuration.rst?plain=1#L398-L407
-        # Botocore also supports additional signer names, so we intentionally do
-        # not enforce a restricted allowlist here.

        return self.session.client(
            "s3",
            endpoint_url=endpoint_url,
            use_ssl=use_ssl,
            region_name=region_name,
-            config=Config(
-                signature_version=signature_version, s3={"addressing_style": addressing_style}
-            ),
+            config=Config(signature_version="s3v4", s3={"addressing_style": addressing_style}),
        )

    @property
@@ -164,19 +152,16 @@ class S3Backend(ManageableBackend):
        )

        def _file_url(name: str, request: HttpRequest | None) -> str:
-            client = self.client
            params = {
                "Bucket": self.bucket_name,
                "Key": f"{self.base_path}/{name}",
            }

-            operation_name = "GetObject"
-            operation_model = client.meta.service_model.operation_model(operation_name)
-            request_dict = client._convert_to_request_dict(
-                params,
-                operation_model,
-                endpoint_url=client.meta.endpoint_url,
-                context={"is_presign_request": True},
+            url = self.client.generate_presigned_url(
+                "get_object",
+                Params=params,
+                ExpiresIn=expires_in,
+                HttpMethod="GET",
            )

            # Support custom domain for S3-compatible storage (so not AWS)
@@ -186,8 +171,9 @@ class S3Backend(ManageableBackend):
                CONFIG.get(f"storage.{self.name}.custom_domain", None),
            )
            if custom_domain:
+                parsed = urlsplit(url)
                scheme = "https" if use_https else "http"
-                path = request_dict["url_path"]
+                path = parsed.path

                # When using path-style addressing, the presigned URL contains the bucket
                # name in the path (e.g., /bucket-name/key). Since custom_domain must
@@ -202,22 +188,9 @@ class S3Backend(ManageableBackend):
                if not path.startswith("/"):
                    path = f"/{path}"

-                custom_base = urlsplit(f"{scheme}://{custom_domain}")
+                url = f"{scheme}://{custom_domain}{path}?{parsed.query}"

-                # Sign the final public URL instead of signing the internal S3 endpoint and
-                # rewriting it afterwards. Presigned SigV4 URLs include the host header in the
-                # canonical request, so post-sign host changes break strict backends like RustFS.
-                public_path = f"{custom_base.path.rstrip('/')}{path}" if custom_base.path else path
-                request_dict["url_path"] = public_path
-                request_dict["url"] = urlunsplit(
-                    (custom_base.scheme, custom_base.netloc, public_path, "", "")
-                )
-
-            return client._request_signer.generate_presigned_url(
-                request_dict,
-                operation_name,
-                expires_in=expires_in,
-            )
+            return url

        if use_cache:
            return self._cache_get_or_set(name, request, _file_url, expires_in)
--- a/authentik/admin/files/backends/tests/test_s3_backend.py
+++ b/authentik/admin/files/backends/tests/test_s3_backend.py
@@ -1,7 +1,5 @@
 from unittest import skipUnless
-from urllib.parse import parse_qs, urlsplit

-from botocore.exceptions import UnsupportedSignatureVersionError
 from django.test import TestCase

 from authentik.admin.files.tests.utils import FileTestS3BackendMixin, s3_test_server_available
@@ -83,27 +81,6 @@ class TestS3Backend(FileTestS3BackendMixin, TestCase):
        self.assertIn("X-Amz-Signature=", url)
        self.assertIn("test.png", url)

-    def test_client_signature_version_default_v4(self):
-        """Test S3 client defaults to v4 signature when not configured."""
-        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3v4")
-
-    @CONFIG.patch("storage.s3.signature_version", "s3")
-    def test_client_signature_version_global_override(self):
-        """Test S3 client respects globally configured signature version."""
-        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3")
-
-    @CONFIG.patch("storage.s3.signature_version", "s3v4")
-    @CONFIG.patch("storage.media.s3.signature_version", "s3")
-    def test_client_signature_version_media_override(self):
-        """Test usage-specific signature version takes precedence over global."""
-        self.assertEqual(self.media_s3_backend.client.meta.config.signature_version, "s3")
-
-    @CONFIG.patch("storage.media.s3.signature_version", "not-a-real-signature")
-    def test_client_signature_version_unsupported(self):
-        """Test unsupported signature version raises botocore error."""
-        with self.assertRaises(UnsupportedSignatureVersionError):
-            self.media_s3_backend.file_url("test.png", use_cache=False)
-
    @CONFIG.patch("storage.s3.bucket_name", "test-bucket")
    def test_file_exists_true(self):
        """Test file_exists returns True for existing file"""
@@ -169,44 +146,6 @@ class TestS3Backend(FileTestS3BackendMixin, TestCase):
            f"URL: {url}",
        )

-    @CONFIG.patch("storage.s3.secure_urls", False)
-    @CONFIG.patch("storage.s3.addressing_style", "path")
-    def test_file_url_custom_domain_resigns_for_custom_host(self):
-        """Test presigned URLs are signed for the custom domain host.
-
-        Host-changing custom domains must produce a signature query string for
-        the public host, not reuse the internal endpoint signature.
-        """
-        bucket_name = self.media_s3_bucket_name
-        key_name = "application-icons/test.svg"
-        custom_domain = f"files.example.test:8020/{bucket_name}"
-
-        endpoint_signed_url = self.media_s3_backend.client.generate_presigned_url(
-            "get_object",
-            Params={
-                "Bucket": bucket_name,
-                "Key": f"{self.media_s3_backend.base_path}/{key_name}",
-            },
-            ExpiresIn=900,
-            HttpMethod="GET",
-        )
-
-        with CONFIG.patch("storage.media.s3.custom_domain", custom_domain):
-            custom_url = self.media_s3_backend.file_url(key_name, use_cache=False)
-
-        endpoint_parts = urlsplit(endpoint_signed_url)
-        custom_parts = urlsplit(custom_url)
-
-        self.assertEqual(custom_parts.scheme, "http")
-        self.assertEqual(custom_parts.netloc, "files.example.test:8020")
-        self.assertEqual(parse_qs(custom_parts.query)["X-Amz-SignedHeaders"], ["host"])
-        self.assertNotEqual(
-            custom_parts.query,
-            endpoint_parts.query,
-            "Custom-domain URLs must be signed for the public host, not reuse the endpoint "
-            "signature query string.",
-        )
-
    def test_themed_urls_without_theme_variable(self):
        """Test themed_urls returns None when filename has no %(theme)s"""
        result = self.media_s3_backend.themed_urls("logo.png")
--- a/authentik/admin/files/manager.py
+++ b/authentik/admin/files/manager.py
@@ -74,10 +74,6 @@ class FileManager:
    ) -> str:
        """
        Get URL for accessing the file.
-
-        Set ``use_cache=False`` when the caller needs a fresh signed URL instead
-        of a cached one, for example when serializing flow/login payloads that
-        may be refreshed after the previous JWT has expired.
        """
        if not name:
            return ""
@@ -87,7 +83,7 @@ class FileManager:

        for backend in self.backends:
            if backend.supports_file(name):
-                return backend.file_url(name, request, use_cache=use_cache)
+                return backend.file_url(name, request)

        LOGGER.warning(f"Could not find file backend for file: {name}")
        return ""
@@ -96,14 +92,10 @@ class FileManager:
        self,
        name: str | None,
        request: HttpRequest | Request | None = None,
-        use_cache: bool = True,
    ) -> dict[str, str] | None:
        """
        Get URLs for each theme variant when filename contains %(theme)s.

-        ``use_cache`` has the same semantics as ``file_url()`` and allows
-        callers to force regeneration of expiring signed URLs.
-
        Returns dict mapping theme to URL if %(theme)s present, None otherwise.
        """
        if not name:
@@ -114,7 +106,7 @@ class FileManager:

        for backend in self.backends:
            if backend.supports_file(name):
-                return backend.themed_urls(name, request, use_cache=use_cache)
+                return backend.themed_urls(name, request)

        return None

--- a/authentik/admin/files/tests/test_manager.py
+++ b/authentik/admin/files/tests/test_manager.py
@@ -1,7 +1,6 @@
 """Test file service layer"""

 from unittest import skipUnless
-from unittest.mock import Mock
 from urllib.parse import urlparse

 from django.http import HttpRequest
@@ -54,19 +53,6 @@ class TestResolveFileUrlBasic(TestCase):
        result = manager.file_url("/static/authentik/sources/icon.svg")
        self.assertEqual(result, "/static/authentik/sources/icon.svg")

-    def test_file_url_forwards_use_cache(self):
-        """Test file_url forwards use_cache to backend."""
-        manager = FileManager(FileUsage.MEDIA)
-        backend = Mock()
-        backend.supports_file.return_value = True
-        backend.file_url.return_value = "/files/media/public/test.png?token=fresh"
-        manager.backends = [backend]
-
-        result = manager.file_url("test.png", use_cache=False)
-
-        self.assertEqual(result, "/files/media/public/test.png?token=fresh")
-        backend.file_url.assert_called_once_with("test.png", None, use_cache=False)
-

 class TestResolveFileUrlFileBackend(FileTestFileBackendMixin, TestCase):
    def test_resolve_storage_file(self):
--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@@ -106,14 +106,14 @@ class TokenAuthentication(BaseAuthentication):
        if not auth_credentials:
            return None
        # first, check traditional tokens
-        key_token = Token.objects.filter(
+        key_token = Token.filter_not_expired(
            key=auth_credentials, intent=TokenIntents.INTENT_API
        ).first()
        if key_token:
            CTX_AUTH_VIA.set("api_token")
            return key_token.user, key_token
        # then try to auth via JWT
-        jwt_token = AccessToken.objects.filter(
+        jwt_token = AccessToken.filter_not_expired(
            token=auth_credentials, _scope__icontains=SCOPE_AUTHENTIK_API
        ).first()
        if jwt_token:
--- a/authentik/api/pagination.py
+++ b/authentik/api/pagination.py
@@ -1,18 +1,10 @@
 """Pagination which includes total pages and current page"""

-from typing import TYPE_CHECKING
-
 from drf_spectacular.plumbing import build_object_type
 from rest_framework import pagination
 from rest_framework.response import Response

-from authentik.api.search.ql import QLSearch
-from authentik.api.v3.schema.pagination import PAGINATION
-from authentik.api.v3.schema.search import AUTOCOMPLETE_SCHEMA
-
-if TYPE_CHECKING:
-    from django.db.models import QuerySet
-    from rest_framework.request import Request
+from authentik.api.v3.schema.response import PAGINATION


 class Pagination(pagination.PageNumberPagination):
@@ -21,14 +13,14 @@ class Pagination(pagination.PageNumberPagination):
    page_query_param = "page"
    page_size_query_param = "page_size"

-    def get_page_size(self, request: Request) -> int:
+    def get_page_size(self, request):
        if self.page_size_query_param in request.query_params:
            page_size = super().get_page_size(request)
            if page_size is not None:
                return min(super().get_page_size(request), request.tenant.pagination_max_page_size)
        return request.tenant.pagination_default_page_size

-    def get_paginated_response(self, data) -> Response:
+    def get_paginated_response(self, data):
        previous_page_number = 0
        if self.page.has_previous():
            previous_page_number = self.page.previous_page_number()
@@ -47,33 +39,16 @@ class Pagination(pagination.PageNumberPagination):
                    "end_index": self.page.end_index(),
                },
                "results": data,
-                "autocomplete": self.get_autocomplete(),
            }
        )

-    def paginate_queryset(self, queryset: QuerySet, request: Request, view=None):
-        self.view = view
-        return super().paginate_queryset(queryset, request, view)
-
-    def get_autocomplete(self):
-        schema = QLSearch().get_schema(self.request, self.view)
-        introspections = {}
-        if hasattr(self.view, "get_ql_fields"):
-            from authentik.api.search.schema import AKQLSchemaSerializer
-
-            introspections = AKQLSchemaSerializer().serialize(
-                schema(self.page.paginator.object_list.model)
-            )
-        return introspections
-
    def get_paginated_response_schema(self, schema):
        return build_object_type(
            properties={
                "pagination": PAGINATION.ref,
                "results": schema,
-                "autocomplete": AUTOCOMPLETE_SCHEMA.ref,
            },
-            required=["pagination", "results", "autocomplete"],
+            required=["pagination", "results"],
        )


--- a/authentik/api/schema.py
+++ b/authentik/api/schema.py
@@ -0,0 +1,103 @@
+"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
+
+from collections.abc import Callable
+from typing import Any
+
+from drf_spectacular.generators import SchemaGenerator
+from drf_spectacular.plumbing import ResolvedComponent
+from drf_spectacular.renderers import OpenApiJsonRenderer
+from drf_spectacular.settings import spectacular_settings
+from structlog.stdlib import get_logger
+
+from authentik.api.apps import AuthentikAPIConfig
+from authentik.api.v3.schema.query import QUERY_PARAMS
+from authentik.api.v3.schema.response import (
+    GENERIC_ERROR,
+    GENERIC_ERROR_RESPONSE,
+    PAGINATION,
+    VALIDATION_ERROR,
+    VALIDATION_ERROR_RESPONSE,
+)
+
+LOGGER = get_logger()
+
+
+def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
+    """Filter out all API Views which are not mounted under /api"""
+    return [
+        (path, path_regex, method, callback)
+        for path, path_regex, method, callback in endpoints
+        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
+    ]
+
+
+def postprocess_schema_register(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Register custom schema components"""
+    LOGGER.debug("Registering custom schemas")
+    generator.registry.register_on_missing(PAGINATION)
+    generator.registry.register_on_missing(GENERIC_ERROR)
+    generator.registry.register_on_missing(GENERIC_ERROR_RESPONSE)
+    generator.registry.register_on_missing(VALIDATION_ERROR)
+    generator.registry.register_on_missing(VALIDATION_ERROR_RESPONSE)
+    for query in QUERY_PARAMS.values():
+        generator.registry.register_on_missing(query)
+    return result
+
+
+def postprocess_schema_responses(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Default error responses"""
+    LOGGER.debug("Adding default error responses")
+    for path in result["paths"].values():
+        for method in path.values():
+            method["responses"].setdefault("400", VALIDATION_ERROR_RESPONSE.ref)
+            method["responses"].setdefault("403", GENERIC_ERROR_RESPONSE.ref)
+
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+
+    # This is a workaround for authentik/stages/prompt/stage.py
+    # since the serializer PromptChallengeResponse
+    # accepts dynamic keys
+    for component in result["components"]["schemas"]:
+        if component == "PromptChallengeResponseRequest":
+            comp = result["components"]["schemas"][component]
+            comp["additionalProperties"] = {}
+    return result
+
+
+def postprocess_schema_query_params(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Optimise pagination parameters, instead of redeclaring parameters for each endpoint
+    declare them globally and refer to them"""
+    LOGGER.debug("Deduplicating query parameters")
+    for path in result["paths"].values():
+        for method in path.values():
+            for idx, param in enumerate(method.get("parameters", [])):
+                if param["name"] not in QUERY_PARAMS:
+                    continue
+                method["parameters"][idx] = QUERY_PARAMS[param["name"]].ref
+    return result
+
+
+def postprocess_schema_remove_unused(
+    result: dict[str, Any], generator: SchemaGenerator, **kwargs
+) -> dict[str, Any]:
+    """Remove unused components"""
+    # To check if the schema is used, render it to JSON and then substring check that
+    # less efficient than walking through the tree but a lot simpler and no
+    # possibility that we miss something
+    raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
+    count = 0
+    for key in result["components"][ResolvedComponent.SCHEMA].keys():
+        schema_usages = raw.count(f"#/components/{ResolvedComponent.SCHEMA}/{key}")
+        if schema_usages >= 1:
+            continue
+        del generator.registry[(key, ResolvedComponent.SCHEMA)]
+        count += 1
+    LOGGER.debug("Removing unused components", count=count)
+    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
+    return result
--- a/authentik/api/tests/test_viewsets.py
+++ b/authentik/api/tests/test_viewsets.py
@@ -1,73 +1,31 @@
 """authentik API Modelviewset tests"""

 from collections.abc import Callable
-from urllib.parse import urlencode

 from django.test import TestCase
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet

-from authentik.admin.api.version_history import VersionHistoryViewSet
 from authentik.api.v3.urls import router
-from authentik.core.tests.utils import RequestFactory, create_test_admin_user
-from authentik.lib.generators import generate_id
-from authentik.tenants.api.domains import DomainViewSet
-from authentik.tenants.api.tenants import TenantViewSet
-from authentik.tenants.utils import get_current_tenant


 class TestModelViewSets(TestCase):
    """Test Viewset"""

-    def setUp(self):
-        self.user = create_test_admin_user()
-        self.factory = RequestFactory()

-
-def viewset_tester_factory(test_viewset: type[ModelViewSet], full=True) -> dict[str, Callable]:
+def viewset_tester_factory(test_viewset: type[ModelViewSet]) -> Callable:
    """Test Viewset"""

-    def test_attrs(self: TestModelViewSets) -> None:
-        """Test attributes we require on all viewsets"""
-        self.assertIsNotNone(getattr(test_viewset, "ordering", None))
+    def tester(self: TestModelViewSets):
        self.assertIsNotNone(getattr(test_viewset, "search_fields", None))
+        self.assertIsNotNone(getattr(test_viewset, "ordering", None))
        filterset_class = getattr(test_viewset, "filterset_class", None)
        if not filterset_class:
            self.assertIsNotNone(getattr(test_viewset, "filterset_fields", None))

-    def test_ordering(self: TestModelViewSets) -> None:
-        """Test that all ordering fields are correct"""
-        view = test_viewset.as_view({"get": "list"})
-        for ordering_field in test_viewset.ordering:
-            with self.subTest(ordering_field):
-                req = self.factory.get(
-                    f"/?{urlencode({'ordering': ordering_field}, doseq=True)}", user=self.user
-                )
-                req.tenant = get_current_tenant()
-                res = view(req)
-                self.assertEqual(res.status_code, 200)
-
-    def test_search(self: TestModelViewSets) -> None:
-        """Test that search fields are correct"""
-        view = test_viewset.as_view({"get": "list"})
-        req = self.factory.get(
-            f"/?{urlencode({'search': generate_id()}, doseq=True)}", user=self.user
-        )
-        req.tenant = get_current_tenant()
-        res = view(req)
-        self.assertEqual(res.status_code, 200)
-
-    cases = {
-        "attrs": test_attrs,
-    }
-    if full:
-        cases["ordering"] = test_ordering
-        cases["search"] = test_search
-    return cases
+    return tester


 for _, viewset, _ in router.registry:
    if not issubclass(viewset, ModelViewSet | ReadOnlyModelViewSet):
        continue
-    full = viewset not in [VersionHistoryViewSet, DomainViewSet, TenantViewSet]
-    for test, case in viewset_tester_factory(viewset, full=full).items():
-        setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}_{test}", case)
+    setattr(TestModelViewSets, f"test_viewset_{viewset.__name__}", viewset_tester_factory(viewset))
--- a/authentik/api/v3/schema/cleanup.py
+++ b/authentik/api/v3/schema/cleanup.py
@@ -1,75 +0,0 @@
-"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
-
-from collections.abc import Callable
-from typing import Any
-
-from drf_spectacular.contrib.django_filters import (
-    DjangoFilterExtension as BaseDjangoFilterExtension,
-)
-from drf_spectacular.generators import SchemaGenerator
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    follow_field_source,
-)
-from drf_spectacular.renderers import OpenApiJsonRenderer
-from drf_spectacular.settings import spectacular_settings
-from structlog.stdlib import get_logger
-
-from authentik.api.apps import AuthentikAPIConfig
-
-LOGGER = get_logger()
-
-
-def preprocess_schema_exclude_non_api(endpoints: list[tuple[str, Any, Any, Callable]], **kwargs):
-    """Filter out all API Views which are not mounted under /api"""
-    return [
-        (path, path_regex, method, callback)
-        for path, path_regex, method, callback in endpoints
-        if path.startswith("/" + AuthentikAPIConfig.mountpoint)
-    ]
-
-
-def postprocess_schema_remove_unused(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Remove unused components"""
-    # To check if the schema is used, render it to JSON and then substring check that
-    # less efficient than walking through the tree but a lot simpler and no
-    # possibility that we miss something
-    raw = OpenApiJsonRenderer().render(result, renderer_context={}).decode()
-    count = 0
-    for key in result["components"][ResolvedComponent.SCHEMA].keys():
-        schema_usages = raw.count(f"#/components/{ResolvedComponent.SCHEMA}/{key}")
-        if schema_usages >= 1:
-            continue
-        del generator.registry[(key, ResolvedComponent.SCHEMA)]
-        count += 1
-    LOGGER.debug("Removing unused components", count=count)
-    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
-    return result
-
-
-class DjangoFilterExtension(BaseDjangoFilterExtension):
-    """
-    From https://github.com/netbox-community/netbox/pull/21521:
-
-    Overrides drf-spectacular's DjangoFilterExtension to fix a regression in v0.29.0 where
-    _get_model_field() incorrectly double-appends to_field_name when field_name already ends
-    with that value (e.g. field_name='tags__slug', to_field_name='slug' produces the invalid
-    path ['tags', 'slug', 'slug']). This caused hundreds of spurious warnings during schema
-    generation for filters such as TagFilter, TenancyFilterSet.tenant, and OwnerFilterMixin.owner.
-
-    See: https://github.com/netbox-community/netbox/issues/20787
-         https://github.com/tfranzel/drf-spectacular/issues/1475
-    """
-
-    priority = 1
-
-    def _get_model_field(self, filter_field, model):
-        if not filter_field.field_name:
-            return None
-        path = filter_field.field_name.split("__")
-        to_field_name = filter_field.extra.get("to_field_name")
-        if to_field_name is not None and path[-1] != to_field_name:
-            path.append(to_field_name)
-        return follow_field_source(model, path, emit_warnings=False)
--- a/authentik/api/v3/schema/enum.py
+++ b/authentik/api/v3/schema/enum.py
@@ -1,287 +0,0 @@
-"""Error Response schema, from https://github.com/axnsan12/drf-yasg/issues/224"""
-
-import functools
-import inspect
-import re
-from collections import defaultdict
-from enum import Enum
-
-from django.db.models import Choices
-from django.utils.translation import get_language
-from drf_spectacular.drainage import error, warn
-from drf_spectacular.hooks import postprocess_schema_enum_id_removal
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    deep_import_string,
-    list_hash,
-    safe_ref,
-)
-from drf_spectacular.settings import spectacular_settings
-from inflection import camelize
-from structlog.stdlib import get_logger
-
-LOGGER = get_logger()
-
-
-# See https://github.com/tfranzel/drf-spectacular/blob/master/drf_spectacular/hooks.py
-# and https://github.com/tfranzel/drf-spectacular/issues/520
-def postprocess_schema_enums(result, generator, **kwargs):  # noqa: PLR0912, PLR0915
-    """
-    simple replacement of Enum/Choices that globally share the same name and have
-    the same choices. Aids client generation to not generate a separate enum for
-    every occurrence. only takes effect when replacement is guaranteed to be correct.
-    """
-
-    def is_enum_prop(prop_schema):
-        return (
-            "enum" in prop_schema
-            or prop_schema.get("type") == "array"
-            and "enum" in prop_schema.get("items", {})
-        )
-
-    def iter_field_schemas():
-        def iter_prop_containers(schema, component_name=None):
-            if not component_name:
-                for _component_name, _schema in schema.items():
-                    if spectacular_settings.COMPONENT_SPLIT_PATCH:
-                        _component_name = re.sub("^Patched(.+)", r"\1", _component_name)
-                    if spectacular_settings.COMPONENT_SPLIT_REQUEST:
-                        _component_name = re.sub("(.+)Request$", r"\1", _component_name)
-                    yield from iter_prop_containers(_schema, _component_name)
-            elif isinstance(schema, list):
-                for item in schema:
-                    yield from iter_prop_containers(item, component_name)
-            elif isinstance(schema, dict):
-                if schema.get("properties"):
-                    yield component_name, schema["properties"]
-                yield from iter_prop_containers(schema.get("oneOf", []), component_name)
-                yield from iter_prop_containers(schema.get("allOf", []), component_name)
-                yield from iter_prop_containers(schema.get("anyOf", []), component_name)
-
-        def iter_path_parameters():
-            for path in result.get("paths", {}).values():
-                for operation in path.values():
-                    for parameter in operation.get("parameters", []):
-                        parameter_schema = parameter.get("schema", {})
-                        if is_enum_prop(parameter_schema):
-                            # Move description into enum schema
-                            if "description" in parameter:
-                                parameter_schema["description"] = parameter.pop("description")
-                        if "name" not in parameter:
-                            continue
-                        yield "", {parameter["name"]: parameter_schema}
-
-        component_schemas = result.get("components", {}).get("schemas", {})
-
-        yield from iter_prop_containers(component_schemas)
-        yield from iter_path_parameters()
-
-    def create_enum_component(name, schema):
-        component = ResolvedComponent(
-            name=name,
-            type=ResolvedComponent.SCHEMA,
-            schema=schema,
-            object=name,
-        )
-        generator.registry.register_on_missing(component)
-        return component
-
-    def extract_hash(schema):
-        if "x-spec-enum-id" in schema:
-            # try to use the injected enum hash first as it generated from (name, value) tuples,
-            # which prevents collisions on choice sets only differing in labels not values.
-            return schema["x-spec-enum-id"]
-        else:
-            # fall back to actual list hashing when we encounter enums not generated by us.
-            # remove blank/null entry for hashing. will be reconstructed in the last step
-            return list_hash([(i, i) for i in schema["enum"] if i not in ("", None)])
-
-    overrides = load_enum_name_overrides()
-
-    prop_hash_mapping = defaultdict(set)
-    hash_name_mapping = defaultdict(set)
-    # collect all enums, their names and choice sets
-    for component_name, props in iter_field_schemas():
-        for prop_name, prop_schema in props.items():
-            _prop_schema = prop_schema
-            if prop_schema.get("type") == "array":
-                _prop_schema = prop_schema.get("items", {})
-            if "enum" not in _prop_schema:
-                continue
-
-            prop_enum_cleaned_hash = extract_hash(_prop_schema)
-            prop_hash_mapping[prop_name].add(prop_enum_cleaned_hash)
-            hash_name_mapping[prop_enum_cleaned_hash].add((component_name, prop_name))
-
-    # get the suffix to be used for enums from settings
-    enum_suffix = spectacular_settings.ENUM_SUFFIX
-
-    # traverse all enum properties and generate a name for the choice set. naming collisions
-    # are resolved and a warning is emitted. giving a choice set multiple names is technically
-    # correct but potentially unwanted. also emit a warning there to make the user aware.
-    enum_name_mapping = {}
-    for prop_name, prop_hash_set in prop_hash_mapping.items():
-        for prop_hash in prop_hash_set:
-            if prop_hash in overrides:
-                enum_name = overrides[prop_hash]
-            elif len(prop_hash_set) == 1:
-                # prop_name has been used exclusively for one choice set (best case)
-                enum_name = f"{camelize(prop_name)}{enum_suffix}"
-            elif len(hash_name_mapping[prop_hash]) == 1:
-                # prop_name has multiple choice sets, but each one limited to one component only
-                component_name, _ = next(iter(hash_name_mapping[prop_hash]))
-                enum_name = f"{camelize(component_name)}{camelize(prop_name)}{enum_suffix}"
-            else:
-                enum_name = f"{camelize(prop_name)}{prop_hash[:3].capitalize()}{enum_suffix}"
-                warn(
-                    f"enum naming encountered a non-optimally resolvable collision for fields "
-                    f'named "{prop_name}". The same name has been used for multiple choice sets '
-                    f'in multiple components. The collision was resolved with "{enum_name}". '
-                    f"add an entry to ENUM_NAME_OVERRIDES to fix the naming."
-                )
-            if enum_name_mapping.get(prop_hash, enum_name) != enum_name:
-                warn(
-                    f"encountered multiple names for the same choice set ({enum_name}). This "
-                    f"may be unwanted even though the generated schema is technically correct. "
-                    f"Add an entry to ENUM_NAME_OVERRIDES to fix the naming."
-                )
-                del enum_name_mapping[prop_hash]
-            else:
-                enum_name_mapping[prop_hash] = enum_name
-            enum_name_mapping[(prop_hash, prop_name)] = enum_name
-
-    # replace all enum occurrences with a enum schema component. cut out the
-    # enum, replace it with a reference and add a corresponding component.
-    for _, props in iter_field_schemas():
-        for prop_name, _prop_schema in props.items():
-            prop_schema = _prop_schema
-            is_array = prop_schema.get("type") == "array"
-            if is_array:
-                prop_schema = prop_schema.get("items", {})
-
-            if "enum" not in prop_schema:
-                continue
-
-            prop_enum_original_list = prop_schema["enum"]
-            prop_schema["enum"] = [i for i in prop_schema["enum"] if i not in ["", None]]
-            prop_hash = extract_hash(prop_schema)
-            # when choice sets are reused under multiple names, the generated name cannot be
-            # resolved from the hash alone. fall back to prop_name and hash for resolution.
-            enum_name = enum_name_mapping.get(prop_hash) or enum_name_mapping[prop_hash, prop_name]
-
-            # split property into remaining property and enum component parts
-            enum_schema = {k: v for k, v in prop_schema.items() if k in ["type", "enum"]}
-            prop_schema = {
-                k: v for k, v in prop_schema.items() if k not in ["type", "enum", "x-spec-enum-id"]
-            }
-
-            # separate actual description from name-value tuples
-            if spectacular_settings.ENUM_GENERATE_CHOICE_DESCRIPTION:
-                if prop_schema.get("description", "").startswith("*"):
-                    enum_schema["description"] = prop_schema.pop("description")
-                elif "\n\n*" in prop_schema.get("description", ""):
-                    _, _, post = prop_schema["description"].partition("\n\n*")
-                    enum_schema["description"] = "*" + post
-
-            components = [create_enum_component(enum_name, schema=enum_schema)]
-            if spectacular_settings.ENUM_ADD_EXPLICIT_BLANK_NULL_CHOICE:
-                if "" in prop_enum_original_list:
-                    components.append(
-                        create_enum_component(f"Blank{enum_suffix}", schema={"enum": [""]})
-                    )
-                if None in prop_enum_original_list:
-                    if spectacular_settings.OAS_VERSION.startswith("3.1"):
-                        components.append(
-                            create_enum_component(f"Null{enum_suffix}", schema={"type": "null"})
-                        )
-                    else:
-                        components.append(
-                            create_enum_component(f"Null{enum_suffix}", schema={"enum": [None]})
-                        )
-
-            # undo OAS 3.1 type list NULL construction as we cover
-            # this in a separate component already
-            if spectacular_settings.OAS_VERSION.startswith("3.1") and isinstance(
-                enum_schema["type"], list
-            ):
-                enum_schema["type"] = [t for t in enum_schema["type"] if t != "null"][0]
-
-            if len(components) == 1:
-                prop_schema.update(components[0].ref)
-            else:
-                prop_schema.update({"oneOf": [c.ref for c in components]})
-
-            patch_target = props[prop_name]  # noqa: PLR1733
-            if is_array:
-                patch_target = patch_target["items"]
-
-            # Replace existing schema information with reference
-            patch_target.clear()
-            patch_target.update(safe_ref(prop_schema))
-
-    # sort again with additional components
-    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
-
-    # remove remaining ids that were not part of this hook (operation parameters mainly)
-    postprocess_schema_enum_id_removal(result, generator)
-
-    return result
-
-
-# Fixed version of `load_enum_name_overrides()` with a LRU cache based on language
-# *and* enum overrides.
-# Without this, API generation breaks if there is more than 1 API present (such as in split APIs)
-# Original source: drf-spectacular/drf_spectacular/plumbing.py
-def load_enum_name_overrides():
-    cache_key = get_language() or ""
-
-    for k, v in sorted(spectacular_settings.ENUM_NAME_OVERRIDES.items()):
-        cache_key += f";{k}:{v}"
-
-    return _load_enum_name_overrides(cache_key)
-
-
-# Original source: drf-spectacular/drf_spectacular/plumbing.py
-# Only change: cache_key argument instead of language.
-@functools.lru_cache
-def _load_enum_name_overrides(cache_key):
-    overrides = {}
-    for name, _choices in spectacular_settings.ENUM_NAME_OVERRIDES.items():
-        choices = _choices
-        if isinstance(choices, str):
-            choices = deep_import_string(choices)
-        if not choices:
-            warn(
-                f"unable to load choice override for {name} from ENUM_NAME_OVERRIDES. "
-                f"please check module path string."
-            )
-            continue
-        if inspect.isclass(choices) and issubclass(choices, Choices):
-            choices = choices.choices
-        if inspect.isclass(choices) and issubclass(choices, Enum):
-            choices = [(c.value, c.name) for c in choices]
-        normalized_choices = []
-        for choice in choices:
-            # Allow None values in the simple values list case
-            if isinstance(choice, str) or choice is None:
-                # TODO warning
-                normalized_choices.append((choice, choice))  # simple choice list
-            elif isinstance(choice[1], (list, tuple)):
-                normalized_choices.extend(choice[1])  # categorized nested choices
-            else:
-                normalized_choices.append(choice)  # normal 2-tuple form
-
-        # Get all of choice values that should be used in the hash, blank and
-        # None values get excluded in the post-processing hook for enum overrides,
-        # so we do the same here to ensure the hashes match
-        hashable_values = [
-            (value, label) for value, label in normalized_choices if value not in ["", None]
-        ]
-        overrides[list_hash(hashable_values)] = name
-
-    if len(spectacular_settings.ENUM_NAME_OVERRIDES) != len(overrides):
-        error(
-            "ENUM_NAME_OVERRIDES has duplication issues. Encountered multiple names "
-            "for the same choice set. Enum naming might be unexpected."
-        )
-    return overrides
--- a/authentik/api/v3/schema/pagination.py
+++ b/authentik/api/v3/schema/pagination.py
@@ -1,32 +0,0 @@
-from drf_spectacular.plumbing import (
-    ResolvedComponent,
-    build_basic_type,
-    build_object_type,
-)
-from drf_spectacular.types import OpenApiTypes
-
-PAGINATION = ResolvedComponent(
-    name="Pagination",
-    type=ResolvedComponent.SCHEMA,
-    object="Pagination",
-    schema=build_object_type(
-        properties={
-            "next": build_basic_type(OpenApiTypes.NUMBER),
-            "previous": build_basic_type(OpenApiTypes.NUMBER),
-            "count": build_basic_type(OpenApiTypes.NUMBER),
-            "current": build_basic_type(OpenApiTypes.NUMBER),
-            "total_pages": build_basic_type(OpenApiTypes.NUMBER),
-            "start_index": build_basic_type(OpenApiTypes.NUMBER),
-            "end_index": build_basic_type(OpenApiTypes.NUMBER),
-        },
-        required=[
-            "next",
-            "previous",
-            "count",
-            "current",
-            "total_pages",
-            "start_index",
-            "end_index",
-        ],
-    ),
-)
--- a/authentik/api/v3/schema/query.py
+++ b/authentik/api/v3/schema/query.py
@@ -1,17 +1,10 @@
-from typing import Any
-
 from django.utils.translation import gettext_lazy as _
-from drf_spectacular.generators import SchemaGenerator
 from drf_spectacular.plumbing import (
    ResolvedComponent,
    build_basic_type,
    build_parameter_type,
 )
 from drf_spectacular.types import OpenApiTypes
-from structlog.stdlib import get_logger
-
-LOGGER = get_logger()
-

 QUERY_PARAMS = {
    "ordering": ResolvedComponent(
@@ -70,18 +63,3 @@ QUERY_PARAMS = {
        ),
    ),
 }
-
-
-def postprocess_schema_query_params(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Optimize pagination parameters, instead of redeclaring parameters for each endpoint
-    declare them globally and refer to them"""
-    LOGGER.debug("Deduplicating query parameters")
-    for path in result["paths"].values():
-        for method in path.values():
-            for idx, param in enumerate(method.get("parameters", [])):
-                if param["name"] not in QUERY_PARAMS:
-                    continue
-                method["parameters"][idx] = QUERY_PARAMS[param["name"]].ref
-    return result
--- a/authentik/api/v3/schema/response.py
+++ b/authentik/api/v3/schema/response.py
@@ -1,22 +1,12 @@
-from typing import Any
-
 from django.utils.translation import gettext_lazy as _
-from drf_spectacular.generators import SchemaGenerator
 from drf_spectacular.plumbing import (
    ResolvedComponent,
    build_array_type,
    build_basic_type,
    build_object_type,
 )
-from drf_spectacular.settings import spectacular_settings
 from drf_spectacular.types import OpenApiTypes
 from rest_framework.settings import api_settings
-from structlog.stdlib import get_logger
-
-from authentik.api.v3.schema.pagination import PAGINATION
-from authentik.api.v3.schema.query import QUERY_PARAMS
-
-LOGGER = get_logger()

 GENERIC_ERROR = ResolvedComponent(
    name="GenericError",
@@ -67,40 +57,28 @@ VALIDATION_ERROR_RESPONSE = ResolvedComponent(
        "description": "",
    },
 )
-
-
-def postprocess_schema_register(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Register custom schema components"""
-    LOGGER.debug("Registering custom schemas")
-    generator.registry.register_on_missing(PAGINATION)
-    generator.registry.register_on_missing(GENERIC_ERROR)
-    generator.registry.register_on_missing(GENERIC_ERROR_RESPONSE)
-    generator.registry.register_on_missing(VALIDATION_ERROR)
-    generator.registry.register_on_missing(VALIDATION_ERROR_RESPONSE)
-    for query in QUERY_PARAMS.values():
-        generator.registry.register_on_missing(query)
-    return result
-
-
-def postprocess_schema_responses(
-    result: dict[str, Any], generator: SchemaGenerator, **kwargs
-) -> dict[str, Any]:
-    """Default error responses"""
-    LOGGER.debug("Adding default error responses")
-    for path in result["paths"].values():
-        for method in path.values():
-            method["responses"].setdefault("400", VALIDATION_ERROR_RESPONSE.ref)
-            method["responses"].setdefault("403", GENERIC_ERROR_RESPONSE.ref)
-
-    result["components"] = generator.registry.build(spectacular_settings.APPEND_COMPONENTS)
-
-    # This is a workaround for authentik/stages/prompt/stage.py
-    # since the serializer PromptChallengeResponse
-    # accepts dynamic keys
-    for component in result["components"]["schemas"]:
-        if component == "PromptChallengeResponseRequest":
-            comp = result["components"]["schemas"][component]
-            comp["additionalProperties"] = {}
-    return result
+PAGINATION = ResolvedComponent(
+    name="Pagination",
+    type=ResolvedComponent.SCHEMA,
+    object="Pagination",
+    schema=build_object_type(
+        properties={
+            "next": build_basic_type(OpenApiTypes.NUMBER),
+            "previous": build_basic_type(OpenApiTypes.NUMBER),
+            "count": build_basic_type(OpenApiTypes.NUMBER),
+            "current": build_basic_type(OpenApiTypes.NUMBER),
+            "total_pages": build_basic_type(OpenApiTypes.NUMBER),
+            "start_index": build_basic_type(OpenApiTypes.NUMBER),
+            "end_index": build_basic_type(OpenApiTypes.NUMBER),
+        },
+        required=[
+            "next",
+            "previous",
+            "count",
+            "current",
+            "total_pages",
+            "start_index",
+            "end_index",
+        ],
+    ),
+)
--- a/authentik/api/v3/schema/search.py
+++ b/authentik/api/v3/schema/search.py
@@ -1,20 +0,0 @@
-from typing import TYPE_CHECKING
-
-from drf_spectacular.plumbing import ResolvedComponent, build_object_type
-
-if TYPE_CHECKING:
-    from drf_spectacular.generators import SchemaGenerator
-
-
-AUTOCOMPLETE_SCHEMA = ResolvedComponent(
-    name="Autocomplete",
-    object="Autocomplete",
-    type=ResolvedComponent.SCHEMA,
-    schema=build_object_type(additionalProperties={}),
-)
-
-
-def postprocess_schema_search_autocomplete(result, generator: SchemaGenerator, **kwargs):
-    generator.registry.register_on_missing(AUTOCOMPLETE_SCHEMA)
-
-    return result
--- a/authentik/blueprints/api.py
+++ b/authentik/blueprints/api.py
@@ -1,60 +1,24 @@
 """Serializer mixin for managed models"""

-from typing import cast
-
-from django.conf import settings
-from django.core.files.uploadedfile import InMemoryUploadedFile
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular.utils import extend_schema, inline_serializer
 from rest_framework.decorators import action
-from rest_framework.exceptions import PermissionDenied, ValidationError
-from rest_framework.fields import (
-    BooleanField,
-    CharField,
-    DateTimeField,
-    FileField,
-)
-from rest_framework.parsers import MultiPartParser
+from rest_framework.exceptions import ValidationError
+from rest_framework.fields import CharField, DateTimeField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer
 from rest_framework.viewsets import ModelViewSet

-from authentik.api.validation import validate
 from authentik.blueprints.models import BlueprintInstance
-from authentik.blueprints.v1.common import Blueprint
 from authentik.blueprints.v1.importer import Importer
 from authentik.blueprints.v1.oci import OCI_PREFIX
 from authentik.blueprints.v1.tasks import apply_blueprint, blueprints_find_dict
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
-from authentik.core.models import User
-from authentik.events.logs import LogEventSerializer
 from authentik.rbac.decorators import permission_required


-def get_blueprints():
-    if settings.DEBUG:
-        return blueprints_find_dict()
-    return blueprints_find_dict.send().get_result(block=True)
-
-
-class BlueprintUploadSerializer(PassiveSerializer):
-    """Serializer to upload file"""
-
-    file = FileField(required=False)
-    path = CharField(required=False)
-
-    def validate_path(self, path: str) -> str:
-        """Ensure the path (if set) specified is retrievable"""
-        if path == "":
-            return path
-        files: list[dict] = get_blueprints()
-        if path not in [file["path"] for file in files]:
-            raise ValidationError(_("Blueprint file does not exist"))
-        return path
-
-
 class ManagedSerializer:
    """Managed Serializer"""

@@ -75,7 +39,7 @@ class BlueprintInstanceSerializer(ModelSerializer):
        """Ensure the path (if set) specified is retrievable"""
        if path == "" or path.startswith(OCI_PREFIX):
            return path
-        files: list[dict] = get_blueprints()
+        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
        if path not in [file["path"] for file in files]:
            raise ValidationError(_("Blueprint file does not exist"))
        return path
@@ -124,33 +88,6 @@ class BlueprintInstanceSerializer(ModelSerializer):
        }


-def check_blueprint_perms(blueprint: Blueprint, user: User, explicit_action: str | None = None):
-    """Check for individual permissions for each model in a blueprint"""
-    for entry in blueprint.iter_entries():
-        full_model = entry.get_model(blueprint)
-        app, __, model = full_model.partition(".")
-        perms = [
-            f"{app}.add_{model}",
-            f"{app}.change_{model}",
-            f"{app}.delete_{model}",
-        ]
-        if explicit_action:
-            perms = [f"{app}.{explicit_action}_{model}"]
-        for perm in perms:
-            if not user.has_perm(perm):
-                raise PermissionDenied(
-                    {
-                        entry.id: _(
-                            "User lacks permission to create {model}".format_map(
-                                {
-                                    "model": full_model,
-                                }
-                            )
-                        )
-                    }
-                )
-
-
 class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    """Blueprint instances"""

@@ -160,12 +97,6 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    filterset_fields = ["name", "path"]
    ordering = ["name"]

-    class BlueprintImportResultSerializer(PassiveSerializer):
-        """Logs of an attempted blueprint import"""
-
-        logs = LogEventSerializer(many=True, read_only=True)
-        success = BooleanField(read_only=True)
-
    @extend_schema(
        responses={
            200: ListSerializer(
@@ -184,7 +115,7 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
    @action(detail=False, pagination_class=None, filter_backends=[])
    def available(self, request: Request) -> Response:
        """Get blueprints"""
-        files: list[dict] = get_blueprints()
+        files: list[dict] = blueprints_find_dict.send().get_result(block=True)
        return Response(files)

    @permission_required("authentik_blueprints.view_blueprintinstance")
@@ -200,53 +131,3 @@ class BlueprintInstanceViewSet(UsedByMixin, ModelViewSet):
        blueprint = self.get_object()
        apply_blueprint.send_with_options(args=(blueprint.pk,), rel_obj=blueprint)
        return self.retrieve(request, *args, **kwargs)
-
-    @extend_schema(
-        request={"multipart/form-data": BlueprintUploadSerializer},
-        responses={
-            204: BlueprintImportResultSerializer,
-            400: BlueprintImportResultSerializer,
-        },
-    )
-    @action(url_path="import", detail=False, methods=["POST"], parser_classes=(MultiPartParser,))
-    @validate(
-        BlueprintUploadSerializer,
-    )
-    def import_(self, request: Request, body: BlueprintUploadSerializer) -> Response:
-        """Import blueprint from .yaml file and apply it once, without creating an instance"""
-        string_contents = ""
-        if body.validated_data.get("file"):
-            file = cast(InMemoryUploadedFile, body.validated_data["file"])
-            string_contents = file.read().decode()
-        elif body.validated_data.get("path"):
-            string_contents = BlueprintInstance(
-                path=body.validated_data.get("path")
-            ).retrieve_file()
-        else:
-            raise ValidationError("Either path or file must be set")
-        importer = Importer.from_string(string_contents)
-
-        check_blueprint_perms(importer.blueprint, request.user)
-
-        valid, logs = importer.validate()
-
-        import_response = self.BlueprintImportResultSerializer(
-            data={
-                "logs": [],
-                "success": False,
-            }
-        )
-        import_response.is_valid(raise_exception=True)
-
-        import_response.initial_data["logs"] = [LogEventSerializer(log).data for log in logs]
-        import_response.initial_data["success"] = valid
-        import_response.is_valid()
-        if not valid:
-            return Response(data=import_response.initial_data, status=200)
-
-        successful = importer.apply()
-        import_response.initial_data["success"] = successful
-        import_response.is_valid()
-        if not successful:
-            return Response(data=import_response.initial_data, status=200)
-        return Response(data=import_response.initial_data, status=200)
--- a/authentik/blueprints/apps.py
+++ b/authentik/blueprints/apps.py
@@ -3,6 +3,7 @@
 import traceback
 from collections.abc import Callable
 from importlib import import_module
+from inspect import ismethod

 from django.apps import AppConfig
 from django.conf import settings
@@ -71,19 +72,12 @@ class ManagedAppConfig(AppConfig):

    def _reconcile(self, prefix: str) -> None:
        for meth_name in dir(self):
-            # Check the attribute on the class to avoid evaluating @property descriptors.
-            # Using getattr(self, ...) on a @property would evaluate it, which can trigger
-            # expensive side effects (e.g. tenant_schedule_specs iterating all providers
-            # and running PolicyEngine queries for every user).
-            class_attr = getattr(type(self), meth_name, None)
-            if class_attr is None or isinstance(class_attr, property):
+            meth = getattr(self, meth_name)
+            if not ismethod(meth):
                continue
-            if not callable(class_attr):
-                continue
-            category = getattr(class_attr, "_authentik_managed_reconcile", None)
+            category = getattr(meth, "_authentik_managed_reconcile", None)
            if category != prefix:
                continue
-            meth = getattr(self, meth_name)
            name = meth_name.replace(prefix, "")
            try:
                self.logger.debug("Starting reconciler", name=name)
--- a/authentik/blueprints/management/commands/apply_blueprint.py
+++ b/authentik/blueprints/management/commands/apply_blueprint.py
@@ -1,6 +1,5 @@
 """Apply blueprint from commandline"""

-from argparse import ArgumentParser
 from sys import exit as sys_exit

 from django.core.management.base import BaseCommand, no_translations
@@ -32,5 +31,5 @@ class Command(BaseCommand):
                        sys_exit(1)
                    importer.apply()

-    def add_arguments(self, parser: ArgumentParser):
+    def add_arguments(self, parser):
        parser.add_argument("blueprints", nargs="+", type=str)
--- a/authentik/blueprints/tests/test_v1_conditions.py
+++ b/authentik/blueprints/tests/test_v1_conditions.py
@@ -1,11 +1,8 @@
 """Test blueprints v1"""

-from unittest.mock import patch
-
 from django.test import TransactionTestCase

 from authentik.blueprints.v1.importer import Importer
-from authentik.enterprise.license import LicenseKey
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.lib.tests.utils import load_fixture
@@ -45,45 +42,3 @@ class TestBlueprintsV1Conditions(TransactionTestCase):
        # Ensure objects do not exist
        self.assertFalse(Flow.objects.filter(slug=flow_slug1))
        self.assertFalse(Flow.objects.filter(slug=flow_slug2))
-
-    def test_enterprise_license_context_unlicensed(self):
-        """Test enterprise license context defaults to a false boolean when unlicensed."""
-        license_key = LicenseKey("test", 0, "Test license", 0, 0)
-
-        with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
-            importer = Importer.from_string("""
-version: 1
-entries:
-    - identifiers:
-          name: enterprise-test
-          slug: enterprise-test
-      model: authentik_flows.flow
-      conditions:
-          - !Context goauthentik.io/enterprise/licensed
-      attrs:
-          designation: stage_configuration
-          title: foo
-""")
-
-        self.assertIs(importer.blueprint.context["goauthentik.io/enterprise/licensed"], False)
-
-    def test_enterprise_license_context_licensed(self):
-        """Test enterprise license context defaults to a true boolean when licensed."""
-        license_key = LicenseKey("test", 253402300799, "Test license", 1000, 1000)
-
-        with patch("authentik.enterprise.license.LicenseKey.get_total", return_value=license_key):
-            importer = Importer.from_string("""
-version: 1
-entries:
-    - identifiers:
-          name: enterprise-test
-          slug: enterprise-test
-      model: authentik_flows.flow
-      conditions:
-          - !Context goauthentik.io/enterprise/licensed
-      attrs:
-          designation: stage_configuration
-          title: foo
-""")
-
-        self.assertIs(importer.blueprint.context["goauthentik.io/enterprise/licensed"], True)
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@@ -146,7 +146,9 @@ class Importer:
        try:
            from authentik.enterprise.license import LicenseKey

-            context["goauthentik.io/enterprise/licensed"] = LicenseKey.get_total().status().is_valid
+            context["goauthentik.io/enterprise/licensed"] = (
+                LicenseKey.get_total().status().is_valid,
+            )
        except ModuleNotFoundError:
            pass
        return context
@@ -270,7 +272,7 @@ class Importer:
            and entry.state != BlueprintEntryDesiredState.MUST_CREATED
        ):
            self.logger.debug(
-                "Initialize serializer with instance",
+                "Initialise serializer with instance",
                model=model,
                instance=model_instance,
                pk=model_instance.pk,
@@ -288,7 +290,7 @@ class Importer:
            )
        else:
            self.logger.debug(
-                "Initialized new serializer instance",
+                "Initialised new serializer instance",
                model=model,
                **cleanse_dict(updated_identifiers),
            )
--- a/authentik/brands/api.py
+++ b/authentik/brands/api.py
@@ -64,7 +64,6 @@ class BrandSerializer(ModelSerializer):
            "flow_unenrollment",
            "flow_user_settings",
            "flow_device_code",
-            "flow_lockdown",
            "default_application",
            "web_certificate",
            "client_certificates",
@@ -118,7 +117,6 @@ class CurrentBrandSerializer(PassiveSerializer):
    flow_unenrollment = CharField(source="flow_unenrollment.slug", required=False)
    flow_user_settings = CharField(source="flow_user_settings.slug", required=False)
    flow_device_code = CharField(source="flow_device_code.slug", required=False)
-    flow_lockdown = CharField(source="flow_lockdown.slug", required=False)

    default_locale = CharField(read_only=True)
    flags = SerializerMethodField()
@@ -156,7 +154,6 @@ class BrandViewSet(UsedByMixin, ModelViewSet):
        "flow_unenrollment",
        "flow_user_settings",
        "flow_device_code",
-        "flow_lockdown",
        "web_certificate",
        "client_certificates",
    ]
--- a/authentik/brands/migrations/0012_brand_flow_lockdown.py
+++ b/authentik/brands/migrations/0012_brand_flow_lockdown.py
@@ -1,25 +0,0 @@
-# Generated by Django 5.2.12 on 2026-03-14 02:58
-
-import django.db.models.deletion
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_brands", "0011_alter_brand_branding_default_flow_background_and_more"),
-        ("authentik_flows", "0031_alter_flow_layout"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="brand",
-            name="flow_lockdown",
-            field=models.ForeignKey(
-                null=True,
-                on_delete=django.db.models.deletion.SET_NULL,
-                related_name="brand_lockdown",
-                to="authentik_flows.flow",
-            ),
-        ),
-    ]
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@@ -58,9 +58,6 @@ class Brand(SerializerModel):
    flow_device_code = models.ForeignKey(
        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_device_code"
    )
-    flow_lockdown = models.ForeignKey(
-        Flow, null=True, on_delete=models.SET_NULL, related_name="brand_lockdown"
-    )

    default_application = models.ForeignKey(
        "authentik_core.Application",
@@ -104,23 +101,13 @@ class Brand(SerializerModel):
        """Get themed URLs for branding_favicon if it contains %(theme)s"""
        return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_favicon)

-    def branding_default_flow_background_url(self, request=None, use_cache: bool = True) -> str:
+    def branding_default_flow_background_url(self) -> str:
        """Get branding_default_flow_background URL"""
-        return get_file_manager(FileUsage.MEDIA).file_url(
-            self.branding_default_flow_background,
-            request,
-            use_cache=use_cache,
-        )
+        return get_file_manager(FileUsage.MEDIA).file_url(self.branding_default_flow_background)

-    def branding_default_flow_background_themed_urls(
-        self, request=None, use_cache: bool = True
-    ) -> dict[str, str] | None:
+    def branding_default_flow_background_themed_urls(self) -> dict[str, str] | None:
        """Get themed URLs for branding_default_flow_background if it contains %(theme)s"""
-        return get_file_manager(FileUsage.MEDIA).themed_urls(
-            self.branding_default_flow_background,
-            request,
-            use_cache=use_cache,
-        )
+        return get_file_manager(FileUsage.MEDIA).themed_urls(self.branding_default_flow_background)

    @property
    def serializer(self) -> type[Serializer]:
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@@ -20,16 +20,11 @@ class TestBrands(APITestCase):

    def setUp(self):
        super().setUp()
+        self.default_flags = {}
+        for flag in Flag.available(visibility="public"):
+            self.default_flags[flag().key] = flag.get()
        Brand.objects.all().delete()

-    @property
-    def default_flags(self) -> dict[str, object]:
-        """Get current public flags.
-
-        Some tests define temporary Flag subclasses, so this can't be cached in setUp.
-        """
-        return {flag().key: flag.get() for flag in Flag.available(visibility="public")}
-
    def test_current_brand(self):
        """Test Current brand API"""
        brand = create_test_brand()
--- a/authentik/common/oauth/constants.py
+++ b/authentik/common/oauth/constants.py
@@ -5,7 +5,6 @@ from django.utils.translation import gettext_lazy as _

 GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code"
 GRANT_TYPE_IMPLICIT = "implicit"
-GRANT_TYPE_HYBRID = "hybrid"
 GRANT_TYPE_REFRESH_TOKEN = "refresh_token"  # nosec
 GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
 GRANT_TYPE_PASSWORD = "password"  # nosec
@@ -22,9 +21,6 @@ PROMPT_CONSENT = "consent"
 PROMPT_LOGIN = "login"

 PLAN_CONTEXT_OIDC_LOGOUT_IFRAME_SESSIONS = "goauthentik.io/providers/oauth2/iframe_sessions"
-PLAN_CONTEXT_POST_LOGOUT_REDIRECT_URI = "goauthentik.io/providers/oauth2/post_logout_redirect_uri"
-
-OAUTH2_BINDING = "redirect"

 SCOPE_OPENID = "openid"
 SCOPE_OPENID_PROFILE = "profile"
@@ -41,9 +37,6 @@ TOKEN_TYPE = "Bearer"  # nosec

 SCOPE_AUTHENTIK_API = "goauthentik.io/api"

-# URI schemes that are forbidden for redirect URIs
-FORBIDDEN_URI_SCHEMES = {"javascript", "data", "vbscript"}
-
 # Read/write full user (including email)
 SCOPE_GITHUB_USER = "user"
 # Read user (without email)
--- a/authentik/common/saml/constants.py
+++ b/authentik/common/saml/constants.py
@@ -30,8 +30,6 @@ SAML_BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

 SAML_STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

-DEFAULT_ISSUER = "authentik"
-
 DSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#dsa-sha1"
 RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
 # https://datatracker.ietf.org/doc/html/rfc4051#section-2.3.2
--- a/authentik/core/api/application_entitlements.py
+++ b/authentik/core/api/application_entitlements.py
@@ -47,8 +47,7 @@ class ApplicationEntitlementViewSet(UsedByMixin, ModelViewSet):
    search_fields = [
        "pbm_uuid",
        "name",
-        "app__name",
-        "app__slug",
+        "app",
        "attributes",
    ]
    filterset_fields = [
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -25,7 +25,6 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.users import UserSerializer
 from authentik.core.api.utils import ModelSerializer, ThemedUrlsSerializer
-from authentik.core.apps import AppAccessWithoutBindings
 from authentik.core.models import Application, User
 from authentik.events.logs import LogEventSerializer, capture_logs
 from authentik.policies.api.exec import PolicyTestResultSerializer
@@ -36,13 +35,9 @@ from authentik.rbac.filters import ObjectFilter
 LOGGER = get_logger()


-def user_app_cache_key(
-    user_pk: str, page_number: int | None = None, only_with_launch_url: bool = False
-) -> str:
+def user_app_cache_key(user_pk: str, page_number: int | None = None) -> str:
    """Cache key where application list for user is saved"""
    key = f"{CACHE_PREFIX}app_access/{user_pk}"
-    if only_with_launch_url:
-        key += "/launch"
    if page_number:
        key += f"/{page_number}"
    return key
@@ -120,7 +115,6 @@ class ApplicationSerializer(ModelSerializer):
            "meta_publisher",
            "policy_engine_mode",
            "group",
-            "meta_hide",
        ]
        extra_kwargs = {
            "backchannel_providers": {"required": False},
@@ -165,16 +159,15 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        return queryset

    def _get_allowed_applications(
-        self, paginated_apps: Iterator[Application], user: User | None = None
+        self, pagined_apps: Iterator[Application], user: User | None = None
    ) -> list[Application]:
        applications = []
        request = self.request._request
        if user:
            request = copy(request)
            request.user = user
-        for application in paginated_apps:
+        for application in pagined_apps:
            engine = PolicyEngine(application, request.user, request)
-            engine.empty_result = AppAccessWithoutBindings.get()
            engine.build()
            if engine.passing:
                applications.append(application)
@@ -232,7 +225,6 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
            if not for_user:
                raise ValidationError({"for_user": "User not found"})
        engine = PolicyEngine(application, for_user, request)
-        engine.empty_result = AppAccessWithoutBindings.get()
        engine.use_cache = False
        with capture_logs() as logs:
            engine.build()
@@ -279,17 +271,11 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
        if superuser_full_list and request.user.is_superuser:
            return super().list(request)

-        only_with_launch_url = (
-            str(request.query_params.get("only_with_launch_url", "false")).lower()
-        ) == "true"
+        only_with_launch_url = str(
+            request.query_params.get("only_with_launch_url", "false")
+        ).lower()

        queryset = self._filter_queryset_for_list(self.get_queryset())
-        queryset = queryset.exclude(meta_hide=True)
-        if only_with_launch_url:
-            # Pre-filter at DB level to skip expensive per-app policy evaluation
-            # for apps that can never appear in the launcher (no meta_launch_url
-            # and no provider, so no possible launch URL).
-            queryset = queryset.exclude(meta_launch_url="", provider__isnull=True)
        paginator: Pagination = self.paginator
        paginated_apps = paginator.paginate_queryset(queryset, request)

@@ -306,6 +292,7 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
            except ValueError as exc:
                raise ValidationError from exc
            allowed_applications = self._get_allowed_applications(paginated_apps, user=for_user)
+            allowed_applications = self._expand_applications(allowed_applications)

            serializer = self.get_serializer(allowed_applications, many=True)
            return self.get_paginated_response(serializer.data)
@@ -315,26 +302,19 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
            allowed_applications = self._get_allowed_applications(paginated_apps)
        if should_cache:
            allowed_applications = cache.get(
-                user_app_cache_key(
-                    self.request.user.pk, paginator.page.number, only_with_launch_url
-                )
+                user_app_cache_key(self.request.user.pk, paginator.page.number)
            )
-            if allowed_applications:
-                # Re-fetch cached applications since pickled instances lose prefetched
-                # relationships, causing N+1 queries during serialization
-                allowed_applications = self._expand_applications(allowed_applications)
-            else:
+            if not allowed_applications:
                LOGGER.debug("Caching allowed application list", page=paginator.page.number)
                allowed_applications = self._get_allowed_applications(paginated_apps)
                cache.set(
-                    user_app_cache_key(
-                        self.request.user.pk, paginator.page.number, only_with_launch_url
-                    ),
+                    user_app_cache_key(self.request.user.pk, paginator.page.number),
                    allowed_applications,
                    timeout=86400,
                )
+        allowed_applications = self._expand_applications(allowed_applications)

-        if only_with_launch_url:
+        if only_with_launch_url == "true":
            allowed_applications = self._filter_applications_with_launch_url(allowed_applications)

        serializer = self.get_serializer(allowed_applications, many=True)
--- a/authentik/core/api/authenticated_sessions.py
+++ b/authentik/core/api/authenticated_sessions.py
@@ -32,19 +32,19 @@ from authentik.rbac.decorators import permission_required
 class UserAgentDeviceDict(TypedDict):
    """User agent device"""

-    brand: str | None = None
+    brand: str
    family: str
-    model: str | None = None
+    model: str


 class UserAgentOSDict(TypedDict):
    """User agent os"""

    family: str
-    major: str | None = None
-    minor: str | None = None
-    patch: str | None = None
-    patch_minor: str | None = None
+    major: str
+    minor: str
+    patch: str
+    patch_minor: str


 class UserAgentBrowserDict(TypedDict):
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@@ -7,7 +7,6 @@ from django.http import Http404
 from django.utils.translation import gettext as _
 from django_filters.filters import CharFilter, ModelMultipleChoiceFilter
 from django_filters.filterset import FilterSet
-from djangoql.schema import BoolField, StrField
 from drf_spectacular.utils import (
    OpenApiParameter,
    OpenApiResponse,
@@ -19,16 +18,13 @@ from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
 from rest_framework.permissions import IsAuthenticated
-from rest_framework.relations import ManyRelatedField, PrimaryKeyRelatedField
+from rest_framework.relations import PrimaryKeyRelatedField
 from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.serializers import ListSerializer, ValidationError
 from rest_framework.viewsets import ModelViewSet

 from authentik.api.authentication import TokenAuthentication
-from authentik.api.search.fields import (
-    JSONSearchField,
-)
 from authentik.api.validation import validate
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
@@ -37,77 +33,6 @@ from authentik.endpoints.connectors.agent.auth import AgentAuth
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required

-
-class BulkManyRelatedField(ManyRelatedField):
-    """ManyRelatedField that validates all PKs in a single query instead of one per PK."""
-
-    def to_internal_value(self, data):
-        if isinstance(data, str) or not hasattr(data, "__iter__"):
-            self.fail("not_a_list", input_type=type(data).__name__)
-        if not self.allow_empty and len(data) == 0:
-            self.fail("empty")
-
-        child = self.child_relation
-        pk_field = child.pk_field
-        # Coerce PKs through pk_field if defined
-        pk_map = {}
-        for item in data:
-            if isinstance(item, bool):
-                self.fail("incorrect_type", data_type=type(item).__name__)
-            pk = pk_field.to_internal_value(item) if pk_field else item
-            pk_map[pk] = item  # map coerced PK -> original value for error reporting
-
-        queryset = child.get_queryset()
-        # Use count to validate all PKs exist in a single query
-        found_count = queryset.filter(pk__in=pk_map.keys()).count()
-        if found_count < len(pk_map):
-            # Some PKs not found — fall back to per-PK checks for error reporting.
-            # This only runs when there's an actual validation error (rare path).
-            for pk, original in pk_map.items():
-                if not queryset.filter(pk=pk).exists():
-                    child.fail("does_not_exist", pk_value=original)
-
-        # Return raw PKs — Django's M2M set() accepts both objects and PKs,
-        # using get_prep_value() for type coercion. This avoids loading all
-        # objects into memory and avoids triggering post_init signals.
-        return list(pk_map.keys())
-
-    def to_representation(self, iterable):
-        # For non-prefetched querysets, get PKs directly without loading model instances.
-        # When prefetched, _result_cache is a list (possibly empty); when not, it's None.
-        if hasattr(iterable, "values_list") and getattr(iterable, "_result_cache", None) is None:
-            return list(iterable.values_list("pk", flat=True))
-        return super().to_representation(iterable)
-
-
-class BulkPrimaryKeyRelatedField(PrimaryKeyRelatedField):
-    """PrimaryKeyRelatedField that uses bulk validation when many=True."""
-
-    @classmethod
-    def many_init(cls, *args, **kwargs):
-        allow_empty = kwargs.pop("allow_empty", None)
-        max_length = kwargs.pop("max_length", None)
-        min_length = kwargs.pop("min_length", None)
-        child_relation = cls(*args, **kwargs)
-        list_kwargs = {
-            "child_relation": child_relation,
-        }
-        if allow_empty is not None:
-            list_kwargs["allow_empty"] = allow_empty
-        if max_length is not None:
-            list_kwargs["max_length"] = max_length
-        if min_length is not None:
-            list_kwargs["min_length"] = min_length
-        list_kwargs.update(
-            {
-                key: value
-                for key, value in kwargs.items()
-                if key in ("required", "default", "source")
-            }
-        )
-        return BulkManyRelatedField(**list_kwargs)
-
-
 PARTIAL_USER_SERIALIZER_MODEL_FIELDS = [
    "pk",
    "username",
@@ -150,7 +75,6 @@ class GroupSerializer(ModelSerializer):
    """Group Serializer"""

    attributes = JSONDictField(required=False)
-    users = BulkPrimaryKeyRelatedField(queryset=User.objects.all(), many=True, default=list)
    parents = PrimaryKeyRelatedField(queryset=Group.objects.all(), many=True, required=False)
    parents_obj = SerializerMethodField(allow_null=True)
    children_obj = SerializerMethodField(allow_null=True)
@@ -265,6 +189,9 @@ class GroupSerializer(ModelSerializer):
            "children_obj",
        ]
        extra_kwargs = {
+            "users": {
+                "default": list,
+            },
            "children": {
                "required": False,
                "default": list,
@@ -294,7 +221,6 @@ class GroupFilter(FilterSet):
    members_by_pk = ModelMultipleChoiceFilter(
        field_name="users",
        queryset=User.objects.all(),
-        distinct=False,
    )

    def filter_attributes(self, queryset, name, value):
@@ -339,6 +265,12 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
    ]

    def get_ql_fields(self):
+        from djangoql.schema import BoolField, StrField
+
+        from authentik.enterprise.search.fields import (
+            JSONSearchField,
+        )
+
        return [
            StrField(Group, "name"),
            BoolField(Group, "is_superuser", nullable=True),
@@ -346,8 +278,7 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
        ]

    def get_queryset(self):
-        # Always prefetch parents and children since their PKs are always serialized
-        base_qs = Group.objects.all().prefetch_related("roles", "parents", "children")
+        base_qs = Group.objects.all().prefetch_related("roles")

        if self.serializer_class(context={"request": self.request})._should_include_users:
            # Only fetch fields needed by PartialUserSerializer to reduce DB load and instantiation
@@ -358,9 +289,16 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
                    queryset=User.objects.all().only(*PARTIAL_USER_SERIALIZER_MODEL_FIELDS),
                )
            )
-        # When include_users=false, skip users prefetch entirely.
-        # BulkManyRelatedField.to_representation will use values_list to get PKs
-        # directly without loading User instances into memory.
+        else:
+            base_qs = base_qs.prefetch_related(
+                Prefetch("users", queryset=User.objects.all().only("id"))
+            )
+
+        if self.serializer_class(context={"request": self.request})._should_include_children:
+            base_qs = base_qs.prefetch_related("children")
+
+        if self.serializer_class(context={"request": self.request})._should_include_parents:
+            base_qs = base_qs.prefetch_related("parents")

        return base_qs

--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -124,7 +124,7 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
    """Token Viewset"""

    lookup_field = "identifier"
-    queryset = Token.objects.including_expired().all()
+    queryset = Token.objects.all()
    serializer_class = TokenSerializer
    search_fields = [
        "identifier",
--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@@ -2,8 +2,9 @@

 from django.apps import apps
 from django.db.models import Model
+from django.utils.translation import gettext as _
 from drf_spectacular.utils import PolymorphicProxySerializer, extend_schema, extend_schema_field
-from rest_framework.exceptions import ValidationError
+from rest_framework.exceptions import PermissionDenied, ValidationError
 from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField, ListField
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.request import Request
@@ -12,7 +13,6 @@ from rest_framework.views import APIView
 from yaml import ScalarNode

 from authentik.api.validation import validate
-from authentik.blueprints.api import check_blueprint_perms
 from authentik.blueprints.v1.common import (
    Blueprint,
    BlueprintEntry,
@@ -165,7 +165,21 @@ class TransactionalApplicationView(APIView):
    def put(self, request: Request, body: TransactionApplicationSerializer) -> Response:
        """Convert data into a blueprint, validate it and apply it"""
        blueprint: Blueprint = body.validated_data
-        check_blueprint_perms(blueprint, request.user, explicit_action="add")
+        for entry in blueprint.entries:
+            full_model = entry.get_model(blueprint)
+            app, __, model = full_model.partition(".")
+            if not request.user.has_perm(f"{app}.add_{model}"):
+                raise PermissionDenied(
+                    {
+                        entry.id: _(
+                            "User lacks permission to create {model}".format_map(
+                                {
+                                    "model": full_model,
+                                }
+                            )
+                        )
+                    }
+                )
        importer = Importer(blueprint, {})
        applied = importer.apply()
        response = {"applied": False, "logs": []}
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -6,7 +6,6 @@ from typing import Any

 from django.contrib.auth import update_session_auth_hash
 from django.contrib.auth.models import AnonymousUser, Permission
-from django.db.models import Exists, OuterRef, Prefetch, Q
 from django.db.transaction import atomic
 from django.db.utils import IntegrityError
 from django.urls import reverse_lazy
@@ -14,7 +13,6 @@ from django.utils.http import urlencode
 from django.utils.text import slugify
 from django.utils.timezone import now
 from django.utils.translation import gettext as _
-from django.utils.translation import gettext_lazy
 from django_filters.filters import (
    BooleanFilter,
    CharFilter,
@@ -24,7 +22,6 @@ from django_filters.filters import (
    UUIDFilter,
 )
 from django_filters.filterset import FilterSet
-from djangoql.schema import BoolField, StrField
 from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import (
    OpenApiParameter,
@@ -58,10 +55,6 @@ from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

 from authentik.api.authentication import TokenAuthentication
-from authentik.api.search.fields import (
-    ChoiceSearchField,
-    JSONSearchField,
-)
 from authentik.api.validation import validate
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
@@ -107,10 +100,6 @@ from authentik.stages.email.utils import TemplateEmailMessage

 LOGGER = get_logger()

-INVALID_PASSWORD_HASH_MESSAGE = gettext_lazy(
-    "Invalid password hash format. Must be a valid Django password hash."
-)
-

 class ParamUserSerializer(PassiveSerializer):
    """Partial serializer for query parameters to select a user"""
@@ -137,7 +126,7 @@ class PartialGroupSerializer(ModelSerializer):
 class UserSerializer(ModelSerializer):
    """User Serializer"""

-    is_superuser = SerializerMethodField()
+    is_superuser = BooleanField(read_only=True)
    avatar = SerializerMethodField()
    attributes = JSONDictField(required=False)
    groups = PrimaryKeyRelatedField(
@@ -174,14 +163,6 @@ class UserSerializer(ModelSerializer):
            return True
        return str(request.query_params.get("include_roles", "true")).lower() == "true"

-    @extend_schema_field(BooleanField)
-    def get_is_superuser(self, instance: User) -> bool:
-        """Use annotation if available to avoid N+1 query"""
-        ann = getattr(instance, "_annotated_is_superuser", None)
-        if ann is not None:
-            return ann
-        return instance.is_superuser
-
    @extend_schema_field(PartialGroupSerializer(many=True))
    def get_groups_obj(self, instance: User) -> list[PartialGroupSerializer] | None:
        if not self._should_include_groups:
@@ -195,79 +176,47 @@ class UserSerializer(ModelSerializer):
        return RoleSerializer(instance.roles, many=True).data

    def __init__(self, *args, **kwargs):
-        """Setting password and permissions directly is allowed only in blueprints."""
        super().__init__(*args, **kwargs)
        if SERIALIZER_CONTEXT_BLUEPRINT in self.context:
            self.fields["password"] = CharField(required=False, allow_null=True)
-            self.fields["password_hash"] = CharField(required=False, allow_null=True)
            self.fields["permissions"] = ListField(
                required=False,
                child=ChoiceField(choices=get_permission_choices()),
            )

    def create(self, validated_data: dict) -> User:
-        """Create a user, with blueprint-only password and permission writes."""
-        is_blueprint = SERIALIZER_CONTEXT_BLUEPRINT in self.context
-        if is_blueprint:
-            password = validated_data.pop("password", None)
-            password_hash = validated_data.pop("password_hash", None)
-            permissions = validated_data.pop("permissions", [])
-            self._validate_password_inputs(password, password_hash)
-
+        """If this serializer is used in the blueprint context, we allow for
+        directly setting a password. However should be done via the `set_password`
+        method instead of directly setting it like rest_framework."""
+        password = validated_data.pop("password", None)
+        perms_qs = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        ).values_list("content_type__app_label", "codename")
+        perms_list = [f"{ct}.{name}" for ct, name in list(perms_qs)]
        instance: User = super().create(validated_data)
-        if is_blueprint:
-            self._set_password(instance, password, password_hash)
-            perms_qs = Permission.objects.filter(
-                codename__in=[permission.split(".")[1] for permission in permissions]
-            ).values_list("content_type__app_label", "codename")
-            perms_list = [f"{ct}.{name}" for ct, name in perms_qs]
-            instance.assign_perms_to_managed_role(perms_list)
-        self._ensure_password_not_empty(instance)
+        self._set_password(instance, password)
+        instance.assign_perms_to_managed_role(perms_list)
        return instance

    def update(self, instance: User, validated_data: dict) -> User:
-        """Update a user, with blueprint-only password and permission writes."""
-        is_blueprint = SERIALIZER_CONTEXT_BLUEPRINT in self.context
-        if is_blueprint:
-            password = validated_data.pop("password", None)
-            password_hash = validated_data.pop("password_hash", None)
-            permissions = validated_data.pop("permissions", [])
-            self._validate_password_inputs(password, password_hash)
-
+        """Same as `create` above, set the password directly if we're in a blueprint
+        context"""
+        password = validated_data.pop("password", None)
+        perms_qs = Permission.objects.filter(
+            codename__in=[x.split(".")[1] for x in validated_data.pop("permissions", [])]
+        ).values_list("content_type__app_label", "codename")
+        perms_list = [f"{ct}.{name}" for ct, name in list(perms_qs)]
        instance = super().update(instance, validated_data)
-        if is_blueprint:
-            self._set_password(instance, password, password_hash)
-            perms_qs = Permission.objects.filter(
-                codename__in=[permission.split(".")[1] for permission in permissions]
-            ).values_list("content_type__app_label", "codename")
-            perms_list = [f"{ct}.{name}" for ct, name in perms_qs]
-            instance.assign_perms_to_managed_role(perms_list)
-        self._ensure_password_not_empty(instance)
+        self._set_password(instance, password)
+        instance.assign_perms_to_managed_role(perms_list)
        return instance

-    def _validate_password_inputs(self, password: str | None, password_hash: str | None):
-        """Validate mutually-exclusive password inputs before any model mutation."""
-        if password is not None and password_hash is not None:
-            raise ValidationError(_("Cannot set both password and password_hash. Use only one."))
-        if password_hash is None:
-            return
-        try:
-            User.validate_password_hash(password_hash)
-        except ValueError as exc:
-            LOGGER.warning("Failed to identify password hash format", exc_info=exc)
-            raise ValidationError(INVALID_PASSWORD_HASH_MESSAGE) from exc
-
-    def _set_password(self, instance: User, password: str | None, password_hash: str | None = None):
-        """Set password from plain text or hash."""
-        if password_hash is not None:
-            instance.set_password_from_hash(password_hash)
-            instance.save()
-        elif password:
+    def _set_password(self, instance: User, password: str | None):
+        """Set password of user if we're in a blueprint context, and if it's an empty
+        string then use an unusable password"""
+        if SERIALIZER_CONTEXT_BLUEPRINT in self.context and password:
            instance.set_password(password)
            instance.save()
-
-    def _ensure_password_not_empty(self, instance: User):
-        """Store an explicit unusable password instead of an empty password field."""
        if len(instance.password) == 0:
            instance.set_unusable_password()
            instance.save()
@@ -436,12 +385,6 @@ class UserPasswordSetSerializer(PassiveSerializer):
    password = CharField(required=True)


-class UserPasswordHashSetSerializer(PassiveSerializer):
-    """Payload to set a users' password hash directly"""
-
-    password = CharField(required=True)
-
-
 class UserServiceAccountSerializer(PassiveSerializer):
    """Payload to create a service account"""

@@ -563,9 +506,6 @@ class UsersFilter(FilterSet):


 class UserViewSet(
-    ConditionalInheritance(
-        "authentik.enterprise.stages.account_lockdown.api.UserAccountLockdownMixin"
-    ),
    ConditionalInheritance("authentik.enterprise.reports.api.reports.ExportMixin"),
    UsedByMixin,
    ModelViewSet,
@@ -584,6 +524,13 @@ class UserViewSet(
    ]

    def get_ql_fields(self):
+        from djangoql.schema import BoolField, StrField
+
+        from authentik.enterprise.search.fields import (
+            ChoiceSearchField,
+            JSONSearchField,
+        )
+
        return [
            StrField(User, "username"),
            StrField(User, "name"),
@@ -596,30 +543,10 @@ class UserViewSet(

    def get_queryset(self):
        base_qs = User.objects.all().exclude_anonymous()
-        # Always prefetch groups since group PKs are always serialized.
-        # Use full prefetch when include_groups=true (for groups_obj), ID-only otherwise.
        if self.serializer_class(context={"request": self.request})._should_include_groups:
            base_qs = base_qs.prefetch_related("groups")
-        else:
-            base_qs = base_qs.prefetch_related(
-                Prefetch("groups", queryset=Group.objects.all().only("group_uuid"))
-            )
        if self.serializer_class(context={"request": self.request})._should_include_roles:
            base_qs = base_qs.prefetch_related("roles")
-        else:
-            base_qs = base_qs.prefetch_related(
-                Prefetch("roles", queryset=Role.objects.all().only("uuid"))
-            )
-        # Annotate is_superuser to avoid N+1 query per user
-        base_qs = base_qs.annotate(
-            _annotated_is_superuser=Exists(
-                Group.objects.filter(
-                    is_superuser=True,
-                ).filter(
-                    Q(users=OuterRef("pk")) | Q(descendant_nodes__descendant__users=OuterRef("pk"))
-                )
-            )
-        )
        return base_qs

    @extend_schema(
@@ -788,11 +715,6 @@ class UserViewSet(
        self.request.session.modified = True
        return Response(serializer.initial_data)

-    def _update_session_hash_after_password_change(self, request: Request, user: User):
-        if user.pk == request.user.pk and SESSION_KEY_IMPERSONATE_USER not in self.request.session:
-            LOGGER.debug("Updating session hash after password change")
-            update_session_auth_hash(self.request, user)
-
    @permission_required("authentik_core.reset_user_password")
    @extend_schema(
        request=UserPasswordSetSerializer,
@@ -816,45 +738,9 @@ class UserViewSet(
        except (ValidationError, IntegrityError) as exc:
            LOGGER.debug("Failed to set password", exc=exc)
            return Response(status=400)
-        self._update_session_hash_after_password_change(request, user)
-        return Response(status=204)
-
-    @permission_required("authentik_core.reset_user_password")
-    @extend_schema(
-        request=UserPasswordHashSetSerializer,
-        responses={
-            204: OpenApiResponse(description="Successfully changed password"),
-            400: OpenApiResponse(description="Bad request"),
-        },
-    )
-    @action(
-        detail=True,
-        methods=["POST"],
-        permission_classes=[IsAuthenticated],
-    )
-    @validate(UserPasswordHashSetSerializer)
-    def set_password_hash(
-        self, request: Request, pk: int, body: UserPasswordHashSetSerializer
-    ) -> Response:
-        """Set a user's password from a pre-hashed Django password value.
-
-        Submit the Django password hash in the shared ``password`` request field.
-
-        This updates authentik's local password verifier only. It does not attempt
-        to propagate the password change to LDAP or Kerberos because no raw password
-        is available from the request payload.
-        """
-        user: User = self.get_object()
-        try:
-            user.set_password_from_hash(body.validated_data["password"], request=request)
-            user.save()
-        except ValueError as exc:
-            LOGGER.debug("Failed to set password hash", exc=exc)
-            return Response(data={"password": [INVALID_PASSWORD_HASH_MESSAGE]}, status=400)
-        except (ValidationError, IntegrityError) as exc:
-            LOGGER.debug("Failed to set password hash", exc=exc)
-            return Response(status=400)
-        self._update_session_hash_after_password_change(request, user)
+        if user.pk == request.user.pk and SESSION_KEY_IMPERSONATE_USER not in self.request.session:
+            LOGGER.debug("Updating session hash after password change")
+            update_session_auth_hash(self.request, user)
        return Response(status=204)

    @permission_required("authentik_core.reset_user_password")
--- a/authentik/core/apps.py
+++ b/authentik/core/apps.py
@@ -1,26 +1,7 @@
 """authentik core app config"""

-from django.utils.translation import gettext_lazy as _
-
 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.tasks.schedules.common import ScheduleSpec
-from authentik.tenants.flags import Flag
-
-
-class Setup(Flag[bool], key="setup"):
-
-    default = False
-    visibility = "system"
-
-
-class AppAccessWithoutBindings(Flag[bool], key="core_default_app_access"):
-
-    default = True
-    visibility = "none"
-    description = _(
-        "Configure if applications without any policy/group/user bindings "
-        "should be accessible to any user."
-    )


 class AuthentikCoreConfig(ManagedAppConfig):
@@ -32,10 +13,6 @@ class AuthentikCoreConfig(ManagedAppConfig):
    mountpoint = ""
    default = True

-    def import_related(self):
-        super().import_related()
-        self.import_module("authentik.core.setup.signals")
-
    @ManagedAppConfig.reconcile_tenant
    def source_inbuilt(self):
        """Reconcile inbuilt source"""
--- a/authentik/core/auth.py
+++ b/authentik/core/auth.py
@@ -81,7 +81,7 @@ class TokenBackend(InbuiltBackend):
            User().set_password(password, request=request)
            return None

-        tokens = Token.objects.filter(
+        tokens = Token.filter_not_expired(
            user=user, key=password, intent=TokenIntents.INTENT_APP_PASSWORD
        )
        if not tokens.exists():
--- a/authentik/core/management/commands/hash_password.py
+++ b/authentik/core/management/commands/hash_password.py
@@ -1,28 +0,0 @@
-"""Hash password using Django's password hashers"""
-
-from django.contrib.auth.hashers import make_password
-from django.core.management.base import BaseCommand, CommandError
-
-
-class Command(BaseCommand):
-    """Hash a password using Django's password hashers"""
-
-    help = "Hash a password for use with AUTHENTIK_BOOTSTRAP_PASSWORD_HASH"
-
-    def add_arguments(self, parser):
-        parser.add_argument(
-            "password",
-            type=str,
-            help="Password to hash",
-        )
-
-    def handle(self, *args, **options):
-        password = options["password"]
-
-        if not password:
-            raise CommandError("Password cannot be empty")
-        try:
-            hashed = make_password(password)
-            self.stdout.write(hashed)
-        except ValueError as exc:
-            raise CommandError(f"Error hashing password: {exc}") from exc
--- a/authentik/core/migrations/0058_setup.py
+++ b/authentik/core/migrations/0058_setup.py
@@ -1,61 +0,0 @@
-# Generated by Django 5.2.13 on 2026-04-21 18:49
-from django.apps.registry import Apps
-
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-from django.db import migrations
-
-
-def check_is_already_setup(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from django.conf import settings
-    from authentik.flows.models import FlowAuthenticationRequirement
-
-    VersionHistory = apps.get_model("authentik_admin", "VersionHistory")
-    Flow = apps.get_model("authentik_flows", "Flow")
-    User = apps.get_model("authentik_core", "User")
-
-    db_alias = schema_editor.connection.alias
-
-    # Upgrading from a previous version
-    if not settings.TEST and VersionHistory.objects.using(db_alias).count() > 1:
-        return True
-    # OOBE flow sets itself to this authentication requirement once finished
-    if (
-        Flow.objects.using(db_alias)
-        .filter(
-            slug="initial-setup", authentication=FlowAuthenticationRequirement.REQUIRE_SUPERUSER
-        )
-        .exists()
-    ):
-        return True
-    # non-akadmin and non-guardian anonymous user exist
-    if (
-        User.objects.using(db_alias)
-        .exclude(username="akadmin")
-        .exclude(username="AnonymousUser")
-        .exists()
-    ):
-        return True
-    return False
-
-
-def update_setup_flag(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    from authentik.core.apps import Setup
-    from authentik.tenants.utils import get_current_tenant
-
-    is_already_setup = check_is_already_setup(apps, schema_editor)
-    if is_already_setup:
-        tenant = get_current_tenant()
-        tenant.flags[Setup().key] = True
-        tenant.save()
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0057_remove_user_groups_remove_user_user_permissions_and_more"),
-        # 0024_flow_authentication adds the `authentication` field.
-        ("authentik_flows", "0024_flow_authentication"),
-    ]
-
-    operations = [migrations.RunPython(update_setup_flag, migrations.RunPython.noop)]
--- a/authentik/core/migrations/0059_add_application_meta_hide.py
+++ b/authentik/core/migrations/0059_add_application_meta_hide.py
@@ -1,33 +0,0 @@
-# Generated by Django 5.2.12 on 2026-04-09 18:04
-
-from django.apps.registry import Apps
-from django.db import migrations, models
-from django.db.backends.base.schema import BaseDatabaseSchemaEditor
-
-
-def migrate_blank_launch_url(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
-    db_alias = schema_editor.connection.alias
-    Application = apps.get_model("authentik_core", "Application")
-
-    Application.objects.using(db_alias).filter(meta_launch_url="blank://blank").update(
-        meta_hide=True, meta_launch_url=""
-    )
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ("authentik_core", "0058_setup"),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name="application",
-            name="meta_hide",
-            field=models.BooleanField(
-                default=False,
-                help_text="Hide this application from the user's My applications page.",
-            ),
-        ),
-        migrations.RunPython(migrate_blank_launch_url, migrations.RunPython.noop),
-    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -2,7 +2,7 @@

 import re
 import traceback
-from datetime import datetime
+from datetime import datetime, timedelta
 from enum import StrEnum
 from hashlib import sha256
 from typing import Any, Self
@@ -10,13 +10,13 @@ from uuid import uuid4

 import pgtrigger
 from deepmerge import always_merger
-from django.contrib.auth.hashers import check_password, identify_hasher
+from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser, Permission
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.contrib.sessions.base_session import AbstractBaseSession
 from django.core.validators import validate_slug
 from django.db import models
-from django.db.models import Manager, Q, QuerySet, options
+from django.db.models import Q, QuerySet, options
 from django.http import HttpRequest
 from django.utils.functional import cached_property
 from django.utils.timezone import now
@@ -45,7 +45,6 @@ from authentik.lib.models import (
    SerializerModel,
 )
 from authentik.lib.utils.inheritance import get_deepest_child
-from authentik.lib.utils.reflection import class_to_path
 from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.models import PolicyBindingModel
 from authentik.rbac.models import Role
@@ -518,7 +517,7 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
    @property
    def ak_groups(self):
        """This is a proxy for a renamed, deprecated field."""
-        from authentik.events.models import Event
+        from authentik.events.models import Event, EventAction

        deprecation = "authentik.core.models.User.ak_groups"
        replacement = "authentik.core.models.User.groups"
@@ -545,9 +544,21 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
            cause=cause,
            stacktrace=stacktrace,
        )
-        Event.log_deprecation(
-            deprecation, message=message_event, cause=cause, replacement=replacement
-        )
+        if not Event.filter_not_expired(
+            action=EventAction.CONFIGURATION_WARNING,
+            context__deprecation=deprecation,
+            context__cause=cause,
+        ).exists():
+            event = Event.new(
+                EventAction.CONFIGURATION_WARNING,
+                deprecation=deprecation,
+                replacement=replacement,
+                message=message_event,
+                cause=cause,
+            )
+            event.expires = datetime.now() + timedelta(days=30)
+            event.save()
+
        return self.groups

    def set_password(self, raw_password, signal=True, sender=None, request=None):
@@ -560,33 +571,6 @@ class User(SerializerModel, AttributesMixin, AbstractUser):
        self.password_change_date = now()
        return super().set_password(raw_password)

-    @staticmethod
-    def validate_password_hash(password_hash: str):
-        """Validate that the value is a recognized Django password hash."""
-        identify_hasher(password_hash)  # Raises ValueError if invalid
-
-    def set_password_from_hash(self, password_hash: str, signal=True, sender=None, request=None):
-        """Set password directly from a pre-hashed value.
-
-        Unlike set_password(), this does not hash the input again. The provided value
-        must already be a valid Django password hash, and it is stored directly on the
-        user after validation.
-
-        Because no raw password is available, downstream password sync integrations
-        such as LDAP and Kerberos cannot be updated from this code path.
-
-        Raises ValueError if the hash format is not recognized.
-        """
-        self.validate_password_hash(password_hash)
-        if self.pk and signal:
-            from authentik.core.signals import password_hash_changed
-
-            if not sender:
-                sender = self
-            password_hash_changed.send(sender=sender, user=self, request=request)
-        self.password = password_hash
-        self.password_change_date = now()
-
    def check_password(self, raw_password: str) -> bool:
        """
        Return a boolean of whether the raw_password was correct. Handles
@@ -762,9 +746,6 @@ class Application(SerializerModel, PolicyBindingModel):
    meta_icon = FileField(default="", blank=True)
    meta_description = models.TextField(default="", blank=True)
    meta_publisher = models.TextField(default="", blank=True)
-    meta_hide = models.BooleanField(
-        default=False, help_text=_("Hide this application from the user's My applications page.")
-    )

    objects = ApplicationQuerySet.as_manager()

@@ -820,21 +801,17 @@ class Application(SerializerModel, PolicyBindingModel):

    def get_provider(self) -> Provider | None:
        """Get casted provider instance. Needs Application queryset with_provider"""
-        if hasattr(self, "_cached_provider"):
-            return self._cached_provider
        if not self.provider:
-            self._cached_provider = None
            return None
-        self._cached_provider = get_deepest_child(self.provider)
-        return self._cached_provider
+        return get_deepest_child(self.provider)

    def backchannel_provider_for[T: Provider](self, provider_type: type[T], **kwargs) -> T | None:
        """Get Backchannel provider for a specific type"""
-        provider: BackchannelProvider | None = self.backchannel_providers.filter(
+        providers = self.backchannel_providers.filter(
            **{f"{provider_type._meta.model_name}__isnull": False},
            **kwargs,
-        ).first()
-        return getattr(provider, provider_type._meta.model_name) if provider else None
+        )
+        return getattr(providers.first(), provider_type._meta.model_name)

    def __str__(self):
        return str(self.name)
@@ -985,34 +962,21 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):

    objects = InheritanceManager()

-    def get_icon_url(self, request=None, use_cache: bool = True) -> str | None:
-        """Get the URL to the source icon."""
-        if not self.icon:
-            return None
-        return get_file_manager(FileUsage.MEDIA).file_url(self.icon, request, use_cache=use_cache)
-
    @property
    def icon_url(self) -> str | None:
        """Get the URL to the source icon"""
-        return self.get_icon_url()
-
-    def get_icon_themed_urls(
-        self,
-        request=None,
-        use_cache: bool = True,
-    ) -> dict[str, str] | None:
-        """Get themed URLs for icon if it contains %(theme)s."""
        if not self.icon:
            return None
-        return get_file_manager(FileUsage.MEDIA).themed_urls(
-            self.icon,
-            request,
-            use_cache=use_cache,
-        )
+
+        return get_file_manager(FileUsage.MEDIA).file_url(self.icon)

    @property
    def icon_themed_urls(self) -> dict[str, str] | None:
-        return self.get_icon_themed_urls()
+        """Get themed URLs for icon if it contains %(theme)s"""
+        if not self.icon:
+            return None
+
+        return get_file_manager(FileUsage.MEDIA).themed_urls(self.icon)

    def get_user_path(self) -> str:
        """Get user path, fallback to default for formatting errors"""
@@ -1132,24 +1096,12 @@ class GroupSourceConnection(SerializerModel, CreatedUpdatedModel):
        unique_together = (("group", "source"),)


-class ExpiringManager(Manager):
-    """Manager for expiring objects which filters out expired objects by default"""
-
-    def get_queryset(self):
-        return QuerySet(self.model, using=self._db).exclude(expires__lt=now(), expiring=True)
-
-    def including_expired(self):
-        return QuerySet(self.model, using=self._db)
-
-
 class ExpiringModel(models.Model):
    """Base Model which can expire, and is automatically cleaned up."""

    expires = models.DateTimeField(default=None, null=True)
    expiring = models.BooleanField(default=True)

-    objects = ExpiringManager()
-
    class Meta:
        abstract = True
        indexes = [
@@ -1173,23 +1125,7 @@ class ExpiringModel(models.Model):
    def filter_not_expired(cls, **kwargs) -> QuerySet[Self]:
        """Filer for tokens which are not expired yet or are not expiring,
        and match filters in `kwargs`"""
-        from authentik.events.models import Event
-
-        deprecation_id = f"{class_to_path(cls)}.filter_not_expired"
-
-        Event.log_deprecation(
-            deprecation_id,
-            message=(
-                ".filter_not_expired() is deprecated as the default lookup now excludes "
-                "expired objects."
-            ),
-        )
-
-        for obj in (
-            cls.objects.including_expired()
-            .filter(**kwargs)
-            .filter(Q(expires__lt=now(), expiring=True))
-        ):
+        for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):
            obj.delete()
        return cls.objects.filter(**kwargs)

--- a/authentik/core/sessions.py
+++ b/authentik/core/sessions.py
@@ -72,7 +72,6 @@ class SessionStore(SessionBase):
            #                  and their descriptors fail to initialize (e.g., missing storage)
            # TypeError - can happen with incompatible pickled objects
            # If any of these happen, just return an empty dictionary (an empty session)
-            LOGGER.warning("Failed to decode session data", exc_info=True)
            pass
        return {}

--- a/authentik/core/setup/signals.py
+++ b/authentik/core/setup/signals.py
@@ -1,42 +0,0 @@
-from os import getenv
-
-from django.dispatch import receiver
-from structlog.stdlib import get_logger
-
-from authentik.blueprints.models import BlueprintInstance
-from authentik.blueprints.v1.importer import Importer
-from authentik.core.apps import Setup
-from authentik.root.signals import post_startup
-from authentik.tenants.models import Tenant
-
-BOOTSTRAP_BLUEPRINT = "system/bootstrap.yaml"
-
-LOGGER = get_logger()
-
-
-@receiver(post_startup)
-def post_startup_setup_bootstrap(sender, **_):
-    if (
-        not getenv("AUTHENTIK_BOOTSTRAP_PASSWORD")
-        and not getenv("AUTHENTIK_BOOTSTRAP_PASSWORD_HASH")
-        and not getenv("AUTHENTIK_BOOTSTRAP_TOKEN")
-    ):
-        return
-    LOGGER.info("Configuring authentik through bootstrap environment variables")
-    content = BlueprintInstance(path=BOOTSTRAP_BLUEPRINT).retrieve()
-    # If we have bootstrap credentials set, run bootstrap tasks outside of main server
-    # sync, so that we can sure the first start actually has working bootstrap
-    # credentials
-    for tenant in Tenant.objects.filter(ready=True):
-        if Setup.get(tenant=tenant):
-            LOGGER.info("Tenant is already setup, skipping", tenant=tenant.schema_name)
-            continue
-        with tenant:
-            importer = Importer.from_string(content)
-            valid, logs = importer.validate()
-            if not valid:
-                LOGGER.warning("Blueprint invalid", tenant=tenant.schema_name)
-                for log in logs:
-                    log.log()
-            importer.apply()
-            Setup.set(True, tenant=tenant)
--- a/authentik/core/setup/views.py
+++ b/authentik/core/setup/views.py
@@ -1,80 +0,0 @@
-from functools import lru_cache
-from http import HTTPMethod, HTTPStatus
-
-from django.contrib.staticfiles import finders
-from django.db import transaction
-from django.http import HttpRequest, HttpResponse
-from django.shortcuts import redirect
-from django.urls import reverse
-from django.views import View
-from structlog.stdlib import get_logger
-
-from authentik.blueprints.models import BlueprintInstance
-from authentik.core.apps import Setup
-from authentik.flows.models import Flow, FlowAuthenticationRequirement, in_memory_stage
-from authentik.flows.planner import FlowPlanner
-from authentik.flows.stage import StageView
-
-LOGGER = get_logger()
-FLOW_CONTEXT_START_BY = "goauthentik.io/core/setup/started-by"
-
-
-@lru_cache
-def read_static(path: str) -> str | None:
-    result = finders.find(path)
-    if not result:
-        return None
-    with open(result, encoding="utf8") as _file:
-        return _file.read()
-
-
-class SetupView(View):
-
-    setup_flow_slug = "initial-setup"
-
-    def dispatch(self, request: HttpRequest, *args, **kwargs):
-        if request.method != HTTPMethod.HEAD and Setup.get():
-            return redirect(reverse("authentik_core:root-redirect"))
-        return super().dispatch(request, *args, **kwargs)
-
-    def head(self, request: HttpRequest, *args, **kwargs):
-        if Setup.get():
-            return HttpResponse(status=HTTPStatus.SERVICE_UNAVAILABLE)
-        if not Flow.objects.filter(slug=self.setup_flow_slug).exists():
-            return HttpResponse(status=HTTPStatus.SERVICE_UNAVAILABLE)
-        return HttpResponse(status=HTTPStatus.OK)
-
-    def get(self, request: HttpRequest):
-        flow = Flow.objects.filter(slug=self.setup_flow_slug).first()
-        if not flow:
-            LOGGER.info("Setup flow does not exist yet, waiting for worker to finish")
-            return HttpResponse(
-                read_static("dist/standalone/loading/startup.html"),
-                status=HTTPStatus.SERVICE_UNAVAILABLE,
-            )
-        planner = FlowPlanner(flow)
-        plan = planner.plan(request, {FLOW_CONTEXT_START_BY: "setup"})
-        plan.append_stage(in_memory_stage(PostSetupStageView))
-        return plan.to_redirect(request, flow)
-
-
-class PostSetupStageView(StageView):
-    """Run post-setup tasks"""
-
-    def post(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
-        """Wrapper when this stage gets hit with a post request"""
-        return self.get(request, *args, **kwargs)
-
-    def get(self, requeset: HttpRequest, *args, **kwargs):
-        with transaction.atomic():
-            # Remember we're setup
-            Setup.set(True)
-            # Disable OOBE Blueprints
-            BlueprintInstance.objects.filter(
-                **{"metadata__labels__blueprints.goauthentik.io/system-oobe": "true"}
-            ).update(enabled=False)
-            # Make flow inaccessible
-            Flow.objects.filter(slug="initial-setup").update(
-                authentication=FlowAuthenticationRequirement.REQUIRE_SUPERUSER
-            )
-        return self.executor.stage_ok()
--- a/authentik/core/signals.py
+++ b/authentik/core/signals.py
@@ -1,5 +1,6 @@
 """authentik core signals"""

+from asgiref.sync import async_to_sync
 from channels.layers import get_channel_layer
 from django.contrib.auth.signals import user_logged_in
 from django.core.cache import cache
@@ -23,8 +24,6 @@ from authentik.root.ws.consumer import build_device_group

 # Arguments: user: User, password: str
 password_changed = Signal()
-# Arguments: user: User, request: HttpRequest | None
-password_hash_changed = Signal()
 # Arguments: credentials: dict[str, any], request: HttpRequest,
 #            stage: Stage, context: dict[str, any]
 login_failed = Signal()
@@ -58,7 +57,7 @@ def user_logged_in_session(sender, request: HttpRequest, user: User, **_):
    layer = get_channel_layer()
    device_cookie = request.COOKIES.get("authentik_device")
    if device_cookie:
-        layer.group_send_blocking(
+        async_to_sync(layer.group_send)(
            build_device_group(device_cookie),
            {"type": "event.session.authenticated"},
        )
--- a/authentik/core/tasks.py
+++ b/authentik/core/tasks.py
@@ -27,10 +27,7 @@ def clean_expired_models():
    for cls in ExpiringModel.__subclasses__():
        cls: ExpiringModel
        objects = (
-            cls.objects.including_expired()
-            .all()
-            .exclude(expiring=False)
-            .exclude(expiring=True, expires__gt=now())
+            cls.objects.all().exclude(expiring=False).exclude(expiring=True, expires__gt=now())
        )
        amount = objects.count()
        for obj in chunked_queryset(objects):
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@@ -21,10 +21,6 @@
        {% block head_before %}
        {% endblock %}

-        {% block interface_stylesheet %}
-        <link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/interface-%v.css' %}" />
-        {% endblock %}
-
        {% include "base/theme.html" %}

        <style data-id="brand-css">{{ brand_css }}</style>
--- a/authentik/core/templates/base/theme.html
+++ b/authentik/core/templates/base/theme.html
@@ -1,6 +1,8 @@
 {% load static %}
 {% load authentik_core %}

+<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/interface-%v.css' %}" />
+
 {% if ui_theme == "dark" %}
  <meta name="color-scheme" content="dark" />
  <meta name="theme-color" content="#18191a">
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@@ -12,7 +12,7 @@
 {% block head %}
 <style data-id="static-styles">
    :root {
-        --ak-global--background-image: url("{{ request.brand.branding_default_flow_background_url|iriencode|safe }}");
+        --ak-global--background-image: url("{{ request.brand.branding_default_flow_background_url }}");
    }
 </style>

--- a/authentik/core/tests/test_applications_api.py
+++ b/authentik/core/tests/test_applications_api.py
@@ -129,7 +129,6 @@ class TestApplicationsAPI(APITestCase):
                        "meta_icon_url": None,
                        "meta_icon_themed_urls": None,
                        "meta_description": "",
-                        "meta_hide": False,
                        "meta_publisher": "",
                        "policy_engine_mode": "any",
                    },
@@ -188,14 +187,12 @@ class TestApplicationsAPI(APITestCase):
                        "meta_icon_url": None,
                        "meta_icon_themed_urls": None,
                        "meta_description": "",
-                        "meta_hide": False,
                        "meta_publisher": "",
                        "policy_engine_mode": "any",
                    },
                    {
                        "launch_url": None,
                        "meta_description": "",
-                        "meta_hide": False,
                        "meta_icon": "",
                        "meta_icon_url": None,
                        "meta_icon_themed_urls": None,
--- a/authentik/core/tests/test_hash_password_command.py
+++ b/authentik/core/tests/test_hash_password_command.py
@@ -1,28 +0,0 @@
-"""Tests for hash_password management command."""
-
-from io import StringIO
-
-from django.contrib.auth.hashers import check_password
-from django.core.management import call_command
-from django.core.management.base import CommandError
-from django.test import TestCase
-
-
-class TestHashPasswordCommand(TestCase):
-    """Test hash_password management command."""
-
-    def test_hash_password(self):
-        """Test hashing a password."""
-        out = StringIO()
-        call_command("hash_password", "test123", stdout=out)
-        hashed = out.getvalue().strip()
-
-        self.assertTrue(hashed.startswith("pbkdf2_sha256$"))
-        self.assertTrue(check_password("test123", hashed))
-
-    def test_hash_password_empty_fails(self):
-        """Test that empty password raises error."""
-        with self.assertRaises(CommandError) as ctx:
-            call_command("hash_password", "")
-
-        self.assertIn("Password cannot be empty", str(ctx.exception))
--- a/authentik/core/tests/test_interface_views.py
+++ b/authentik/core/tests/test_interface_views.py
@@ -1,103 +0,0 @@
-"""Test interface view redirect behavior by user type"""
-
-from django.test import TestCase
-from django.urls import reverse
-
-from authentik.brands.models import Brand
-from authentik.core.apps import Setup
-from authentik.core.models import Application, UserTypes
-from authentik.core.tests.utils import create_test_brand, create_test_user
-
-
-class TestInterfaceRedirects(TestCase):
-    """Test RootRedirectView and BrandDefaultRedirectView redirect logic by user type"""
-
-    def setUp(self):
-        Setup.set(True)
-        self.app = Application.objects.create(name="test-app", slug="test-app")
-        self.brand: Brand = create_test_brand(default_application=self.app)
-
-    def _assert_redirects_to_app(self, url_name: str, user_type: UserTypes):
-        user = create_test_user(type=user_type)
-        self.client.force_login(user)
-        response = self.client.get(reverse(f"authentik_core:{url_name}"))
-        self.assertRedirects(
-            response,
-            reverse(
-                "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
-            ),
-            fetch_redirect_response=False,
-        )
-
-    def _assert_no_redirect(self, url_name: str, user_type: UserTypes):
-        """Internal users should not be redirected away."""
-        user = create_test_user(type=user_type)
-        self.client.force_login(user)
-        response = self.client.get(reverse(f"authentik_core:{url_name}"))
-        # Internal users get a 200 (rendered template) or redirect to if-user, not to the app
-        app_url = reverse(
-            "authentik_core:application-launch", kwargs={"application_slug": self.app.slug}
-        )
-        self.assertNotEqual(response.get("Location"), app_url)
-
-    # --- RootRedirectView ---
-
-    def test_root_redirect_external_user(self):
-        """External users are redirected to the default app from root"""
-        self._assert_redirects_to_app("root-redirect", UserTypes.EXTERNAL)
-
-    def test_root_redirect_service_account(self):
-        """Service accounts are redirected to the default app from root"""
-        self._assert_redirects_to_app("root-redirect", UserTypes.SERVICE_ACCOUNT)
-
-    def test_root_redirect_internal_service_account(self):
-        """Internal service accounts are redirected to the default app from root"""
-        self._assert_redirects_to_app("root-redirect", UserTypes.INTERNAL_SERVICE_ACCOUNT)
-
-    def test_root_redirect_internal_user(self):
-        """Internal users are NOT redirected to the app from root"""
-        self._assert_no_redirect("root-redirect", UserTypes.INTERNAL)
-
-    # --- BrandDefaultRedirectView (if/user/) ---
-
-    def test_if_user_external_user(self):
-        """External users are redirected to the default app from if/user/"""
-        self._assert_redirects_to_app("if-user", UserTypes.EXTERNAL)
-
-    def test_if_user_service_account(self):
-        """Service accounts are redirected to the default app from if/user/"""
-        self._assert_redirects_to_app("if-user", UserTypes.SERVICE_ACCOUNT)
-
-    def test_if_user_internal_service_account(self):
-        """Internal service accounts are redirected to the default app from if/user/"""
-        self._assert_redirects_to_app("if-user", UserTypes.INTERNAL_SERVICE_ACCOUNT)
-
-    def test_if_user_internal_user(self):
-        """Internal users are NOT redirected to the app from if/user/"""
-        self._assert_no_redirect("if-user", UserTypes.INTERNAL)
-
-    # --- BrandDefaultRedirectView (if/admin/) ---
-
-    def test_if_admin_service_account(self):
-        """Service accounts are redirected to the default app from if/admin/"""
-        self._assert_redirects_to_app("if-admin", UserTypes.SERVICE_ACCOUNT)
-
-    def test_if_admin_internal_service_account(self):
-        """Internal service accounts are redirected to the default app from if/admin/"""
-        self._assert_redirects_to_app("if-admin", UserTypes.INTERNAL_SERVICE_ACCOUNT)
-
-    def test_if_admin_internal_user(self):
-        """Internal users are NOT redirected to the app from if/admin/"""
-        self._assert_no_redirect("if-admin", UserTypes.INTERNAL)
-
-    # --- No default app set ---
-
-    def test_service_account_no_default_app_access_denied(self):
-        """Service accounts get access denied when no default app is configured"""
-        self.brand.default_application = None
-        self.brand.save()
-        user = create_test_user(type=UserTypes.SERVICE_ACCOUNT)
-        self.client.force_login(user)
-        response = self.client.get(reverse("authentik_core:if-user"))
-        self.assertEqual(response.status_code, 200)
-        self.assertIn(b"Interface can only be accessed by internal users", response.content)
--- a/authentik/core/tests/test_models.py
+++ b/authentik/core/tests/test_models.py
@@ -2,7 +2,6 @@

 from collections.abc import Callable
 from datetime import timedelta
-from unittest.mock import patch

 from django.test import RequestFactory, TestCase
 from django.utils.timezone import now
@@ -10,9 +9,6 @@ from freezegun import freeze_time
 from guardian.shortcuts import get_anonymous_user

 from authentik.core.models import Provider, Source, Token
-from authentik.events.models import Event, EventAction
-from authentik.flows.models import Flow
-from authentik.lib.generators import generate_id
 from authentik.lib.utils.reflection import all_subclasses


@@ -33,74 +29,6 @@ class TestModels(TestCase):
            freeze.tick(timedelta(seconds=1))
            self.assertFalse(token.is_expired)

-    def test_filter_not_expired_warning(self):
-        """Test filter_not_expired's deprecation message"""
-        id = generate_id()
-        Token.objects.create(
-            expires=now() - timedelta(hours=1),
-            expiring=True,
-            user=get_anonymous_user(),
-            identifier=id,
-        )
-        self.assertFalse(Token.filter_not_expired(identifier=id).exists())
-        event = Event.objects.filter(action=EventAction.CONFIGURATION_WARNING).first()
-        self.assertIsNotNone(event)
-        self.assertEqual(
-            event.context["deprecation"], "authentik.core.models.Token.filter_not_expired"
-        )
-
-    @patch("authentik.core.models.get_file_manager")
-    def test_source_icon_url_can_bypass_cache(self, get_file_manager):
-        request = RequestFactory().get("/")
-        manager = get_file_manager.return_value
-        manager.file_url.return_value = "/files/media/public/source-icons/icon.svg?token=fresh"
-
-        source = Source(icon="source-icons/icon.svg")
-
-        self.assertEqual(
-            source.get_icon_url(request, use_cache=False),
-            "/files/media/public/source-icons/icon.svg?token=fresh",
-        )
-        manager.file_url.assert_called_once_with(
-            "source-icons/icon.svg",
-            request,
-            use_cache=False,
-        )
-
-    @patch("authentik.flows.models.get_file_manager")
-    def test_flow_background_urls_can_bypass_cache(self, get_file_manager):
-        request = RequestFactory().get("/")
-        manager = get_file_manager.return_value
-        manager.file_url.return_value = "/files/media/public/background.svg?token=fresh"
-        manager.themed_urls.return_value = {
-            "light": "/files/media/public/background-light.svg?token=fresh",
-            "dark": "/files/media/public/background-dark.svg?token=fresh",
-        }
-
-        flow = Flow(background="background-%(theme)s.svg")
-
-        self.assertEqual(
-            flow.background_url(request, use_cache=False),
-            "/files/media/public/background.svg?token=fresh",
-        )
-        self.assertEqual(
-            flow.background_themed_urls(request, use_cache=False),
-            {
-                "light": "/files/media/public/background-light.svg?token=fresh",
-                "dark": "/files/media/public/background-dark.svg?token=fresh",
-            },
-        )
-        manager.file_url.assert_called_once_with(
-            "background-%(theme)s.svg",
-            request,
-            use_cache=False,
-        )
-        manager.themed_urls.assert_called_once_with(
-            "background-%(theme)s.svg",
-            request,
-            use_cache=False,
-        )
-

 def source_tester_factory(test_model: type[Source]) -> Callable:
    """Test source"""
--- a/authentik/core/tests/test_property_mapping_api.py
+++ b/authentik/core/tests/test_property_mapping_api.py
@@ -63,7 +63,7 @@ class TestPropertyMappingAPI(APITestCase):
            PropertyMappingSerializer().validate_expression("/")

    def test_types(self):
-        """Test PropertyMapping's types endpoint"""
+        """Test PropertyMappigns's types endpoint"""
        response = self.client.get(
            reverse("authentik_api:propertymapping-types"),
        )
--- a/authentik/core/tests/test_setup.py
+++ b/authentik/core/tests/test_setup.py
@@ -1,174 +0,0 @@
-from http import HTTPStatus
-from os import environ
-
-from django.contrib.auth.hashers import make_password
-from django.urls import reverse
-
-from authentik.blueprints.tests import apply_blueprint
-from authentik.core.apps import Setup
-from authentik.core.models import Token, TokenIntents, User
-from authentik.flows.models import Flow
-from authentik.flows.tests import FlowTestCase
-from authentik.lib.generators import generate_id
-from authentik.root.signals import post_startup, pre_startup
-from authentik.tenants.flags import patch_flag
-
-
-class TestSetup(FlowTestCase):
-    def tearDown(self):
-        environ.pop("AUTHENTIK_BOOTSTRAP_PASSWORD", None)
-        environ.pop("AUTHENTIK_BOOTSTRAP_PASSWORD_HASH", None)
-        environ.pop("AUTHENTIK_BOOTSTRAP_TOKEN", None)
-
-    @patch_flag(Setup, True)
-    def test_setup(self):
-        """Test existing instance"""
-        res = self.client.get(reverse("authentik_core:root-redirect"))
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-        self.assertRedirects(
-            res,
-            reverse("authentik_flows:default-authentication") + "?next=/",
-            fetch_redirect_response=False,
-        )
-
-        res = self.client.head(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.SERVICE_UNAVAILABLE)
-
-        res = self.client.get(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-        self.assertRedirects(
-            res,
-            reverse("authentik_core:root-redirect"),
-            fetch_redirect_response=False,
-        )
-
-    @patch_flag(Setup, False)
-    def test_not_setup_no_flow(self):
-        """Test case on initial startup; setup flag is not set and oobe flow does
-        not exist yet"""
-        Flow.objects.filter(slug="initial-setup").delete()
-        res = self.client.get(reverse("authentik_core:root-redirect"))
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-        self.assertRedirects(res, reverse("authentik_core:setup"), fetch_redirect_response=False)
-        # Flow does not exist, hence 503
-        res = self.client.get(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.SERVICE_UNAVAILABLE)
-        res = self.client.head(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.SERVICE_UNAVAILABLE)
-
-    @patch_flag(Setup, False)
-    @apply_blueprint("default/flow-oobe.yaml")
-    def test_not_setup(self):
-        """Test case for when worker comes up, and has created flow"""
-        res = self.client.get(reverse("authentik_core:root-redirect"))
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-        self.assertRedirects(res, reverse("authentik_core:setup"), fetch_redirect_response=False)
-        # Flow does not exist, hence 503
-        res = self.client.head(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.OK)
-        res = self.client.get(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-        self.assertRedirects(
-            res,
-            reverse("authentik_core:if-flow", kwargs={"flow_slug": "initial-setup"}),
-            fetch_redirect_response=False,
-        )
-
-    @apply_blueprint("default/flow-oobe.yaml")
-    @apply_blueprint("system/bootstrap.yaml")
-    def test_setup_flow_full(self):
-        """Test full setup flow"""
-        Setup.set(False)
-
-        res = self.client.get(reverse("authentik_core:setup"))
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-        self.assertRedirects(
-            res,
-            reverse("authentik_core:if-flow", kwargs={"flow_slug": "initial-setup"}),
-            fetch_redirect_response=False,
-        )
-
-        res = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": "initial-setup"}),
-        )
-        self.assertEqual(res.status_code, HTTPStatus.OK)
-        self.assertStageResponse(res, component="ak-stage-prompt")
-
-        pw = generate_id()
-        res = self.client.post(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": "initial-setup"}),
-            {
-                "email": f"{generate_id()}@t.goauthentik.io",
-                "password": pw,
-                "password_repeat": pw,
-                "component": "ak-stage-prompt",
-            },
-        )
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-
-        res = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": "initial-setup"}),
-        )
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-
-        res = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": "initial-setup"}),
-        )
-        self.assertEqual(res.status_code, HTTPStatus.FOUND)
-
-        res = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": "initial-setup"}),
-        )
-        self.assertEqual(res.status_code, HTTPStatus.OK)
-
-        self.assertTrue(Setup.get())
-        user = User.objects.get(username="akadmin")
-        self.assertTrue(user.check_password(pw))
-
-    @patch_flag(Setup, False)
-    @apply_blueprint("default/flow-oobe.yaml")
-    @apply_blueprint("system/bootstrap.yaml")
-    def test_setup_flow_direct(self):
-        """Test setup flow, directly accessing the flow"""
-        res = self.client.get(
-            reverse("authentik_api:flow-executor", kwargs={"flow_slug": "initial-setup"})
-        )
-        self.assertStageResponse(
-            res,
-            component="ak-stage-access-denied",
-            error_message="Access the authentik setup by navigating to http://testserver/",
-        )
-
-    def test_setup_bootstrap_env(self):
-        """Test setup with env vars"""
-        User.objects.filter(username="akadmin").delete()
-        Setup.set(False)
-
-        environ["AUTHENTIK_BOOTSTRAP_PASSWORD"] = generate_id()
-        environ["AUTHENTIK_BOOTSTRAP_TOKEN"] = generate_id()
-        pre_startup.send(sender=self)
-        post_startup.send(sender=self)
-
-        self.assertTrue(Setup.get())
-        user = User.objects.get(username="akadmin")
-        self.assertTrue(user.check_password(environ["AUTHENTIK_BOOTSTRAP_PASSWORD"]))
-
-        token = Token.objects.filter(identifier="authentik-bootstrap-token").first()
-        self.assertEqual(token.intent, TokenIntents.INTENT_API)
-        self.assertEqual(token.key, environ["AUTHENTIK_BOOTSTRAP_TOKEN"])
-
-    def test_setup_bootstrap_env_password_hash(self):
-        """Test setup with password hash env var"""
-        User.objects.filter(username="akadmin").delete()
-        Setup.set(False)
-
-        password = generate_id()
-        password_hash = make_password(password)
-        environ["AUTHENTIK_BOOTSTRAP_PASSWORD_HASH"] = password_hash
-        pre_startup.send(sender=self)
-        post_startup.send(sender=self)
-
-        self.assertTrue(Setup.get())
-        user = User.objects.get(username="akadmin")
-        self.assertEqual(user.password, password_hash)
-        self.assertTrue(user.check_password(password))
--- a/authentik/core/tests/test_token_api.py
+++ b/authentik/core/tests/test_token_api.py
@@ -173,7 +173,7 @@ class TestTokenAPI(APITestCase):

    def test_list(self):
        """Test Token List (Test normal authentication)"""
-        Token.objects.including_expired().all().delete()
+        Token.objects.all().delete()
        token_should: Token = Token.objects.create(
            identifier="test", expiring=False, user=self.user
        )
@@ -185,7 +185,7 @@ class TestTokenAPI(APITestCase):

    def test_list_with_permission(self):
        """Test Token List (Test with `view_token` permission)"""
-        Token.objects.including_expired().all().delete()
+        Token.objects.all().delete()
        token_should: Token = Token.objects.create(
            identifier="test", expiring=False, user=self.user
        )
--- a/Show More
+++ b/Show More