# Models

Some models behave differently and allow for access to different API fields when created via blueprint.

## `authentik_core.token`

### `key`

Via the standard API, a token's key cannot be changed, it can only be rotated. This is to ensure a high entropy in its key, and to prevent insecure data from being used. However, when provisioning tokens via a blueprint, it may be required to set a token to an existing value.

With blueprints, the field `key` can be set, to set the token's key to any value.

For example:

```yaml
# [...]
- model: authentik_core.token
  state: present
  identifiers:
      identifier: my-token
  attrs:
      key: this-should-be-a-long-value
      user: !KeyOf my-user
      intent: api
```

## `authentik_core.user`

### `password`

Via the standard API, a user's password can only be set via the separate `/api/v3/core/users/<id>/set_password/` endpoint. In blueprints, the password of a user can be set using the `password` field.

Keep in mind that if an LDAP Source is configured and the user maps to an LDAP user, this password change will be propagated to the LDAP server.

For example:

```yaml
# [...]
- model: authentik_core.user
  state: present
  identifiers:
      username: test-user
  attrs:
      name: test user
      password: this-should-be-a-long-value
```

### `permissions`

The `permissions` field can be used to set global permissions for a user. A full list of possible permissions is included in the JSON schema for blueprints.

For example:

```yaml
# [...]
- model: authentik_core.user
  identifiers:
      username: test-user
  attrs:
      permissions:
          - authentik_blueprints.view_blueprintinstance
```

## `authentik_core.application`

### `icon`

Application icons can be directly set to URLs with the `icon` field.

For example:

```yaml
# [...]
- model: authentik_core.application
  identifiers:
      slug: my-app
  attrs:
      name: My App
      icon: https://goauthentik.io/img/icon.png
```

## `authentik_sources_oauth.oauthsource`, `authentik_sources_saml.samlsource`, `authentik_sources_plex.plexsource`

### `icon`

Source icons can be directly set to URLs with the `icon` field.

For example:

```yaml
# [...]
- model: authentik_sources_oauth.oauthsource
  identifiers:
      slug: my-source
  attrs:
      name: My source
      icon: https://goauthentik.io/img/icon.png
```

## `authentik_flows.flow`

### `icon`

Flow backgrounds can be directly set to URLs with the `background` field.

For example:

```yaml
# [...]
- model: authentik_flows.flow
  identifiers:
      slug: my-flow
  attrs:
      name: my-flow
      title: My flow
      designation: authentication
      background: https://goauthentik.io/img/icon.png
```

## `authentik_rbac.role`

### `permissions`

The `permissions` field can be used to set global permissions for a role. A full list of possible permissions is included in the JSON schema for blueprints.

For example:

```yaml
# [...]
- model: authentik_rbac.role
  identifiers:
      name: test-role
  attrs:
      permissions:
          - authentik_blueprints.view_blueprintinstance
```

## `authentik_stages_invitation.invitation`:ak-version[2025.12]

The `created_by` field can be set to a user. If no value is given, the internal hidden anonymous user is used.

For example:

```yaml
# [...]
- model: authentik_stages_invitation.invitation
  identifiers:
      name: test-invitation
  attrs:
      created_by: !Find [authentik_core.user, [username, "my-admin-user"]]
```

## `authentik_policies.policybinding`

### Required fields

Each PolicyBinding entry must have **exactly one** of the following set in `attrs`:

- `policy`: Reference to a Policy object
- `group`: Reference to a Group object
- `user`: Reference to a User object

Setting none or multiple in a single binding will cause validation errors. However, you can create multiple separate bindings to the same target with different `order` values.

Example with multiple bindings to the same application:

```yaml
# Bind a policy
- model: authentik_policies.policybinding
  identifiers:
      target: !Find [authentik_core.application, [slug, my-app]]
      order: 0
  attrs:
      policy: !Find [authentik_policies.expression.expressionpolicy, [name, my-policy]]

# Bind a group to the same application
- model: authentik_policies.policybinding
  identifiers:
      target: !Find [authentik_core.application, [slug, my-app]]
      order: 1
  attrs:
      group: !Find [authentik_core.group, [name, admins]]
```

## `authentik_endpoints_connectors_agent.enrollmenttoken`

### `key`

Via the standard API, a token's key cannot be changed, it can only be rotated. This is to ensure a high entropy in its key, and to prevent insecure data from being used. However, when provisioning enrollment tokens via a blueprint, it may be required to set a token to an existing value.

With blueprints, the field `key` can be set, to set the enrollment token's key to any value.

For example:

```yaml
# [...]
- model: authentik_endpoints_connectors_agent.enrollmenttoken
  state: present
  identifiers:
      name: my-token
  attrs:
      key: this-should-be-a-long-value
      connector: !KeyOf connector
```