website: Use Docusaurus Frontmatter for badges (#12893)

website/docs: Reduce redundant usage of badges. Move badge logic to components.

- Fix JSX class name warning.
- Remove duplicate titles.
- Flesh out `support_level` frontmatter.
Teffen Ellis
2025-02-19 19:03:05 +01:00
committed by GitHub
parent df2e3878d5
commit a714c781a6
214 changed files with 930 additions and 748 deletions

View File

@ -6,12 +6,12 @@ Applications, as defined in authentik, are used to configure and separate the au
When a user logs into authentik, they see a list of the applications for which authentik is configured to provide authentication and authorization (the applications that that they are authorized to use).
Applications are the "other half" of providers. They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application. Applications can, however, use specific, additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](./manage_apps.md#backchannel-providers).
Applications are the "other half" of providers. They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application. Applications can, however, use specific, additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](./manage_apps.mdx#backchannel-providers).
Furthermore, the [RAC (Remote Access Control)](../providers/rac/index.md) feature uses a single application and a single provider, but multiple "endpoints". An endpoint defines each remote machine.
:::info
For information about creating and managing applications, refer to [Manage applications](./manage_apps.md).
For information about creating and managing applications, refer to [Manage applications](./manage_apps.mdx).
:::
## Appearance
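Review bot: the four `.md` to `.mdx` link rewrites in this hunk assume `manage_apps.md` is renamed to `manage_apps.mdx` in this same commit; the final hunk on this page (providers index) is cut off, so its updated `manage_apps` link is not visible here. Rather than relying on grep for stragglers, run the Docusaurus build with `onBrokenLinks: 'throw'` before merge. The `#backchannel-providers` anchor is unchanged, which is correct since the heading text is not touched.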

View File

@ -10,7 +10,15 @@ Learn how to add new applications from our video or follow the instructions belo
### Video
<iframe width="560" height="315" src="https://www.youtube.com/embed/broUAWrIWDI;start=22" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>
<iframe
width="560"
height="315"
src="https://www.youtube.com/embed/broUAWrIWDI;start=22"
title="YouTube video player"
frameborder="0"
allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share"
allowfullscreen
></iframe>
### Instructions
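Review bot: the reflowed `<iframe>` keeps the HTML attribute names `frameborder` and `allowfullscreen`, which React reports as invalid DOM properties in an MDX/JSX context (the same class of warning the commit message says it fixes for `className`); use `frameBorder="0"` and `allowFullScreen`. The embed URL `https://www.youtube.com/embed/broUAWrIWDI;start=22` also separates the start parameter with `;` instead of `?`, so the 22-second offset is ignored by the player; since the line is being rewritten anyway, change it to `?start=22`.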
@ -45,8 +53,12 @@ When multiple policies/groups/users are attached, you can configure the _Policy
## Application Entitlements
<span class="badge badge--preview">Preview</span>
<span class="badge badge--version">authentik 2024.12+</span>
<p className="badge-group">
:ak-version[2024.12]
:ak-preview
</p>
Application entitlements can be used through authentik to manage authorization within an application (what areas of the app users or groups can access). Entitlements are scoped to a single application and can be bound to multiple users and/or groups (binding policies is not currently supported), giving them access to the entitlement. An application can either check for the name of the entitlement (via the `entitlements` scope), or via attributes stored in entitlements.
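Review bot: `<p className="badge-group">` wraps markdown on its own lines (`:ak-version[2024.12]`, `:ak-preview`), and MDX parses content between JSX tags that sit on separate lines as flow content, which normally gets its own paragraph; that would produce a `<p>` nested inside a `<p>` and a `validateDOMNesting` warning at runtime. Check the rendered DOM and, if it nests, use `<div className="badge-group">` or put the directives inline with the tags. Also note the badge order is swapped relative to the removed spans (Preview used to come before the version); harmless, but keep it consistent with the other pages that use the same pair.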

View File

@ -24,7 +24,7 @@ A _policy binding_ connects a specific policy to a flow or to a stage. With the
You can also bind groups and users to another component (a policy, a stage, a flow, etc.). For example, you can create a binding for a specific group, and then [bind that to a stage binding](../stages/index.md#bind-users-and-groups-to-a-flows-stage-binding), with the result that everyone in that group now will see that stage (and any policies bound to that stage) as part of their flow. Or more specifically, and going one step deeper, you can also _bind a binding to a binding_.
Bindings are also used for [Application Entitlements](../../applications/manage_apps.md#application-entitlements), where you can bind specific users or groups to an application as a way to manage who has access to the application.
Bindings are also used for [Application Entitlements](../../applications/manage_apps.mdx#application-entitlements), where you can bind specific users or groups to an application as a way to manage who has access to the application.
It's important to remember that bindings are instantiated objects themselves, and conceptually can be considered as a "connector" between two components. This is why you might read about "binding a binding", because technically, a binding is "spliced" into another binding, in order to intercept and enforce the criteria defined in the second binding.

View File

@ -8,6 +8,6 @@ For instructions to create a binding, refer to the documentation for the specifi
- [Bind a stage to a flow](../stages/index.md#bind-a-stage-to-a-flow)
- [Bind a policy to a flow or stage](../../../customize/policies/working_with_policies#bind-a-policy-to-a-flow-or-stage)
- [Bind users or groups to a specific application with an Application Entitlement](../../applications/manage_apps.md#application-entitlements)
- [Bind a policy to a specific application when you create a new app using the Wizard](../../applications/manage_apps.md#instructions)
- [Bind users or groups to a specific application with an Application Entitlement](../../applications/manage_apps.mdx#application-entitlements)
- [Bind a policy to a specific application when you create a new app using the Wizard](../../applications/manage_apps.mdx#instructions)
- [Bind users and groups to a stage binding, to define whether or not that stage is shown](../stages/index.md#bind-users-and-groups-to-a-flows-stage-binding)

View File

@ -24,11 +24,11 @@ Keys prefixed with `goauthentik.io` are used internally by authentik and are sub
### Common keys
#### `pending_user` ([User object](../../../../users-sources/user/user_ref.md#object-properties))
#### `pending_user` ([User object](../../../../users-sources/user/user_ref.mdx#object-properties))
`pending_user` is used by multiple stages. In the context of most flow executions, it represents the data of the user that is executing the flow. This value is not set automatically, it is set via the [Identification stage](../../stages/identification/index.md).
`pending_user` is used by multiple stages. In the context of most flow executions, it represents the data of the user that is executing the flow. This value is not set automatically, it is set via the [Identification stage](../../stages/identification/index.mdx).
Stages that require a user, such as the [Password stage](../../stages/password/index.md), the [Authenticator validation stage](../../stages/authenticator_validate/index.md) and others will use this value if it is set, and fallback to the request's users when possible.
Stages that require a user, such as the [Password stage](../../stages/password/index.md), the [Authenticator validation stage](../../stages/authenticator_validate/index.mdx) and others will use this value if it is set, and fallback to the request's users when possible.
#### `prompt_data` (Dictionary)
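Review bot: the rewritten `pending_user` sentence ends with "and fallback to the request's users when possible"; since the line is already being touched, fix the wording to "and fall back to the request's user when possible" (verb form, singular).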
@ -62,7 +62,7 @@ When an unauthenticated user attempts to access a secured resource, they are red
When a user authenticates/enrolls via an external source, this will be set to the source they are using.
#### `outpost` (dictionary) <span class="badge badge--version">authentik 2024.10+</span>
#### `outpost` (dictionary):ak-version[2024.10]
When a flow is executed by an Outpost (for example the [LDAP](../../../providers/ldap/index.md) or [RADIUS](../../../providers/radius/index.mdx)), this will be set to a dictionary containing the Outpost instance under the key `"instance"`.
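Review bot: `#### \`outpost\` (dictionary):ak-version[2024.10]` glues the directive to the closing parenthesis with no space, so unless the `ak-version` component adds its own left margin the badge renders flush against the heading text. The same pattern is used below for `is_redirected`, `Captcha stage`, `redirect_stage_target`, `WebAuthn Device type restrictions`, `Device type restrictions` and `Pretend user exists`; add a space before `:ak-version[...]` in all of them, or use the `<p className="badge-group">` form adopted on the entitlements page, so the rendering is uniform.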
@ -76,7 +76,7 @@ This key is set to `True` when the flow is executed from an "SSO" context. For e
This key is set when a flow execution is continued from a token. This happens for example when an [Email stage](../../stages/email/index.mdx) is used and the user clicks on the link within the email. The token object contains the key that was used to restore the flow execution.
#### `is_redirected` (Flow object) <span class="badge badge--version">authentik 2024.12+</span>
#### `is_redirected` (Flow object):ak-version[2024.12]
This key is set when the current flow was reached through a [Redirect stage](../../stages/redirect/index.md) in Flow mode.
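Review bot: the heading `#### \`is_redirected\` (Flow object):ak-version[2024.12]` now carries the directive in its text, and Docusaurus derives the heading id from that text; the previous id included the badge text (`is_redirected-flow-object-authentik-202412`), which the Redirect stage page links to. Whether the new slug becomes `is_redirected-flow-object` depends on how the directive is represented when the slugger runs, so pin it with an explicit id (`{#is_redirected}` or similar) and point the Redirect stage link at that, rather than relying on the generated one.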
@ -98,7 +98,7 @@ URL that the form will be submitted to.
Key-value pairs of the data that is included in the form and will be submitted to `url`.
#### Captcha stage <span class="badge badge--version">authentik 2024.6+</span>
#### Captcha stage:ak-version[2024.6]
##### `captcha` (dictionary)
@ -118,7 +118,7 @@ An optional list of all permissions that will be given to the application by gra
#### Deny stage
##### `deny_message` (string) <span class="badge badge--version">authentik 2023.10+</span>
##### `deny_message` (string)
Optionally overwrite the deny message shown, has a higher priority than the message configured in the stage.
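Review bot: the `deny_message` badge (`authentik 2023.10+`) is deleted instead of being converted to a directive, and the same happens to `user_type` further down, so the page no longer records a minimum version for either key while still doing so for the 2024.x keys. If the intent is to drop markers for versions that are out of support, state that rule in the PR description so future edits follow it; otherwise convert these to `:ak-version[2023.10]` like their neighbours.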
@ -134,7 +134,7 @@ If set, this must be a list of group objects and not group names.
Path the `pending_user` will be written to. If not set in the flow, falls back to the value set in the user_write stage, and otherwise to the `users` path.
##### `user_type` (string) <span class="badge badge--version">authentik 2023.10+</span>
##### `user_type` (string)
Type the `pending_user` will be created as. Must be one of `internal`, `external` or `service_account`.
@ -146,7 +146,7 @@ Set by the [Password stage](../../stages/password/index.md) after successfully a
##### `auth_method` (string)
Set by the [Password stage](../../stages/password/index.md), the [Authenticator validation stage](../../stages/authenticator_validate/index.md), the [OAuth2 Provider](../../../providers/oauth2/index.md), and the API authentication depending on which method was used to authenticate.
Set by the [Password stage](../../stages/password/index.md), the [Authenticator validation stage](../../stages/authenticator_validate/index.mdx), the [OAuth2 Provider](../../../providers/oauth2/index.mdx), and the API authentication depending on which method was used to authenticate.
Possible options:
@ -155,7 +155,7 @@ Possible options:
- `ldap` (Authenticated via LDAP bind from an LDAP source)
- `auth_mfa` (Authentication via MFA device without password)
- `auth_webauthn_pwl` (Passwordless authentication via WebAuthn)
- `jwt` ([M2M](../../../providers/oauth2/client_credentials.md) authentication via an existing JWT)
- `jwt` ([M2M](../../../providers/oauth2/client_credentials.mdx) authentication via an existing JWT)
##### `auth_method_args` (dictionary)
@ -198,7 +198,7 @@ If _Show matched user_ is disabled, this key will be set to the user identifier
#### Redirect stage
##### `redirect_stage_target` (string) <span class="badge badge--version">authentik 2024.12+</span>
##### `redirect_stage_target` (string):ak-version[2024.12]
[Set this key](../../../../customize/policies/expression/managing_flow_context_keys.md) in an Expression Policy to override [Redirect stage](../../stages/redirect/index.md) to force it to redirect to a certain URL or flow. This is useful when a flow requires that the redirection target be decided dynamically.

View File

@ -2,7 +2,7 @@
title: Example policy snippets for flows
---
### Redirect current flow to another URL <span class="badge badge--version">authentik 2022.7+</span>
### Redirect current flow to another URL
```python
plan = request.context.get("flow_plan")

View File

@ -6,6 +6,6 @@ The headless flow executor is used by clients that don't have access to the web
The following stages are supported:
- [**Identification stage**](../../stages/identification/index.md)
- [**Identification stage**](../../stages/identification/index.mdx)
- [**Password stage**](../../stages/password/index.md)
- [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.md)
- [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.mdx)

View File

@ -1,9 +1,8 @@
---
title: Simplified flow executor
authentik_version: "2024.6.1"
---
<span class="badge badge--version">authentik 2024.6.1+</span>
A simplified web-based flow executor that authentik automatically uses for older browsers that do not support modern web technologies.
Currently this flow executor is automatically used for the following browsers:
@ -13,14 +12,14 @@ Currently this flow executor is automatically used for the following browsers:
The following stages are supported:
- [**Identification stage**](../../stages/identification/index.md)
- [**Identification stage**](../../stages/identification/index.mdx)
:::info
Only user identifier and user identifier + password stage configurations are supported; sources and passwordless configurations are not supported.
:::
- [**Password stage**](../../stages/password/index.md)
- [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.md)
- [**Authenticator Validation Stage**](../../stages/authenticator_validate/index.mdx)
Compared to the [default flow executor](./if-flow.md), this flow executor does _not_ support the following features:

View File

@ -2,10 +2,6 @@
title: User settings
---
<span class="badge badge--version">authentik 2023.3+</span>
---
The user interface (/if/user/) uses a specialized flow executor to allow individual users to customize their profile. A user's profile consists of key/value fields, so this executor only supports Prompt or User Write stages. If the configured flow contains another stage, a button will be shown to open the default executor.
Because the stages in a flow can change during its execution, be awre that configuring this executor to use any stage type other than Prompt or User Write will automatically trigger a redirect to the standard executor.
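Review bot: the unchanged line directly below this hunk contains the typo "be awre" ("be aware"); worth fixing while the file is open. The hunk itself also removes a stray second `---` after the frontmatter, which had been rendering as a horizontal rule under the badge, so the change is more than cosmetic and deserves a mention in the commit message.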

View File

@ -6,7 +6,7 @@
- **Invalidation**: designates a default flow to be used to invalidate a session. Use `default-invalidation-flow` for invalidation from authentik itself, or use `default-provider-invalidation-flow` to invalidate when the session of an application ends. When you use the `default-invalidation-flow` as a global invalidation flow, it should contain a [**User Logout**](../../stages/user_logout.md) stage. When you use the `default-provider-invalidation-flow` (supported with OIDC, SAML, Proxy, and RAC providers), you can configure this default flow to present users log-off options such as "log out of the app but remain logged in to authentik" or "return to the **My Applications** page", or "log out completely". (Alternatively, you can create a custom invalidation flow, with a branded background image.)
- **Recovery**: designates a flow for recovery. This flow normally contains an [**Identification**](../../stages/identification/index.md) stage to find the user. It can also contain any amount of verification stages, such as [**Email**](../../stages/email/index.mdx) or [**CAPTCHA**](../../stages/captcha/index.md). Afterwards, use the [**Prompt**](../../stages/prompt/index.md) stage to ask the user for a new password and the [**User Write**](../../stages/user_write.md) stage to update the password.
- **Recovery**: designates a flow for recovery. This flow normally contains an [**Identification**](../../stages/identification/index.mdx) stage to find the user. It can also contain any amount of verification stages, such as [**Email**](../../stages/email/index.mdx) or [**CAPTCHA**](../../stages/captcha/index.md). Afterwards, use the [**Prompt**](../../stages/prompt/index.md) stage to ask the user for a new password and the [**User Write**](../../stages/user_write.md) stage to update the password.
- **Stage configuration**: designates a flow for general setup. This designation doesn't have any constraints in what you can do. For example, by default this designation is used to configure authenticators, like change a password and set up TOTP.

View File

@ -20,7 +20,7 @@ When these stages are successfully completed, authentik logs in the user.
By default, policies are evaluated dynamically, right before the stage (to which a policy is bound) is presented to the user. This flexibility allows the login process to continue, change, or stop, based on the success or failure of each policy.
This default behaviour can be altered by enabling the **Evaluate when flow is planned** option on the stage binding. With this setting a _flow plan_ containing all stages is generated upon flow execution. This means that all attached policies are evaluated upon execution. For more information about flow plans, read our [flow context documentation](./context/index.md).
This default behaviour can be altered by enabling the **Evaluate when flow is planned** option on the stage binding. With this setting a _flow plan_ containing all stages is generated upon flow execution. This means that all attached policies are evaluated upon execution. For more information about flow plans, read our [flow context documentation](./context/index.mdx).
## Permissions

View File

@ -2,7 +2,7 @@
title: Flow Inspector
---
The flow inspector, introduced in 2021.10, allows administrators to visually determine how custom flows work, inspect the current [flow context](./context/index.md), and investigate issues.
The flow inspector, introduced in 2021.10, allows administrators to visually determine how custom flows work, inspect the current [flow context](./context/index.mdx), and investigate issues.
As shown in the screenshot below, the flow inspector displays next to the selected flow (in this case, "Change Password"), with [information](#flow-inspector-details) about that specific flow and flow context.

View File

@ -10,7 +10,7 @@ Copy all of the integration key, secret key and API hostname, and paste them in
Devices created reference the stage they were created with, since the API credentials are needed to authenticate. This also means when the stage is deleted, all devices are removed.
## Importing users <span class="badge badge--version">authentik 2022.9+</span>
## Importing users
:::info
Due to the way the Duo API works, authentik can only automatically import existing Duo users when a Duo MFA or higher license is active.
@ -20,7 +20,7 @@ To import a device, open the Stages list in the authentik Admin interface. On th
The Duo username can be found by navigating to your Duo Admin dashboard and selecting _Users_ in the sidebar. Optionally if you have multiple users with the same username, you can click on a User and copy their ID from the URL, and use that to import the device.
### Older versions <span class="badge badge--version">authentik 2021.9.1+</span>
### Older versions
You can call the `/api/v3/stages/authenticator/duo/{stage_uuid}/import_devices/` endpoint ([see here](https://goauthentik.io/api/#post-/stages/authenticator/duo/-stage_uuid-/import_devices/)) using the following parameters:
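Review bot: dropping the `authentik 2021.9.1+` badge leaves the heading `### Older versions` with no indication of which versions it refers to; the section exists because the API-based `import_devices` call predates the UI import. Either rename the heading (for example "Importing via the API") or state the applicable version range in the sentence that follows, otherwise readers on current releases cannot tell whether the section applies to them.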

View File

@ -1,11 +1,8 @@
---
title: Endpoint Authenticator Google Device Trust Connector Stage
---
<span class="badge badge--primary">Enterprise</span>
<span class="badge badge--preview">Preview</span>
<span class="badge badge--version">authentik 2024.10+</span>
authentik_version: "2024.10"
authentik_preview: true
authentik_enterprise: true
---
With this stage, authentik can validate users' Chrome browsers and ensure that users' devices are compliant and up-to-date.
@ -18,10 +15,11 @@ This stage only works with Google Chrome, as it relies on the [Chrome Verified A
The main steps to set up your Google workspace are as follows:
1. [Create your Google Cloud Project](#create-a-google-cloud-project)
2. [Create a service account](#create-a-service-account)
3. [Set credentials for the service account](#set-credentials-for-the-service-account)
4. [Define access and scope in the Admin Console](#set-credentials-for-the-service-account)
- [Configuration](#configuration)
- [Create a Google cloud project](#create-a-google-cloud-project)
- [Create a service account](#create-a-service-account)
- [Set credentials for the service account](#set-credentials-for-the-service-account)
- [Create the stage](#create-the-stage)
For detailed instructions, refer to Google documentation.
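Review bot: the rewritten list drops the former step 4, "Define access and scope in the Admin Console" (which previously linked to the wrong anchor, `#set-credentials-for-the-service-account`), and adds "Create the stage" under a new "Configuration" parent entry. If the Admin Console access/scope step is still described in the body, restore it with its own anchor; if it is not, reword the intro sentence "The main steps to set up your Google workspace are as follows", since "Create the stage" is an authentik-side step, not a Workspace one.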
@ -76,4 +74,4 @@ For detailed instructions, refer to Google documentation.
4. Click **Finish**.
After creating the stage, it can be used in any flow. Compared to other Authenticator stages, this stage does not require enrollment. Instead of adding an [Authenticator Validation Stage](../authenticator_validate/index.md), this stage only verifies the users' browser.
After creating the stage, it can be used in any flow. Compared to other Authenticator stages, this stage does not require enrollment. Instead of adding an [Authenticator Validation Stage](../authenticator_validate/index.mdx), this stage only verifies the users' browser.

View File

@ -46,9 +46,9 @@ return {
}
```
## Verify only <span class="badge badge--version">authentik 2022.6+</span>
## Verify only
To only verify the validity of a users' phone number, without saving it in an easily accessible way, you can enable this option. Phone numbers from devices enrolled through this stage will only have their hashed phone number saved. These devices can also not be used with the [Authenticator validation](../authenticator_validate/index.md) stage.
To only verify the validity of a users' phone number, without saving it in an easily accessible way, you can enable this option. Phone numbers from devices enrolled through this stage will only have their hashed phone number saved. These devices can also not be used with the [Authenticator validation](../authenticator_validate/index.mdx) stage.
## Limiting phone numbers

View File

@ -4,11 +4,11 @@ title: Authenticator validation stage
This stage validates an already configured Authenticator Device. This device has to be configured using any of the other authenticator stages:
- [Duo authenticator stage](../authenticator_duo/index.md)
- [SMS authenticator stage](../authenticator_sms/index.md)
- [Duo authenticator stage](../authenticator_duo/index.mdx)
- [SMS authenticator stage](../authenticator_sms/index.mdx)
- [Static authenticator stage](../authenticator_static/index.md)
- [TOTP authenticator stage](../authenticator_totp/index.md)
- [WebAuthn authenticator stage](../authenticator_webauthn/index.md)
- [WebAuthn authenticator stage](../authenticator_webauthn/index.mdx)
You can select which type of device classes are allowed.
@ -23,11 +23,11 @@ Keep in mind that when using Code-based devices (TOTP, Static and SMS), values l
### Options
#### Less-frequent validation <span class="badge badge--version">authentik 2022.5.1+</span>
#### Less-frequent validation
You can configure this stage to only ask for MFA validation if the user hasn't authenticated themselves within a defined time period. To configure this, set _Last validation threshold_ to any non-zero value. Any of the users devices within the selected classes are checked.
#### Passwordless authentication <span class="badge badge--version">authentik 2021.12.4+</span>
#### Passwordless authentication
:::caution
Firefox has some known issues regarding TouchID (see https://bugzilla.mozilla.org/show_bug.cgi?id=1536482)
@ -68,7 +68,7 @@ Logins which used Passwordless authentication have the _auth_method_ context var
}
```
#### WebAuthn Device type restrictions <span class="badge badge--version">authentik 2024.4+</span>
#### WebAuthn Device type restrictions:ak-version[2024.4]
Optionally restrict which WebAuthn device types can be used to authenticate.

View File

@ -12,13 +12,13 @@ Configure if authentik should require, prefer or discourage user verification fo
#### Resident key requirement
Configure if the created authenticator is stored in the encrypted memory on the device or in persistent memory. When configuring [passwordless login](../identification/index.md#passwordless-flow), this should be set to either _Preferred_ or _Required_, otherwise the authenticator cannot be used for passwordless authentication.
Configure if the created authenticator is stored in the encrypted memory on the device or in persistent memory. When configuring [passwordless login](../identification/index.mdx#passwordless-flow), this should be set to either _Preferred_ or _Required_, otherwise the authenticator cannot be used for passwordless authentication.
#### Authenticator Attachment
Configure if authentik will require either a removable device (like a YubiKey, Google Titan, etc) or a non-removable device (like Windows Hello, TouchID or password managers), or not send a requirement.
#### Device type restrictions <span class="badge badge--version">authentik 2024.4+</span>
#### Device type restrictions:ak-version[2024.4]
Optionally restrict the types of devices allowed to be enrolled. This option can be used to ensure users are only able to enroll FIPS-compliant devices for example.

View File

@ -30,13 +30,13 @@ To run a CAPTCHA process in the background while the user is entering their iden
These fields specify if and which flows are linked on the form. The enrollment flow is linked as `Need an account? Sign up.`, and the recovery flow is linked as `Forgot username or password?`.
## Pretend user exists <span class="badge badge--version">authentik 2024.2+</span>
## Pretend user exists:ak-version[2024.2]
When enabled, any user identifier will be accepted as valid (as long as they match the correct format, i.e. when [User fields](#user-fields) is set to only allow Emails, then the identifier still needs to be an Email). The stage will succeed and the flow will continue to the next stage. Stages like the [Password stage](../password/index.md) and [Email stage](../email/index.mdx) are aware of this "pretend" user and will behave the same as if the user would exist.
## Source settings
Some sources (like the [OAuth Source](../../../../users-sources/sources/protocols/oauth/index.md) and [SAML Source](../../../../users-sources/sources/protocols/saml/index.md)) require user interaction. To make these sources available to users, they can be selected in the Identification stage settings, which will show them below the selected [user field](#user-fields).
Some sources (like the [OAuth Source](../../../../users-sources/sources/protocols/oauth/index.mdx) and [SAML Source](../../../../users-sources/sources/protocols/saml/index.md)) require user interaction. To make these sources available to users, they can be selected in the Identification stage settings, which will show them below the selected [user field](#user-fields).
By default, sources are only shown with their icon, which can be changed with the _Show sources' labels_ option.
@ -50,7 +50,7 @@ Starting with authentik 2023.5, when no user fields are selected and only one so
### Passwordless flow
See [Passwordless authentication](../authenticator_validate/index.md#passwordless-authentication-authentik-2021124).
See [Passwordless authentication](../authenticator_validate/index.mdx#passwordless-authentication).
### Enrollment flow

View File

@ -6,7 +6,7 @@ This is a generic password prompt which authenticates the current `pending_user`
## Passwordless login
There are two different ways to configure passwordless authentication; you can follow the instructions [here](../authenticator_validate/index.md#passwordless-authentication-authentik-2021124) to allow users to directly authenticate with their authenticator (only supported for WebAuthn devices), or dynamically skip the password stage depending on the users device, which is documented here.
There are two different ways to configure passwordless authentication; you can follow the instructions [here](../authenticator_validate/index.mdx#passwordless-authentication) to allow users to directly authenticate with their authenticator (only supported for WebAuthn devices), or dynamically skip the password stage depending on the users device, which is documented here.
Depending on what kind of device you want to require the user to have:

View File

@ -1,9 +1,6 @@
---
title: Redirect stage
---
<span class="badge badge--version">authentik 2024.12+</span>
authentik_version: "2024.12"
---
This stage's main purpose is to redirect the user to a new Flow while keeping flow context. For convenience, it can also redirect the user to a static URL.
@ -16,6 +13,6 @@ When the user reaches this stage, they are redirected to a static URL.
### Flow mode
When the user reaches this stage, they are redirected to a specified flow, retaining all [flow context](../../flow/context).
When the user reaches this stage, they are redirected to a specified flow, retaining all [flow context](../../flow/context/index.mdx).
Optionally, untoggle the "Keep flow context" switch. If this is untoggled, all flow context is cleared with the exception of the [is_redirected](../../flow/context#is_redirected-flow-object-authentik-202412) key.
Optionally, untoggle the "Keep flow context" switch. If this is untoggled, all flow context is cleared with the exception of the [is_redirected](../../flow/context#is_redirected-flow-object) key.
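Review bot: the two links in this hunk end up inconsistent: the first is updated to `../../flow/context/index.mdx`, while the second still uses the directory form `../../flow/context#is_redirected-flow-object`. Use the same path style for both. The new `#is_redirected-flow-object` anchor also assumes the `:ak-version[2024.12]` directive now embedded in the target heading contributes nothing to the generated slug; verify the link resolves in a build, or give that heading an explicit id.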

View File

@ -1,13 +1,10 @@
---
title: Source stage
authentik_version: "2024.4"
authentik_enterprise: true
---
<span class="badge badge--primary">Enterprise</span>
<span class="badge badge--version">authentik 2024.4+</span>
---
The source stage injects an [OAuth](../../../../users-sources/sources/protocols/oauth/index.md) or [SAML](../../../../users-sources/sources/protocols/saml/index.md) Source into the flow execution. This allows for additional user verification, or to dynamically access different sources for different user identifiers (username, email address, etc).
The source stage injects an [OAuth](../../../../users-sources/sources/protocols/oauth/index.mdx) or [SAML](../../../../users-sources/sources/protocols/saml/index.md) Source into the flow execution. This allows for additional user verification, or to dynamically access different sources for different user identifiers (username, email address, etc).
```mermaid
sequenceDiagram
@ -44,13 +41,13 @@ This stage can be used to leverage an external OAuth/SAML identity provider.
For example, you can authenticate users by routing them through a custom device-health solution.
Another use case is to route users to authenticate with your legacy (Okta, etc) IdP and then use the returned identity and attributes within authentik as part of an authorization flow, for example as part of an IdP migration. For authentication/enrollment this is also possible with an [OAuth](../../../../users-sources/sources/protocols/oauth/index.md)/[SAML](../../../../users-sources/sources/protocols/saml/index.md) source by itself.
Another use case is to route users to authenticate with your legacy (Okta, etc) IdP and then use the returned identity and attributes within authentik as part of an authorization flow, for example as part of an IdP migration. For authentication/enrollment this is also possible with an [OAuth](../../../../users-sources/sources/protocols/oauth/index.mdx)/[SAML](../../../../users-sources/sources/protocols/saml/index.md) source by itself.
### Options
#### Source
The source the user is redirected to. Must be a web-based source, such as [OAuth](../../../../users-sources/sources/protocols/oauth/index.md) or [SAML](../../../../users-sources/sources/protocols/saml/index.md). Sources like [LDAP](../../../../users-sources/sources/protocols/ldap/index.md) are _not_ compatible.
The source the user is redirected to. Must be a web-based source, such as [OAuth](../../../../users-sources/sources/protocols/oauth/index.mdx) or [SAML](../../../../users-sources/sources/protocols/saml/index.md). Sources like [LDAP](../../../../users-sources/sources/protocols/ldap/index.md) are _not_ compatible.
#### Resume timeout

View File

@ -1,9 +1,6 @@
---
title: Add an Entra ID provider
---
<span class="badge badge--primary">Enterprise</span>
authentik_enterprise: true
---
For more information about using an Entra ID provider, see the [Overview](./index.md) documentation.
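Review bot: with the `<span class="badge badge--primary">Enterprise</span>` spans removed, the Enterprise marker on this page and the five Entra ID / Google Workspace pages that follow exists only as `authentik_enterprise: true` in frontmatter, which depends on the docs page component reading that key. Confirm the component change is part of this commit (only the docs side is visible here), and document the three keys (`authentik_version`, `authentik_preview`, `authentik_enterprise`) for contributors, since the inline badges they replace were self-explanatory.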

View File

@ -1,9 +1,6 @@
---
title: Microsoft Entra ID provider
---
<span class="badge badge--primary">Enterprise</span>
authentik_enterprise: true
---
With the Microsoft Entra ID provider, authentik serves as the single source of truth for all users and groups. Configuring Entra ID as a provider allows for auto-discovery of user and group accounts, on-going synchronization of user data such as email address, name, and status, and integrated data mapping of field names and values.

View File

@ -1,9 +1,6 @@
---
title: Configure Entra ID
---
<span class="badge badge--primary">Enterprise</span>
authentik_enterprise: true
---
The configuration of your Microsoft Entra ID environment must be completed before you [add the new provider](./add-entra-provider.md) in authentik.

View File

@ -1,9 +1,6 @@
---
title: Create a Google Workspace provider
---
<span class="badge badge--primary">Enterprise</span>
authentik_enterprise: true
---
For more information about using a Google Workspace provider, see the [Overview](./index.md) documentation.

View File

@ -1,9 +1,6 @@
---
title: Google Workspace provider
---
<span class="badge badge--primary">Enterprise</span>
authentik_enterprise: true
---
With the Google Workspace provider, authentik serves as the single source of truth for all users and groups, when using Google products like Gmail.

View File

@ -1,9 +1,6 @@
---
title: Configure Google Workspace
---
<span class="badge badge--primary">Enterprise</span>
authentik_enterprise: true
---
The configuration and set up of your Google Workspace must be completed before you [add the new provider](./add-gws-provider.md) in authentik.

View File

@ -9,9 +9,9 @@ A Provider is an authentication method, a service that is used by authentik to a
Providers are the "other half" of [applications](../applications/index.md). They typically exist in a 1-to-1 relationship; each application needs a provider and every provider can be used with one application.
Applications can use additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](../applications/manage_apps.md#backchannel-providers).
Applications can use additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](../applications/manage_apps.mdx#backchannel-providers).
You can create a new provider in the Admin interface, or you can use the [Application wizard](../applications/manage_apps.md#instructions) to create a new application and its provider at the same time.
You can create a new provider in the Admin interface, or you can use the [Application wizard](../applications/manage_apps.mdx#instructions) to create a new application and its provider at the same time.
When you create certain types of providers, you need to select specific [flows](../flows-stages/flow/index.md) to apply to users who access authentik via the provider. To learn more, refer to our [default flow documentation](../flows-stages/flow/examples/default_flows.md).

View File

@ -78,9 +78,9 @@ All bind modes rely on flows.
The following stages are supported:
- [Identification](../../flows-stages/stages/identification/index.md)
- [Identification](../../flows-stages/stages/identification/index.mdx)
- [Password](../../flows-stages/stages/password/index.md)
- [Authenticator validation](../../flows-stages/stages/authenticator_validate/index.md)
- [Authenticator validation](../../flows-stages/stages/authenticator_validate/index.mdx)
Note: Authenticator validation currently only supports DUO, TOTP and static authenticators.

View File

@ -30,7 +30,7 @@ In addition to that, with authentik 2024.4 it is also possible to pass the confi
### JWT-authentication
#### Externally issued JWTs <span class="badge badge--version">authentik 2022.4+</span>
#### Externally issued JWTs
You can authenticate and get a token using an existing JWT. For readability we will refer to the JWT issued by the external issuer/platform as input JWT, and the resulting JWT from authentik as the output JWT.
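Review bot: the version-marker policy is applied unevenly in this file: the `authentik 2022.4+` badge on "Externally issued JWTs" is removed outright here, while the 2024.12 marker in the next hunk is kept as `:ak-version[2024.12]`. If the rule is to drop markers for releases older than some cutoff, state that cutoff in the commit message or the docs style guide so later edits follow the same rule instead of guessing.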
@ -59,7 +59,7 @@ To dynamically limit access based on the claims of the tokens, you can use _[Exp
return request.context["oauth_jwt"]["iss"] == "https://my.issuer"
```
#### authentik-issued JWTs <span class="badge badge--version">authentik 2024.12+</span>
#### authentik-issued JWTs:ak-version[2024.12]
To allow federation between providers, modify the provider settings of the application (whose token will be used for authentication) to select the provider of the application to which you want to federate.
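Review bot: `:ak-version[2024.12]` is appended to the heading text with no separating space; confirm that the generated heading slug is exactly `authentik-issued-jwts`, because the 2024.12 release-notes hunk in this same commit now links to `client_credentials.mdx#authentik-issued-jwts`. If the directive's content ends up in the slug, that link breaks without any build error.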

View File

@ -112,7 +112,7 @@ The Hybrid Flow is an OpenID Connect flow that incorporates traits of both the I
The client credentials flow and grant types are typically implemented for server-to-server scenarios, when code in a web application invokes a web API.
For more information, see [Machine-to-machine authentication](./client_credentials.md).
For more information, see [Machine-to-machine authentication](./client_credentials.mdx).
### 3. Device code
@ -176,6 +176,6 @@ When a _Signing Key_ is selected in the provider, the JWT will be signed asymmet
When no _Signing Key_ is selected, the JWT will be signed symmetrically with the _Client secret_ of the provider, which can be seen in the provider settings.
### Encryption <span class="badge badge--version">authentik 2024.10+</span>
### Encryption:ak-version[2024.10]
authentik can also encrypt JWTs (turning them into JWEs) it issues by selecting an _Encryption Key_ in the provider. When selected, all JWTs will be encrypted symmetrically using the selected certificate. authentik uses the `RSA-OAEP-256` algorithm with the `A256CBC-HS512` encryption method.

View File

@ -6,7 +6,7 @@ The property mapping should return a value that is expected by the provider. Sup
## Available Functions
import Functions from "../../../expressions/_functions.md";
import Functions from "../../../expressions/_functions.mdx";
<Functions />

View File

@ -1,6 +1,6 @@
Use the following configuration:
```
```apacheconf
app.company {
# directive execution order is only as stated if enclosed with route.
route {
@ -26,7 +26,7 @@ app.company {
If you're trying to proxy to an upstream over HTTPS, you need to set the `Host` header to the value they expect for it to work correctly.
```
```conf
reverse_proxy /outpost.goauthentik.io/* https://outpost.company {
header_up Host {http.reverse_proxy.upstream.hostport}
}
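Review bot: style: the two Caddyfile snippets in this file now get different fence languages, `apacheconf` in the first hunk and `conf` here. Both blocks are Caddyfile syntax, so use one tag for both (whichever highlights the directives acceptably) so the page renders consistently.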

View File

@ -1,4 +1,4 @@
```
```nginx
# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik

View File

@ -1,4 +1,4 @@
```
```nginx
# Upgrade WebSocket if requested, otherwise use keepalive
map $http_upgrade $connection_upgrade_keepalive {
default upgrade;

View File

@ -25,9 +25,9 @@ By default, when _Intercept header authentication_ is enabled, authentik will in
If the proxied application requires usage of the "Authorization" header, the setting should be disabled. When this setting is disabled, authentik will still attempt to interpret the "Authorization" header, and fall back to the default behaviour if it can't.
### Receiving HTTP Basic authentication <span class="badge badge--version">authentik 2023.1+</span>
### Receiving HTTP Basic authentication
Proxy providers can receive HTTP basic authentication credentials. The password is expected to be an _App password_, as the credentials are used internally with the [OAuth2 machine-to-machine authentication flow](../oauth2/client_credentials.md).
Proxy providers can receive HTTP basic authentication credentials. The password is expected to be an _App password_, as the credentials are used internally with the [OAuth2 machine-to-machine authentication flow](../oauth2/client_credentials.mdx).
Access control is done with the policies bound to the application being accessed.
@ -39,9 +39,9 @@ It is **strongly** recommended that the client sending requests with HTTP-Basic
Starting with authentik 2023.2, logging in with the reserved username `goauthentik.io/token` will behave as if a bearer token was used. All the same options as below apply. This is to allow token-based authentication for applications which might only support basic authentication.
### Receiving HTTP Bearer authentication <span class="badge badge--version">authentik 2023.1+</span>
### Receiving HTTP Bearer authentication
Proxy providers can receive HTTP bearer authentication credentials. The token is expected to be a JWT token issued for the proxy provider. This is described [here](../oauth2/client_credentials.md), using the _client_id_ value shown in the admin interface. Both static and JWT authentication methods are supported.
Proxy providers can receive HTTP bearer authentication credentials. The token is expected to be a JWT token issued for the proxy provider. This is described [here](../oauth2/client_credentials.mdx), using the _client_id_ value shown in the admin interface. Both static and JWT authentication methods are supported.
Access control is done with the policies bound to the application being accessed.
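Review bot: the `authentik 2023.1+` badges are dropped from both "Receiving HTTP Basic authentication" and "Receiving HTTP Bearer authentication", but the unchanged sentence "Starting with authentik 2023.2, logging in with the reserved username `goauthentik.io/token` ..." keeps an inline version reference. If version markers below the cutoff are being removed, that sentence should be reworded too; otherwise the page mixes two conventions.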

View File

@ -1,17 +1,14 @@
---
title: Caddy
hide_title: true
---
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
# Caddy <span class="badge badge--version">authentik 2022.8+</span>
import Placeholders from "./__placeholders.md";
import CaddyStandalone from "./_caddy_standalone.md";
The configuration template shown below apply to both single-application and domain-level forward auth.
import Placeholders from "./__placeholders.md";
<Placeholders />
<Tabs
@ -21,8 +18,6 @@ import Placeholders from "./__placeholders.md";
]}>
<TabItem value="caddy-standalone">
import CaddyStandalone from "./_caddy_standalone.md";
<CaddyStandalone />
</TabItem>

View File

@ -1,12 +1,13 @@
---
title: Envoy
hide_title: true
---
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
import Placeholders from "./__placeholders.md";
import EnvoyIstio from "./_envoy_istio.md";
# Envoy <span class="badge badge--version">authentik 2022.6+</span>
# Envoy
The configuration template shown below apply to both single-application and domain-level forward auth.
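Review bot: this page is handled differently from the Caddy page in the same commit: there `hide_title: true` and the `# Caddy ...` H1 are both removed so the title is rendered from frontmatter, while here `hide_title: true` stays and the `# Envoy` H1 is kept with only the badge stripped. Either works, but pick one convention for the forward-auth pages. Drive-by on the unchanged line: "The configuration template shown below apply to both ..." should read "applies".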
@ -14,20 +15,18 @@ The configuration template shown below apply to both single-application and doma
If you are using Istio and Kubernetes, use the port number that is exposed for your cluster.
:::
import Placeholders from "./__placeholders.md";
<Placeholders />
<Tabs
defaultValue="envoy-istio"
values={[
{label: 'Envoy (Istio)', value: 'envoy-istio'},
]}>
<TabItem value="envoy-istio">
import EnvoyIstio from "./_envoy_istio.md";
<EnvoyIstio />
</TabItem>
defaultValue="envoy-istio"
values={[
{
label: "Envoy (Istio)",
value: "envoy-istio",
},
]}
>
<TabItem value="envoy-istio">
<EnvoyIstio />
</TabItem>
</Tabs>

View File

@ -26,7 +26,7 @@ The first step is to create the RAC app and provider.
2. In the Admin interface, navigate to **Applications -> Applications**.
3. Click **Create with Wizard**. Follow the [instructions](../../applications/manage_apps.md#instructions) to create your RAC application and provider.
3. Click **Create with Wizard**. Follow the [instructions](../../applications/manage_apps.mdx#instructions) to create your RAC application and provider.
### Step 2. Create RAC property mapping

View File

@ -1,9 +1,6 @@
---
title: Remote Access Control (RAC) Provider
---
<span class="badge badge--primary">Enterprise</span>
authentik_enterprise: true
---
:::info

View File

@ -18,9 +18,9 @@ Authentication requests against the Radius Server use a flow in the background.
The following stages are supported:
- [Identification](../../flows-stages/stages/identification/index.md)
- [Identification](../../flows-stages/stages/identification/index.mdx)
- [Password](../../flows-stages/stages/password/index.md)
- [Authenticator validation](../../flows-stages/stages/authenticator_validate/index.md)
- [Authenticator validation](../../flows-stages/stages/authenticator_validate/index.mdx)
Note: Authenticator validation currently only supports DUO, TOTP, and static authenticators.

View File

@ -2,7 +2,7 @@
title: Export
---
## Global export <span class="badge badge--version">authentik 2022.8.2+</span>
## Global export
To migrate existing configurations to blueprints, run `ak export_blueprint` within any authentik Worker container. This will output a blueprint for most currently created objects. Some objects will not be exported as they might have dependencies on other things.

View File

@ -2,10 +2,6 @@
title: Blueprints
---
<span class="badge badge--version">authentik 2022.8+</span>
---
Blueprints offer a new way to template, automate and distribute authentik configuration. Blueprints can be used to automatically configure instances, manage config as code without any external tools, and to distribute application configs.
## Types
@ -58,7 +54,7 @@ To push a blueprint to an OCI-compatible registry, [ORAS](https://oras.land/) ca
oras push ghcr.io/<username>/blueprint/<blueprint name>:latest <yaml file>:application/vnd.goauthentik.blueprint.v1+yaml
```
## Storage - Internal <span class="badge badge--version">authentik 2023.1+</span>
## Storage - Internal
Blueprints can be stored in authentik's database, which allows blueprints to be managed via external configuration management tools like Terraform.

View File

@ -4,7 +4,7 @@ Some models behave differently and allow for access to different API fields when
## `authentik_core.token`
### `key` <span class="badge badge--version">authentik 2023.4+</span>
### `key`
Via the standard API, a token's key cannot be changed, it can only be rotated. This is to ensure a high entropy in it's key, and to prevent insecure data from being used. However, when provisioning tokens via a blueprint, it may be required to set a token to an existing value.
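Review bot: drive-by on the unchanged context line: "to ensure a high entropy in it's key" should be "its key".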
@ -26,7 +26,7 @@ For example:
## `authentik_core.user`
### `password` <span class="badge badge--version">authentik 2023.6+</span>
### `password`
Via the standard API, a user's password can only be set via the separate `/api/v3/core/users/<id>/set_password/` endpoint. In blueprints, the password of a user can be set using the `password` field.
@ -45,7 +45,7 @@ For example:
password: this-should-be-a-long-value
```
### `permissions` <span class="badge badge--version">authentik 2024.8+</span>
### `permissions`:ak-version[2024.8]
The `permissions` field can be used to set global permissions for a user. A full list of possible permissions is included in the JSON schema for blueprints.
@ -63,7 +63,7 @@ For example:
## `authentik_core.application`
### `icon` <span class="badge badge--version">authentik 2023.5+</span>
### `icon`
Application icons can be directly set to URLs with the `icon` field.
@ -81,7 +81,7 @@ For example:
## `authentik_sources_oauth.oauthsource`, `authentik_sources_saml.samlsource`, `authentik_sources_plex.plexsource`
### `icon` <span class="badge badge--version">authentik 2023.5+</span>
### `icon`
Source icons can be directly set to URLs with the `icon` field.
@ -99,7 +99,7 @@ For example:
## `authentik_flows.flow`
### `icon` <span class="badge badge--version">authentik 2023.5+</span>
### `icon`
Flow backgrounds can be directly set to URLs with the `background` field.
@ -119,7 +119,7 @@ For example:
## `authentik_rbac.role`
### `permissions` <span class="badge badge--version">authentik 2024.8+</span>
### `permissions`:ak-version[2024.8]
The `permissions` field can be used to set global permissions for a role. A full list of possible permissions is included in the JSON schema for blueprints.
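Review bot: in `### `permissions`:ak-version[2024.8]` (both under `authentik_core.user` and here under `authentik_rbac.role`) the directive follows the closing backtick with no space; check that MDX still parses it as a text directive in that position rather than emitting the literal `:ak-version[2024.8]`, and that the two `permissions` headings still get distinct, stable slugs for any cross-references.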

View File

@ -4,7 +4,7 @@ To use the custom tags with your preferred editor, you must make the editor awar
For VS Code, for example, add these entries to your `settings.json`:
```
```json
{
"yaml.customTags": [
"!Condition sequence",
@ -301,7 +301,7 @@ The above example will resolve to something like this:
- "bar: (index: 2, letter: r)"
```
#### `!AtIndex` <span class="badge badge--version">authentik 2024.12+</span>
#### `!AtIndex`:ak-version[2024.12]
Minimal example:

View File

@ -42,7 +42,7 @@ ak_message("Access denied")
return False
```
import Functions from "../../expressions/_functions.md";
import Functions from "../../expressions/_functions.mdx";
<Functions />
@ -119,7 +119,7 @@ This includes the following:
- `context['prompt_data']`: Data which has been saved from a prompt stage or an external source. (Optional)
- `context['application']`: The application the user is in the process of authorizing. (Optional)
- `context['source']`: The source the user is authenticating/enrolling with. (Optional)
- `context['pending_user']`: The currently pending user, see [User](../../users-sources/user/user_ref.md)
- `context['pending_user']`: The currently pending user, see [User](../../users-sources/user/user_ref.mdx)
- `context['is_restored']`: Contains the flow token when the flow plan was restored from a link, for example the user clicked a link to a flow which was sent by an email stage. (Optional)
- `context['auth_method']`: Authentication method (this value is set by password stages) (Optional)

View File

@ -2,7 +2,7 @@
title: Managing flow context keys
---
[Flow context](../../../add-secure-apps/flows-stages/flow/context/index.md) can be managed in [Expression policies](../expression.mdx) via the `context['flow_plan'].context` variable.
[Flow context](../../../add-secure-apps/flows-stages/flow/context/index.mdx) can be managed in [Expression policies](../expression.mdx) via the `context['flow_plan'].context` variable.
Here's an example of setting a key in an Expression policy:

View File

@ -8,7 +8,7 @@ authentik provides several [standard policy types](./index.md#standard-policies)
We also document how to use a policy to [whitelist email domains](./expression/whitelist_email.md) and to [ensure unique email addresses](./expression/unique_email.md).
To learn more see also [bindings](../../add-secure-apps/flows-stages/bindings/index.md) and how to use the [authentik Wizard to bind policy bindings to the new application](../../add-secure-apps/applications/manage_apps.md#add-new-applications) (for example, to configure application-specific access).
To learn more see also [bindings](../../add-secure-apps/flows-stages/bindings/index.md) and how to use the [authentik Wizard to bind policy bindings to the new application](../../add-secure-apps/applications/manage_apps.mdx#add-new-applications) (for example, to configure application-specific access).
## Create a policy

View File

@ -15,7 +15,7 @@ If this is a fresh install, refer to our [technical documentation](../install-co
## Access Enterprise
Access your Enterprise features by first [purchasing a license](./manage-enterprise.md#buy-a-license) for the organization.
Access your Enterprise features by first [purchasing a license](./manage-enterprise.mdx#buy-a-license) for the organization.
To open the Customer Portal and buy a license, go to the Admin interface and in the left pane, navigate to **Enterprise -> Licenses**, and then click **Go to Customer Portal**.

View File

@ -7,7 +7,7 @@ The Enterprise release of authentik provides all of the functionality that we ha
Refer to our Enterprise documentation for information about creating and managing your organization, purchasing and activating a license, support, and managing billing and organization members.
- [Get started with Enterprise](./get-started.md)
- [Manage your Enterprise account](./manage-enterprise.md)
- [Manage your Enterprise account](./manage-enterprise.mdx)
- [Support for Enterprise accounts](./entsupport.md)
Our standard technical documentation covers how to configure, customize, and use authentik, whether the open source version that we have built our reputation on or our Enterprise version with dedicated support.

View File

@ -109,7 +109,7 @@ The following events occur when a license expires or the internal/external user
- Users can authenticate and authorize applications
- Licenses can be modified
- Users can be modified/deleted <span class="badge badge--version">authentik 2024.10.5+</span>
- Users can be modified/deleted:ak-version[2024.10.5]
After the violation is corrected (either the user count returns to be within the limits of the license or the license is renewed), authentik will return to the standard read-write mode and the notification will disappear.

View File

@ -29,7 +29,7 @@ user = list_flatten(["foo"])
# user = "foo"
```
### `ak_call_policy(name: str, **kwargs) -> PolicyResult` <span class="badge badge--version">authentik 2021.12+</span>
### `ak_call_policy(name: str, **kwargs) -> PolicyResult`
Call another policy with the name _name_. Current request is passed to policy. Key-word arguments
can be used to modify the request's context.
@ -70,7 +70,7 @@ Example:
other_user = ak_user_by(username="other_user")
```
### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool` <span class="badge badge--version">authentik 2022.9+</span>
### `ak_user_has_authenticator(user: User, device_type: Optional[str] = None) -> bool`
Check if a user has any authenticator devices. Only fully validated devices are counted.
@ -87,7 +87,7 @@ Example:
return ak_user_has_authenticator(request.user)
```
### `ak_create_event(action: str, **kwargs) -> None` <span class="badge badge--version">authentik 2022.9+</span>
### `ak_create_event(action: str, **kwargs) -> None`
Create a new event with the action set to `action`. Any additional key-word parameters will be saved in the event context. Additionally, `context` will be set to the context in which this function is called.
@ -101,7 +101,7 @@ Example:
ak_create_event("my_custom_event", foo=request.user)
```
### `ak_create_jwt(user: User, provider: OAuth2Provider | str, scopes: list[str], validity = "seconds=60") -> str | None` <span class="badge badge--version">authentik 2025.2+</span>
### `ak_create_jwt(user: User, provider: OAuth2Provider | str, scopes: list[str], validity = "seconds=60") -> str | None`:ak-version[2025.2]
Create a new JWT signed by the given `provider` for `user`.
@ -136,7 +136,7 @@ ip_address('192.0.2.1') in ip_network('192.0.2.0/24')
# evaluates to True
```
## DNS resolution and reverse DNS lookups <span class="badge badge--version">authentik 2023.3+</span>
## DNS resolution and reverse DNS lookups
To resolve a hostname to a list of IP addresses, use the functions `resolve_dns(hostname)` and `resolve_dns(hostname, ip_version)`.

View File

@ -1,4 +1,4 @@
- `user`: The current user. This may be `None` if there is no contextual user. See [User](../users-sources/user/user_ref.md#object-properties).
- `user`: The current user. This may be `None` if there is no contextual user. See [User](../users-sources/user/user_ref.mdx#object-properties).
Example:

View File

@ -8,30 +8,30 @@ To install authentik automatically (skipping the Out-of-box experience), you can
Configure the default password for the `akadmin` user. Only read on the first startup. Can be used for any flow executor.
### `AUTHENTIK_BOOTSTRAP_TOKEN` <span class="badge badge--version">authentik 2021.8+</span>
### `AUTHENTIK_BOOTSTRAP_TOKEN`
Create a token for the default `akadmin` user. Only read on the first startup. The string you specify for this variable is the token key you can use to authenticate yourself to the API.
### `AUTHENTIK_BOOTSTRAP_EMAIL` <span class="badge badge--version">authentik 2023.3+</span>
### `AUTHENTIK_BOOTSTRAP_EMAIL`
Set the email address for the default `akadmin` user.
## Kubernetes
In the Helm values, set the `akadmin`user password and token:
In the Helm values, set the `akadmin` user password and token:
```text
```yaml
authentik:
bootstrap_token: test
bootstrap_password: test
bootstrap_token: test
bootstrap_password: test
```
To store the password and token in a secret, use:
```text
```yaml
envFrom:
- secretRef:
name: _some-secret_
- secretRef:
name: _some-secret_
```
where _some-secret_ contains the environment variables as in the documentation above.
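Review bot: now that the fence is tagged `yaml`, `name: _some-secret_` is a literal value inside a code block, not an italicised placeholder as the prose below intends, and underscores are not valid in a Kubernetes Secret name. Replace it with an obvious placeholder such as `name: <secret-name>` and adjust the following sentence to match. The example values `bootstrap_token: test` / `bootstrap_password: test` are also the kind of thing that gets copied verbatim; a placeholder there would be safer than a real-looking value.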

View File

@ -82,7 +82,7 @@ To check if your config has been applied correctly, you can run the following co
The PostgreSQL settings `HOST`, `PORT`, `USER`, and `PASSWORD` support hot-reloading. Adding and removing read replicas doesn't support hot-reloading.
- `AUTHENTIK_POSTGRESQL__DEFAULT_SCHEMA` <span class="badge badge--version">authentik 2024.12+</span>
- `AUTHENTIK_POSTGRESQL__DEFAULT_SCHEMA`:ak-version[2024.12]
The name of the schema used by default in the database. Defaults to `public`.
@ -151,7 +151,7 @@ Additionally, you can set `AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECK` to perform h
- `AUTHENTIK_CACHE__TIMEOUT_REPUTATION`: Timeout for cached reputation until they expire in seconds, defaults to 300
:::info
`AUTHENTIK_CACHE__TIMEOUT_REPUTATION` only applies to the cache expiry, see [`AUTHENTIK_REPUTATION__EXPIRY`](#authentik_reputation__expiry-authentik-202382) to control how long reputation is persisted for.
`AUTHENTIK_CACHE__TIMEOUT_REPUTATION` only applies to the cache expiry, see [`AUTHENTIK_REPUTATION__EXPIRY`](#authentik_reputation__expiry) to control how long reputation is persisted for.
:::
## Channel Layer Settings (inter-instance communication)
@ -164,7 +164,7 @@ Additionally, you can set `AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECK` to perform h
- `AUTHENTIK_BROKER__TRANSPORT_OPTIONS`: Base64-encoded broker transport options
:::info
`AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION` only applies to the cache expiry, see [`AUTHENTIK_REPUTATION__EXPIRY`](#authentik_reputation__expiry-authentik-202382) to control how long reputation is persisted for.
`AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION` only applies to the cache expiry, see [`AUTHENTIK_REPUTATION__EXPIRY`](#authentik_reputation__expiry) to control how long reputation is persisted for.
:::
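Review bot: the two `:::info` admonitions updated in this file are near-duplicates but name different variables: the one under the cache settings refers to `AUTHENTIK_CACHE__TIMEOUT_REPUTATION`, while this one under the channel-layer settings refers to `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`. Since both anchors are being touched anyway, confirm the second name is still the documented one and not a leftover from before the cache settings were renamed, and consider keeping only one of the two boxes.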
## Listen Settings
@ -327,47 +327,47 @@ Disable the inbuilt update-checker. Defaults to `false`.
- Kubeconfig
- Existence of a docker socket
### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS` <span class="badge badge--version">authentik 2023.1+</span>
### `AUTHENTIK_LDAP__TASK_TIMEOUT_HOURS`
Timeout in hours for LDAP synchronization tasks.
Defaults to `2`.
### `AUTHENTIK_LDAP__PAGE_SIZE` <span class="badge badge--version">authentik 2023.6.1+</span>
### `AUTHENTIK_LDAP__PAGE_SIZE`
Page size for LDAP synchronization. Controls the number of objects created in a single task.
Defaults to `50`.
### `AUTHENTIK_LDAP__TLS__CIPHERS` <span class="badge badge--version">authentik 2022.7+</span>
### `AUTHENTIK_LDAP__TLS__CIPHERS`
Allows configuration of TLS Cliphers for LDAP connections used by LDAP sources. Setting applies to all sources.
Defaults to `null`.
### `AUTHENTIK_REPUTATION__EXPIRY` <span class="badge badge--version">authentik 2023.8.2+</span>
### `AUTHENTIK_REPUTATION__EXPIRY`
Configure how long reputation scores should be saved for in seconds. Note that this is different than [`AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION`](#redis-settings), as reputation is saved to the database every 5 minutes.
Defaults to `86400`.
### `AUTHENTIK_SESSION_STORAGE` <span class="badge badge--version">authentik 2024.4+</span>
### `AUTHENTIK_SESSION_STORAGE`:ak-version[2024.4]
Configure if the sessions are stored in the cache or the database. Defaults to `cache`. Allowed values are `cache` and `db`. Note that changing this value will invalidate all previous sessions.
### `AUTHENTIK_WEB__WORKERS` <span class="badge badge--version">authentik 2022.9+</span>
### `AUTHENTIK_WEB__WORKERS`
Configure how many gunicorn worker processes should be started (see https://docs.gunicorn.org/en/stable/design.html).
Defaults to 2. A value below 2 workers is not recommended. In environments where scaling with multiple replicas of the authentik server is not possible, this number can be increased to handle higher loads.
### `AUTHENTIK_WEB__THREADS` <span class="badge badge--version">authentik 2022.9+</span>
### `AUTHENTIK_WEB__THREADS`
Configure how many gunicorn threads a worker processes should have (see https://docs.gunicorn.org/en/stable/design.html).
Defaults to 4.
### `AUTHENTIK_WORKER__CONCURRENCY` <span class="badge badge--version">authentik 2023.9+</span>
### `AUTHENTIK_WORKER__CONCURRENCY`
Configure Celery worker concurrency for authentik worker (see https://docs.celeryq.dev/en/latest/userguide/configuration.html#worker-concurrency). This essentially defines the number of worker processes spawned for a single worker.
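Review bot: two drive-bys on unchanged lines in this hunk: "Allows configuration of TLS Cliphers" should be "Ciphers", and the `AUTHENTIK_REPUTATION__EXPIRY` paragraph links `AUTHENTIK_REDIS__CACHE_TIMEOUT_REPUTATION` to `#redis-settings`; with the reputation timeout documented under the cache settings as `AUTHENTIK_CACHE__TIMEOUT_REPUTATION`, check that the `#redis-settings` anchor still exists and points at the right section.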
@ -383,7 +383,7 @@ Configure the path under which authentik is serverd. For example to access authe
Defaults to `/`.
## System settings <span class="badge badge--version">authentik 2024.2+</span>
## System settings:ak-version[2024.2]
Additional settings are configurable using the Admin interface, under **System** -> **Settings** or using the API.

View File

@ -4,7 +4,7 @@ title: Installation and Configuration
Everything you need to get authentik up and running!
The installation process for our free open source version and our [Enterprise](../enterprise/index.md) version are exactly the same. For information about obtaining an Enterprise license, refer to [License management](../enterprise/manage-enterprise.md#license-management) documentation.
The installation process for our free open source version and our [Enterprise](../enterprise/index.md) version are exactly the same. For information about obtaining an Enterprise license, refer to [License management](../enterprise/manage-enterprise.mdx#license-management) documentation.
For information about upgrading to a new version, refer to the <b>Upgrade</b> section in the relevant [Release Notes](../releases) and to our [Upgrade authentik](./upgrade.mdx) documentation.

View File

@ -11,7 +11,7 @@ User settings are now configured using flows and stages, allowing administrators
### `client_credentials` support
authentik now supports the OAuth `client_credentials` grant for machine-to-machine authentication. See [OAuth2 Provider](../../add-secure-apps/providers/oauth2/index.md)
authentik now supports the OAuth `client_credentials` grant for machine-to-machine authentication. See [OAuth2 Provider](../../add-secure-apps/providers/oauth2/index.mdx)
## Deprecations

View File

@ -24,7 +24,7 @@ slug: "/releases/2022.5"
- OAuth2: Add support for `form_post` response mode
- Don't prompt users for MFA when they've authenticated themselves within a time period
You can now configure any [Authenticator Validation Stage](../../add-secure-apps/flows-stages/stages/authenticator_validate/index.md) stage to not ask for MFA validation if the user has previously authenticated themselves with an MFA device (of any of the selected classes) in the `Last validation threshold`.
You can now configure any [Authenticator Validation Stage](../../add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx) stage to not ask for MFA validation if the user has previously authenticated themselves with an MFA device (of any of the selected classes) in the `Last validation threshold`.
- Optimise bundling of web assets

View File

@ -13,7 +13,7 @@ slug: "/releases/2022.8"
- Blueprints
Blueprints allow for the configuration, automation and templating of authentik objects and configurations. They can be used to bootstrap new instances, configure them automatically without external tools, and to template configurations for sharing. See more [here](../../customize/blueprints/index.md).
Blueprints allow for the configuration, automation and templating of authentik objects and configurations. They can be used to bootstrap new instances, configure them automatically without external tools, and to template configurations for sharing. See more [here](../../customize/blueprints/index.mdx).
For installations upgrading to 2022.8, if a single flow exists, then the default blueprints will not be activated, to not overwrite user modifications.

View File

@ -5,7 +5,7 @@ slug: "/releases/2022.9"
## Breaking changes
- `WORKERS` environment variable has been renamed to match other config options, see [Configuration](../../install-config/configuration/configuration.mdx#authentik_web__workers-authentik-20229)
- `WORKERS` environment variable has been renamed to match other config options, see [Configuration](../../install-config/configuration/configuration.mdx#authentik_web__workers)
## New features
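Review bot: the new anchor `#authentik_web__workers` in the `WORKERS` bullet only resolves if the heading in `configuration.mdx` was changed in this same commit to drop its "authentik 2022.9" version suffix; that file is not visible in this hunk, so please confirm the rename is included, since Docusaurus does not fail the build on a missing in-page anchor and the link would break silently. The same check applies to the `#authentik-issued-jwts` anchor in the 2024.12 release notes below.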
@ -15,7 +15,7 @@ slug: "/releases/2022.9"
- Duo Admin API integration
When using a Duo MFA, Duo Access or Duo Beyond plan, authentik can now automatically import devices from Duo into authentik. More info [here](../../add-secure-apps/flows-stages/stages/authenticator_duo/index.md).
When using a Duo MFA, Duo Access or Duo Beyond plan, authentik can now automatically import devices from Duo into authentik. More info [here](../../add-secure-apps/flows-stages/stages/authenticator_duo/index.mdx).
## API Changes

View File

@ -17,7 +17,7 @@ slug: "/releases/2023.1"
- Proxy provider now accepts HTTP Basic and Bearer authentication
See [Header authentication](../../add-secure-apps/providers/proxy/header_authentication.md).
See [Header authentication](../../add-secure-apps/providers/proxy/header_authentication.mdx).
- LDAP provider now works with Code-based MFA stages

View File

@ -46,7 +46,7 @@ slug: "/releases/2024.12"
- **OAuth2 provider federation**
Configure [OAuth2 provider federation](../../add-secure-apps/providers/oauth2/client_credentials.md#authentik-issued-jwts-authentik-202412) to allow exchanging authentication tokens between multiple providers.
Configure [OAuth2 provider federation](../../add-secure-apps/providers/oauth2/client_credentials.mdx#authentik-issued-jwts) to allow exchanging authentication tokens between multiple providers.
- **Silent authorization flow**

View File

@ -43,7 +43,7 @@ slug: /releases/2024.4
Configure which types of WebAuthn devices can be used to enroll and validate for different authorization levels.
For details refer to [WebAuthn authenticator setup stage](../../add-secure-apps/flows-stages/stages/authenticator_webauthn/index.md)
For details refer to [WebAuthn authenticator setup stage](../../add-secure-apps/flows-stages/stages/authenticator_webauthn/index.mdx)
- **Revamped UI for log messages**

View File

@ -73,4 +73,4 @@ This upgrade only applies if you are upgrading from a running 0.9 instance. auth
Because this upgrade brings the new OAuth2 Provider, the old providers will be lost in the process. Make sure to take note of the providers you want to bring over.
Another side-effect of this upgrade is the change of OAuth2 URLs, see [here](../../add-secure-apps/providers/oauth2/index.md).
Another side-effect of this upgrade is the change of OAuth2 URLs, see [here](../../add-secure-apps/providers/oauth2/index.mdx).

View File

@ -25,7 +25,7 @@ However, for further hardening, it is possible to prevent any user (even super-u
- `/api/v3/propertymappings*`
- `/api/v3/managed/blueprints*`
With these restrictions in place, expressions can only be edited using [Blueprints on the file system](../customize/blueprints/index.md#storage---file). Take care to restrict access to the file system itself.
With these restrictions in place, expressions can only be edited using [Blueprints on the file system](../customize/blueprints/index.mdx#storage---file). Take care to restrict access to the file system itself.
### Blueprints
@ -35,7 +35,7 @@ To prevent any user from creating/editing blueprints, block API requests to this
- `/api/v3/managed/blueprints*`
With these restrictions in place, Blueprints can only be edited via [the file system](../customize/blueprints/index.md#storage---file).
With these restrictions in place, Blueprints can only be edited via [the file system](../customize/blueprints/index.mdx#storage---file).
### CAPTCHA Stage
@ -46,7 +46,7 @@ To prevent any user from creating/editing CAPTCHA stages block API requests to t
- `/api/v3/stages/captcha*`
- `/api/v3/managed/blueprints*`
With these restrictions in place, CAPTCHA stages can only be edited using [Blueprints on the file system](../customize/blueprints/index.md#storage---file).
With these restrictions in place, CAPTCHA stages can only be edited using [Blueprints on the file system](../customize/blueprints/index.mdx#storage---file).
### Content Security Policy (CSP)

View File

@ -1,9 +1,6 @@
---
title: Tenancy
---
<span class="badge badge--primary">Enterprise</span>
authentik_enterprise: true
---
::::warning
@ -32,7 +29,7 @@ For each additional tenant (beyond the default one), one or more licenses is req
A single tenant and its corresponding installation can have multiple license keys. For example, a company might purchase one license for 50 users, and then later in the same year need to buy another license for 50 more users, due to company growth. Both licenses are associated to the one installation, the one tenant.
Learn more in our documentation about [Enterprise licenses](../enterprise/manage-enterprise.md#license-management).
Learn more in our documentation about [Enterprise licenses](../enterprise/manage-enterprise.mdx#license-management).
### Important considerations

View File

@ -13,4 +13,4 @@ The Group object has the following properties:
## Attributes
See [the user reference](../user/user_ref.md#attributes) for well-known attributes.
See [the user reference](../user/user_ref.mdx#attributes) for well-known attributes.

View File

@ -3,7 +3,7 @@ title: About groups
description: Learn about groups in authentik
---
For information about creating and editing groups refer to [Manage groups](./manage_groups.md).
For information about creating and editing groups refer to [Manage groups](./manage_groups.mdx).
## Hierarchy

View File

@ -43,7 +43,7 @@ To delete a group, follow these steps:
You can assign a role to a group, and then all users in the group inherit the permissions assigned to that role. For instructions and more information, see [Assign a role to a group](../roles/manage_roles.md#assign-a-role-to-a-group).
## Delegating group member management <span class="badge badge--version">authentik 2024.4+</span>
## Delegating group member management:ak-version[2024.4]
To give a specific Role or User the ability to manage group members, the following permissions need to be granted on the matching Group object:
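Review bot: the heading `## Delegating group member management:ak-version[2024.4]` has no space between the heading text and the text directive, so unless the `ak-version` component adds its own leading margin the badge renders flush against "management"; consider `## Delegating group member management :ak-version[2024.4]` (the same applies to the Azure AD heading `### Machine-to-machine authentication:ak-version[2024.12]` later in this commit). Since the generated heading slug will no longer contain "authentik-20244", any inbound links to the old anchor need updating as was done for `#authentik-issued-jwts` in the release notes.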

View File

@ -1,9 +1,8 @@
---
title: Active Directory
support_level: community
---
<span class="badge badge--secondary">Support level: Community</span>
## Preparation
The following placeholders are used in this guide:

View File

@ -1,9 +1,8 @@
---
title: FreeIPA
support_level: community
---
<span class="badge badge--secondary">Support level: Community</span>
## Preparation
The following placeholders are used in this guide:

View File

@ -8,7 +8,7 @@ Sources allow you to connect authentik to an external user directory. Sources ca
Sources are in the following general categories:
- **Protocols** ([Kerberos](./protocols/kerberos/index.md), [LDAP](./protocols/ldap/index.md), [OAuth](./protocols/oauth/index.md), [SAML](./protocols/saml/index.md), and [SCIM](./protocols/scim/index.md))
- **Protocols** ([Kerberos](./protocols/kerberos/index.md), [LDAP](./protocols/ldap/index.md), [OAuth](./protocols/oauth/index.mdx), [SAML](./protocols/saml/index.md), and [SCIM](./protocols/scim/index.md))
- [**Property mappings**](./property-mappings/index.md) or how to import data from a source
- **Directory synchronization** (Active Directory, FreeIPA)
- **Social logins** (Apple, Discord, Twitch, Twitter, and many others)

View File

@ -16,6 +16,6 @@ import Objects from "../../../expressions/\_objects.md";
## Available Functions
import Functions from "../../../expressions/\_functions.md";
import Functions from "../../../expressions/\_functions.mdx";
<Functions />

View File

@ -8,7 +8,7 @@ This page is an overview of how property mappings work. For information about sp
- [Kerberos](../protocols/kerberos/#kerberos-source-property-mappings)
- [LDAP](../protocols/ldap/index.md#ldap-source-property-mappings)
- [OAuth](../protocols/oauth/index.md#oauth-source-property-mappings)
- [OAuth](../protocols/oauth/index.mdx#oauth-source-property-mappings)
- [SAML](../protocols/saml/index.md#saml-source-property-mappings)
- [SCIM](../protocols/scim/index.md#scim-source-property-mappings)
@ -36,7 +36,7 @@ return {
}
```
You can see that the expression returns a Python dictionary. The dictionary keys must match [User properties](../../user/user_ref.md#object-properties) or [Group properties](../../groups/group_ref.md#object-properties). Note that for users, `ak_groups` and `group_attributes` cannot be set.
You can see that the expression returns a Python dictionary. The dictionary keys must match [User properties](../../user/user_ref.mdx#object-properties) or [Group properties](../../groups/group_ref.md#object-properties). Note that for users, `ak_groups` and `group_attributes` cannot be set.
See each source documentation for a reference of the available data. See the authentik [expressions documentation](./expressions.md) for available data and functions.

View File

@ -1,10 +1,7 @@
---
title: Kerberos
---
<span class="badge badge--preview">Preview</span>
<span class="badge badge--version">authentik 2024.10+</span>
authentik_preview: true
authentik_version: "2024.10"
---
This source allows users to enroll themselves with an existing Kerberos identity.

View File

@ -14,7 +14,7 @@ This source allows users to enroll themselves with an external OAuth-based Ident
Starting with authentik 2022.10, the default scopes can be replaced by prefix the value for scopes with `*`.
### OpenID Connect <span class="badge badge--version">authentik 2022.6+</span>
### OpenID Connect
#### Well-known
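Review bot: the version badge on `### OpenID Connect` is deleted outright instead of being converted to `:ak-version[2022.6]` as the groups and Azure AD headings are in this same commit; the same happens for the GitHub organisation check (2021.12.5) and the user `## Path` heading (2022.7). If the intent is to drop annotations for versions old enough that every supported release has the feature, state that rule in the commit message so the inconsistency is deliberate rather than accidental.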

View File

@ -1,9 +1,8 @@
---
title: Apple
support_level: authentik
---
<span class="badge badge--primary">Support level: authentik</span>
Allows users to authenticate using their Apple ID.
## Preparation

View File

@ -1,9 +1,8 @@
---
title: Azure AD
support_level: community
---
<span class="badge badge--secondary">Support level: Community</span>
## Preparation
The following placeholders are used in this guide:
@ -112,9 +111,9 @@ return True
Try to login with a **_new_** user. You should see no prompts and the user should have the correct information.
### Machine-to-machine authentication <span class="badge badge--version">authentik 2024.12+</span>
### Machine-to-machine authentication:ak-version[2024.12]
If using [Machine-to-Machine](../../../../add-secure-apps/providers/oauth2/client_credentials.md#jwt-authentication) authentication, some specific steps need to be considered.
If using [Machine-to-Machine](../../../../add-secure-apps/providers/oauth2/client_credentials.mdx#jwt-authentication) authentication, some specific steps need to be considered.
When getting the JWT token from Azure AD, set the scope to the Application ID URI, and _not_ the Graph URL; otherwise the JWT will be in an invalid format.

View File

@ -1,9 +1,8 @@
---
title: Discord
support_level: authentik
---
<span class="badge badge--primary">Support level: authentik</span>
Allows users to authenticate using their Discord credentials
## Preparation
@ -162,13 +161,13 @@ Ensure that the Discord OAuth source in **Federation & Social login** has the ad
:::
:::info
Any authentik role that you want to sync with a Discord role needs to have the **attribute** `discord_role_id` with a value of the Discord role's ID set.
This setting can be found under `Authentik > Admin Interface > Directory > Groups > YOUR_GROUP > Attributes`
Any authentik role that you want to sync with a Discord role needs to have the **attribute** `discord_role_id` with a value of the Discord role's ID set.
This setting can be found under `Authentik > Admin Interface > Directory > Groups > YOUR_GROUP > Attributes`
Example: `discord_role_id: "<ROLE ID>"`
:::
The following two policies allow you to synchronize roles in a Discord guild with roles in authentik.
Whenever a user enrolls or signs in to authentik via a Discord source, these policies will check the user's Discord roles and apply the user's authentik roles accordingly.
The following two policies allow you to synchronize roles in a Discord guild with roles in authentik.
Whenever a user enrolls or signs in to authentik via a Discord source, these policies will check the user's Discord roles and apply the user's authentik roles accordingly.
All roles with the attribute `discord_role_id` defined will be added or removed depending on whether the user is a member of the defined Discord role.
Create a new **Expression Policy** with the content below, adjusting the variables where required.
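Review bot: the four changed lines inside and below the `:::info` admonition are textually identical to the lines they replace, so this is a whitespace-only change, most likely trailing double-space hard line breaks being added or removed. If they were removed, "Any authentik role that you want to sync..." and "This setting can be found under..." will merge into one paragraph in the rendered admonition, and likewise the two sentences before "All roles with the attribute..."; please confirm the rendered output still reads as separate lines.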

View File

@ -1,9 +1,8 @@
---
title: Facebook
support_level: community
---
<span class="badge badge--secondary">Support level: Community</span>
Adding Facebook as a source allows users to authenticate through authentik using their Facebook credentials.
## Preparation

View File

@ -1,9 +1,8 @@
---
title: Github
support_level: authentik
---
<span class="badge badge--primary">Support level: authentik</span>
Allows users to authenticate using their Github credentials
## Preparation
@ -50,7 +49,7 @@ Save, and you now have Github as a source.
For more details on how-to have the new source display on the Login Page see [here](../../index.md#add-sources-to-default-login-page).
:::
### Checking for membership of a GitHub Organisation <span class="badge badge--version">authentik 2021.12.5.+</span>
### Checking for membership of a GitHub Organisation
To check if the user is member of an organisation, you can use the following policy on your flows:

View File

@ -2,10 +2,9 @@
title: Google Cloud (with OAuth)
sidebar_label: Google Cloud (OAuth)
tags: [integration, oauth, google]
support_level: community
---
<span class="badge badge--secondary">Support level: Community</span>
Allows users to authenticate using their Google credentials
## Preparation

View File

@ -2,10 +2,9 @@
title: Google Workspace (with SAML)
sidebar_label: Google Workspace (SAML)
tags: [integration, saml, google]
support_level: authentik
---
<span className="badge badge--primary">Support level: authentik</span>
This topic covers configuring authentik to authenticate users with their Google Workspace credentials.
## What is Google Workspace?

View File

@ -1,9 +1,8 @@
---
title: Mailcow
support_level: community
---
<span class="badge badge--secondary">Support level: Community</span>
Allows users to authenticate using their Mailcow credentials
## Preparation

View File

@ -1,9 +1,8 @@
---
title: Plex
support_level: community
---
<span class="badge badge--secondary">Support level: Community</span>
Allows users to authenticate using their Plex credentials
## Preparation

View File

@ -1,9 +1,8 @@
---
title: Twitch
support_level: community
---
<span class="badge badge--secondary">Support level: Community</span>
Allows users to authenticate using their Twitch credentials
## Preparation

View File

@ -1,9 +1,8 @@
---
title: Twitter
support_level: authentik
---
<span class="badge badge--primary">Support level: authentik</span>
Allows users to authenticate using their twitter credentials
## Preparation

View File

@ -6,7 +6,7 @@ import DocCardList from "@theme/DocCardList";
In authentik you can create and manage users with fine-tuned access control, session and event details, group membership, super-user rights, impersonation, and password management and recovery.
To learn more about Enterprise licenses with internal and external users, refer to our [Enterprise documentation](../../enterprise/manage-enterprise.md#about-users-and-licenses).
To learn more about Enterprise licenses with internal and external users, refer to our [Enterprise documentation](../../enterprise/manage-enterprise.mdx#about-users-and-licenses).
To learn more about working with users in authentik, refer to the following topics:

View File

@ -30,7 +30,7 @@ The following topics are for the basic management of users: how to create, modif
You should see a confirmation pop-up on the top-right of the screen that the user has been created, and see the new user in the user list. You can directly click the username if you want to [modify your user](./user_basic_operations#modify-a-user).
:::info
To create a super-user, you need to add the user to a group that has super-user permissions. For more information, refer to [Create a Group](../groups/manage_groups.md#create-a-group).
To create a super-user, you need to add the user to a group that has super-user permissions. For more information, refer to [Create a Group](../groups/manage_groups.mdx#create-a-group).
:::
### View user details
@ -48,7 +48,7 @@ To view details about a specific user:
- **Session** shows the active sessions established by the user. If there is any need, you can clean up the connected devices for a user by selecting the device(s) and then clicking **Delete**. This forces the user to authenticate again on the deleted devices.
- **Groups** allows you to manage the group membership of the user. You can find more details on [groups](../groups/index.mdx).
- **User events** displays all the events generated by the user during a session, such as login, logout, application authorisation, password reset, user info update, etc.
- **Explicit consent** lists all the permissions the user has given explicitly to an application. Entries will only appear if the user is validating an [explicit consent flow in an OAuth2 provider](../../add-secure-apps/providers/oauth2/index.md). If you want to delete the explicit consent (because the application is requiring new permissions, or the user has explicitly asked to reset his consent on third-party apps), select the applications and click **Delete**. The user will be asked to again give explicit consent to share information with the application.
- **Explicit consent** lists all the permissions the user has given explicitly to an application. Entries will only appear if the user is validating an [explicit consent flow in an OAuth2 provider](../../add-secure-apps/providers/oauth2/index.mdx). If you want to delete the explicit consent (because the application is requiring new permissions, or the user has explicitly asked to reset his consent on third-party apps), select the applications and click **Delete**. The user will be asked to again give explicit consent to share information with the application.
- **OAuth Refresh Tokens** lists all the OAuth tokens currently distributed. You can remove the tokens by selecting the applications and then clicking **Delete**.
- **MFA Authenticators** shows all the authentications that the user has registered to their user profile. You can remove the tokens if the user has lost their authenticator and want to enroll a new one.

View File

@ -14,7 +14,7 @@ The User object has the following properties:
- `is_active` Boolean field if user is active.
- `date_joined` Date user joined/was created.
- `password_change_date` Date password was last changed.
- `path` User's path, see [Path](#path-authentik-20227)
- `path` User's path, see [Path](#path)
- `attributes` Dynamic attributes, see [Attributes](#attributes)
- `group_attributes()` Merged attributes of all groups the user is member of and the user's own attributes.
- `ak_groups` This is a queryset of all the user's groups.
@ -42,7 +42,7 @@ for group in user.ak_groups.all():
yield group.name
```
## Path <span class="badge badge--version">authentik 2022.7+</span>
## Path
Paths can be used to organize users into folders depending on which source created them or organizational structure. Paths may not start or end with a slash, but they can contain any other character as path segments. The paths are currently purely used for organization, it does not affect their permissions, group memberships, or anything else.