website: release notes for 2025.6 (#14703)

* release notes for 2025.6: first pass

* release notes for 2025.6: second pass

* list new integration docs

* reword LDAP forward deletions

Co-authored-by: Dominic R <dominic@sdko.org>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>

* fix typo

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>

* add Komodo

Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>

* don't do sidebar stuff just yet

whoops

* generate boilerplate

* release notes for 2025.6: third pass

* add CloudFormation

Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>
Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>

---------

Signed-off-by: Simonyi Gergő <28359278+gergosimonyi@users.noreply.github.com>
Co-authored-by: Dominic R <dominic@sdko.org>
Co-authored-by: Dewi Roberts <dewi@goauthentik.io>
Co-authored-by: Tana M Berry <tanamarieberry@yahoo.com>

website/docs/releases/2025/v2025.6.md

@@ -0,0 +1,595 @@
+---
+title: Release 2025.6
+slug: "/releases/2025.6"
+---
+
+:::note
+2025.6 has not been released yet! We're publishing these release notes as a preview of what's to come, and for our awesome beta testers trying out release candidates.
+
+To try out the release candidate, replace your Docker image tag with the latest release candidate number, such as 2025.6.0-rc1. You can find the latest one in [the latest releases on GitHub](https://github.com/goauthentik/authentik/releases). If you don't find any, it means we haven't released one yet.
+:::
+
+Authentik Security is happy to announce our 2025.6 release. Read on for details about the new features, any changes you need to be aware of, and then when you're ready to upgrade refer to our [Upgrade instructions](../install-config/upgrade) for Docker, Kubernetes, and AWS CloudFormation.
+
+## Highlights
+
+- **mTLS Stage**: :ak-enterprise The Mutual TLS stage provides support for mTLS, a standard protocol that uses certificates for mutual authentication between a client and a server.
+
+- **Email verification compatibility with link scanners**: We have improved compatibility for environments that have automated scanning software that inadvertently invalidated one-time links sent by authentik.
+
+- **LDAP source sync forward deletions**: This option synchronizes the deletion of users (those created by LDAP sources) in authentik when they are removed in the LDAP source.
+
+## Breaking changes
+
+- **Helm chart dependencies upgrades**:
+
+    - The PostgreSQL chart has been updated to version 16.7.4. The PostgreSQL image is no longer pinned in authentik's default values and has been upgraded from version 15 to 17. Follow our [PostgreSQL upgrade instructions](../../troubleshooting/postgres/upgrade_kubernetes.md) to update to the latest PostgreSQL version.
+    - The Redis chart has been updated to version 21.1.6. There are no breaking changes and Redis has been upgraded from version 7 to 8.
+
+- **Deprecated and frozen `:latest` container image tag after 2025.2**
+
+    Using the `:latest` tag with container images is not recommended as it can lead to unintentional updates and potentially broken setups. The tag will not be removed, however it will also not be updated past 2025.2. We strongly recommended the use of a specific version tag for authentik instances' container images, such as `:2025.6`.
+
+- **CSS**: We’ve made some improvements to our theming system. If your authentik instance uses custom CSS, you might need to review flow and user interfaces for any visual changes.
+
+## New features and improvements
+
+- **mTLS stage**: :ak-enterprise The Mutual TLS stage enables authentik to use client certificates to enroll and authenticate users. These certificates can be local to the device or available via PIV Smart Cards, Yubikeys, etc. For environments where certificates are already rolled out, this can make authentication a lot more seamless. Refer to our [technical documentation](../add-secure-apps/flows-stages/stages/mtls/) for more information.
+- **Email verification compatibility with link scanners**: We have improved compatibility for environments with automated scanning software that inadvertently invalidated one-time links sent by authentik.
+- **LDAP source sync forward deletions**: With this option enabled, users who were created in authentik via LDAP sources will also be removed from authentik if they are deleted from the LDAP source. For more information, please refer to our [LDAP source documentation](../users-sources/sources/protocols/ldap/).
+- **Provider sync performance**: We have implemented parallel scheduling for outgoing syncs to provide faster synchronization.
+- **Branding**: Custom branding should now be more consistent on initial load, without flickering.
+- **Remote Access Control (RAC) improved documentation**: Adds content about how to authenticate using a public key and improves the wording and formatting throughout the topic.
+
+## New integration guides
+
+An integration is how authentik connects to third-party applications, directories, and other identity providers. The following integration guides were recently added.
+
+- [Pangolin](../../../integrations/services/pangolin/)
+- [Stripe](../../../integrations/services/stripe/)
+- [FileRise](../../../integrations/services/filerise/)
+- [Push Security](../../../integrations/services/push-security/)
+- [Atlassian Cloud (Jira, Confluence, etc)](../../../integrations/services/atlassian/)
+- [Coder](../../../integrations/services/coder/)
+- [YouTrack](../../../integrations/services/youtrack/)
+- [Komodo](../../../integrations/services/komodo/)
+
+## Upgrading
+
+This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).
+
+:::warning
+When you upgrade, be aware that the version of the authentik instance and of any outposts must be the same. We recommended that you always upgrade any outposts at the same time you upgrade your authentik instance.
+:::
+
+### Docker Compose
+
+To upgrade, download the new docker-compose file and update the Docker stack with the new version, using these commands:
+
+```shell
+wget -O docker-compose.yml https://goauthentik.io/version/2025.6/docker-compose.yml
+docker compose up -d
+```
+
+The `-O` flag retains the downloaded file's name, overwriting any existing local file with the same name.
+
+### Kubernetes
+
+Upgrade the Helm Chart to the new version, using the following commands:
+
+```shell
+helm repo update
+helm upgrade authentik authentik/authentik -f values.yaml --version ^2025.6
+```
+
+## Minor changes/fixes
+
+- brands: fix CSS Migration not updating brands (#14306)
+- ci: add dependencies label to generated PRs (#14569)
+- ci: cleanup post uv migration (#13538)
+- ci: test with postgres 17 (#13967)
+- ci: Update packages-npm-publish.yml (#14701)
+- ci: use dependabot for compose correctly? (#14340)
+- ci: use dependabot for docker-compose files (#14336)
+- core: fix session migration when old session can't be loaded (#14466)
+- core: fix unable to create group if no enable_group_superuser permission is given (#14510)
+- core: Migrate permissions before deleting OldAuthenticatedSession (#14788)
+- core: Publish web packages. (#14648)
+- core: remove `OldAuthenticatedSession` content type (#14507)
+- enterprise: fix expired license's users being counted (#14451)
+- enterprise/stages: Add MTLS stage (#14296)
+- enterprise/stages/mtls: improve certificate validation (#14582)
+- enterprise/stages/mtls: update go & web client, fix py client generation (#14576)
+- ESBuild Plugin: Setup and usage docs. (#14720)
+- esbuild-plugin-live-reload: Publish. (#14624)
+- lib/sync/outgoing: reduce number of db queries made (#14177)
+- lib/sync/outgoing: sync in parallel (#14697)
+- lifecycle: fix ak dump_config (#14445)
+- lifecycle: fix test-all in docker (#14244)
+- outposts: fix tmpdir in containers not being set (#14444)
+- providers/ldap: retain binder and update users instead of re-creating (#14735)
+- providers/proxy: kubernetes outpost: fix reconcile when ingress class name changed (#14612)
+- rbac: add `name` to Permissions search (#14269)
+- rbac: fix RoleObjectPermissionTable not showing `add_user_to_group` (#14312)
+- root: backport SFE Build fix (#14495)
+- root: do not use /bin/bash directly (#14698)
+- root: improve sentry distributed tracing (#14468)
+- root: move forked dependencies to goauthentik org (#14590)
+- root: pin package version in pyproject for dependabot (#14469)
+- root: readme: use right contribution guide link (#14250)
+- root: replace raw.githubusercontent.com by checking out repo (#14567)
+- root: temporarily deactivate database pool option (#14443)
+- sources/kerberos: resolve logger warnings (#14540)
+- sources/ldap: add forward deletion option (#14718)
+- stages/email: fix email scanner voiding token (#14325)
+- tests/e2e: Add E2E tests for Flow SFE (#14484)
+- tests/e2e: add test for authentication flow in compatibility mode (#14392)
+- tests/e2e: fix flaky SAML Source test (#14708)
+- web, website: update browserslist (#14386)
+- web: (ESLint) Consistent use of triple-equals. (#14554)
+- web: (ESLint) No else return (#14558)
+- web: (ESLint) Use dot notation. (#14557)
+- web: Add specific Storybook dependency. (#14719)
+- web: Clean up browser-only module imports that crash WebDriverIO. (#14330)
+- web: cleanup/loading attribute always true (#14288)
+- web: Controller refinements, error handling (#14700)
+- Web: Controllers cleanup (#14616)
+- web: fix bug that was causing charts to be too tall (#14253)
+- web: fix description for signing responses in SAML provider (#14573)
+- web: Fix issue where dual select type is not specific. (#14783)
+- web: Fix issue where Storybook cannot resolve styles. (#14553)
+- web: Fix missing Enterprise sidebar entries. (#14615)
+- web: fix regression in subpath support (#14646)
+- web: NPM workspaces (#14274)
+- web: Type Tidy (#14647)
+- web: Use engine available on Github Actions. (#14699)
+- web: Use monorepo package utilities to build packages (#14159)
+- web/admin: Dual select state management, custom event dispatching. (#14490)
+- web/admin: fix enterprise menu display (#14447)
+- web/admin: fix permissions modal button missing for PolicyBindings and FlowStageBindings (#14619)
+- web/admin: Fix sidebar toggle synchronization. (#14487)
+- web/admin: prevent default logo flashing in admin interface (#13960)
+- web/flows: update default flow background (#14769)
+- web/flows/sfe: fix global background image not being loaded (#14442)
+- web/NPM Workspaces: ESbuild version cleanup (#14541)
+- web/NPM Workspaces: Prep ESBuild plugin for publish. (#14552)
+- web/NPM Workspaces: TypeScript API Client TSConfig. (#14555)
+
+## API Changes
+
+#### What's New
+
+---
+
+##### `GET` /stages/mtls/
+
+##### `POST` /stages/mtls/
+
+##### `GET` /stages/mtls/{stage_uuid}/
+
+##### `PUT` /stages/mtls/{stage_uuid}/
+
+##### `DELETE` /stages/mtls/{stage_uuid}/
+
+##### `PATCH` /stages/mtls/{stage_uuid}/
+
+##### `GET` /stages/mtls/{stage_uuid}/used_by/
+
+#### What's Changed
+
+---
+
+##### `GET` /core/brands/{brand_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Added property `client_certificates` (array)
+
+        > Certificates used for client authentication.
+
+        Items (string):
+
+##### `PUT` /core/brands/{brand_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `client_certificates` (array)
+    > Certificates used for client authentication.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Added property `client_certificates` (array)
+        > Certificates used for client authentication.
+
+##### `PATCH` /core/brands/{brand_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `client_certificates` (array)
+    > Certificates used for client authentication.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Added property `client_certificates` (array)
+        > Certificates used for client authentication.
+
+##### `GET` /policies/event_matcher/{policy_uuid}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Changed property `app` (string)
+
+        > Match events created by selected application. When left empty, all applications are matched.
+
+        Added enum value:
+
+        - `authentik.enterprise.stages.mtls`
+
+    - Changed property `model` (string)
+
+        > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+        Added enum value:
+
+        - `authentik_stages_mtls.mutualtlsstage`
+
+##### `PUT` /policies/event_matcher/{policy_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `app` (string)
+
+    > Match events created by selected application. When left empty, all applications are matched.
+
+    Added enum value:
+
+    - `authentik.enterprise.stages.mtls`
+
+- Changed property `model` (string)
+
+    > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Changed property `app` (string)
+
+        > Match events created by selected application. When left empty, all applications are matched.
+
+        Added enum value:
+
+        - `authentik.enterprise.stages.mtls`
+
+    - Changed property `model` (string)
+
+        > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+        Added enum value:
+
+        - `authentik_stages_mtls.mutualtlsstage`
+
+##### `PATCH` /policies/event_matcher/{policy_uuid}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `app` (string)
+
+    > Match events created by selected application. When left empty, all applications are matched.
+
+    Added enum value:
+
+    - `authentik.enterprise.stages.mtls`
+
+- Changed property `model` (string)
+
+    > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Changed property `app` (string)
+
+        > Match events created by selected application. When left empty, all applications are matched.
+
+        Added enum value:
+
+        - `authentik.enterprise.stages.mtls`
+
+    - Changed property `model` (string)
+
+        > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+        Added enum value:
+
+        - `authentik_stages_mtls.mutualtlsstage`
+
+##### `POST` /core/brands/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `client_certificates` (array)
+    > Certificates used for client authentication.
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+- Changed content type : `application/json`
+
+    - Added property `client_certificates` (array)
+        > Certificates used for client authentication.
+
+##### `GET` /core/brands/
+
+###### Parameters:
+
+Added: `client_certificates` in `query`
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Changed property `results` (array)
+
+        Changed items (object): > Brand Serializer
+
+        - Added property `client_certificates` (array)
+            > Certificates used for client authentication.
+
+##### `POST` /policies/event_matcher/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `app` (string)
+
+    > Match events created by selected application. When left empty, all applications are matched.
+
+    Added enum value:
+
+    - `authentik.enterprise.stages.mtls`
+
+- Changed property `model` (string)
+
+    > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+- Changed content type : `application/json`
+
+    - Changed property `app` (string)
+
+        > Match events created by selected application. When left empty, all applications are matched.
+
+        Added enum value:
+
+        - `authentik.enterprise.stages.mtls`
+
+    - Changed property `model` (string)
+
+        > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+        Added enum value:
+
+        - `authentik_stages_mtls.mutualtlsstage`
+
+##### `GET` /policies/event_matcher/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Changed property `results` (array)
+
+        Changed items (object): > Event Matcher Policy Serializer
+
+        - Changed property `app` (string)
+
+            > Match events created by selected application. When left empty, all applications are matched.
+
+            Added enum value:
+
+            - `authentik.enterprise.stages.mtls`
+
+        - Changed property `model` (string)
+
+            > Match events created by selected model. When left empty, all models are matched. When an app is selected, all the application's models are matched.
+
+            Added enum value:
+
+            - `authentik_stages_mtls.mutualtlsstage`
+
+##### `POST` /rbac/permissions/assigned_by_roles/{uuid}/assign/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `model` (string)
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+##### `PATCH` /rbac/permissions/assigned_by_roles/{uuid}/unassign/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `model` (string)
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+##### `POST` /rbac/permissions/assigned_by_users/{id}/assign/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `model` (string)
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+##### `PATCH` /rbac/permissions/assigned_by_users/{id}/unassign/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Changed property `model` (string)
+
+    Added enum value:
+
+    - `authentik_stages_mtls.mutualtlsstage`
+
+##### `GET` /sources/ldap/{slug}/
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Added property `delete_not_found_objects` (boolean)
+        > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+##### `PUT` /sources/ldap/{slug}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `delete_not_found_objects` (boolean)
+    > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Added property `delete_not_found_objects` (boolean)
+        > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+##### `PATCH` /sources/ldap/{slug}/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `delete_not_found_objects` (boolean)
+    > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Added property `delete_not_found_objects` (boolean)
+        > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+##### `GET` /rbac/permissions/assigned_by_roles/
+
+###### Parameters:
+
+Changed: `model` in `query`
+
+##### `GET` /rbac/permissions/assigned_by_users/
+
+###### Parameters:
+
+Changed: `model` in `query`
+
+##### `POST` /sources/ldap/
+
+###### Request:
+
+Changed content type : `application/json`
+
+- Added property `delete_not_found_objects` (boolean)
+    > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+###### Return Type:
+
+Changed response : **201 Created**
+
+- Changed content type : `application/json`
+
+    - Added property `delete_not_found_objects` (boolean)
+        > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.
+
+##### `GET` /sources/ldap/
+
+###### Parameters:
+
+Added: `delete_not_found_objects` in `query`
+
+###### Return Type:
+
+Changed response : **200 OK**
+
+- Changed content type : `application/json`
+
+    - Changed property `results` (array)
+
+        Changed items (object): > LDAP Source Serializer
+
+        - Added property `delete_not_found_objects` (boolean)
+            > Delete authentik users and groups which were previously supplied by this source, but are now missing from it.