Fix typos.

Clarify comment.
Add additional regional codes.
2026-05-05 22:52:42 +02:00 · 2025-12-02 16:34:46 +01:00 · 2025-12-02 16:34:46 +01:00 · 2025-12-02 16:34:46 +01:00 · 2025-12-02 16:34:46 +01:00 · 2025-12-02 16:34:46 +01:00
867 changed files with 201463 additions and 227475 deletions
--- a/.github/ISSUE_TEMPLATE/1-bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/1-bug-report.yml
@@ -0,0 +1,81 @@
+name: Bug report
+description: Create a report to help us improve
+labels: ["bug", "triage"]
+type: bug
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this bug report!
+  - type: textarea
+    id: describe-the-bug
+    attributes:
+      label: Describe the bug
+      description: "A clear and concise description of what the bug is."
+      placeholder: "Describe the issue"
+    validations:
+      required: true
+  - type: textarea
+    id: how-to-reproduce
+    attributes:
+      label: How to reproduce
+      description: "Steps to reproduce the behavior."
+      placeholder: |
+        1. Go to '...'
+        2. Click on '....'
+        3. Scroll down to '....'
+        4. See error
+    validations:
+      required: true
+  - type: textarea
+    id: expected-behavior
+    attributes:
+      label: Expected behavior
+      description: "A clear and concise description of what you expected to happen."
+      placeholder: "The behavior that I expect to see is [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: screenshots
+    attributes:
+      label: Screenshots
+      description: "If applicable, add screenshots to help explain your problem."
+    validations:
+      required: false
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: "Add any other context about the problem here."
+      placeholder: "Also note that [...]"
+    validations:
+      required: false
+  - type: dropdown
+    id: deployment-method
+    attributes:
+      label: Deployment Method
+      description: "What deployment method are you using for authentik? Only Docker, Kubernetes and AWS CloudFormation are supported."
+      options:
+        - Docker
+        - Kubernetes
+        - AWS CloudFormation
+        - Other (please specify)
+      default: 0
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: "What version of authentik are you using?"
+      placeholder: "[e.g. 2025.10.1]"
+    validations:
+      required: true
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant log output
+      description: "Please copy and paste any relevant log output. This will be automatically formatted into code, so no need for backticks."
+      render: shell
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/2-docs-issue.yml
+++ b/.github/ISSUE_TEMPLATE/2-docs-issue.yml
@@ -0,0 +1,49 @@
+name: Documentation suggestion/problem
+description: Suggest an improvement or report a problem in our docs
+labels: ["area: docs", "triage"]
+type: task
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this documentation issue!
+  - type: markdown
+    attributes:
+      value: |
+
+        **Consider opening a PR!**
+        If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR.
+
+        For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
+  - type: textarea
+    id: issue
+    attributes:
+      label: Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link?
+      description: "A clear and concise description of what the problem is, or where the document can be improved."
+      placeholder: "I believe we need more details about [...]"
+    validations:
+      required: true
+  - type: input
+    id: link
+    attributes:
+      label: Link
+      description: "Provide the URL or link to the exact page in the documentation to which you are referring."
+      placeholder: "If there are multiple pages, list them all"
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Solution
+      description: "A clear and concise description of what you suggest as a solution"
+      placeholder: "This issue could be resolved by [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the documentation issue here."
+      placeholder: "Also note that [...]"
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/3-feature-request.yml
+++ b/.github/ISSUE_TEMPLATE/3-feature-request.yml
@@ -0,0 +1,41 @@
+name: Feature request
+description: Suggest an idea for a feature
+labels: ["enhancement", "triage"]
+type: feature
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to fill out this feature request!
+  - type: textarea
+    id: related-to-problem
+    attributes:
+      label: Is your feature request related to a problem?
+      description: "A clear and concise description of what the problem is."
+      placeholder: "I'm always frustrated when [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: feature
+    attributes:
+      label: Describe the solution you'd like
+      description: A clear and concise description of what you want to happen.
+      placeholder: "I'd like authentik to have [...]"
+    validations:
+      required: false
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Describe alternatives that you've considered
+      description: "A clear and concise description of any alternative solutions or features you've considered."
+      placeholder: "I've tried this but [...]"
+    validations:
+      required: true
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional context
+      description: "Add any other context or screenshots about the feature request here."
+      placeholder: "Also note that [...]"
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,39 +0,0 @@
---
-name: Bug report
-about: Create a report to help us improve
-title: ""
-labels: bug
-assignees: ""
---
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**To Reproduce**
-Steps to reproduce the behavior:
-
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs**
-Output of docker-compose logs or kubectl logs respectively
-
-**Version and Deployment (please complete the following information):**
-
-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
-->
-
-   authentik version: [e.g. 2025.2.0]
-   Deployment: [e.g. docker-compose, helm]
-
-**Additional context**
-Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Question
+    url: https://github.com/goauthentik/authentik/discussions
+    about: Please ask questions via GitHub Discussions rather than creating issues.
+  - name: authentik Discord
+    url: https://discord.com/invite/jg33eMhnj6
+    about: For community support, visit our Discord server.
--- a/.github/ISSUE_TEMPLATE/docs_issue.md
+++ b/.github/ISSUE_TEMPLATE/docs_issue.md
@@ -1,22 +0,0 @@
---
-name: Documentation issue
-about: Suggest an improvement or report a problem
-title: ""
-labels: documentation
-assignees: ""
---
-
-**Do you see an area that can be clarified or expanded, a technical inaccuracy, or a broken link? Please describe.**
-A clear and concise description of what the problem is, or where the document can be improved. Ex. I believe we need more details about [...]
-
-**Provide the URL or link to the exact page in the documentation to which you are referring.**
-If there are multiple pages, list them all, and be sure to state the header or section where the content is.
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Additional context**
-Add any other context or screenshots about the documentation issue here.
-
-**Consider opening a PR!**
-If the issue is one that you can fix, or even make a good pass at, we'd appreciate a PR. For more information about making a contribution to the docs, and using our Style Guide and our templates, refer to ["Writing documentation"](https://docs.goauthentik.io/docs/developer-docs/docs/writing-documentation).
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,19 +0,0 @@
---
-name: Feature request
-about: Suggest an idea for this project
-title: ""
-labels: enhancement
-assignees: ""
---
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.
--- a/.github/ISSUE_TEMPLATE/hackathon_idea.md
+++ b/.github/ISSUE_TEMPLATE/hackathon_idea.md
@@ -1,17 +0,0 @@
---
-name: Hackathon Idea
-about: Propose an idea for the hackathon
-title: ""
-labels: hackathon
-assignees: ""
---
-
-**Describe the idea**
-
-A clear concise description of the idea you want to implement
-
-You're also free to work on existing GitHub issues, whether they be feature requests or bugs, just link the existing GitHub issue here.
-
-<!-- Don't modify below here -->
-
-If you want to help working on this idea or want to contribute in any other way, react to this issue with a :rocket:
--- a/.github/ISSUE_TEMPLATE/issue_template.md
+++ b/.github/ISSUE_TEMPLATE/issue_template.md
@@ -0,0 +1,7 @@
+---
+name: Blank issue
+about: This issue type is only for internal use
+title:
+labels:
+assignees:
+---
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -1,32 +0,0 @@
---
-name: Question
-about: Ask a question about a feature or specific configuration
-title: ""
-labels: question
-assignees: ""
---
-
-**Describe your question/**
-A clear and concise description of what you're trying to do.
-
-**Relevant info**
-i.e. Version of other software you're using, specifics of your setup
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Logs**
-Output of docker-compose logs or kubectl logs respectively
-
-**Version and Deployment (please complete the following information):**
-
-<!--
-Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
-->
-
-
-   authentik version: [e.g. 2025.2.0]
-   Deployment: [e.g. docker-compose, helm]
-
-**Additional context**
-Add any other context about the problem here.
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -21,12 +21,12 @@ runs:
        sudo apt-get install --no-install-recommends -y libpq-dev openssl libxmlsec1-dev pkg-config gettext libkrb5-dev krb5-kdc krb5-user krb5-admin-server
    - name: Install uv
      if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: astral-sh/setup-uv@2ddd2b9cb38ad8efd50337e8ab201519a34c9f24 # v5
+      uses: astral-sh/setup-uv@1e862dfacbd1d6d858c55d9b792c756523627244 # v5
      with:
        enable-cache: true
    - name: Setup python
      if: ${{ contains(inputs.dependencies, 'python') }}
-      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v5
+      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v5
      with:
        python-version-file: "pyproject.toml"
    - name: Install Python deps
@@ -43,7 +43,7 @@ runs:
        registry-url: 'https://registry.npmjs.org'
    - name: Setup go
      if: ${{ contains(inputs.dependencies, 'go') }}
-      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v5
+      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v5
      with:
        go-version-file: "go.mod"
    - name: Setup docker cache
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -142,7 +142,9 @@ updates:
    labels:
      - dependencies
  - package-ecosystem: docker
-    directory: "/"
+    directories:
+      - /
+      - /website
    schedule:
      interval: daily
      time: "04:00"
--- a/.github/transifex.yml
+++ b/.github/transifex.yml
@@ -1,3 +1,4 @@
+---
 git:
  filters:
    - filter_type: file
--- a/.github/workflows/_reusable-docker-build-single.yml
+++ b/.github/workflows/_reusable-docker-build-single.yml
@@ -42,8 +42,8 @@ jobs:
      # Needed for checkout
      contents: read
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
+      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
--- a/.github/workflows/_reusable-docker-build.yml
+++ b/.github/workflows/_reusable-docker-build.yml
@@ -49,7 +49,7 @@ jobs:
      tags: ${{ steps.ev.outputs.imageTagsJSON }}
      shouldPush: ${{ steps.ev.outputs.shouldPush }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -69,7 +69,7 @@ jobs:
      matrix:
        tag: ${{ fromJson(needs.get-tags.outputs.tags) }}
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
--- a/.github/workflows/api-ts-publish.yml
+++ b/.github/workflows/api-ts-publish.yml
@@ -15,15 +15,14 @@ permissions:

 jobs:
  build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
@@ -47,7 +46,7 @@ jobs:
        run: |
          export VERSION=`node -e 'console.log(require("../gen-ts-api/package.json").version)'`
          npm i @goauthentik/api@$VERSION
-      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
        id: cpr
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/ci-api-docs.yml
+++ b/.github/workflows/ci-api-docs.yml
@@ -21,7 +21,7 @@ jobs:
        command:
          - prettier-check
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: Install Dependencies
        working-directory: website/
        run: npm ci
@@ -32,7 +32,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
        with:
          node-version-file: website/package.json
@@ -55,7 +55,7 @@ jobs:
        env:
          NODE_ENV: production
        run: npm run build -w api
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v4
        with:
          name: api-docs
          path: website/api/build
@@ -66,8 +66,8 @@ jobs:
      - lint
      - build
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v5
        with:
          name: api-docs
          path: website/api/build
--- a/.github/workflows/ci-aws-cfn.yml
+++ b/.github/workflows/ci-aws-cfn.yml
@@ -21,7 +21,7 @@ jobs:
  check-changes-applied:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
@@ -42,6 +42,6 @@ jobs:
      - check-changes-applied
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
        with:
          jobs: ${{ toJSON(needs) }}
--- a/.github/workflows/ci-docs-source.yml
+++ b/.github/workflows/ci-docs-source.yml
@@ -13,11 +13,10 @@ env:

 jobs:
  publish-source-docs:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: generate docs
--- a/.github/workflows/ci-docs.yml
+++ b/.github/workflows/ci-docs.yml
@@ -21,7 +21,7 @@ jobs:
        command:
          - prettier-check
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: Install dependencies
        working-directory: website/
        run: npm ci
@@ -32,7 +32,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
        with:
          node-version-file: website/package.json
@@ -48,7 +48,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
        with:
          node-version-file: website/package.json
@@ -61,7 +61,6 @@ jobs:
        working-directory: website/
        run: npm run build -w integrations
  build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload container images to ghcr.io
@@ -70,11 +69,11 @@ jobs:
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
      - name: prepare variables
@@ -118,7 +117,6 @@ jobs:
      - build-container
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
        with:
          jobs: ${{ toJSON(needs) }}
-          allowed-skips: ${{ github.repository == 'goauthentik/authentik-internal' && 'build-container' || '[]' }}
--- a/.github/workflows/ci-main-daily.yml
+++ b/.github/workflows/ci-main-daily.yml
@@ -9,7 +9,6 @@ on:

 jobs:
  test-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
@@ -19,7 +18,7 @@ jobs:
          - version-2025-4
          - version-2025-2
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - run: |
          current="$(pwd)"
          dir="/tmp/authentik/${{ matrix.version }}"
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@@ -37,7 +37,7 @@ jobs:
          - mypy
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run job
@@ -45,7 +45,7 @@ jobs:
  test-migrations:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: run migrations
@@ -71,16 +71,23 @@ jobs:
          - 18-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          fetch-depth: 0
      - name: checkout stable
        run: |
-          # Copy current, latest config to local
-          cp authentik/lib/default.yml local.env.yml
+          set -e -o pipefail
          cp -R .github ..
          cp -R scripts ..
-          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
+          # Previous stable tag
+          prev_stable=$(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
+          # Current version family based on
+          current_version_family=$(cat internal/constants/VERSION | grep -vE -- 'rc[0-9]+$' || true)
+          if [[ -n $current_version_family ]]; then
+              prev_stable=$current_version_family
+          fi
+          echo "::notice::Checking out ${prev_stable} as stable version..."
+          git checkout ${prev_stable}
          rm -rf .github/ scripts/
          mv ../.github ../scripts .
      - name: Setup authentik env (stable)
@@ -129,7 +136,7 @@ jobs:
          - 18-alpine
        run_id: [1, 2, 3, 4, 5]
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
        with:
@@ -149,11 +156,11 @@ jobs:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Create k8s Kind Cluster
-        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+        uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
      - name: run integration
        run: |
          uv run coverage run manage.py test tests/integration
@@ -187,7 +194,7 @@ jobs:
          - name: flows
            glob: tests/e2e/test_flows*
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Setup e2e env (chrome, etc)
@@ -225,7 +232,7 @@ jobs:
      - test-e2e
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
        with:
          jobs: ${{ toJSON(needs) }}
  build:
@@ -253,7 +260,7 @@ jobs:
      pull-requests: write
    timeout-minutes: 120
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: prepare variables
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@@ -21,8 +21,8 @@ jobs:
  lint-golint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
        with:
          go-version-file: "go.mod"
      - name: Prepare and generate API
@@ -34,7 +34,7 @@ jobs:
      - name: Generate API
        run: make gen-client-go
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
+        uses: golangci/golangci-lint-action@e7fa5ac41e1cf5b7d48e45e42232ce7ada589601 # v8
        with:
          version: latest
          args: --timeout 5000s --verbose
@@ -42,8 +42,8 @@ jobs:
  test-unittest:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
        with:
          go-version-file: "go.mod"
      - name: Setup authentik env
@@ -63,11 +63,10 @@ jobs:
      - test-unittest
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
        with:
          jobs: ${{ toJSON(needs) }}
  build-container:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    timeout-minutes: 120
    needs:
      - ci-outpost-mark
@@ -87,11 +86,11 @@ jobs:
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
      - name: prepare variables
@@ -146,10 +145,10 @@ jobs:
        goos: [linux]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          ref: ${{ github.event.pull_request.head.sha }}
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
        with:
          go-version-file: "go.mod"
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
--- a/.github/workflows/ci-web.yml
+++ b/.github/workflows/ci-web.yml
@@ -31,7 +31,7 @@ jobs:
          - command: lit-analyse
            project: web
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
        with:
          node-version-file: ${{ matrix.project }}/package.json
@@ -48,7 +48,7 @@ jobs:
  build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
        with:
          node-version-file: web/package.json
@@ -68,7 +68,7 @@ jobs:
      - lint
    runs-on: ubuntu-latest
    steps:
-      - uses: re-actors/alls-green@release/v1
+      - uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
        with:
          jobs: ${{ toJSON(needs) }}
  test:
@@ -76,7 +76,7 @@ jobs:
      - ci-web-mark
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
        with:
          node-version-file: web/package.json
--- a/.github/workflows/gen-image-compress.yml
+++ b/.github/workflows/gen-image-compress.yml
@@ -29,20 +29,20 @@ jobs:
       github.event.pull_request.head.repo.full_name == github.repository)
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Compress images
        id: compress
-        uses: calibreapp/image-actions@05b1cf44e88c3b041b841452482df9497f046ef7 # main
+        uses: calibreapp/image-actions@420075c115b26f8785e293c5bd5bef0911c506e5 # main
        with:
          GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
          compressOnly: ${{ github.event_name != 'pull_request' }}
-      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
        if: "${{ github.event_name != 'pull_request' && steps.compress.outputs.markdown != '' }}"
        id: cpr
        with:
--- a/.github/workflows/gen-update-webauthn-mds.yml
+++ b/.github/workflows/gen-update-webauthn-mds.yml
@@ -13,21 +13,20 @@ env:

 jobs:
  build:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          token: ${{ steps.generate_token.outputs.token }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - run: uv run ak update_webauthn_mds
-      - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+      - uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
        id: cpr
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/.github/workflows/gh-cherry-pick.yml
+++ b/.github/workflows/gh-cherry-pick.yml
@@ -10,14 +10,14 @@ jobs:
    steps:
      - id: app-token
        name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
        if: ${{ env.GH_APP_ID != '' }}
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
        env:
          GH_APP_ID: ${{ secrets.GH_APP_ID }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        if: ${{ steps.app-token.outcome != 'skipped' }}
        with:
          fetch-depth: 0
--- a/.github/workflows/gh-gha-cache-cleanup.yml
+++ b/.github/workflows/gh-gha-cache-cleanup.yml
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5

      - name: Cleanup
        run: |
--- a/.github/workflows/gh-ghcr-retention.yml
+++ b/.github/workflows/gh-ghcr-retention.yml
@@ -5,25 +5,28 @@ on:
  # schedule:
  #   - cron: "0 0 * * *" # every day at midnight
  workflow_dispatch:
+    inputs:
+      dry-run:
+        type: boolean
+        description: Enable dry-run mode

 jobs:
  clean-ghcr:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    name: Delete old unused container images
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Delete 'dev' containers older than a week
-        uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v2
+        uses: snok/container-retention-policy@3b0972b2276b171b212f8c4efbca59ebba26eceb # v3.0.1
        with:
          image-names: dev-server,dev-ldap,dev-proxy
+          image-tags: "!gh-next,!gh-main"
          cut-off: One week ago UTC
-          account-type: org
-          org-name: goauthentik
-          untagged-only: false
+          account: goauthentik
+          tag-selection: untagged
          token: ${{ steps.generate_token.outputs.token }}
-          skip-tags: gh-next,gh-main
+          dry-run: ${{ inputs.dry-run }}
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@@ -5,10 +5,10 @@ on:
  push:
    branches: [main]
    paths:
-      - packages/docusaurus-config/**
+      - packages/tsconfig/**
      - packages/eslint-config/**
      - packages/prettier-config/**
-      - packages/tsconfig/**
+      - packages/docusaurus-config/**
      - packages/esbuild-plugin-live-reload/**
  workflow_dispatch:

@@ -19,19 +19,19 @@ permissions:

 jobs:
  publish:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        package:
-          - packages/docusaurus-config
+          # The order of the `*config` packages should not be changed, as they depend on each other.
+          - packages/tsconfig
          - packages/eslint-config
          - packages/prettier-config
-          - packages/tsconfig
+          - packages/docusaurus-config
          - packages/esbuild-plugin-live-reload
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          fetch-depth: 2
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
@@ -44,6 +44,8 @@ jobs:
        with:
          files: |
            ${{ matrix.package }}/package.json
+      - name: Install Dependencies
+        run: npm ci
      - name: Publish package
        if: steps.changed-files.outputs.any_changed == 'true'
        working-directory: ${{ matrix.package }}
--- a/.github/workflows/qa-codeql.yml
+++ b/.github/workflows/qa-codeql.yml
@@ -24,7 +24,7 @@ jobs:
        language: ["go", "javascript", "python"]
    steps:
      - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: Setup authentik env
        uses: ./.github/actions/setup
      - name: Initialize CodeQL
--- a/.github/workflows/qa-semgrep.yml
+++ b/.github/workflows/qa-semgrep.yml
@@ -26,5 +26,5 @@ jobs:
      image: semgrep/semgrep
    if: (github.actor != 'dependabot[bot]')
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - run: semgrep ci
--- a/.github/workflows/release-branch-off.yml
+++ b/.github/workflows/release-branch-off.yml
@@ -29,12 +29,12 @@ jobs:
    steps:
      - id: app-token
        name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Checkout main
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          ref: main
          token: "${{ steps.app-token.outputs.token }}"
@@ -57,12 +57,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - name: Checkout main
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          ref: main
          token: ${{ steps.generate_token.outputs.token }}
@@ -73,7 +73,7 @@ jobs:
      - name: Bump version
        run: "make bump version=${{ inputs.next_version }}.0-rc1"
      - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
          branch: release-bump-${{ inputs.next_version }}
--- a/.github/workflows/release-next-branch.yml
+++ b/.github/workflows/release-next-branch.yml
@@ -12,11 +12,10 @@ permissions:

 jobs:
  update-next:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    environment: internal-production
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          ref: main
      - run: |
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -31,9 +31,9 @@ jobs:
      id-token: write
      attestations: write
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
      - name: prepare variables
@@ -83,12 +83,12 @@ jobs:
          - radius
          - rac
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
      - name: prepare variables
@@ -146,8 +146,8 @@ jobs:
        goos: [linux, darwin]
        goarch: [amd64, arm64]
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
+      - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
        with:
          go-version-file: "go.mod"
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v5
@@ -168,7 +168,7 @@ jobs:
          export CGO_ENABLED=0
          go build -tags=outpost_static_embed -v -o ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }} ./cmd/${{ matrix.type }}
      - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@81c65b7cd4de9b2570615ce3aad67a41de5b1a13 # v2
+        uses: svenstaro/upload-release-action@6b7fa9f267e90b50a19fef07b3596790bb941741 # v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: ./authentik-outpost-${{ matrix.type }}_${{ matrix.goos }}_${{ matrix.goarch }}
@@ -186,8 +186,8 @@ jobs:
      AWS_REGION: eu-central-1
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
+      - uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5
        with:
          role-to-assume: "arn:aws:iam::016170277896:role/github_goauthentik_authentik"
          aws-region: ${{ env.AWS_REGION }}
@@ -202,7 +202,7 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: Run test suite in final docker images
        run: |
          echo "PG_PASS=$(openssl rand 32 | base64 -w 0)" >> .env
@@ -218,7 +218,7 @@ jobs:
      - build-outpost-binary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
        id: ev
@@ -232,7 +232,7 @@ jobs:
          container=$(docker container create ${{ steps.ev.outputs.imageMainName }})
          docker cp ${container}:web/ .
      - name: Create a Sentry.io release
-        uses: getsentry/action-release@4f502acc1df792390abe36f2dcb03612ef144818 # v3
+        uses: getsentry/action-release@128c5058bbbe93c8e02147fe0a9c713f166259a6 # v3
        continue-on-error: true
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
--- a/.github/workflows/release-tag.yml
+++ b/.github/workflows/release-tag.yml
@@ -35,8 +35,10 @@ jobs:
          echo "major_version=${{ inputs.version }}" | grep -oE "^major_version=[0-9]{4}\.[0-9]{1,2}" >> "$GITHUB_OUTPUT"
      - id: changelog-url
        run: |
-          if [ "${{ inputs.release_reason }}" = "feature" ] || [ "${{ inputs.release_reason }}" = "prerelease" ]; then
+          if [ "${{ inputs.release_reason }}" = "feature" ]; then
            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
+          elif [ "${{ inputs.release_reason }}" = "prerelease" ]; then
+            changelog_url="https://next.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}"
          else
            changelog_url="https://docs.goauthentik.io/docs/releases/${{ steps.check.outputs.major_version }}#fixed-in-$(echo -n ${{ inputs.version }} | sed 's/\.//g')"
          fi
@@ -48,7 +50,7 @@ jobs:
    name: Pre-release test
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
      - run: make test-docker
  bump-authentik:
    name: Bump authentik version
@@ -59,7 +61,7 @@ jobs:
    steps:
      - id: app-token
        name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -68,7 +70,7 @@ jobs:
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          ref: "version-${{ needs.check-inputs.outputs.major_version }}"
          token: "${{ steps.app-token.outputs.token }}"
@@ -87,7 +89,7 @@ jobs:
          git tag "version/${{ inputs.version }}" HEAD -m "version/${{ inputs.version }}"
          git push --follow-tags
      - name: Create Release
-        uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          token: "${{ steps.app-token.outputs.token }}"
          tag_name: "version/${{ inputs.version }}"
@@ -106,7 +108,7 @@ jobs:
    steps:
      - id: app-token
        name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -116,7 +118,7 @@ jobs:
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          repository: "${{ github.repository_owner }}/helm"
          token: "${{ steps.app-token.outputs.token }}"
@@ -128,7 +130,7 @@ jobs:
          sed -E -i 's/[0-9]{4}\.[0-9]{1,2}\.[0-9]+$/${{ inputs.version }}/' charts/authentik/Chart.yaml
          ./scripts/helm-docs.sh
      - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
        with:
          token: "${{ steps.app-token.outputs.token }}"
          branch: bump-${{ inputs.version }}
@@ -148,7 +150,7 @@ jobs:
    steps:
      - id: app-token
        name: Generate app token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
@@ -158,7 +160,7 @@ jobs:
        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
        env:
          GH_TOKEN: "${{ steps.app-token.outputs.token }}"
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        with:
          repository: "${{ github.repository_owner }}/version"
          token: "${{ steps.app-token.outputs.token }}"
@@ -183,7 +185,7 @@ jobs:
            '.stable.version = $version | .stable.changelog = $changelog | .stable.changelog_url = $changelog_url' version.json > version.new.json
          mv version.new.json version.json
      - name: Create pull request
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
        with:
          token: "${{ steps.app-token.outputs.token }}"
          branch: bump-${{ inputs.version }}
--- a/.github/workflows/repo-mirror-cleanup.yml
+++ b/.github/workflows/repo-mirror-cleanup.yml
@@ -1,22 +0,0 @@
---
-name: Repo - Cleanup internal mirror
-
-on:
-  workflow_dispatch:
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb # 5cf300935bc2e068f73ea69bcc411a8a997208eb
-        with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force --prune
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}
--- a/.github/workflows/repo-mirror.yml
+++ b/.github/workflows/repo-mirror.yml
@@ -1,21 +0,0 @@
---
-name: Repo - Mirror to internal
-
-on: [push, delete]
-
-jobs:
-  to_internal:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-        with:
-          fetch-depth: 0
-      - if: ${{ env.MIRROR_KEY != '' }}
-        uses: BeryJu/repository-mirroring-action@5cf300935bc2e068f73ea69bcc411a8a997208eb # 5cf300935bc2e068f73ea69bcc411a8a997208eb
-        with:
-          target_repo_url: git@github.com:goauthentik/authentik-internal.git
-          ssh_private_key: ${{ secrets.GH_MIRROR_KEY }}
-          args: --tags --force
-        env:
-          MIRROR_KEY: ${{ secrets.GH_MIRROR_KEY }}
--- a/.github/workflows/repo-stale.yml
+++ b/.github/workflows/repo-stale.yml
@@ -12,11 +12,10 @@ permissions:

 jobs:
  stale:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@@ -17,20 +17,19 @@ env:

 jobs:
  compile:
-    if: ${{ github.repository != 'goauthentik/authentik-internal' }}
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
        if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
+        uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 # v2
        with:
          app-id: ${{ secrets.GH_APP_ID }}
          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        if: ${{ github.event_name != 'pull_request' }}
        with:
          token: ${{ steps.generate_token.outputs.token }}
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v5
        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
@@ -45,7 +44,7 @@ jobs:
          make web-check-compile
      - name: Create Pull Request
        if: ${{ github.event_name != 'pull_request' }}
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
          branch: extract-compile-backend-translation
--- a/.github/workflows/translation-rename.yml
+++ b/.github/workflows/translation-rename.yml
@@ -1,41 +0,0 @@
---
-# Rename transifex pull requests to have a correct naming
-# Also enables auto squash-merge
-name: Translation - Auto-rename Transifex PRs
-
-on:
-  pull_request:
-    types: [opened, reopened]
-
-permissions:
-  # Permission to rename PR
-  pull-requests: write
-
-jobs:
-  rename_pr:
-    runs-on: ubuntu-latest
-    if: ${{ github.event.pull_request.user.login == 'transifex-integration[bot]'}}
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - id: generate_token
-        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2
-        with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
-      - name: Get current title
-        id: title
-        env:
-          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-        run: |
-          title=$(gh pr view ${{ github.event.pull_request.number }} --json  "title" -q ".title")
-          echo "title=${title}" >> "$GITHUB_OUTPUT"
-      - name: Rename
-        env:
-          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
-        run: |
-          gh pr edit ${{ github.event.pull_request.number }} -t "translate: ${{ steps.title.outputs.title }}" --add-label dependencies
-      - uses: peter-evans/enable-pull-request-automerge@a660677d5469627102a1c1e11409dd063606628d # v3
-        with:
-          token: ${{ steps.generate_token.outputs.token }}
-          pull-request-number: ${{ github.event.pull_request.number }}
-          merge-method: squash
--- a/.prettierignore
+++ b/.prettierignore
@@ -26,6 +26,10 @@ website/api/reference
 node_modules
 coverage

+## Vendored files
+vendored
+*.min.js
+
 ## Configs
 *.log
 *.yaml
--- a/11
+++ b/11
@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1

 # Stage 1: Build webui
-FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-slim AS node-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/node:24-trixie-slim@sha256:45babd1b4ce0349fb12c4e24bf017b90b96d52806db32e001e3013f341bef0fe AS node-builder

 ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
@@ -26,7 +26,7 @@ RUN npm run build && \
    npm run build:sfe

 # Stage 2: Build go proxy
-FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.3-bookworm AS go-builder
+FROM --platform=${BUILDPLATFORM} docker.io/library/golang:1.25.4-trixie@sha256:a02d35efc036053fdf0da8c15919276bf777a80cbfda6a35c5e9f087e652adfc AS go-builder

 ARG TARGETOS
 ARG TARGETARCH
@@ -63,7 +63,7 @@ RUN --mount=type=cache,sharing=locked,target=/go/pkg/mod \
    go build -o /go/authentik ./cmd/server

 # Stage 3: MaxMind GeoIP
-FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1 AS geoip
+FROM --platform=${BUILDPLATFORM} ghcr.io/maxmind/geoipupdate:v7.1.1@sha256:faecdca22579730ab0b7dea5aa9af350bb3c93cb9d39845c173639ead30346d2 AS geoip

 ENV GEOIPUPDATE_EDITION_IDS="GeoLite2-City GeoLite2-ASN"
 ENV GEOIPUPDATE_VERBOSE="1"
@@ -76,9 +76,9 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.9.4 AS uv
+FROM ghcr.io/astral-sh/uv:0.9.14@sha256:fef8e5fb8809f4b57069e919ffcd1529c92b432a2c8d8ad1768087b0b018d840 AS uv
 # Stage 5: Base python image
-FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips AS python-base
+FROM ghcr.io/goauthentik/fips-python:3.13.9-slim-trixie-fips@sha256:700fc8c1e290bd14e5eaca50b1d8e8c748c820010559cbfb4c4f8dfbe2c4c9ff AS python-base

 ENV VENV_PATH="/ak-root/.venv" \
    PATH="/lifecycle:/ak-root/.venv/bin:$PATH" \
@@ -139,6 +139,7 @@ ARG GIT_BUILD_HASH
 ENV GIT_BUILD_HASH=$GIT_BUILD_HASH

 LABEL org.opencontainers.image.authors="Authentik Security Inc." \
+    org.opencontainers.image.source="https://github.com/goauthentik/authentik" \
    org.opencontainers.image.description="goauthentik.io Main server image, see https://goauthentik.io for more info." \
    org.opencontainers.image.documentation="https://docs.goauthentik.io" \
    org.opencontainers.image.licenses="https://github.com/goauthentik/authentik/blob/main/LICENSE" \
--- a/34
+++ b/34
@@ -17,21 +17,20 @@ pg_user := $(shell uv run python -m authentik.lib.config postgresql.user 2>/dev/
 pg_host := $(shell uv run python -m authentik.lib.config postgresql.host 2>/dev/null)
 pg_name := $(shell uv run python -m authentik.lib.config postgresql.name 2>/dev/null)

-UNAME := $(shell uname)
-
 # For macOS users, add the libxml2 installed from brew libxmlsec1 to the build path
 # to prevent SAML-related tests from failing and ensure correct pip dependency compilation
-ifeq ($(UNAME), Darwin)
-# Only add for brew users who installed libxmlsec1
-	BREW_EXISTS := $(shell command -v brew 2> /dev/null)
-	ifdef BREW_EXISTS
-		LIBXML2_EXISTS := $(shell brew list libxml2 2> /dev/null)
-		ifdef LIBXML2_EXISTS
-			BREW_LDFLAGS := -L$(shell brew --prefix libxml2)/lib $(LDFLAGS)
-			BREW_CPPFLAGS := -I$(shell brew --prefix libxml2)/include $(CPPFLAGS)
-			BREW_PKG_CONFIG_PATH := $(shell brew --prefix libxml2)/lib/pkgconfig:$(PKG_CONFIG_PATH)
-		endif
-	endif
+# These functions are only evaluated when called in specific targets
+LIBXML2_EXISTS = $(shell brew list libxml2 2> /dev/null)
+KRB5_EXISTS = $(shell brew list krb5 2> /dev/null)
+
+LIBXML2_LDFLAGS = -L$(shell brew --prefix libxml2)/lib $(LDFLAGS)
+LIBXML2_CPPFLAGS = -I$(shell brew --prefix libxml2)/include $(CPPFLAGS)
+LIBXML2_PKG_CONFIG = $(shell brew --prefix libxml2)/lib/pkgconfig:$(PKG_CONFIG_PATH)
+
+KRB_PATH =
+
+ifneq ($(KRB5_EXISTS),)
+	KRB_PATH = PATH="$(shell brew --prefix krb5)/sbin:$(shell brew --prefix krb5)/bin:$$PATH"
 endif

 all: lint-fix lint gen web test  ## Lint, build, and test everything
@@ -50,7 +49,7 @@ go-test:
 	go test -timeout 0 -v -race -cover ./...

 test: ## Run the server tests and produce a coverage report (locally)
-	uv run coverage run manage.py test --keepdb authentik
+	$(KRB_PATH) uv run coverage run manage.py test --keepdb $(or $(filter-out $@,$(MAKECMDGOALS)),authentik)
 	uv run coverage html
 	uv run coverage report

@@ -66,11 +65,11 @@ lint: ## Lint the python and golang sources
 	golangci-lint run -v

 core-install:
-ifdef LIBXML2_EXISTS
+ifneq ($(LIBXML2_EXISTS),)
 # Clear cache to ensure fresh compilation
 	uv cache clean
 # Force compilation from source for lxml and xmlsec with correct environment
-	LDFLAGS="$(BREW_LDFLAGS)" CPPFLAGS="$(BREW_CPPFLAGS)" PKG_CONFIG_PATH="$(BREW_PKG_CONFIG_PATH)" uv sync --frozen --reinstall-package lxml --reinstall-package xmlsec --no-binary-package lxml --no-binary-package xmlsec
+	LDFLAGS="$(LIBXML2_LDFLAGS)" CPPFLAGS="$(LIBXML2_CPPFLAGS)" PKG_CONFIG_PATH="$(LIBXML2_PKG_CONFIG)" uv sync --frozen --reinstall-package lxml --reinstall-package xmlsec --no-binary-package lxml --no-binary-package xmlsec
 else
 	uv sync --frozen
 endif
@@ -197,11 +196,12 @@ endif
 	cp ${PWD}/schema.yml ${PWD}/${GEN_API_PY}
 	make -C ${PWD}/${GEN_API_PY} build version=${NPM_VERSION}

-gen-client-go: gen-clean-go  ## Build and install the authentik API for Golang
+gen-client-go:  ## Build and install the authentik API for Golang
 	mkdir -p ${PWD}/${GEN_API_GO}
 ifeq ($(wildcard ${PWD}/${GEN_API_GO}/.*),)
 	git clone --depth 1 https://github.com/goauthentik/client-go.git ${PWD}/${GEN_API_GO}
 else
+	cd ${PWD}/${GEN_API_GO} && git reset --hard
 	cd ${PWD}/${GEN_API_GO} && git pull
 endif
 	cp ${PWD}/schema.yml ${PWD}/${GEN_API_GO}
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@
 [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/goauthentik/authentik/ci-web.yml?branch=main&label=web%20build&style=for-the-badge)](https://github.com/goauthentik/authentik/actions/workflows/ci-web.yml)
 [![Code Coverage](https://img.shields.io/codecov/c/gh/goauthentik/authentik?style=for-the-badge)](https://codecov.io/gh/goauthentik/authentik)
 ![Latest version](https://img.shields.io/docker/v/authentik/server?sort=semver&style=for-the-badge)
-[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://www.transifex.com/authentik/authentik/)
+[![](https://img.shields.io/badge/Help%20translate-transifex-blue?style=for-the-badge)](https://explore.transifex.com/authentik/authentik/)

 ## What is authentik?

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -18,10 +18,10 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 (.x being the latest patch release for each version)

-| Version   | Supported |
-| --------- | --------- |
-| 2025.6.x  | ✅        |
-| 2025.8.x  | ✅        |
+| Version    | Supported  |
+| ---------- | ---------- |
+| 2025.8.x   | ✅         |
+| 2025.10.x  | ✅         |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@@ -3,7 +3,7 @@
 from functools import lru_cache
 from os import environ

-VERSION = "2025.10.0-rc1"
+VERSION = "2025.12.0-rc1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/api/authentication.py
+++ b/authentik/api/authentication.py
@@ -27,16 +27,16 @@ except OSError:
    ipc_key = None


-def validate_auth(header: bytes) -> str | None:
+def validate_auth(header: bytes, format="bearer") -> str | None:
    """Validate that the header is in a correct format,
    returns type and credentials"""
    auth_credentials = header.decode().strip()
    if auth_credentials == "" or " " not in auth_credentials:
        return None
    auth_type, _, auth_credentials = auth_credentials.partition(" ")
-    if auth_type.lower() != "bearer":
+    if not compare_digest(auth_type.lower(), format):
        LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
-        raise AuthenticationFailed("Unsupported authentication type")
+        return None
    if auth_credentials == "":  # nosec # noqa
        raise AuthenticationFailed("Malformed header")
    return auth_credentials
--- a/authentik/api/tests/test_auth.py
+++ b/authentik/api/tests/test_auth.py
@@ -24,8 +24,7 @@ class TestAPIAuth(TestCase):

    def test_invalid_type(self):
        """Test invalid type"""
-        with self.assertRaises(AuthenticationFailed):
-            bearer_auth(b"foo bar")
+        self.assertIsNone(bearer_auth(b"foo bar"))

    def test_invalid_empty(self):
        """Test invalid type"""
@@ -34,9 +33,8 @@ class TestAPIAuth(TestCase):

    def test_invalid_no_token(self):
        """Test invalid with no token"""
-        with self.assertRaises(AuthenticationFailed):
-            auth = b64encode(b":abc").decode()
-            self.assertIsNone(bearer_auth(f"Basic :{auth}".encode()))
+        auth = b64encode(b":abc").decode()
+        self.assertIsNone(bearer_auth(f"Basic :{auth}".encode()))

    def test_bearer_valid(self):
        """Test valid token"""
--- a/authentik/api/v3/config.py
+++ b/authentik/api/v3/config.py
@@ -5,6 +5,7 @@ from pathlib import Path
 from django.conf import settings
 from django.db import models
 from django.dispatch import Signal
+from django.http import HttpRequest
 from drf_spectacular.utils import extend_schema
 from rest_framework.fields import (
    BooleanField,
@@ -63,7 +64,8 @@ class ConfigView(APIView):

    permission_classes = [AllowAny]

-    def get_capabilities(self) -> list[Capabilities]:
+    @staticmethod
+    def get_capabilities(request: HttpRequest) -> list[Capabilities]:
        """Get all capabilities this server instance supports"""
        caps = []
        deb_test = settings.DEBUG or settings.TEST
@@ -76,18 +78,19 @@ class ConfigView(APIView):
        for processor in get_context_processors():
            if cap := processor.capability():
                caps.append(cap)
-        if self.request.tenant.impersonation:
+        if request.tenant.impersonation:
            caps.append(Capabilities.CAN_IMPERSONATE)
        if settings.DEBUG:  # pragma: no cover
            caps.append(Capabilities.CAN_DEBUG)
        if "authentik.enterprise" in settings.INSTALLED_APPS:
            caps.append(Capabilities.IS_ENTERPRISE)
-        for _, result in capabilities.send(sender=self):
+        for _, result in capabilities.send(sender=ConfigView):
            if result:
                caps.append(result)
        return caps

-    def get_config(self) -> ConfigSerializer:
+    @staticmethod
+    def get_config(request: HttpRequest) -> ConfigSerializer:
        """Get Config"""
        return ConfigSerializer(
            {
@@ -98,7 +101,7 @@ class ConfigView(APIView):
                    "send_pii": CONFIG.get("error_reporting.send_pii"),
                    "traces_sample_rate": float(CONFIG.get("error_reporting.sample_rate", 0.4)),
                },
-                "capabilities": self.get_capabilities(),
+                "capabilities": ConfigView.get_capabilities(request),
                "cache_timeout": CONFIG.get_int("cache.timeout"),
                "cache_timeout_flows": CONFIG.get_int("cache.timeout_flows"),
                "cache_timeout_policies": CONFIG.get_int("cache.timeout_policies"),
@@ -108,4 +111,4 @@ class ConfigView(APIView):
    @extend_schema(responses={200: ConfigSerializer(many=False)})
    def get(self, request: Request) -> Response:
        """Retrieve public configuration options"""
-        return Response(self.get_config().data)
+        return Response(ConfigView.get_config(request).data)
--- a/authentik/api/validation.py
+++ b/authentik/api/validation.py
@@ -0,0 +1,50 @@
+from collections.abc import Callable
+from functools import wraps
+from typing import Literal
+
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.serializers import Serializer
+from rest_framework.viewsets import ViewSet
+
+
+def validate(serializer_type: type[Serializer], location: Literal["body", "query"] = "body"):
+    """Validate incoming data with the specified serializer. Raw data can either be taken
+    from request body or query string, defaulting to body.
+
+    Validated data is added to the function this decorator is used on with a named parameter
+    based on the location of the data.
+
+    Example:
+
+        @validate(MySerializer)
+        @validate(MyQuerySerializer, location="query")
+        def my_action(self, request, *, body: MySerializer, query: MyQuerySerializer):
+            ...
+
+    """
+
+    def wrapper_outer(func: Callable):
+
+        @wraps(func)
+        def wrapper(self: ViewSet, request: Request, *args, **kwargs) -> Response:
+            data = {}
+            if location == "body":
+                data = request.data
+            elif location == "query":
+                data = request.query_params
+            else:
+                raise ValueError(f"Invalid data location '{location}'")
+            instance = serializer_type(
+                data=data,
+                context={
+                    "request": request,
+                },
+            )
+            instance.is_valid(raise_exception=True)
+            kwargs[location] = instance
+            return func(self, request, *args, **kwargs)
+
+        return wrapper
+
+    return wrapper_outer
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@@ -118,7 +118,10 @@ class Command(BaseCommand):
                model_instance: Model = model()
                if not isinstance(model_instance, SerializerModel):
                    continue
-                serializer_class = model_instance.serializer
+                try:
+                    serializer_class = model_instance.serializer
+                except NotImplementedError as exc:
+                    raise NotImplementedError(model_instance) from exc
            serializer = serializer_class(
                context={
                    SERIALIZER_CONTEXT_BLUEPRINT: False,
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@@ -42,6 +42,15 @@ from authentik.core.models import (
    User,
    UserSourceConnection,
 )
+from authentik.endpoints.connectors.agent.models import (
+    AgentDeviceConnection,
+    AppleNonce,
+    DeviceAuthenticationToken,
+)
+from authentik.endpoints.connectors.agent.models import (
+    DeviceToken as EndpointDeviceToken,
+)
+from authentik.endpoints.models import Connector, Device, DeviceConnection, DeviceFactSnapshot
 from authentik.enterprise.license import LicenseKey
 from authentik.enterprise.models import LicenseUsage
 from authentik.enterprise.providers.google_workspace.models import (
@@ -112,6 +121,7 @@ def excluded_models() -> list[type[Model]]:
        OutpostServiceConnection,
        Policy,
        PolicyBindingModel,
+        Connector,
        # Classes that have other dependencies
        Session,
        AuthenticatedSession,
@@ -139,6 +149,13 @@ def excluded_models() -> list[type[Model]]:
        MicrosoftEntraProviderGroup,
        EndpointDevice,
        EndpointDeviceConnection,
+        EndpointDeviceToken,
+        Device,
+        DeviceConnection,
+        DeviceAuthenticationToken,
+        AppleNonce,
+        AgentDeviceConnection,
+        DeviceFactSnapshot,
        DeviceToken,
        StreamEvent,
        UserConsent,
@@ -313,6 +330,7 @@ class Importer:

        serializer_kwargs = {}
        model_instance = existing_models.first()
+        override_serializer_instance = False
        if (
            not isinstance(model(), BaseMetaModel)
            and model_instance
@@ -341,11 +359,7 @@ class Importer:
                model=model,
                **cleanse_dict(updated_identifiers),
            )
-            model_instance = model()
-            # pk needs to be set on the model instance otherwise a new one will be generated
-            if "pk" in updated_identifiers:
-                model_instance.pk = updated_identifiers["pk"]
-            serializer_kwargs["instance"] = model_instance
+            override_serializer_instance = True
        try:
            full_data = self.__update_pks_for_attrs(entry.get_attrs(self._import))
        except ValueError as exc:
@@ -368,6 +382,12 @@ class Importer:
                entry=entry,
                serializer=serializer,
            ) from exc
+        if override_serializer_instance:
+            model_instance = model()
+            # pk needs to be set on the model instance otherwise a new one will be generated
+            if "pk" in updated_identifiers:
+                model_instance.pk = updated_identifiers["pk"]
+            serializer.instance = model_instance
        return serializer

    def _apply_permissions(self, instance: Model, entry: BlueprintEntry):
@@ -446,7 +466,7 @@ class Importer:
                self._apply_permissions(instance, entry)
            elif state == BlueprintEntryDesiredState.ABSENT:
                instance: Model | None = serializer.instance
-                if instance.pk:
+                if instance and instance.pk:
                    instance.delete()
                    self.logger.debug("Deleted model", mode=instance)
                    continue
--- a/authentik/brands/tests.py
+++ b/authentik/brands/tests.py
@@ -1,8 +1,11 @@
 """Test brands"""

+from json import loads
+
 from django.urls import reverse
 from rest_framework.test import APITestCase

+from authentik.blueprints.tests import apply_blueprint
 from authentik.brands.api import Themes
 from authentik.brands.models import Brand
 from authentik.core.models import Application
@@ -23,6 +26,7 @@ class TestBrands(APITestCase):
            _flag = flag()
            if _flag.visibility == "public":
                self.default_flags[_flag.key] = _flag.get()
+        Brand.objects.all().delete()

    def test_current_brand(self):
        """Test Current brand API"""
@@ -44,7 +48,6 @@ class TestBrands(APITestCase):

    def test_brand_subdomain(self):
        """Test Current brand API"""
-        Brand.objects.all().delete()
        Brand.objects.create(domain="bar.baz", branding_title="custom")
        self.assertJSONEqual(
            self.client.get(
@@ -65,7 +68,6 @@ class TestBrands(APITestCase):

    def test_fallback(self):
        """Test fallback brand"""
-        Brand.objects.all().delete()
        self.assertJSONEqual(
            self.client.get(reverse("authentik_api:brand-current")).content.decode(),
            {
@@ -81,6 +83,109 @@ class TestBrands(APITestCase):
            },
        )

+    @apply_blueprint("default/default-brand.yaml")
+    def test_blueprint(self):
+        """Test Current brand API"""
+        response = loads(self.client.get(reverse("authentik_api:brand-current")).content.decode())
+        response.pop("flow_authentication", None)
+        response.pop("flow_invalidation", None)
+        response.pop("flow_user_settings", None)
+        self.assertEqual(
+            response,
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "authentik",
+                "branding_custom_css": "",
+                "matched_domain": "authentik-default",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+
+    @apply_blueprint("default/default-brand.yaml")
+    def test_blueprint_with_other_brand(self):
+        """Test Current brand API"""
+        Brand.objects.create(domain="bar.baz", branding_title="custom")
+        response = loads(self.client.get(reverse("authentik_api:brand-current")).content.decode())
+        response.pop("flow_authentication", None)
+        response.pop("flow_invalidation", None)
+        response.pop("flow_user_settings", None)
+        self.assertEqual(
+            response,
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "authentik",
+                "branding_custom_css": "",
+                "matched_domain": "authentik-default",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+        self.assertJSONEqual(
+            self.client.get(
+                reverse("authentik_api:brand-current"), HTTP_HOST="foo.bar.baz"
+            ).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "custom",
+                "branding_custom_css": "",
+                "matched_domain": "bar.baz",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+
+    def test_brand_subdomain_same_suffix(self):
+        """Test Current brand API"""
+        Brand.objects.create(domain="bar.baz", branding_title="custom-weak")
+        Brand.objects.create(domain="foo.bar.baz", branding_title="custom-strong")
+        self.assertJSONEqual(
+            self.client.get(
+                reverse("authentik_api:brand-current"), HTTP_HOST="foo.bar.baz"
+            ).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "custom-strong",
+                "branding_custom_css": "",
+                "matched_domain": "foo.bar.baz",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+
+    def test_brand_subdomain_other_suffix(self):
+        """Test Current brand API"""
+        Brand.objects.create(domain="bar.baz", branding_title="custom-weak")
+        Brand.objects.create(domain="foo.bar.baz", branding_title="custom-strong")
+        self.assertJSONEqual(
+            self.client.get(
+                reverse("authentik_api:brand-current"), HTTP_HOST="other.bar.baz"
+            ).content.decode(),
+            {
+                "branding_logo": "/static/dist/assets/icons/icon_left_brand.svg",
+                "branding_favicon": "/static/dist/assets/icons/icon.png",
+                "branding_title": "custom-weak",
+                "branding_custom_css": "",
+                "matched_domain": "bar.baz",
+                "ui_footer_links": [],
+                "ui_theme": Themes.AUTOMATIC,
+                "default_locale": "",
+                "flags": self.default_flags,
+            },
+        )
+
    def test_create_default_multiple(self):
        """Test attempted creation of multiple default brands"""
        Brand.objects.create(
--- a/authentik/brands/utils.py
+++ b/authentik/brands/utils.py
@@ -2,8 +2,8 @@

 from typing import Any

-from django.db.models import F, Q
-from django.db.models import Value as V
+from django.db.models import Case, F, IntegerField, Q, Value, When
+from django.db.models.functions import Length
 from django.http.request import HttpRequest
 from django.utils.html import _json_script_escapes
 from django.utils.safestring import mark_safe
@@ -19,15 +19,36 @@ DEFAULT_BRAND = Brand(domain="fallback")

 def get_brand_for_request(request: HttpRequest) -> Brand:
    """Get brand object for current request"""
-    db_brands = (
-        Brand.objects.annotate(host_domain=V(request.get_host()))
-        .filter(Q(host_domain__iendswith=F("domain")) | _q_default)
-        .order_by("default")
+
+    brand = (
+        Brand.objects.annotate(
+            host_domain=Value(request.get_host()),
+            domain_length=Length("domain"),
+            match_priority=Case(
+                When(
+                    condition=Q(host_domain__iendswith=F("domain")),
+                    then=F("domain_length"),
+                ),
+                default=Value(-1),
+                output_field=IntegerField(),
+            ),
+            is_default_fallback=Case(
+                When(
+                    condition=Q(default=True),
+                    then=Value(0),
+                ),
+                default=Value(-2),
+                output_field=IntegerField(),
+            ),
+        )
+        .filter(Q(match_priority__gt=-1) | Q(default=True))
+        .order_by("-match_priority", "-is_default_fallback")
+        .first()
    )
-    brands = list(db_brands.all())
-    if len(brands) < 1:
+
+    if brand is None:
        return DEFAULT_BRAND
-    return brands[0]
+    return brand


 def context_processor(request: HttpRequest) -> dict[str, Any]:
--- a/authentik/core/api/devices.py
+++ b/authentik/core/api/devices.py
@@ -13,6 +13,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ViewSet

+from authentik.api.validation import validate
 from authentik.core.api.users import ParamUserSerializer
 from authentik.core.api.utils import MetaNameSerializer
 from authentik.enterprise.stages.authenticator_endpoint_gdtc.models import EndpointDevice
@@ -85,8 +86,7 @@ class AdminDeviceViewSet(ViewSet):
        parameters=[ParamUserSerializer],
        responses={200: DeviceSerializer(many=True)},
    )
-    def list(self, request: Request) -> Response:
+    @validate(ParamUserSerializer, "query")
+    def list(self, request: Request, query: ParamUserSerializer) -> Response:
        """Get all devices for current user"""
-        args = ParamUserSerializer(data=request.query_params)
-        args.is_valid(raise_exception=True)
-        return Response(DeviceSerializer(self.get_devices(**args.validated_data), many=True).data)
+        return Response(DeviceSerializer(self.get_devices(**query.validated_data), many=True).data)
--- a/authentik/core/api/groups.py
+++ b/authentik/core/api/groups.py
@@ -14,6 +14,7 @@ from drf_spectacular.utils import (
    extend_schema_field,
 )
 from guardian.shortcuts import get_objects_for_user
+from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.fields import CharField, IntegerField, SerializerMethodField
 from rest_framework.request import Request
@@ -22,9 +23,12 @@ from rest_framework.serializers import ListSerializer, ValidationError
 from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet

+from authentik.api.authentication import TokenAuthentication
+from authentik.api.validation import validate
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import JSONDictField, ModelSerializer, PassiveSerializer
 from authentik.core.models import Group, User
+from authentik.endpoints.connectors.agent.auth import AgentAuth
 from authentik.rbac.api.roles import RoleSerializer
 from authentik.rbac.decorators import permission_required

@@ -227,6 +231,11 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
    search_fields = ["name", "is_superuser"]
    filterset_class = GroupFilter
    ordering = ["name"]
+    authentication_classes = [
+        TokenAuthentication,
+        SessionAuthentication,
+        AgentAuth,
+    ]

    def get_ql_fields(self):
        from djangoql.schema import BoolField, StrField
@@ -289,13 +298,14 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
        filter_backends=[],
        permission_classes=[],
    )
-    def add_user(self, request: Request, pk: str) -> Response:
+    @validate(UserAccountSerializer)
+    def add_user(self, request: Request, body: UserAccountSerializer, pk: str) -> Response:
        """Add user to group"""
        group: Group = self.get_object()
        user: User = (
            get_objects_for_user(request.user, "authentik_core.view_user")
            .filter(
-                pk=request.data.get("pk"),
+                pk=body.validated_data.get("pk"),
            )
            .first()
        )
@@ -319,13 +329,14 @@ class GroupViewSet(UsedByMixin, ModelViewSet):
        filter_backends=[],
        permission_classes=[],
    )
-    def remove_user(self, request: Request, pk: str) -> Response:
+    @validate(UserAccountSerializer)
+    def remove_user(self, request: Request, body: UserAccountSerializer, pk: str) -> Response:
        """Remove user from group"""
        group: Group = self.get_object()
        user: User = (
            get_objects_for_user(request.user, "authentik_core.view_user")
            .filter(
-                pk=request.data.get("pk"),
+                pk=body.validated_data.get("pk"),
            )
            .first()
        )
--- a/authentik/core/api/property_mappings.py
+++ b/authentik/core/api/property_mappings.py
@@ -21,6 +21,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import GenericViewSet

+from authentik.api.validation import validate
 from authentik.blueprints.api import ManagedSerializer
 from authentik.core.api.object_types import TypesMixin
 from authentik.core.api.used_by import UsedByMixin
@@ -128,23 +129,20 @@ class PropertyMappingViewSet(
        ],
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
-    def test(self, request: Request, pk: str) -> Response:
+    @validate(PropertyMappingTestSerializer)
+    def test(self, request: Request, pk: str, body: PropertyMappingTestSerializer) -> Response:
        """Test Property Mapping"""
        _mapping: PropertyMapping = self.get_object()
        # Use `get_subclass` to get correct class and correct `.evaluate` implementation
        mapping: PropertyMapping = PropertyMapping.objects.get_subclass(pk=_mapping.pk)
        # FIXME: when we separate policy mappings between ones for sources
        # and ones for providers, we need to make the user field optional for the source mapping
-        test_params = self.PropertyMappingTestSerializer(data=request.data)
-        if not test_params.is_valid():
-            return Response(test_params.errors, status=400)
-
        format_result = str(request.GET.get("format_result", "false")).lower() == "true"

-        context: dict = test_params.validated_data.get("context", {})
+        context: dict = body.validated_data.get("context", {})
        context.setdefault("user", None)

-        if user := test_params.validated_data.get("user"):
+        if user := body.validated_data.get("user"):
            # User permission check, only allow mapping testing for users that are readable
            users = get_objects_for_user(request.user, "authentik_core.view_user").filter(
                pk=user.pk
@@ -152,7 +150,7 @@ class PropertyMappingViewSet(
            if not users.exists():
                raise PermissionDenied()
            context["user"] = user
-        if group := test_params.validated_data.get("group"):
+        if group := body.validated_data.get("group"):
            # Group permission check, only allow mapping testing for groups that are readable
            groups = get_objects_for_user(request.user, "authentik_core.view_group").filter(
                pk=group.pk
--- a/authentik/core/api/sources.py
+++ b/authentik/core/api/sources.py
@@ -56,6 +56,7 @@ class SourceSerializer(ModelSerializer, MetaNameSerializer):
            "name",
            "slug",
            "enabled",
+            "promoted",
            "authentication_flow",
            "enrollment_flow",
            "user_property_mappings",
--- a/authentik/core/api/tokens.py
+++ b/authentik/core/api/tokens.py
@@ -3,7 +3,7 @@
 from typing import Any

 from django.utils.timezone import now
-from drf_spectacular.utils import OpenApiResponse, extend_schema, inline_serializer
+from drf_spectacular.utils import OpenApiResponse, extend_schema
 from guardian.shortcuts import assign_perm, get_anonymous_user
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
@@ -12,6 +12,7 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from rest_framework.viewsets import ModelViewSet

+from authentik.api.validation import validate
 from authentik.blueprints.api import ManagedSerializer
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.core.api.used_by import UsedByMixin
@@ -107,6 +108,12 @@ class TokenSerializer(ManagedSerializer, ModelSerializer):
        }


+class TokenSetKeySerializer(PassiveSerializer):
+    """Set token's key"""
+
+    key = CharField()
+
+
 class TokenViewSerializer(PassiveSerializer):
    """Show token's current key"""

@@ -170,12 +177,7 @@ class TokenViewSet(UsedByMixin, ModelViewSet):

    @permission_required("authentik_core.set_token_key")
    @extend_schema(
-        request=inline_serializer(
-            "TokenSetKey",
-            {
-                "key": CharField(),
-            },
-        ),
+        request=TokenSetKeySerializer(),
        responses={
            204: OpenApiResponse(description="Successfully changed key"),
            400: OpenApiResponse(description="Missing key"),
@@ -183,11 +185,12 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
        },
    )
    @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
-    def set_key(self, request: Request, identifier: str) -> Response:
+    @validate(TokenSetKeySerializer)
+    def set_key(self, request: Request, identifier: str, body: TokenSetKeySerializer) -> Response:
        """Set token key. Action is logged as event. `authentik_core.set_token_key` permission
        is required."""
        token: Token = self.get_object()
-        key = request.data.get("key")
+        key = body.validated_data.get("key")
        if not key:
            return Response(status=400)
        token.key = key
--- a/authentik/core/api/transactional_applications.py
+++ b/authentik/core/api/transactional_applications.py
@@ -12,6 +12,7 @@ from rest_framework.response import Response
 from rest_framework.views import APIView
 from yaml import ScalarNode

+from authentik.api.validation import validate
 from authentik.blueprints.v1.common import (
    Blueprint,
    BlueprintEntry,
@@ -160,11 +161,10 @@ class TransactionalApplicationView(APIView):
            200: TransactionApplicationResponseSerializer(),
        },
    )
-    def put(self, request: Request) -> Response:
+    @validate(TransactionApplicationSerializer)
+    def put(self, request: Request, body: TransactionApplicationSerializer) -> Response:
        """Convert data into a blueprint, validate it and apply it"""
-        data = TransactionApplicationSerializer(data=request.data)
-        data.is_valid(raise_exception=True)
-        blueprint: Blueprint = data.validated_data
+        blueprint: Blueprint = body.validated_data
        for entry in blueprint.entries:
            full_model = entry.get_model(blueprint)
            app, __, model = full_model.partition(".")
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -31,6 +31,7 @@ from drf_spectacular.utils import (
    inline_serializer,
 )
 from guardian.shortcuts import get_objects_for_user
+from rest_framework.authentication import SessionAuthentication
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
@@ -52,6 +53,8 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

+from authentik.api.authentication import TokenAuthentication
+from authentik.api.validation import validate
 from authentik.blueprints.v1.importer import SERIALIZER_CONTEXT_BLUEPRINT
 from authentik.brands.models import Brand
 from authentik.core.api.used_by import UsedByMixin
@@ -75,6 +78,7 @@ from authentik.core.models import (
    User,
    UserTypes,
 )
+from authentik.endpoints.connectors.agent.auth import AgentAuth
 from authentik.events.models import Event, EventAction
 from authentik.flows.exceptions import FlowNonApplicableException
 from authentik.flows.models import FlowToken
@@ -432,6 +436,11 @@ class UserViewSet(UsedByMixin, ModelViewSet):
    serializer_class = UserSerializer
    filterset_class = UsersFilter
    search_fields = ["email", "name", "uuid", "username"]
+    authentication_classes = [
+        TokenAuthentication,
+        SessionAuthentication,
+        AgentAuth,
+    ]

    def get_ql_fields(self):
        from djangoql.schema import BoolField, StrField
@@ -529,14 +538,13 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        pagination_class=None,
        filter_backends=[],
    )
-    def service_account(self, request: Request) -> Response:
+    @validate(UserServiceAccountSerializer)
+    def service_account(self, request: Request, body: UserServiceAccountSerializer) -> Response:
        """Create a new user account that is marked as a service account"""
-        data = UserServiceAccountSerializer(data=request.data)
-        data.is_valid(raise_exception=True)
-        expires = data.validated_data.get("expires", now() + timedelta(days=360))
+        expires = body.validated_data.get("expires", now() + timedelta(days=360))

-        username = data.validated_data["name"]
-        expiring = data.validated_data["expiring"]
+        username = body.validated_data["name"]
+        expiring = body.validated_data["expiring"]
        with atomic():
            try:
                user: User = User.objects.create(
@@ -554,7 +562,7 @@ class UserViewSet(UsedByMixin, ModelViewSet):
                    "user_uid": user.uid,
                    "user_pk": user.pk,
                }
-                if data.validated_data["create_group"] and self.request.user.has_perm(
+                if body.validated_data["create_group"] and self.request.user.has_perm(
                    "authentik_core.add_group"
                ):
                    group = Group.objects.create(name=username)
@@ -625,13 +633,12 @@ class UserViewSet(UsedByMixin, ModelViewSet):
        },
    )
    @action(detail=True, methods=["POST"], permission_classes=[])
-    def set_password(self, request: Request, pk: int) -> Response:
+    @validate(UserPasswordSetSerializer)
+    def set_password(self, request: Request, pk: int, body: UserPasswordSetSerializer) -> Response:
        """Set password for user"""
-        data = UserPasswordSetSerializer(data=request.data)
-        data.is_valid(raise_exception=True)
        user: User = self.get_object()
        try:
-            user.set_password(data.validated_data["password"], request=request)
+            user.set_password(body.validated_data["password"], request=request)
            user.save()
        except (ValidationError, IntegrityError) as exc:
            LOGGER.debug("Failed to set password", exc=exc)
--- a/authentik/core/migrations/0052_source_promoted.py
+++ b/authentik/core/migrations/0052_source_promoted.py
@@ -0,0 +1,21 @@
+# Generated by Django 5.2.8 on 2025-11-23 14:21
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0051_group_authentik_c_is_supe_1e5a97_idx"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="source",
+            name="promoted",
+            field=models.BooleanField(
+                default=False,
+                help_text="When enabled, this source will be displayed as a prominent button on the login page, instead of a small icon.",
+            ),
+        ),
+    ]
--- a/authentik/core/migrations/0053_alter_application_slug_alter_source_slug.py
+++ b/authentik/core/migrations/0053_alter_application_slug_alter_source_slug.py
@@ -0,0 +1,45 @@
+# Generated by Django 5.2.8 on 2025-11-25 16:36
+
+import django.core.validators
+import re
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentik_core", "0052_source_promoted"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="application",
+            name="slug",
+            field=models.TextField(
+                help_text="Internal application name, used in URLs.",
+                unique=True,
+                validators=[
+                    django.core.validators.RegexValidator(
+                        re.compile("^[-a-zA-Z0-9_]+\\Z"),
+                        "Enter a valid “slug” consisting of letters, numbers, underscores or hyphens.",
+                        "invalid",
+                    )
+                ],
+            ),
+        ),
+        migrations.AlterField(
+            model_name="source",
+            name="slug",
+            field=models.TextField(
+                help_text="Internal source name, used in URLs.",
+                unique=True,
+                validators=[
+                    django.core.validators.RegexValidator(
+                        re.compile("^[-a-zA-Z0-9_]+\\Z"),
+                        "Enter a valid “slug” consisting of letters, numbers, underscores or hyphens.",
+                        "invalid",
+                    )
+                ],
+            ),
+        ),
+    ]
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -11,11 +11,12 @@ from django.contrib.auth.hashers import check_password
 from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.models import UserManager as DjangoUserManager
 from django.contrib.sessions.base_session import AbstractBaseSession
+from django.core.validators import validate_slug
 from django.db import models
 from django.db.models import Q, QuerySet, options
 from django.db.models.constants import LOOKUP_SEP
 from django.http import HttpRequest
-from django.utils.functional import SimpleLazyObject, cached_property
+from django.utils.functional import cached_property
 from django.utils.timezone import now
 from django.utils.translation import gettext_lazy as _
 from django_cte import CTE, with_cte
@@ -44,18 +45,19 @@ from authentik.tenants.models import DEFAULT_TOKEN_DURATION, DEFAULT_TOKEN_LENGT
 from authentik.tenants.utils import get_current_tenant, get_unique_identifier

 LOGGER = get_logger()
-USER_ATTRIBUTE_DEBUG = "goauthentik.io/user/debug"
-USER_ATTRIBUTE_GENERATED = "goauthentik.io/user/generated"
-USER_ATTRIBUTE_EXPIRES = "goauthentik.io/user/expires"
-USER_ATTRIBUTE_DELETE_ON_LOGOUT = "goauthentik.io/user/delete-on-logout"
-USER_ATTRIBUTE_SOURCES = "goauthentik.io/user/sources"
-USER_ATTRIBUTE_TOKEN_EXPIRING = "goauthentik.io/user/token-expires"  # nosec
-USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME = "goauthentik.io/user/token-maximum-lifetime"  # nosec
-USER_ATTRIBUTE_CHANGE_USERNAME = "goauthentik.io/user/can-change-username"
-USER_ATTRIBUTE_CHANGE_NAME = "goauthentik.io/user/can-change-name"
-USER_ATTRIBUTE_CHANGE_EMAIL = "goauthentik.io/user/can-change-email"
 USER_PATH_SYSTEM_PREFIX = "goauthentik.io"
-USER_PATH_SERVICE_ACCOUNT = USER_PATH_SYSTEM_PREFIX + "/service-accounts"
+_USER_ATTR_PREFIX = f"{USER_PATH_SYSTEM_PREFIX}/user"
+USER_ATTRIBUTE_DEBUG = f"{_USER_ATTR_PREFIX}/debug"
+USER_ATTRIBUTE_GENERATED = f"{_USER_ATTR_PREFIX}/generated"
+USER_ATTRIBUTE_EXPIRES = f"{_USER_ATTR_PREFIX}/expires"
+USER_ATTRIBUTE_DELETE_ON_LOGOUT = f"{_USER_ATTR_PREFIX}/delete-on-logout"
+USER_ATTRIBUTE_SOURCES = f"{_USER_ATTR_PREFIX}/sources"
+USER_ATTRIBUTE_TOKEN_EXPIRING = f"{_USER_ATTR_PREFIX}/token-expires"  # nosec
+USER_ATTRIBUTE_TOKEN_MAXIMUM_LIFETIME = f"{_USER_ATTR_PREFIX}/token-maximum-lifetime"  # nosec
+USER_ATTRIBUTE_CHANGE_USERNAME = f"{_USER_ATTR_PREFIX}/can-change-username"
+USER_ATTRIBUTE_CHANGE_NAME = f"{_USER_ATTR_PREFIX}/can-change-name"
+USER_ATTRIBUTE_CHANGE_EMAIL = f"{_USER_ATTR_PREFIX}/can-change-email"
+USER_PATH_SERVICE_ACCOUNT = f"{USER_PATH_SYSTEM_PREFIX}/service-accounts"

 options.DEFAULT_NAMES = options.DEFAULT_NAMES + (
    # used_by API that allows models to specify if they shadow an object
@@ -533,7 +535,11 @@ class Application(SerializerModel, PolicyBindingModel):
    add custom fields and other properties"""

    name = models.TextField(help_text=_("Application's display Name."))
-    slug = models.SlugField(help_text=_("Internal application name, used in URLs."), unique=True)
+    slug = models.TextField(
+        validators=[validate_slug],
+        help_text=_("Internal application name, used in URLs."),
+        unique=True,
+    )
    group = models.TextField(blank=True, default="")

    provider = models.OneToOneField(
@@ -585,18 +591,16 @@ class Application(SerializerModel, PolicyBindingModel):

    def get_launch_url(self, user: Optional["User"] = None) -> str | None:
        """Get launch URL if set, otherwise attempt to get launch URL based on provider."""
+        from authentik.core.api.users import UserSerializer
+
        url = None
        if self.meta_launch_url:
            url = self.meta_launch_url
        elif provider := self.get_provider():
            url = provider.launch_url
        if user and url:
-            if isinstance(user, SimpleLazyObject):
-                user._setup()
-                user = user._wrapped
            try:
-                return url % user.__dict__
-
+                return url % UserSerializer(instance=user).data
            except Exception as exc:  # noqa
                LOGGER.warning("Failed to format launch url", exc=exc)
                return url
@@ -721,11 +725,22 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
    MANAGED_INBUILT = "goauthentik.io/sources/inbuilt"

    name = models.TextField(help_text=_("Source's display Name."))
-    slug = models.SlugField(help_text=_("Internal source name, used in URLs."), unique=True)
+    slug = models.TextField(
+        validators=[validate_slug],
+        help_text=_("Internal source name, used in URLs."),
+        unique=True,
+    )

    user_path_template = models.TextField(default="goauthentik.io/sources/%(slug)s")

    enabled = models.BooleanField(default=True)
+    promoted = models.BooleanField(
+        default=False,
+        help_text=_(
+            "When enabled, this source will be displayed as a prominent button on the "
+            "login page, instead of a small icon."
+        ),
+    )
    user_property_mappings = models.ManyToManyField(
        "PropertyMapping", default=None, blank=True, related_name="source_userpropertymappings_set"
    )
@@ -930,7 +945,7 @@ class ExpiringModel(models.Model):
        return self.delete(*args, **kwargs)

    @classmethod
-    def filter_not_expired(cls, **kwargs) -> QuerySet["Token"]:
+    def filter_not_expired(cls, **kwargs) -> QuerySet["Self"]:
        """Filer for tokens which are not expired yet or are not expiring,
        and match filters in `kwargs`"""
        for obj in cls.objects.filter(**kwargs).filter(Q(expires__lt=now(), expiring=True)):
--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@@ -1,11 +1,13 @@
 {% load i18n %}
 {% get_current_language as LANGUAGE_CODE %}

-<script>
+<script data-id="authentik-config">
+    "use strict";
+
    window.authentik = {
        locale: "{{ LANGUAGE_CODE }}",
-        config: JSON.parse('{{ config_json|escapejs }}'),
-        brand: JSON.parse('{{ brand_json|escapejs }}'),
+        config: JSON.parse('{{ config_json|escapejs }}' || "{}"),
+        brand: JSON.parse('{{ brand_json|escapejs }}' || "{}"),
        versionFamily: "{{ version_family }}",
        versionSubdomain: "{{ version_subdomain }}",
        build: "{{ build }}",
--- a/authentik/core/templates/base/placeholder.html
+++ b/authentik/core/templates/base/placeholder.html
@@ -0,0 +1,13 @@
+{% load i18n %}
+
+<div class="ak-c-placeholder" id="ak-placeholder" slot="placeholder">
+    <span
+        class="pf-c-spinner"
+        role="progressbar"
+        aria-valuetext="Loading..."
+        >
+        <span class="pf-c-spinner__clipper"></span>
+        <span class="pf-c-spinner__lead-ball"></span>
+        <span class="pf-c-spinner__tail-ball"></span>
+    </span>
+</div>
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@@ -1,10 +1,14 @@
 {% load static %}
 {% load i18n %}
 {% load authentik_core %}
+{% get_current_language as LANGUAGE_CODE %}

 <!DOCTYPE html>
-
-<html>
+<html
+    lang="{{ LANGUAGE_CODE }}"
+    data-theme="{% if ui_theme == "dark" %}dark{% else %}light{% endif %}"
+    data-theme-choice="{% if ui_theme == "dark" %}dark{% elif ui_theme == "light" %}light{% else %}auto{% endif %}"
+>
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
@@ -13,16 +17,14 @@
        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
        <link rel="icon" href="{{ brand.branding_favicon_url }}">
        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
+
        {% block head_before %}
        {% endblock %}

        {% include "base/theme.html" %}

-        <link rel="stylesheet" type="text/css" href="{% static 'dist/authentik.css' %}">
-
-        <style>{{ brand_css }}</style>
+        <style data-id="brand-css">{{ brand_css }}</style>
        <script src="{% versioned_script 'dist/poly-%v.js' %}" type="module"></script>
-        <script src="{% versioned_script 'dist/standalone/loading/index-%v.js' %}" type="module"></script>
        {% block head %}
        {% endblock %}
        {% for key, value in html_meta.items %}
--- a/authentik/core/templates/base/theme.html
+++ b/authentik/core/templates/base/theme.html
@@ -1,10 +1,45 @@
+{% load static %}
+{% load authentik_core %}
+
+<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/interface-%v.css' %}" />
+
 {% if ui_theme == "dark" %}
  <meta name="color-scheme" content="dark" />
  <meta name="theme-color" content="#18191a">
-{% elif ui_theme == "light" %}
+
+  {% elif ui_theme == "light" %}
  <meta name="color-scheme" content="light" />
  <meta name="theme-color" content="#ffffff">
 {% else %}
+  <script data-id="theme-script">
+    "use strict";
+
+    (function () {
+        try {
+            const initialThemeChoice =
+                new URLSearchParams(window.location.search).get("theme") ||
+                window.localStorage?.getItem("theme");
+
+            const themeChoice =
+                initialThemeChoice || document.documentElement.dataset.themeChoice || "auto";
+
+            document.documentElement.dataset.themeChoice = themeChoice;
+
+            if (themeChoice === "auto") {
+                document.documentElement.dataset.theme = window.matchMedia(
+                    "(prefers-color-scheme: dark)",
+                ).matches
+                    ? "dark"
+                    : "light";
+            } else {
+                document.documentElement.dataset.theme = themeChoice;
+            }
+        } catch (e) {
+            console.error("Failed to apply theme", e);
+        }
+    })();
+  </script>
+
  <meta name="color-scheme" content="light dark" />
  <meta name="theme-color" content="#ffffff" media="(prefers-color-scheme: light)">
  <meta name="theme-color" content="#18191a" media="(prefers-color-scheme: dark)">
--- a/authentik/core/templates/if/admin.html
+++ b/authentik/core/templates/if/admin.html
@@ -11,6 +11,6 @@
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container alignment="bottom"></ak-message-container>
 <ak-interface-admin>
-    <ak-loading></ak-loading>
+    {% include "base/placeholder.html" %}
 </ak-interface-admin>
 {% endblock %}
--- a/authentik/core/templates/if/error.html
+++ b/authentik/core/templates/if/error.html
@@ -12,10 +12,13 @@
 {% endblock %}

 {% block card %}
-<form method="POST" class="pf-c-form">
+<div class="pf-c-form">
    <p>{% trans message %}</p>
-    <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary">
-        {% trans 'Go home' %}
-    </a>
-</form>
+
+    <div class="pf-c-form__group">
+        <a id="ak-back-home" href="{% url 'authentik_core:root-redirect' %}" class="pf-c-button pf-m-primary pf-m-block">
+            {% trans 'Go home' %}
+        </a>
+    </div>
+</div>
 {% endblock %}
--- a/authentik/core/templates/if/user.html
+++ b/authentik/core/templates/if/user.html
@@ -11,6 +11,6 @@
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
 <ak-interface-user>
-    <ak-loading></ak-loading>
+    {% include "base/placeholder.html" %}
 </ak-interface-user>
 {% endblock %}
--- a/authentik/core/templates/login/base_full.html
+++ b/authentik/core/templates/login/base_full.html
@@ -2,82 +2,66 @@

 {% load static %}
 {% load i18n %}
+{% load authentik_core %}

 {% block head_before %}
 <link rel="prefetch" href="{{ request.brand.branding_default_flow_background_url }}" />
-<link rel="stylesheet" type="text/css" href="{% static 'dist/patternfly.min.css' %}">
-<link rel="stylesheet" type="text/css" href="{% static 'dist/theme-dark.css' %}" media="(prefers-color-scheme: dark)">
 {% include "base/header_js.html" %}
 {% endblock %}

 {% block head %}
-<style>
-:root {
-    --ak-flow-background: url("{{ request.brand.branding_default_flow_background_url }}");
-    --pf-c-background-image--BackgroundImage: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--sm-2x: var(--ak-flow-background);
-    --pf-c-background-image--BackgroundImage--lg: var(--ak-flow-background);
-}
-/* Form with user */
-.form-control-static {
-    margin-top: var(--pf-global--spacer--sm);
-    display: flex;
-    align-items: center;
-    justify-content: space-between;
-}
-.form-control-static .avatar {
-    display: flex;
-    align-items: center;
-}
-.form-control-static img {
-    margin-right: var(--pf-global--spacer--xs);
-}
-.form-control-static a {
-    padding-top: var(--pf-global--spacer--xs);
-    padding-bottom: var(--pf-global--spacer--xs);
-    line-height: var(--pf-global--spacer--xl);
-}
+<style data-id="static-styles">
+    :root {
+        --ak-global--background-image: url("{{ request.brand.branding_default_flow_background_url }}");
+    }
 </style>
+
+<link rel="stylesheet" type="text/css" href="{% versioned_script 'dist/styles/static-%v.css' %}" />
 {% endblock %}

 {% block body %}
-<div class="pf-c-background-image">
-</div>
 <ak-skip-to-content></ak-skip-to-content>
 <ak-message-container></ak-message-container>
-<div class="pf-c-login stacked">
-    <div class="ak-login-container">
-        <main class="pf-c-login__main">
-            <div class="pf-c-login__main-header pf-c-brand ak-brand">
-                <img src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
+
+<div class="pf-c-page__drawer">
+    <div class="pf-c-drawer pf-m-collapsed">
+        <div class="pf-c-drawer__main">
+            <div class="pf-c-drawer__content">
+                <div class="pf-c-drawer__body">
+                    <div class="pf-c-login" data-layout="stacked">
+                        <main class="pf-c-login__main" aria-label="Authentication form">
+                            <div class="pf-c-login__main-header pf-c-brand">
+                                <img class="branding-logo" src="{{ brand.branding_logo_url }}" alt="authentik Logo" />
+                            </div>
+                            <div class="pf-c-login__main-header">
+                                <h1 class="pf-c-title pf-m-3xl" data-test-id="card-title">
+                                    {% block card_title %}
+                                    {% endblock %}
+                                </h1>
+                            </div>
+                            <div class="pf-c-login__main-body">
+                                {% block card %}
+                                {% endblock %}
+                            </div>
+                        </main>
+                        <footer aria-label="Site footer" class="pf-c-login__footer pf-m-dark">
+                            <ul class="pf-c-list pf-m-inline">
+                                {% for link in footer_links %}
+                                <li>
+                                    <a href="{{ link.href }}">{{ link.name }}</a>
+                                </li>
+                                {% endfor %}
+                                <li>
+                                    <span>
+                                        {% trans 'Powered by authentik' %}
+                                    </span>
+                                </li>
+                            </ul>
+                        </footer>
+                    </div>
+                </div>
            </div>
-            <header class="pf-c-login__main-header">
-                <h1 class="pf-c-title pf-m-3xl">
-                    {% block card_title %}
-                    {% endblock %}
-                </h1>
-            </header>
-            <div class="pf-c-login__main-body">
-                {% block card %}
-                {% endblock %}
-            </div>
-        </main>
-        <footer class="pf-c-login__footer">
-            <ul class="pf-c-list pf-m-inline">
-                {% for link in footer_links %}
-                <li>
-                    <a href="{{ link.href }}">{{ link.name }}</a>
-                </li>
-                {% endfor %}
-                <li>
-                    <span>
-                        {% trans 'Powered by authentik' %}
-                    </span>
-                </li>
-            </ul>
-        </footer>
+        </div>
    </div>
 </div>
 {% endblock %}
--- a/authentik/core/tests/test_applications_views.py
+++ b/authentik/core/tests/test_applications_views.py
@@ -8,6 +8,8 @@ from authentik.brands.models import Brand
 from authentik.core.models import Application
 from authentik.core.tests.utils import create_test_admin_user, create_test_brand, create_test_flow
 from authentik.flows.tests import FlowTestCase
+from authentik.lib.generators import generate_id
+from authentik.providers.oauth2.models import OAuth2Provider


 class TestApplicationsViews(FlowTestCase):
@@ -15,7 +17,7 @@ class TestApplicationsViews(FlowTestCase):

    def setUp(self) -> None:
        self.user = create_test_admin_user()
-        self.allowed = Application.objects.create(
+        self.app = Application.objects.create(
            name="allowed", slug="allowed", meta_launch_url="https://goauthentik.io/%(username)s"
        )

@@ -28,7 +30,7 @@ class TestApplicationsViews(FlowTestCase):
        response = self.client.get(
            reverse(
                "authentik_core:application-launch",
-                kwargs={"application_slug": self.allowed.slug},
+                kwargs={"application_slug": self.app.slug},
            ),
            follow=True,
        )
@@ -52,8 +54,63 @@ class TestApplicationsViews(FlowTestCase):
        response = self.client.get(
            reverse(
                "authentik_core:application-launch",
-                kwargs={"application_slug": self.allowed.slug},
+                kwargs={"application_slug": self.app.slug},
            ),
        )
        self.assertEqual(response.status_code, 302)
        self.assertEqual(response.url, f"https://goauthentik.io/{self.user.username}")
+
+    def test_redirect_application_auth_flow(self):
+        """Test launching an application with a provider and an authentication flow set"""
+        self.client.logout()
+        auth_flow = create_test_flow()
+        prov = OAuth2Provider.objects.create(
+            name=generate_id(),
+            authentication_flow=auth_flow,
+        )
+        self.app.provider = prov
+        self.app.save()
+        with self.assertFlowFinishes() as plan:
+            response = self.client.get(
+                reverse(
+                    "authentik_core:application-launch",
+                    kwargs={"application_slug": self.app.slug},
+                ),
+            )
+            self.assertEqual(response.status_code, 302)
+            self.assertEqual(
+                response.url,
+                reverse("authentik_core:if-flow", kwargs={"flow_slug": auth_flow.slug}),
+            )
+        plan = plan()
+        self.assertEqual(len(plan.bindings), 1)
+        self.assertTrue(plan.bindings[0].stage.is_in_memory)
+
+    def test_redirect_application_no_auth(self):
+        """Test launching an application with a provider and an authentication flow set"""
+        self.client.logout()
+        empty_flow = create_test_flow()
+        brand: Brand = create_test_brand()
+        brand.flow_authentication = empty_flow
+        brand.save()
+
+        prov = OAuth2Provider.objects.create(
+            name=generate_id(),
+        )
+        self.app.provider = prov
+        self.app.save()
+        with self.assertFlowFinishes() as plan:
+            response = self.client.get(
+                reverse(
+                    "authentik_core:application-launch",
+                    kwargs={"application_slug": self.app.slug},
+                ),
+            )
+            self.assertEqual(response.status_code, 302)
+            self.assertEqual(
+                response.url,
+                reverse("authentik_core:if-flow", kwargs={"flow_slug": empty_flow.slug}),
+            )
+        plan = plan()
+        self.assertEqual(len(plan.bindings), 1)
+        self.assertTrue(plan.bindings[0].stage.is_in_memory)
--- a/authentik/core/tests/test_source_flow_manager.py
+++ b/authentik/core/tests/test_source_flow_manager.py
@@ -8,11 +8,10 @@ from guardian.utils import get_anonymous_user
 from authentik.core.models import SourceUserMatchingModes, User
 from authentik.core.sources.flow_manager import Action
 from authentik.core.sources.stage import PostSourceStage
-from authentik.core.tests.utils import create_test_flow
+from authentik.core.tests.utils import RequestFactory, create_test_flow
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
 from authentik.lib.generators import generate_id
-from authentik.lib.tests.utils import get_request
 from authentik.policies.denied import AccessDeniedResponse
 from authentik.policies.expression.models import ExpressionPolicy
 from authentik.policies.models import PolicyBinding
@@ -34,10 +33,11 @@ class TestSourceFlowManager(TestCase):
            enrollment_flow=self.enrollment_flow,
        )
        self.identifier = generate_id()
+        self.request_factory = RequestFactory()

    def test_unauthenticated_enroll(self):
        """Test un-authenticated user enrolling"""
-        request = get_request("/", user=AnonymousUser())
+        request = self.request_factory.get("/", user=AnonymousUser())
        flow_manager = OAuthSourceFlowManager(
            self.source, request, self.identifier, {"info": {}}, {}
        )
@@ -53,7 +53,7 @@ class TestSourceFlowManager(TestCase):
        UserOAuthSourceConnection.objects.create(
            user=get_anonymous_user(), source=self.source, identifier=self.identifier
        )
-        request = get_request("/", user=AnonymousUser())
+        request = self.request_factory.get("/", user=AnonymousUser())
        flow_manager = OAuthSourceFlowManager(
            self.source, request, self.identifier, {"info": {}}, {}
        )
@@ -67,7 +67,7 @@ class TestSourceFlowManager(TestCase):
    def test_authenticated_link(self):
        """Test authenticated user linking"""
        user = User.objects.create(username="foo", email="foo@bar.baz")
-        request = get_request("/", user=user)
+        request = self.request_factory.get("/", user=user)
        flow_manager = OAuthSourceFlowManager(
            self.source, request, self.identifier, {"info": {}}, {}
        )
@@ -87,7 +87,7 @@ class TestSourceFlowManager(TestCase):
        UserOAuthSourceConnection.objects.create(
            user=user, source=self.source, identifier=self.identifier
        )
-        request = get_request("/", user=user)
+        request = self.request_factory.get("/", user=user)
        flow_manager = OAuthSourceFlowManager(
            self.source, request, self.identifier, {"info": {}}, {}
        )
@@ -100,7 +100,11 @@ class TestSourceFlowManager(TestCase):
    def test_unauthenticated_link(self):
        """Test un-authenticated user linking"""
        flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/"), self.identifier, {"info": {}}, {}
+            self.source,
+            self.request_factory.get("/", user=get_anonymous_user()),
+            self.identifier,
+            {"info": {}},
+            {},
        )
        action, connection = flow_manager.get_action()
        self.assertEqual(action, Action.LINK)
@@ -114,7 +118,11 @@ class TestSourceFlowManager(TestCase):

        # Without email, deny
        flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
+            self.source,
+            self.request_factory.get("/", user=AnonymousUser()),
+            self.identifier,
+            {"info": {}},
+            {},
        )
        action, _ = flow_manager.get_action()
        self.assertEqual(action, Action.DENY)
@@ -122,7 +130,7 @@ class TestSourceFlowManager(TestCase):
        # With email
        flow_manager = OAuthSourceFlowManager(
            self.source,
-            get_request("/", user=AnonymousUser()),
+            self.request_factory.get("/", user=AnonymousUser()),
            self.identifier,
            {
                "info": {
@@ -142,7 +150,11 @@ class TestSourceFlowManager(TestCase):

        # Without username, deny
        flow_manager = OAuthSourceFlowManager(
-            self.source, get_request("/", user=AnonymousUser()), self.identifier, {"info": {}}, {}
+            self.source,
+            self.request_factory.get("/", user=AnonymousUser()),
+            self.identifier,
+            {"info": {}},
+            {},
        )
        action, _ = flow_manager.get_action()
        self.assertEqual(action, Action.DENY)
@@ -150,7 +162,7 @@ class TestSourceFlowManager(TestCase):
        # With username
        flow_manager = OAuthSourceFlowManager(
            self.source,
-            get_request("/", user=AnonymousUser()),
+            self.request_factory.get("/", user=AnonymousUser()),
            self.identifier,
            {
                "info": {"username": "foo"},
@@ -169,7 +181,7 @@ class TestSourceFlowManager(TestCase):
        # With non-existent username, enroll
        flow_manager = OAuthSourceFlowManager(
            self.source,
-            get_request("/", user=AnonymousUser()),
+            self.request_factory.get("/", user=AnonymousUser()),
            self.identifier,
            {
                "info": {
@@ -184,7 +196,7 @@ class TestSourceFlowManager(TestCase):
        # With username
        flow_manager = OAuthSourceFlowManager(
            self.source,
-            get_request("/", user=AnonymousUser()),
+            self.request_factory.get("/", user=AnonymousUser()),
            self.identifier,
            {
                "info": {"username": "foo"},
@@ -201,7 +213,7 @@ class TestSourceFlowManager(TestCase):

        flow_manager = OAuthSourceFlowManager(
            self.source,
-            get_request("/", user=AnonymousUser()),
+            self.request_factory.get("/", user=AnonymousUser()),
            self.identifier,
            {
                "info": {"username": "foo"},
@@ -230,7 +242,7 @@ class TestSourceFlowManager(TestCase):

        flow_manager = OAuthSourceFlowManager(
            self.source,
-            get_request("/", user=AnonymousUser()),
+            self.request_factory.get("/", user=AnonymousUser()),
            self.identifier,
            {
                "info": {"username": "foo"},
--- a/authentik/core/tests/test_token_auth.py
+++ b/authentik/core/tests/test_token_auth.py
@@ -4,9 +4,9 @@ from django.test import TestCase

 from authentik.core.auth import TokenBackend
 from authentik.core.models import Token, TokenIntents, User
+from authentik.core.tests.utils import RequestFactory
 from authentik.flows.planner import FlowPlan
 from authentik.flows.views.executor import SESSION_KEY_PLAN
-from authentik.lib.tests.utils import get_request


 class TestTokenAuth(TestCase):
@@ -17,8 +17,9 @@ class TestTokenAuth(TestCase):
        self.token = Token.objects.create(
            expiring=False, user=self.user, intent=TokenIntents.INTENT_APP_PASSWORD
        )
+        self.request_factory = RequestFactory()
        # To test with session we need to create a request and pass it through all middlewares
-        self.request = get_request("/")
+        self.request = self.request_factory.get("/")
        self.request.session[SESSION_KEY_PLAN] = FlowPlan("test")

    def test_token_auth(self):
--- a/authentik/core/tests/utils.py
+++ b/authentik/core/tests/utils.py
@@ -1,5 +1,12 @@
 """Test Utils"""

+from typing import Any
+
+from django.contrib.auth.models import AnonymousUser
+from django.contrib.messages.middleware import MessageMiddleware
+from django.contrib.sessions.middleware import SessionMiddleware
+from django.http import HttpRequest
+from django.test import RequestFactory as BaseRequestFactory
 from django.utils.text import slugify

 from authentik.brands.models import Brand
@@ -60,3 +67,45 @@ def create_test_cert(alg=PrivateKeyAlg.RSA) -> CertificateKeyPair:
    )
    builder.common_name = generate_id()
    return builder.save()
+
+
+def dummy_get_response(request: HttpRequest):  # pragma: no cover
+    """Dummy get_response for SessionMiddleware"""
+    return None
+
+
+class RequestFactory(BaseRequestFactory):
+
+    def generic(
+        self,
+        method: str,
+        path: str,
+        data: Any = "",
+        content_type="application/octet-stream",
+        secure=False,
+        *,
+        headers=None,
+        query_params=None,
+        **extra,
+    ):
+        user = extra.pop("user", None)
+        request = super().generic(
+            method,
+            path,
+            data,
+            content_type,
+            secure,
+            headers=headers,
+            query_params=query_params,
+            **extra,
+        )
+        request.user = user if user else AnonymousUser()
+
+        middleware = SessionMiddleware(dummy_get_response)
+        middleware.process_request(request)
+        request.session.save()
+        middleware = MessageMiddleware(dummy_get_response)
+        middleware.process_request(request)
+        request.session.save()
+
+        return request
--- a/authentik/core/types.py
+++ b/authentik/core/types.py
@@ -21,6 +21,9 @@ class UILoginButton:
    # Icon URL, used as-is
    icon_url: str | None = None

+    # Whether this source should be displayed as a prominent button
+    promoted: bool = False
+

 class UserSettingSerializer(PassiveSerializer):
    """Serializer for User settings for stages and sources"""
--- a/authentik/core/views/apps.py
+++ b/authentik/core/views/apps.py
@@ -16,7 +16,6 @@ from authentik.flows.models import FlowDesignation, in_memory_stage
 from authentik.flows.planner import PLAN_CONTEXT_APPLICATION, FlowPlanner
 from authentik.flows.stage import ChallengeStageView
 from authentik.flows.views.executor import (
-    SESSION_KEY_APPLICATION_PRE,
    ToDefaultFlow,
 )
 from authentik.stages.consent.stage import (
@@ -37,10 +36,14 @@ class RedirectToAppLaunch(View):
        # Check if we're authenticated already, saves us the flow run
        if request.user.is_authenticated:
            return HttpResponseRedirect(app.get_launch_url(request.user))
-        self.request.session[SESSION_KEY_APPLICATION_PRE] = app
        # otherwise, do a custom flow plan that includes the application that's
        # being accessed, to improve usability
-        flow = ToDefaultFlow(request=request, designation=FlowDesignation.AUTHENTICATION).get_flow()
+        if app and app.provider and app.provider.authentication_flow:
+            flow = app.provider.authentication_flow
+        else:
+            flow = ToDefaultFlow.get_flow(
+                request=request, designation=FlowDesignation.AUTHENTICATION
+            )
        planner = FlowPlanner(flow)
        planner.allow_empty_flows = True
        try:
@@ -55,6 +58,8 @@ class RedirectToAppLaunch(View):
            )
        except FlowNonApplicableException:
            raise Http404 from None
+        # We redirect with an in_memory stage instead of `?next=...` as the launch URL
+        # might be formatted with the user, which hasn't logged in yet
        plan.append_stage(in_memory_stage(RedirectToAppStage))
        return plan.to_redirect(request, flow)

--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@@ -8,7 +8,6 @@ from django.http.response import HttpResponse
 from django.shortcuts import redirect
 from django.utils.translation import gettext as _
 from django.views.generic.base import RedirectView, TemplateView
-from rest_framework.request import Request

 from authentik import authentik_build_hash
 from authentik.admin.tasks import LOCAL_VERSION
@@ -47,7 +46,7 @@ class InterfaceView(TemplateView):

    def get_context_data(self, **kwargs: Any) -> dict[str, Any]:
        brand = CurrentBrandSerializer(self.request.brand)
-        kwargs["config_json"] = dumps(ConfigView(request=Request(self.request)).get_config().data)
+        kwargs["config_json"] = dumps(ConfigView.get_config(self.request).data)
        kwargs["ui_theme"] = brand.data["ui_theme"]
        kwargs["brand_json"] = dumps(brand.data)
        kwargs["version_family"] = f"{LOCAL_VERSION.major}.{LOCAL_VERSION.minor}"
--- a/authentik/crypto/api.py
+++ b/authentik/crypto/api.py
@@ -9,9 +9,14 @@ from django.http.response import HttpResponse
 from django.urls import reverse
 from django.utils.translation import gettext_lazy as _
 from django_filters import FilterSet
-from django_filters.filters import BooleanFilter
+from django_filters.filters import BooleanFilter, MultipleChoiceFilter
 from drf_spectacular.types import OpenApiTypes
-from drf_spectacular.utils import OpenApiParameter, OpenApiResponse, extend_schema
+from drf_spectacular.utils import (
+    OpenApiParameter,
+    OpenApiResponse,
+    extend_schema,
+    extend_schema_field,
+)
 from rest_framework.decorators import action
 from rest_framework.exceptions import ValidationError
 from rest_framework.fields import (
@@ -28,12 +33,13 @@ from rest_framework.validators import UniqueValidator
 from rest_framework.viewsets import ModelViewSet
 from structlog.stdlib import get_logger

+from authentik.api.validation import validate
 from authentik.core.api.used_by import UsedByMixin
 from authentik.core.api.utils import ModelSerializer, PassiveSerializer
 from authentik.core.models import UserTypes
 from authentik.crypto.apps import MANAGED_KEY
 from authentik.crypto.builder import CertificateBuilder, PrivateKeyAlg
-from authentik.crypto.models import CertificateKeyPair
+from authentik.crypto.models import CertificateKeyPair, KeyType
 from authentik.events.models import Event, EventAction
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.filters import ObjectFilter, SecretKeyFilter
@@ -50,7 +56,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
    cert_expiry = SerializerMethodField()
    cert_subject = SerializerMethodField()
    private_key_available = SerializerMethodField()
-    private_key_type = SerializerMethodField()
+    key_type = SerializerMethodField()

    certificate_download_url = SerializerMethodField()
    private_key_download_url = SerializerMethodField()
@@ -90,14 +96,12 @@ class CertificateKeyPairSerializer(ModelSerializer):
        """Show if this keypair has a private key configured or not"""
        return instance.key_data != "" and instance.key_data is not None

-    def get_private_key_type(self, instance: CertificateKeyPair) -> str | None:
-        """Get the private key's type, if set"""
+    @extend_schema_field(ChoiceField(choices=KeyType.choices, allow_null=True))
+    def get_key_type(self, instance: CertificateKeyPair) -> str | None:
+        """Get the key algorithm type from the certificate's public key"""
        if not self._should_include_details:
            return None
-        key = instance.private_key
-        if key:
-            return key.__class__.__name__.replace("_", "").lower().replace("privatekey", "")
-        return None
+        return instance.key_type

    def get_certificate_download_url(self, instance: CertificateKeyPair) -> str:
        """Get URL to download certificate"""
@@ -161,7 +165,7 @@ class CertificateKeyPairSerializer(ModelSerializer):
            "cert_expiry",
            "cert_subject",
            "private_key_available",
-            "private_key_type",
+            "key_type",
            "certificate_download_url",
            "private_key_download_url",
            "managed",
@@ -198,12 +202,31 @@ class CertificateKeyPairFilter(FilterSet):
        label="Only return certificate-key pairs with keys", method="filter_has_key"
    )

+    key_type = MultipleChoiceFilter(
+        choices=KeyType.choices,
+        label="Filter by key algorithm type",
+        method="filter_key_type",
+    )
+
    def filter_has_key(self, queryset, name, value):  # pragma: no cover
        """Only return certificate-key pairs with keys"""
        if not value:
            return queryset
        return queryset.exclude(key_data__exact="")

+    def filter_key_type(self, queryset, name, value):  # pragma: no cover
+        """Filter certificates by key type using the public key from the certificate"""
+        if not value:
+            return queryset
+
+        # value is a list of KeyType enum values from MultipleChoiceFilter
+        filtered_pks = []
+        for cert in queryset:
+            if cert.key_type in value:
+                filtered_pks.append(cert.pk)
+
+        return queryset.filter(pk__in=filtered_pks)
+
    class Meta:
        model = CertificateKeyPair
        fields = ["name", "managed"]
@@ -228,6 +251,17 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
                required=False,
                description="Only return certificate-key pairs with keys",
            ),
+            OpenApiParameter(
+                "key_type",
+                OpenApiTypes.STR,
+                required=False,
+                many=True,
+                enum=[choice[0] for choice in KeyType.choices],
+                description=(
+                    "Filter by key algorithm type (RSA, EC, DSA, etc). "
+                    "Can be specified multiple times (e.g. '?key_type=rsa&key_type=ec')"
+                ),
+            ),
            OpenApiParameter("include_details", bool, default=True),
        ]
    )
@@ -243,17 +277,16 @@ class CertificateKeyPairViewSet(UsedByMixin, ModelViewSet):
        },
    )
    @action(detail=False, methods=["POST"])
-    def generate(self, request: Request) -> Response:
+    @validate(CertificateGenerationSerializer)
+    def generate(self, request: Request, body: CertificateGenerationSerializer) -> Response:
        """Generate a new, self-signed certificate-key pair"""
-        data = CertificateGenerationSerializer(data=request.data)
-        data.is_valid(raise_exception=True)
-        raw_san = data.validated_data.get("subject_alt_name", "")
+        raw_san = body.validated_data.get("subject_alt_name", "")
        sans = raw_san.split(",") if raw_san != "" else []
-        builder = CertificateBuilder(data.validated_data["name"])
-        builder.alg = data.validated_data["alg"]
+        builder = CertificateBuilder(body.validated_data["name"])
+        builder.alg = body.validated_data["alg"]
        builder.build(
            subject_alt_names=sans,
-            validity_days=int(data.validated_data["validity_days"]),
+            validity_days=int(body.validated_data["validity_days"]),
        )
        instance = builder.save()
        serializer = self.get_serializer(instance)
--- a/authentik/crypto/apps.py
+++ b/authentik/crypto/apps.py
@@ -1,6 +1,6 @@
 """authentik crypto app config"""

-from datetime import UTC, datetime
+from dramatiq.broker import get_broker

 from authentik.blueprints.apps import ManagedAppConfig
 from authentik.lib.generators import generate_id
@@ -45,10 +45,7 @@ class AuthentikCryptoConfig(ManagedAppConfig):
        cert: CertificateKeyPair | None = CertificateKeyPair.objects.filter(
            managed=MANAGED_KEY
        ).first()
-        now = datetime.now(tz=UTC)
-        if not cert or (
-            now < cert.certificate.not_valid_after_utc or now > cert.certificate.not_valid_after_utc
-        ):
+        if not cert:
            self._create_update_cert()

    @ManagedAppConfig.reconcile_tenant
@@ -70,6 +67,12 @@ class AuthentikCryptoConfig(ManagedAppConfig):
            },
        )

+    @ManagedAppConfig.reconcile_global
+    def tasks_middlewares(self):
+        from authentik.crypto.tasks import CertificateWatcherMiddleware
+
+        get_broker().add_middleware(CertificateWatcherMiddleware())
+
    @property
    def tenant_schedule_specs(self) -> list[ScheduleSpec]:
        from authentik.crypto.tasks import certificate_discovery
--- a/authentik/crypto/models.py
+++ b/authentik/crypto/models.py
@@ -6,6 +6,11 @@ from uuid import uuid4

 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric.dsa import DSAPublicKey
+from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicKey
+from cryptography.hazmat.primitives.asymmetric.ed448 import Ed448PublicKey
+from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey
 from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes, PublicKeyTypes
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509 import Certificate, load_pem_x509_certificate
@@ -20,6 +25,16 @@ from authentik.lib.models import CreatedUpdatedModel, SerializerModel
 LOGGER = get_logger()


+class KeyType(models.TextChoices):
+    """Cryptographic key algorithm types"""
+
+    RSA = "rsa", _("RSA")
+    EC = "ec", _("Elliptic Curve")
+    DSA = "dsa", _("DSA")
+    ED25519 = "ed25519", _("Ed25519")
+    ED448 = "ed448", _("Ed448")
+
+
 def fingerprint_sha256(cert: Certificate) -> str:
    """Get SHA256 Fingerprint of certificate"""
    return hexlify(cert.fingerprint(hashes.SHA256()), ":").decode("utf-8")
@@ -103,6 +118,22 @@ class CertificateKeyPair(SerializerModel, ManagedModel, CreatedUpdatedModel):
            else ""
        )  # nosec

+    @property
+    def key_type(self) -> str | None:
+        """Get the key algorithm type from the certificate's public key"""
+        public_key = self.certificate.public_key()
+        if isinstance(public_key, RSAPublicKey):
+            return KeyType.RSA
+        if isinstance(public_key, EllipticCurvePublicKey):
+            return KeyType.EC
+        if isinstance(public_key, DSAPublicKey):
+            return KeyType.DSA
+        if isinstance(public_key, Ed25519PublicKey):
+            return KeyType.ED25519
+        if isinstance(public_key, Ed448PublicKey):
+            return KeyType.ED448
+        return None
+
    def __str__(self) -> str:
        return f"Certificate-Key Pair {self.name}"

--- a/authentik/crypto/tasks.py
+++ b/authentik/crypto/tasks.py
@@ -2,17 +2,29 @@

 from glob import glob
 from pathlib import Path
+from sys import platform

 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.serialization import load_pem_private_key
 from cryptography.x509.base import load_pem_x509_certificate
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from dramatiq.actor import actor
+from dramatiq.middleware import Middleware
 from structlog.stdlib import get_logger
+from watchdog.events import (
+    FileCreatedEvent,
+    FileModifiedEvent,
+    FileSystemEvent,
+    FileSystemEventHandler,
+)
+from watchdog.observers import Observer

 from authentik.crypto.models import CertificateKeyPair
 from authentik.lib.config import CONFIG
 from authentik.tasks.middleware import CurrentTask
+from authentik.tasks.schedules.models import Schedule
+from authentik.tenants.models import Tenant

 LOGGER = get_logger()

@@ -35,6 +47,65 @@ def ensure_certificate_valid(body: str):
    return body


+class CertificateWatcherMiddleware(Middleware):
+    """Middleware to start certificate file watcher"""
+
+    def start_certificate_watcher(self):
+        """Start certificate file watcher"""
+        observer = Observer()
+        kwargs = {}
+        if platform.startswith("linux"):
+            kwargs["event_filter"] = (FileCreatedEvent, FileModifiedEvent)
+        observer.schedule(
+            CertificateEventHandler(),
+            CONFIG.get("cert_discovery_dir"),
+            recursive=True,
+            **kwargs,
+        )
+        observer.start()
+
+    def after_worker_boot(self, broker, worker):
+        if not settings.TEST:
+            self.start_certificate_watcher()
+
+
+class CertificateEventHandler(FileSystemEventHandler):
+    """Event handler for certificate file events"""
+
+    # We only ever get creation and modification events.
+    # See the creation of the Observer instance above for the event filtering.
+
+    # Even though we filter to only get file events, we might still get
+    # directory events as some implementations such as inotify do not support
+    # filtering on file/directory.
+
+    def dispatch(self, event: FileSystemEvent) -> None:
+        """Call specific event handler method. Ignores directory changes."""
+        if event.is_directory:
+            return None
+        return super().dispatch(event)
+
+    def on_created(self, event: FileSystemEvent):
+        """Process certificate file creation"""
+        LOGGER.debug(
+            "Certificate file created, triggering discovery",
+            file=event.src_path,
+        )
+        for tenant in Tenant.objects.filter(ready=True):
+            with tenant:
+                Schedule.dispatch_by_actor(certificate_discovery)
+
+    def on_modified(self, event: FileSystemEvent):
+        """Process certificate file modification"""
+        LOGGER.debug(
+            "Certificate file modified, triggering discovery",
+            file=event.src_path,
+        )
+        for tenant in Tenant.objects.filter(ready=True):
+            with tenant:
+                Schedule.dispatch_by_actor(certificate_discovery)
+
+
@actor(description=_("Discover, import and update certificates from the filesystem."))
 def certificate_discovery():
    self = CurrentTask.get_task()
@@ -66,12 +137,35 @@ def certificate_discovery():
        except (OSError, ValueError) as exc:
            LOGGER.warning("Failed to open file or invalid format", exc=exc, file=path)
    for name, cert_data in certs.items():
+        # First, try to find by filename-based managed field
        cert = CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % name).first()
+
+        # If not found by filename and we have a private key, check for existing key match
+        if not cert and name in private_keys:
+            existing_with_key = (
+                CertificateKeyPair.objects.filter(
+                    managed__startswith="goauthentik.io/crypto/discovered/",
+                    key_data=private_keys[name],
+                )
+                .exclude(key_data="")
+                .first()
+            )
+            if existing_with_key:
+                cert = existing_with_key
+                # Update name and managed field to reflect the new filename
+                if cert.name != name:
+                    cert.name = name
+                    cert.managed = MANAGED_DISCOVERED % name
+                    cert.save()
+
+        # Create new certificate if not found
        if not cert:
            cert = CertificateKeyPair(
                name=name,
                managed=MANAGED_DISCOVERED % name,
            )
+
+        # Update certificate data if changed
        dirty = False
        if cert.certificate_data != cert_data:
            cert.certificate_data = cert_data
--- a/authentik/crypto/tests.py
+++ b/authentik/crypto/tests.py
@@ -2,6 +2,7 @@

 from json import loads
 from os import makedirs
+from pathlib import Path
 from tempfile import TemporaryDirectory

 from cryptography.x509.extensions import SubjectAlternativeName
@@ -319,6 +320,8 @@ class TestCrypto(APITestCase):

    def test_discovery(self):
        """Test certificate discovery"""
+        # This test generates 2 separate cert/key combinations
+        # and verifies they both import properly
        name = generate_id()
        builder = CertificateBuilder(name)
        with self.assertRaises(ValueError):
@@ -327,6 +330,15 @@ class TestCrypto(APITestCase):
            subject_alt_names=[],
            validity_days=3,
        )
+
+        name2 = generate_id()
+        builder2 = CertificateBuilder(name2)
+        with self.assertRaises(ValueError):
+            builder2.save()
+        builder2.build(
+            subject_alt_names=[],
+            validity_days=3,
+        )
        with TemporaryDirectory() as temp_dir:
            with open(f"{temp_dir}/foo.pem", "w+", encoding="utf-8") as _cert:
                _cert.write(builder.certificate)
@@ -334,9 +346,9 @@ class TestCrypto(APITestCase):
                _key.write(builder.private_key)
            makedirs(f"{temp_dir}/foo.bar", exist_ok=True)
            with open(f"{temp_dir}/foo.bar/fullchain.pem", "w+", encoding="utf-8") as _cert:
-                _cert.write(builder.certificate)
+                _cert.write(builder2.certificate)
            with open(f"{temp_dir}/foo.bar/privkey.pem", "w+", encoding="utf-8") as _key:
-                _key.write(builder.private_key)
+                _key.write(builder2.private_key)
            with CONFIG.patch("cert_discovery_dir", temp_dir):
                certificate_discovery.send()
        keypair: CertificateKeyPair = CertificateKeyPair.objects.filter(
@@ -348,3 +360,58 @@ class TestCrypto(APITestCase):
        self.assertTrue(
            CertificateKeyPair.objects.filter(managed=MANAGED_DISCOVERED % "foo.bar").exists()
        )
+
+    def test_discovery_updating_same_private_key(self):
+        """Test certificate discovery updating certs with matching private keys"""
+        name = generate_id()
+        builder = CertificateBuilder(name)
+        builder.build(
+            subject_alt_names=[],
+            validity_days=3,
+        )
+
+        with TemporaryDirectory() as temp_dir:
+            # First discovery: write cert as "original"
+            with open(f"{temp_dir}/original.pem", "w+", encoding="utf-8") as _cert:
+                _cert.write(builder.certificate)
+            with open(f"{temp_dir}/original.key", "w+", encoding="utf-8") as _key:
+                _key.write(builder.private_key)
+
+            with CONFIG.patch("cert_discovery_dir", temp_dir):
+                certificate_discovery.send()
+
+            # Verify "original" cert was created
+            original = CertificateKeyPair.objects.filter(
+                managed=MANAGED_DISCOVERED % "original"
+            ).first()
+            self.assertIsNotNone(original)
+            self.assertEqual(original.name, "original")
+            self.assertIsNotNone(original.private_key)
+
+            # Second discovery: write same cert/key as "renamed"
+            Path(f"{temp_dir}/original.pem").unlink()
+            Path(f"{temp_dir}/original.key").unlink()
+
+            with open(f"{temp_dir}/renamed.pem", "w+", encoding="utf-8") as _cert:
+                _cert.write(builder.certificate)
+            with open(f"{temp_dir}/renamed.key", "w+", encoding="utf-8") as _key:
+                _key.write(builder.private_key)
+
+            with CONFIG.patch("cert_discovery_dir", temp_dir):
+                certificate_discovery.send()
+
+            # Verify the cert was updated
+            renamed = CertificateKeyPair.objects.filter(
+                managed=MANAGED_DISCOVERED % "renamed"
+            ).first()
+            self.assertIsNotNone(renamed, "Renamed certificate should exist")
+            self.assertEqual(renamed.name, "renamed")
+            self.assertEqual(renamed.pk, original.pk, "Should be same database object")
+
+            # Verify no new cert was created
+            final_count = CertificateKeyPair.objects.filter(
+                managed__startswith="goauthentik.io/crypto/discovered/"
+            ).count()
+            self.assertEqual(
+                1, final_count, "Should not create duplicate cert for same private key"
+            )
--- a/authentik/endpoints/init.py
+++ b/authentik/endpoints/init.py
--- a/authentik/endpoints/api/init.py
+++ b/authentik/endpoints/api/init.py
--- a/authentik/endpoints/api/connectors.py
+++ b/authentik/endpoints/api/connectors.py
@@ -0,0 +1,51 @@
+from rest_framework import mixins
+from rest_framework.fields import SerializerMethodField
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.core.api.object_types import TypesMixin
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import MetaNameSerializer, ModelSerializer
+from authentik.endpoints.models import Connector
+
+
+class ConnectorSerializer(ModelSerializer, MetaNameSerializer):
+
+    component = SerializerMethodField()
+
+    def get_component(self, obj: Connector) -> str:  # pragma: no cover
+        """Get object component so that we know how to edit the object"""
+        if obj.__class__ == Connector:
+            return ""
+        return obj.component
+
+    class Meta:
+        model = Connector
+        fields = [
+            "connector_uuid",
+            "name",
+            "enabled",
+            "component",
+            "verbose_name",
+            "verbose_name_plural",
+            "meta_model_name",
+        ]
+
+
+class ConnectorViewSet(
+    TypesMixin,
+    mixins.RetrieveModelMixin,
+    mixins.DestroyModelMixin,
+    UsedByMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+    """Connector Viewset"""
+
+    queryset = Connector.objects.none()
+    serializer_class = ConnectorSerializer
+    search_fields = [
+        "name",
+    ]
+
+    def get_queryset(self):  # pragma: no cover
+        return Connector.objects.select_subclasses()
--- a/authentik/endpoints/api/device_access_group.py
+++ b/authentik/endpoints/api/device_access_group.py
@@ -0,0 +1,31 @@
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
+from authentik.endpoints.models import DeviceAccessGroup
+
+
+class DeviceAccessGroupSerializer(ModelSerializer):
+
+    class Meta:
+        model = DeviceAccessGroup
+        fields = [
+            "pbm_uuid",
+            "name",
+        ]
+
+
+class DeviceAccessGroupViewSet(UsedByMixin, ModelViewSet):
+    """DeviceAccessGroup Viewset"""
+
+    queryset = DeviceAccessGroup.objects.all()
+    serializer_class = DeviceAccessGroupSerializer
+    search_fields = [
+        "pbm_uuid",
+        "name",
+    ]
+    filterset_fields = [
+        "pbm_uuid",
+        "name",
+    ]
+    ordering = ["name"]
--- a/authentik/endpoints/api/device_connections.py
+++ b/authentik/endpoints/api/device_connections.py
@@ -0,0 +1,27 @@
+from rest_framework.fields import SerializerMethodField
+
+from authentik.core.api.utils import ModelSerializer
+from authentik.endpoints.api.connectors import ConnectorSerializer
+from authentik.endpoints.api.device_fact_snapshots import DeviceFactSnapshotSerializer
+from authentik.endpoints.models import DeviceConnection
+
+
+class DeviceConnectionSerializer(ModelSerializer):
+
+    connector_obj = ConnectorSerializer(source="connector", read_only=True)
+    latest_snapshot = SerializerMethodField(allow_null=True)
+
+    def get_latest_snapshot(self, instance: DeviceConnection) -> DeviceFactSnapshotSerializer:
+        snapshot = instance.devicefactsnapshot_set.order_by("-created").first()
+        if not snapshot:
+            return None
+        return DeviceFactSnapshotSerializer(snapshot).data
+
+    class Meta:
+        model = DeviceConnection
+        fields = [
+            "device",
+            "connector",
+            "connector_obj",
+            "latest_snapshot",
+        ]
--- a/authentik/endpoints/api/device_fact_snapshots.py
+++ b/authentik/endpoints/api/device_fact_snapshots.py
@@ -0,0 +1,21 @@
+from authentik.core.api.utils import ModelSerializer
+from authentik.endpoints.facts import DeviceFacts
+from authentik.endpoints.models import DeviceFactSnapshot
+
+
+class DeviceFactSnapshotSerializer(ModelSerializer):
+
+    data = DeviceFacts()
+
+    class Meta:
+        model = DeviceFactSnapshot
+        fields = [
+            "data",
+            "connection",
+            "created",
+            "expires",
+        ]
+        extra_kwargs = {
+            "created": {"read_only": True},
+            "expires": {"read_only": True},
+        }
--- a/authentik/endpoints/api/device_user_bindings.py
+++ b/authentik/endpoints/api/device_user_bindings.py
@@ -0,0 +1,27 @@
+from authentik.endpoints.api.connectors import ConnectorSerializer
+from authentik.endpoints.models import DeviceUserBinding
+from authentik.policies.api.bindings import PolicyBindingSerializer, PolicyBindingViewSet
+
+
+class DeviceUserBindingSerializer(PolicyBindingSerializer):
+
+    connector_obj = ConnectorSerializer(source="connector", read_only=True)
+
+    class Meta:
+        model = DeviceUserBinding
+        fields = PolicyBindingSerializer.Meta.fields + [
+            "is_primary",
+            "connector",
+            "connector_obj",
+        ]
+        extra_kwargs = {"connector": {"read_only": True}}
+
+
+class DeviceUserBindingViewSet(PolicyBindingViewSet):
+    """PolicyBinding Viewset"""
+
+    queryset = (
+        DeviceUserBinding.objects.all()
+        .select_related("target", "group", "user")
+        .prefetch_related("policy")
+    )  # prefetching policy so we resolve the subclass
--- a/authentik/endpoints/api/devices.py
+++ b/authentik/endpoints/api/devices.py
@@ -0,0 +1,78 @@
+from rest_framework import mixins
+from rest_framework.fields import SerializerMethodField
+from rest_framework.viewsets import GenericViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import ModelSerializer
+from authentik.endpoints.api.device_access_group import DeviceAccessGroupSerializer
+from authentik.endpoints.api.device_connections import DeviceConnectionSerializer
+from authentik.endpoints.api.device_fact_snapshots import DeviceFactSnapshotSerializer
+from authentik.endpoints.models import Device
+
+
+class EndpointDeviceSerializer(ModelSerializer):
+
+    access_group_obj = DeviceAccessGroupSerializer(source="access_group", required=False)
+
+    facts = SerializerMethodField()
+
+    def get_facts(self, instance: Device) -> DeviceFactSnapshotSerializer:
+        return DeviceFactSnapshotSerializer(instance.cached_facts).data
+
+    class Meta:
+        model = Device
+        fields = [
+            "device_uuid",
+            "pbm_uuid",
+            "name",
+            "access_group",
+            "access_group_obj",
+            "expiring",
+            "expires",
+            "facts",
+            "attributes",
+        ]
+
+
+class EndpointDeviceDetailsSerializer(EndpointDeviceSerializer):
+
+    connections_obj = DeviceConnectionSerializer(many=True, source="deviceconnection_set")
+
+    def get_facts(self, instance: Device) -> DeviceFactSnapshotSerializer:
+        return DeviceFactSnapshotSerializer(instance.facts).data
+
+    class Meta(EndpointDeviceSerializer.Meta):
+        fields = EndpointDeviceSerializer.Meta.fields + [
+            "connections_obj",
+            "policies",
+            "connections",
+        ]
+
+
+class DeviceViewSet(
+    UsedByMixin,
+    mixins.RetrieveModelMixin,
+    mixins.UpdateModelMixin,
+    mixins.DestroyModelMixin,
+    mixins.ListModelMixin,
+    GenericViewSet,
+):
+
+    queryset = Device.objects.all().select_related("access_group")
+    serializer_class = EndpointDeviceSerializer
+    search_fields = [
+        "name",
+        "identifier",
+    ]
+    ordering = ["identifier"]
+    filterset_fields = ["name", "identifier"]
+
+    def get_serializer_class(self):
+        if self.action == "retrieve":
+            return EndpointDeviceDetailsSerializer
+        return super().get_serializer_class()
+
+    def get_queryset(self):
+        if self.action == "retrieve":
+            return super().get_queryset().prefetch_related("connections")
+        return super().get_queryset()
--- a/authentik/endpoints/api/stages.py
+++ b/authentik/endpoints/api/stages.py
@@ -0,0 +1,32 @@
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.endpoints.api.connectors import ConnectorSerializer
+from authentik.endpoints.models import EndpointStage
+from authentik.enterprise.api import EnterpriseRequiredMixin
+from authentik.flows.api.stages import StageSerializer
+
+
+class EndpointStageSerializer(EnterpriseRequiredMixin, StageSerializer):
+    """EndpointStage Serializer"""
+
+    connector_obj = ConnectorSerializer(source="connector", read_only=True)
+
+    class Meta:
+        model = EndpointStage
+        fields = StageSerializer.Meta.fields + [
+            "connector",
+            "connector_obj",
+        ]
+
+
+class EndpointStageViewSet(UsedByMixin, ModelViewSet):
+    """EndpointStage Viewset"""
+
+    queryset = EndpointStage.objects.all()
+    serializer_class = EndpointStageSerializer
+    filterset_fields = [
+        "name",
+    ]
+    search_fields = ["name"]
+    ordering = ["name"]
--- a/authentik/endpoints/apps.py
+++ b/authentik/endpoints/apps.py
@@ -0,0 +1,12 @@
+"""authentik endpoints app config"""
+
+from authentik.blueprints.apps import ManagedAppConfig
+
+
+class AuthentikEndpointsConfig(ManagedAppConfig):
+    """authentik endpoints app config"""
+
+    name = "authentik.endpoints"
+    label = "authentik_endpoints"
+    verbose_name = "authentik Endpoints"
+    default = True
--- a/authentik/endpoints/connectors/init.py
+++ b/authentik/endpoints/connectors/init.py
--- a/authentik/endpoints/connectors/agent/init.py
+++ b/authentik/endpoints/connectors/agent/init.py
--- a/authentik/endpoints/connectors/agent/api/init.py
+++ b/authentik/endpoints/connectors/agent/api/init.py
--- a/authentik/endpoints/connectors/agent/api/agent.py
+++ b/authentik/endpoints/connectors/agent/api/agent.py
@@ -0,0 +1,66 @@
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    IntegerField,
+    SerializerMethodField,
+)
+
+from authentik.api.v3.config import ConfigSerializer, ConfigView
+from authentik.core.api.utils import PassiveSerializer
+from authentik.crypto.apps import MANAGED_KEY
+from authentik.crypto.models import CertificateKeyPair
+from authentik.endpoints.connectors.agent.models import AgentConnector
+from authentik.endpoints.models import Device
+from authentik.lib.utils.time import timedelta_from_string
+from authentik.providers.oauth2.views.jwks import JWKSView
+
+
+class AgentConfigSerializer(PassiveSerializer):
+
+    device_id = SerializerMethodField()
+    refresh_interval = SerializerMethodField()
+
+    authorization_flow = SerializerMethodField()
+    jwks = SerializerMethodField()
+
+    nss_uid_offset = IntegerField()
+    nss_gid_offset = IntegerField()
+    auth_terminate_session_on_expiry = BooleanField()
+
+    system_config = SerializerMethodField()
+
+    def get_device_id(self, instance: AgentConnector) -> str:
+        device: Device = self.context["device"]
+        return device.pk
+
+    def get_refresh_interval(self, instance: AgentConnector) -> int:
+        return int(timedelta_from_string(instance.refresh_interval).total_seconds())
+
+    def get_authorization_flow(self, instance: AgentConnector) -> str | None:
+        if not instance.authorization_flow:
+            return None
+        return instance.authorization_flow.slug
+
+    def get_jwks(self, instance: AgentConnector) -> dict:
+        kp = CertificateKeyPair.objects.filter(managed=MANAGED_KEY).first()
+        return {"keys": [JWKSView.get_jwk_for_key(kp, "sig")]}
+
+    def get_system_config(self, instance: AgentConnector) -> ConfigSerializer:
+        return ConfigView.get_config(self.context["request"]).data
+
+
+class EnrollSerializer(PassiveSerializer):
+
+    device_serial = CharField(required=True)
+    device_name = CharField(required=True)
+
+
+class AgentTokenResponseSerializer(PassiveSerializer):
+
+    token = CharField(required=True)
+    expires_in = IntegerField(required=0)
+
+
+class AgentAuthenticationResponse(PassiveSerializer):
+
+    url = CharField()
--- a/authentik/endpoints/connectors/agent/api/connectors.py
+++ b/authentik/endpoints/connectors/agent/api/connectors.py
@@ -0,0 +1,169 @@
+from typing import cast
+
+from django.utils.translation import gettext_lazy as _
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiResponse, extend_schema
+from rest_framework.decorators import action
+from rest_framework.exceptions import PermissionDenied, ValidationError
+from rest_framework.fields import (
+    CharField,
+    ChoiceField,
+)
+from rest_framework.relations import PrimaryKeyRelatedField
+from rest_framework.request import Request
+from rest_framework.response import Response
+from rest_framework.viewsets import ModelViewSet
+
+from authentik.core.api.used_by import UsedByMixin
+from authentik.core.api.utils import PassiveSerializer
+from authentik.endpoints.api.connectors import ConnectorSerializer
+from authentik.endpoints.connectors.agent.api.agent import (
+    AgentConfigSerializer,
+    AgentTokenResponseSerializer,
+    EnrollSerializer,
+)
+from authentik.endpoints.connectors.agent.auth import (
+    AgentAuth,
+    AgentEnrollmentAuth,
+)
+from authentik.endpoints.connectors.agent.models import (
+    AgentConnector,
+    AgentDeviceConnection,
+    DeviceToken,
+    EnrollmentToken,
+)
+from authentik.endpoints.facts import DeviceFacts, OSFamily
+from authentik.endpoints.models import Device
+from authentik.lib.utils.reflection import ConditionalInheritance
+
+
+class AgentConnectorSerializer(ConnectorSerializer):
+
+    class Meta(ConnectorSerializer.Meta):
+        model = AgentConnector
+        fields = ConnectorSerializer.Meta.fields + [
+            "snapshot_expiry",
+            "auth_session_duration",
+            "auth_terminate_session_on_expiry",
+            "refresh_interval",
+            "authorization_flow",
+            "nss_uid_offset",
+            "nss_gid_offset",
+            "challenge_key",
+            "jwt_federation_providers",
+        ]
+
+
+class MDMConfigSerializer(PassiveSerializer):
+
+    platform = ChoiceField(choices=OSFamily.choices)
+    enrollment_token = PrimaryKeyRelatedField(queryset=EnrollmentToken.objects.all())
+
+    def validate_platform(self, platform: OSFamily) -> OSFamily:
+        if platform not in [OSFamily.iOS, OSFamily.macOS, OSFamily.windows]:
+            raise ValidationError(_("Selected platform not supported"))
+        return platform
+
+    def validate_enrollment_token(self, token: EnrollmentToken) -> EnrollmentToken:
+        if token.is_expired:
+            raise ValidationError(_("Token is expired"))
+        if token.connector != self.context["connector"]:
+            raise ValidationError(_("Invalid token for connector"))
+        return token
+
+
+class MDMConfigResponseSerializer(PassiveSerializer):
+
+    config = CharField(required=True)
+
+
+class AgentConnectorViewSet(
+    ConditionalInheritance(
+        "authentik.enterprise.endpoints.connectors.agent.api.connectors.AgentConnectorViewSetMixin"
+    ),
+    UsedByMixin,
+    ModelViewSet,
+):
+
+    queryset = AgentConnector.objects.all()
+    serializer_class = AgentConnectorSerializer
+    search_fields = ["name"]
+    ordering = ["name"]
+    filterset_fields = ["name", "enabled"]
+
+    @extend_schema(
+        request=MDMConfigSerializer(),
+        responses=MDMConfigResponseSerializer(),
+    )
+    @action(methods=["POST"], detail=True)
+    def mdm_config(self, request: Request, pk) -> Response:
+        """Generate configuration for MDM systems to deploy authentik Agent"""
+        connector = cast(AgentConnector, self.get_object())
+        data = MDMConfigSerializer(data=request.data, context={"connector": connector})
+        data.is_valid(raise_exception=True)
+        token = data.validated_data["enrollment_token"]
+        if not request.user.has_perm("view_enrollment_token_key", token):
+            raise PermissionDenied()
+        ctrl = connector.controller(connector)
+        payload = ctrl.generate_mdm_config(data.validated_data["platform"], request, token)
+        return Response({"config": payload})
+
+    @extend_schema(
+        request=EnrollSerializer(),
+        responses={200: AgentTokenResponseSerializer},
+    )
+    @action(
+        methods=["POST"],
+        detail=False,
+        authentication_classes=[AgentEnrollmentAuth],
+    )
+    def enroll(self, request: Request):
+        token: EnrollmentToken = request.auth
+        data = EnrollSerializer(data=request.data)
+        data.is_valid(raise_exception=True)
+        device, _ = Device.objects.get_or_create(
+            identifier=data.validated_data["device_serial"],
+            defaults={
+                "name": data.validated_data["device_name"],
+                "expiring": False,
+                "access_group": token.device_group,
+            },
+        )
+        connection, _ = AgentDeviceConnection.objects.update_or_create(
+            device=device,
+            connector=token.connector,
+        )
+        token = DeviceToken.objects.create(device=connection, expiring=False)
+        return Response(
+            {
+                "token": token.key,
+                "expires_in": 0,
+            }
+        )
+
+    @extend_schema(
+        request=OpenApiTypes.NONE,
+        responses=AgentConfigSerializer(),
+    )
+    @action(methods=["GET"], detail=False, authentication_classes=[AgentAuth])
+    def agent_config(self, request: Request):
+        token: DeviceToken = request.auth
+        connector: AgentConnector = token.device.connector.agentconnector
+        return Response(
+            AgentConfigSerializer(
+                connector, context={"request": request, "device": token.device.device}
+            ).data
+        )
+
+    @extend_schema(
+        request=DeviceFacts(),
+        responses={204: OpenApiResponse(description="Successfully checked in")},
+    )
+    @action(methods=["POST"], detail=False, authentication_classes=[AgentAuth])
+    def check_in(self, request: Request):
+        token: DeviceToken = request.auth
+        data = DeviceFacts(data=request.data)
+        data.is_valid(raise_exception=True)
+        connection: AgentDeviceConnection = token.device
+        connection.create_snapshot(data.validated_data)
+        return Response(status=204)
--- a/Show More
+++ b/Show More