root: deny unauthenticated websocket messages consumer

Signed-off-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
only send messages for stuff non-redirecting
2025-02-27 20:31:32 +01:00 · 2025-02-27 17:46:17 +01:00 · 2025-02-27 17:32:37 +01:00 · 2025-02-27 17:28:29 +01:00 · 2025-02-27 17:10:33 +01:00 · 2025-02-27 17:08:46 +01:00
122 changed files with 6350 additions and 779 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,16 +1,16 @@
 [bumpversion]
-current_version = 2024.12.3
+current_version = 2025.2.1
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
-serialize =
+serialize = 
 	{major}.{minor}.{patch}-{rc_t}{rc_n}
 	{major}.{minor}.{patch}
 message = release: {new_version}
 tag_name = version/{new_version}

 [bumpversion:part:rc_t]
-values =
+values = 
 	rc
 	final
 optional_value = final
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -28,7 +28,11 @@ Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**

-   authentik version: [e.g. 2021.8.5]
+<!--
+Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
+-->
+
+-   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]

 **Additional context**
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@ -20,7 +20,12 @@ Output of docker-compose logs or kubectl logs respectively

 **Version and Deployment (please complete the following information):**

-   authentik version: [e.g. 2021.8.5]
+<!--
+Notice: authentik supports installation via Docker, Kubernetes, and AWS CloudFormation only. Support is not available for other methods. For detailed installation and configuration instructions, please refer to the official documentation at https://docs.goauthentik.io/docs/install-config/.
+-->
+
+
+-   authentik version: [e.g. 2025.2.0]
 -   Deployment: [e.g. docker-compose, helm]

 **Additional context**
--- a/.github/workflows/_reusable-docker-build-single.yaml
+++ b/.github/workflows/_reusable-docker-build-single.yaml
@ -40,7 +40,7 @@ jobs:
      attestations: write
    steps:
      - uses: actions/checkout@v4
-      - uses: docker/setup-qemu-action@v3.4.0
+      - uses: docker/setup-qemu-action@v3.5.0
      - uses: docker/setup-buildx-action@v3
      - name: prepare variables
        uses: ./.github/actions/docker-push-variables
--- a/.github/workflows/ci-outpost.yml
+++ b/.github/workflows/ci-outpost.yml
@ -82,7 +82,7 @@ jobs:
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.5.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@ -42,7 +42,7 @@ jobs:
        with:
          go-version-file: "go.mod"
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3.4.0
+        uses: docker/setup-qemu-action@v3.5.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: prepare variables
--- a/.github/workflows/translation-extract-compile.yml
+++ b/.github/workflows/translation-extract-compile.yml
@ -1,9 +1,13 @@
 ---
-name: authentik-backend-translate-extract-compile
+name: authentik-translate-extract-compile
 on:
  schedule:
    - cron: "0 0 * * *" # every day at midnight
  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+      - version-*

 env:
  POSTGRES_DB: authentik
@ -15,15 +19,21 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: generate_token
+        if: ${{ github.event_name != 'pull_request' }}
        uses: tibdex/github-app-token@v2
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_APP_PRIVATE_KEY }}
      - uses: actions/checkout@v4
+        if: ${{ github.event_name != 'pull_request' }}
        with:
          token: ${{ steps.generate_token.outputs.token }}
+      - uses: actions/checkout@v4
+        if: ${{ github.event_name == 'pull_request' }}
      - name: Setup authentik env
        uses: ./.github/actions/setup
+      - name: Generate API
+        run: make gen-client-ts
      - name: run extract
        run: |
          poetry run make i18n-extract
@ -32,6 +42,7 @@ jobs:
          poetry run ak compilemessages
          make web-check-compile
      - name: Create Pull Request
+        if: ${{ github.event_name != 'pull_request' }}
        uses: peter-evans/create-pull-request@v7
        with:
          token: ${{ steps.generate_token.outputs.token }}
--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
-| 2024.10.x | ✅        |
 | 2024.12.x | ✅        |
+| 2025.2.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2024.12.3"
+__version__ = "2025.2.1"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/core/templates/base/header_js.html
+++ b/authentik/core/templates/base/header_js.html
@ -11,6 +11,7 @@
        build: "{{ build }}",
        api: {
            base: "{{ base_url }}",
+            relBase: "{{ base_url_rel }}",
        },
    };
    window.addEventListener("DOMContentLoaded", function () {
--- a/authentik/core/templates/base/skeleton.html
+++ b/authentik/core/templates/base/skeleton.html
@ -8,6 +8,8 @@
    <head>
        <meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
+        {# Darkreader breaks the site regardless of theme as its not compatible with webcomponents, and we default to a dark theme based on preferred colour-scheme #}
+        <meta name="darkreader-lock">
        <title>{% block title %}{% trans title|default:brand.branding_title %}{% endblock %}</title>
        <link rel="icon" href="{{ brand.branding_favicon_url }}">
        <link rel="shortcut icon" href="{{ brand.branding_favicon_url }}">
--- a/authentik/core/views/interface.py
+++ b/authentik/core/views/interface.py
@ -53,6 +53,7 @@ class InterfaceView(TemplateView):
        kwargs["build"] = get_build_hash()
        kwargs["url_kwargs"] = self.kwargs
        kwargs["base_url"] = self.request.build_absolute_uri(CONFIG.get("web.path", "/"))
+        kwargs["base_url_rel"] = CONFIG.get("web.path", "/")
        return super().get_context_data(**kwargs)


--- a/authentik/flows/challenge.py
+++ b/authentik/flows/challenge.py
@ -8,7 +8,13 @@ from uuid import UUID
 from django.core.serializers.json import DjangoJSONEncoder
 from django.db import models
 from django.http import JsonResponse
-from rest_framework.fields import BooleanField, CharField, ChoiceField, DictField
+from rest_framework.fields import (
+    BooleanField,
+    CharField,
+    ChoiceField,
+    DictField,
+    ListField,
+)
 from rest_framework.request import Request

 from authentik.core.api.utils import PassiveSerializer
@ -39,6 +45,12 @@ class ErrorDetailSerializer(PassiveSerializer):
    code = CharField()


+class MessageSerializer(PassiveSerializer):
+    message = CharField()
+    level = CharField()
+    tags = ListField(child=CharField())
+
+
 class ContextualFlowInfo(PassiveSerializer):
    """Contextual flow information for a challenge"""

@ -55,6 +67,7 @@ class Challenge(PassiveSerializer):
    flow_info = ContextualFlowInfo(required=False)
    component = CharField(default="")

+    messages = ListField(child=MessageSerializer(), allow_empty=True, required=False)
    response_errors = DictField(
        child=ErrorDetailSerializer(many=True), allow_empty=True, required=False
    )
@ -170,7 +183,6 @@ class FrameChallenge(Challenge):


 class FrameChallengeResponse(ChallengeResponse):
-
    component = CharField(default="xak-flow-frame")


--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@ -4,6 +4,7 @@ from typing import TYPE_CHECKING

 from django.conf import settings
 from django.contrib.auth.models import AnonymousUser
+from django.contrib.messages import get_messages
 from django.http import HttpRequest
 from django.http.request import QueryDict
 from django.http.response import HttpResponse
@ -21,6 +22,7 @@ from authentik.flows.challenge import (
    ChallengeResponse,
    ContextualFlowInfo,
    HttpChallengeResponse,
+    MessageSerializer,
    RedirectChallenge,
    SessionEndChallenge,
    WithUserInfoChallenge,
@ -191,6 +193,22 @@ class ChallengeStageView(StageView):
                )
                flow_info.is_valid()
                challenge.initial_data["flow_info"] = flow_info.data
+            if "messages" not in challenge.initial_data and not isinstance(
+                challenge, RedirectStage
+            ):
+                messages = MessageSerializer(
+                    data=[
+                        {
+                            "message": message.message,
+                            "level": message.level_tag,
+                            "tags": message.tags,
+                        }
+                        for message in get_messages(self.request)
+                    ],
+                    many=True,
+                )
+                messages.is_valid()
+                challenge.initial_data["messages"] = messages.data
            if isinstance(challenge, WithUserInfoChallenge):
                # If there's a pending user, update the `username` field
                # this field is only used by password managers.
--- a/authentik/flows/tests/test_inspector.py
+++ b/authentik/flows/tests/test_inspector.py
@ -55,6 +55,7 @@ class TestFlowInspector(APITestCase):
                    "layout": "stacked",
                },
                "flow_designation": "authentication",
+                "messages": [],
                "password_fields": False,
                "primary_action": "Log in",
                "sources": [],
--- a/authentik/providers/oauth2/tests/test_device_init.py
+++ b/authentik/providers/oauth2/tests/test_device_init.py
@ -88,6 +88,7 @@ class TesOAuth2DeviceInit(OAuthTestCase):
                    "layout": "stacked",
                    "title": self.device_flow.title,
                },
+                "messages": [],
            },
        )

--- a/authentik/root/messages/consumer.py
+++ b/authentik/root/messages/consumer.py
@ -1,5 +1,6 @@
 """websocket Message consumer"""

+from channels.exceptions import DenyConnection
 from channels.generic.websocket import JsonWebsocketConsumer
 from django.core.cache import cache

@ -13,6 +14,8 @@ class MessageConsumer(JsonWebsocketConsumer):
    session_key: str

    def connect(self):
+        if not self.scope["user"].is_authenticated():
+            raise DenyConnection()
        self.accept()
        self.session_key = self.scope["session"].session_key
        if not self.session_key:
--- a/authentik/root/messages/storage.py
+++ b/authentik/root/messages/storage.py
@ -7,7 +7,6 @@ from django.contrib.messages.storage.session import SessionStorage
 from django.core.cache import cache
 from django.http.request import HttpRequest

-SESSION_KEY = "_messages"
 CACHE_PREFIX = "goauthentik.io/root/messages_"


--- a/authentik/stages/authenticator_email/tests.py
+++ b/authentik/stages/authenticator_email/tests.py
@ -300,9 +300,11 @@ class TestAuthenticatorEmailStage(FlowTestCase):
            )
            self.assertEqual(response.status_code, 200)
            self.assertTrue(device.confirmed)
-            # Session key should be removed after device is saved
-            device.save()
-            self.assertNotIn(SESSION_KEY_EMAIL_DEVICE, self.client.session)
+            # Get a fresh session to check if the key was removed
+            session = self.client.session
+            session.save()
+            session.load()
+            self.assertNotIn(SESSION_KEY_EMAIL_DEVICE, session)

    def test_model_properties_and_methods(self):
        """Test model properties"""
--- a/authentik/stages/email/stage.py
+++ b/authentik/stages/email/stage.py
@ -145,9 +145,9 @@ class EmailStageView(ChallengeStageView):
                user.save()
            return self.executor.stage_ok()
        if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
-            self.logger.debug("No pending user")
-            messages.error(self.request, _("No pending user."))
-            return self.executor.stage_invalid()
+            message = _("No pending user")
+            self.logger.debug(message)
+            return self.executor.stage_invalid(message)
        # Check if we've already sent the initial e-mail
        if PLAN_CONTEXT_EMAIL_SENT not in self.executor.plan.context:
            try:
--- a/authentik/stages/email/tasks.py
+++ b/authentik/stages/email/tasks.py
@ -12,6 +12,7 @@ from structlog.stdlib import get_logger

 from authentik.events.models import Event, EventAction, TaskStatus
 from authentik.events.system_tasks import SystemTask
+from authentik.lib.utils.reflection import class_to_path, path_to_class
 from authentik.root.celery import CELERY_APP
 from authentik.stages.authenticator_email.models import AuthenticatorEmailStage
 from authentik.stages.email.models import EmailStage
@ -32,9 +33,10 @@ def send_mails(
        Celery group promise for the email sending tasks
    """
    tasks = []
-    stage_class = stage.__class__
+    # Use the class path instead of the class itself for serialization
+    stage_class_path = class_to_path(stage.__class__)
    for message in messages:
-        tasks.append(send_mail.s(message.__dict__, stage_class, str(stage.pk)))
+        tasks.append(send_mail.s(message.__dict__, stage_class_path, str(stage.pk)))
    lazy_group = group(*tasks)
    promise = lazy_group()
    return promise
@ -61,7 +63,7 @@ def get_email_body(email: EmailMultiAlternatives) -> str:
 def send_mail(
    self: SystemTask,
    message: dict[Any, Any],
-    stage_class: EmailStage | AuthenticatorEmailStage = EmailStage,
+    stage_class_path: str | None = None,
    email_stage_pk: str | None = None,
 ):
    """Send Email for Email Stage. Retries are scheduled automatically."""
@ -69,9 +71,10 @@ def send_mail(
    message_id = make_msgid(domain=DNS_NAME)
    self.set_uid(slugify(message_id.replace(".", "_").replace("@", "_")))
    try:
-        if not email_stage_pk:
-            stage: EmailStage | AuthenticatorEmailStage = stage_class(use_global_settings=True)
+        if not stage_class_path or not email_stage_pk:
+            stage = EmailStage(use_global_settings=True)
        else:
+            stage_class = path_to_class(stage_class_path)
            stages = stage_class.objects.filter(pk=email_stage_pk)
            if not stages.exists():
                self.set_status(
--- a/authentik/stages/email/tests/test_tasks.py
+++ b/authentik/stages/email/tests/test_tasks.py
@ -0,0 +1,58 @@
+"""Test email stage tasks"""
+
+from unittest.mock import patch
+
+from django.core.mail import EmailMultiAlternatives
+from django.test import TestCase
+
+from authentik.core.tests.utils import create_test_admin_user
+from authentik.lib.utils.reflection import class_to_path
+from authentik.stages.authenticator_email.models import AuthenticatorEmailStage
+from authentik.stages.email.models import EmailStage
+from authentik.stages.email.tasks import get_email_body, send_mails
+
+
+class TestEmailTasks(TestCase):
+    """Test email stage tasks"""
+
+    def setUp(self):
+        self.user = create_test_admin_user()
+        self.stage = EmailStage.objects.create(
+            name="test-email",
+            use_global_settings=True,
+        )
+        self.auth_stage = AuthenticatorEmailStage.objects.create(
+            name="test-auth-email",
+            use_global_settings=True,
+        )
+
+    def test_get_email_body_html(self):
+        """Test get_email_body with HTML alternative"""
+        message = EmailMultiAlternatives()
+        message.body = "plain text"
+        message.attach_alternative("<p>html content</p>", "text/html")
+        self.assertEqual(get_email_body(message), "<p>html content</p>")
+
+    def test_get_email_body_plain(self):
+        """Test get_email_body with plain text only"""
+        message = EmailMultiAlternatives()
+        message.body = "plain text"
+        self.assertEqual(get_email_body(message), "plain text")
+
+    def test_send_mails_email_stage(self):
+        """Test send_mails with EmailStage"""
+        message = EmailMultiAlternatives()
+        with patch("authentik.stages.email.tasks.send_mail") as mock_send:
+            send_mails(self.stage, message)
+            mock_send.s.assert_called_once_with(
+                message.__dict__, class_to_path(EmailStage), str(self.stage.pk)
+            )
+
+    def test_send_mails_authenticator_stage(self):
+        """Test send_mails with AuthenticatorEmailStage"""
+        message = EmailMultiAlternatives()
+        with patch("authentik.stages.email.tasks.send_mail") as mock_send:
+            send_mails(self.auth_stage, message)
+            mock_send.s.assert_called_once_with(
+                message.__dict__, class_to_path(AuthenticatorEmailStage), str(self.auth_stage.pk)
+            )
--- a/authentik/stages/user_delete/stage.py
+++ b/authentik/stages/user_delete/stage.py
@ -1,6 +1,5 @@
 """Delete stage logic"""

-from django.contrib import messages
 from django.contrib.auth import logout
 from django.http import HttpRequest, HttpResponse
 from django.utils.translation import gettext as _
@ -17,9 +16,8 @@ class UserDeleteStageView(StageView):
        user = self.get_pending_user()
        if not user.is_authenticated:
            message = _("No Pending User.")
-            messages.error(request, message)
            self.logger.debug(message)
-            return self.executor.stage_invalid()
+            return self.executor.stage_invalid(message)
        logout(self.request)
        user.delete()
        self.logger.debug("Deleted user", user=user)
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@ -81,9 +81,8 @@ class UserLoginStageView(ChallengeStageView):
        """Attach the currently pending user to the current session"""
        if PLAN_CONTEXT_PENDING_USER not in self.executor.plan.context:
            message = _("No Pending user to login.")
-            messages.error(request, message)
            self.logger.debug(message)
-            return self.executor.stage_invalid()
+            return self.executor.stage_invalid(message)
        backend = self.executor.plan.context.get(
            PLAN_CONTEXT_AUTHENTICATION_BACKEND, BACKEND_INBUILT
        )
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2024.12.3 Blueprint schema",
+    "title": "authentik 2025.2.1 Blueprint schema",
    "required": [
        "version",
        "entries"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
    restart: unless-stopped
    command: server
    environment:
@ -54,7 +54,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2024.12.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.1}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -1,8 +1,8 @@
 module goauthentik.io

-go 1.23
+go 1.23.0

-toolchain go1.23.0
+toolchain go1.24.0

 require (
 	beryju.io/ldap v0.1.0
@ -23,15 +23,15 @@ require (
 	github.com/nmcclain/asn1-ber v0.0.0-20170104154839-2661553a0484
 	github.com/pires/go-proxyproto v0.8.0
 	github.com/prometheus/client_golang v1.21.0
-	github.com/redis/go-redis/v9 v9.7.0
+	github.com/redis/go-redis/v9 v9.7.1
 	github.com/sethvargo/go-envconfig v1.1.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2024123.7
+	goauthentik.io/api/v3 v3.2025020.1
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
-	golang.org/x/oauth2 v0.26.0
+	golang.org/x/oauth2 v0.27.0
 	golang.org/x/sync v0.11.0
 	gopkg.in/yaml.v2 v2.4.0
 	layeh.com/radius v0.0.0-20210819152912-ad72663a72ab
@ -48,7 +48,7 @@ require (
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 // indirect
 	github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a // indirect
-	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
@ -76,8 +76,8 @@ require (
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
-	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	google.golang.org/protobuf v1.36.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
--- a/go.sum
+++ b/go.sum
@ -84,8 +84,8 @@ github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27 h1:O6yi4xa9b2D
 github.com/go-http-utils/fresh v0.0.0-20161124030543-7231e26a4b27/go.mod h1:AYvN8omj7nKLmbcXS2dyABYU6JB1Lz1bHmkkq1kf4I4=
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a h1:v6zMvHuY9yue4+QkG/HQ/W67wvtQmWJ4SDo9aK/GIno=
 github.com/go-http-utils/headers v0.0.0-20181008091004-fed159eddc2a/go.mod h1:I79BieaU4fxrw4LMXby6q5OS9XnoR9UIKLOzDFjUmuw=
-github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
-github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-jose/go-jose/v4 v4.0.5 h1:M6T8+mKZl/+fNNuFHvGIzDz7BTLQPIounk/b9dw3AaE=
+github.com/go-jose/go-jose/v4 v4.0.5/go.mod h1:s3P1lRrkT8igV8D9OjyL4WRyHvjB6a4JSllnOrmmBOA=
 github.com/go-ldap/ldap/v3 v3.4.10 h1:ot/iwPOhfpNVgB1o+AVXljizWZ9JTp7YF5oeyONmcJU=
 github.com/go-ldap/ldap/v3 v3.4.10/go.mod h1:JXh4Uxgi40P6E9rdsYqpUtbW46D9UTjJ9QSwGRznplY=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@ -248,8 +248,8 @@ github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ
 github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E=
-github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
+github.com/redis/go-redis/v9 v9.7.1 h1:4LhKRCIduqXqtvCUlaq9c8bdHOkICjDMrr1+Zb3osAc=
+github.com/redis/go-redis/v9 v9.7.1/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
@ -299,8 +299,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2024123.7 h1:vjmEnxXTHGFylJ9kTBFNYy4kcTrUM2hSIt3ja8gNVAY=
-goauthentik.io/api/v3 v3.2024123.7/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025020.1 h1:7922W4XiGif7lUCl2qlaeQJ3wSx1wDDDpXx8ryx0Hv0=
+goauthentik.io/api/v3 v3.2025020.1/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@ -312,8 +312,9 @@ golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@ -393,8 +394,8 @@ golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4Iltr
 golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.26.0 h1:afQXWNNaeC4nvZ0Ed9XvCCzXM6UHJG7iCg0W4fPqSBE=
-golang.org/x/oauth2 v0.26.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -447,8 +448,9 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2024.12.3"
+const VERSION = "2025.2.1"
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1000.2",
+                "aws-cdk": "^2.1001.0",
                "cross-env": "^7.0.3"
            },
            "engines": {
@ -17,16 +17,16 @@
            }
        },
        "node_modules/aws-cdk": {
-            "version": "2.1000.2",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1000.2.tgz",
-            "integrity": "sha512-QsXqJhGWjHNqP7etgE3sHOTiDBXItmSKdFKgsm1qPMBabCMyFfmWZnEeUxfZ4sMaIoxvLpr3sqoWSNeLuUk4sg==",
+            "version": "2.1001.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1001.0.tgz",
+            "integrity": "sha512-Wp6fKNXcxBm+f8U1GkLV4gEgqq1pu5uwyDCMBg7ZB/6CtP+PsD/mPhuKyMULNWucDvYN8oy70XLOkMnxa3NWFw==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
                "cdk": "bin/cdk"
            },
            "engines": {
-                "node": ">= 16.0.0"
+                "node": ">= 14.15.0"
            },
            "optionalDependencies": {
                "fsevents": "2.3.2"
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@ -10,7 +10,7 @@
        "node": ">=20"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1000.2",
+        "aws-cdk": "^2.1001.0",
        "cross-env": "^7.0.3"
    }
 }
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2024.12.3
+    Default: 2025.2.1
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-14 14:49+0000\n"
+"POT-Creation-Date: 2025-02-25 00:11+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -109,6 +109,10 @@ msgstr ""
 msgid "Extra description not available"
 msgstr ""

+#: authentik/core/api/groups.py
+msgid "Cannot set group as parent of itself."
+msgstr ""
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -152,6 +156,14 @@ msgstr ""
 msgid "Remove user from group"
 msgstr ""

+#: authentik/core/models.py
+msgid "Enable superuser status"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Disable superuser status"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr ""
@ -500,57 +512,6 @@ msgstr ""
 msgid "Microsoft Entra Provider Mappings"
 msgstr ""

-#: authentik/enterprise/providers/rac/models.py
-#: authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Providers"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr ""
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr ""
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr ""
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@ -651,7 +612,7 @@ msgstr ""
 msgid "Slack Webhook (Slack/Discord)"
 msgstr ""

-#: authentik/events/models.py
+#: authentik/events/models.py authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr ""

@ -1105,6 +1066,14 @@ msgstr ""
 msgid "Client IP is not in an allowed country."
 msgstr ""

+#: authentik/policies/geoip/models.py
+msgid "Distance from previous authentication is larger than threshold."
+msgstr ""
+
+#: authentik/policies/geoip/models.py
+msgid "Distance is further than possible."
+msgstr ""
+
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr ""
@ -1643,6 +1612,56 @@ msgstr ""
 msgid "Proxy Providers"
 msgstr ""

+#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Providers"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr ""
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr ""
+
+#: authentik/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr ""
+
+#: authentik/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr ""
+
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr ""
@ -2486,6 +2505,98 @@ msgstr ""
 msgid "Duo Devices"
 msgstr ""

+#: authentik/stages/authenticator_email/models.py
+msgid "Email OTP"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stage"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stages"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Device"
+msgstr ""
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Devices"
+msgstr ""
+
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr ""
+
+#: authentik/stages/authenticator_email/stage.py
+msgid "Invalid email"
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+msgid ""
+"\n"
+"          Email MFA code.\n"
+"          "
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#, python-format
+msgid ""
+"\n"
+"    If you did not request this code, please ignore this email. The code "
+"above is valid for %(expires)s.\n"
+"    "
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+msgid ""
+"\n"
+"Email MFA code\n"
+msgstr ""
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#, python-format
+msgid ""
+"\n"
+"If you did not request this code, please ignore this email. The code above "
+"is valid for %(expires)s.\n"
+msgstr ""
+
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@ -2518,11 +2629,6 @@ msgstr ""
 msgid "SMS Devices"
 msgstr ""

-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr ""
-
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr ""
@ -2745,12 +2851,6 @@ msgstr ""
 msgid "Account Confirmation"
 msgstr ""

-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr ""
-
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr ""
@ -2767,10 +2867,6 @@ msgstr ""
 msgid "Email Stages"
 msgstr ""

-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr ""
-
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr ""
@ -2845,14 +2941,6 @@ msgid ""
 "This email was sent from the notification transport %(name)s.\n"
 msgstr ""

-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@ -2870,11 +2958,6 @@ msgid ""
 "    "
 msgstr ""

-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr ""
-
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"
--- a/locale/fr/LC_MESSAGES/django.po
+++ b/locale/fr/LC_MESSAGES/django.po
@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-14 14:49+0000\n"
+"POT-Creation-Date: 2025-02-25 00:11+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@ -129,6 +129,10 @@ msgstr "L'utilisateur n'a pas accès à l'application."
 msgid "Extra description not available"
 msgstr "Description supplémentaire indisponible"

+#: authentik/core/api/groups.py
+msgid "Cannot set group as parent of itself."
+msgstr "Impossible de définir le groupe en tant que parent de lui-même."
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -177,6 +181,14 @@ msgstr "Ajouter un utilisateur au groupe"
 msgid "Remove user from group"
 msgstr "Retirer l'utilisateur du groupe"

+#: authentik/core/models.py
+msgid "Enable superuser status"
+msgstr "Activer le statut super-utilisateur"
+
+#: authentik/core/models.py
+msgid "Disable superuser status"
+msgstr "Désactiver le statut super-utilisateur"
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "Nom d'affichage de l'utilisateur"
@ -553,61 +565,6 @@ msgstr "Mappage de propriété Microsoft Entra"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Mappages de propriété Microsoft Entra"

-#: authentik/enterprise/providers/rac/models.py
-#: authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr ""
-"Détermine la durée de la session. La valeur par défaut de 0 signifie que la "
-"session dure jusqu'à la fermeture du navigateur. (Format : "
-"hours=-1;minutes=-2;seconds=-3)"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr ""
-"Si activé, les jetons de connexion seront supprimés lors de la déconnexion."
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "Fournisseur RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "Fournisseurs RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "Point de terminaison RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "Points de terminaison RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "Mappage de propriété fournisseur RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "Mappages de propriété fournisseur RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "Jeton de connexion RAC"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "Jeton de connexions RAC"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "Limite maximum de connection atteinte."
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "(Vous êtes déjà connecté dans un autre onglet/une autre fenêtre)"
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@ -715,6 +672,7 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Webhook Slack (ou Discord)"

 #: authentik/events/models.py
+#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "Courriel"

@ -1219,6 +1177,16 @@ msgstr ""
 msgid "Client IP is not in an allowed country."
 msgstr "L'IP du client ne fait pas partie d'un pays autorisé."

+#: authentik/policies/geoip/models.py
+msgid "Distance from previous authentication is larger than threshold."
+msgstr ""
+"La distance par rapport à l'authentification précédente est supérieure au "
+"seuil."
+
+#: authentik/policies/geoip/models.py
+msgid "Distance is further than possible."
+msgstr "La distance est plus grande que possible."
+
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "Politique GeoIP"
@ -1825,6 +1793,60 @@ msgstr "Fournisseur Proxy"
 msgid "Proxy Providers"
 msgstr "Fournisseur de Proxy"

+#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr ""
+"Détermine la durée de la session. La valeur par défaut de 0 signifie que la "
+"session dure jusqu'à la fermeture du navigateur. (Format : "
+"hours=-1;minutes=-2;seconds=-3)"
+
+#: authentik/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr ""
+"Si activé, les jetons de connexion seront supprimés lors de la déconnexion."
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "Fournisseur RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "Fournisseurs RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "Point de terminaison RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "Points de terminaison RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "Mappage de propriété fournisseur RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "Mappages de propriété fournisseur RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "Jeton de connexion RAC"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "Jeton de connexions RAC"
+
+#: authentik/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "Limite maximum de connection atteinte."
+
+#: authentik/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "(Vous êtes déjà connecté dans un autre onglet/une autre fenêtre)"
+
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr ""
@ -2741,6 +2763,112 @@ msgstr "Appareil Duo"
 msgid "Duo Devices"
 msgstr "Appareils Duo"

+#: authentik/stages/authenticator_email/models.py
+msgid "Email OTP"
+msgstr "OTP Courriel"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr ""
+"Si activé, les paramètres globaux de connexion courriel seront utilisés et "
+"les paramètres de connexion ci-dessous seront ignorés."
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+msgstr ""
+"Durée de validité du jeton envoyé (Format : hours=3,minutes=17,seconds=300)."
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stage"
+msgstr "Étape de configuration de l'authentificateur courriel"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stages"
+msgstr "Étapes de configuration de l'authentificateur courriel"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr "Une erreur s'est produite lors de la modélisation du couriel"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Device"
+msgstr "Équipement courriel"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Devices"
+msgstr "Équipements courriel"
+
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "Le Code ne correspond pas"
+
+#: authentik/stages/authenticator_email/stage.py
+msgid "Invalid email"
+msgstr "Courriel invalide"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      Salut %(username)s,\n"
+"     "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+msgid ""
+"\n"
+"          Email MFA code.\n"
+"          "
+msgstr ""
+"\n"
+"          Code MFA envoyé par courriel.\n"
+"          "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#, python-format
+msgid ""
+"\n"
+"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+"    "
+msgstr ""
+"\n"
+"    Si vous n'avez pas demandé ce code, veuillez ignorer ce courriel. Le code ci-dessus est valid pendant %(expires)s.\n"
+"    "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "Bonjour %(username)s,"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+msgid ""
+"\n"
+"Email MFA code\n"
+msgstr ""
+"\n"
+"Code MFA envoyé par e-mail\n"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#, python-format
+msgid ""
+"\n"
+"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+msgstr ""
+"\n"
+"Si vous n'avez pas demandé ce code, veuillez ignorer ce courriel. Le code ci-dessus est valid pendant %(expires)s.\n"
+
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@ -2778,11 +2906,6 @@ msgstr "Appareil SMS"
 msgid "SMS Devices"
 msgstr "Appareils SMS"

-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "Le Code ne correspond pas"
-
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "Numéro de téléphone invalide"
@ -3021,14 +3144,6 @@ msgstr "Réinitialiser le Mot de Passe"
 msgid "Account Confirmation"
 msgstr "Confirmation du Compte"

-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr ""
-"Si activé, les paramètres globaux de connexion courriel seront utilisés et "
-"les paramètres de connexion ci-dessous seront ignorés."
-
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "Activer les utilisateurs à la complétion de l'étape."
@ -3045,10 +3160,6 @@ msgstr "Étape Email"
 msgid "Email Stages"
 msgstr "Étape Email"

-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr "Une erreur s'est produite lors de la modélisation du couriel"
-
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "Email vérifié avec succès."
@ -3133,17 +3244,6 @@ msgstr ""
 "\n"
 "Cet email a été envoyé depuis le transport de notification %(name)s.\n"

-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      Salut %(username)s,\n"
-"     "
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@ -3165,11 +3265,6 @@ msgstr ""
 "    Si vous n'avez pas requis de changement de mot de passe, veuillez ignorer cet e-mail. Le lien ci-dessus est valide pendant %(expires)s.\n"
 "    "

-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "Bonjour %(username)s,"
-
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"
--- a/locale/ru/LC_MESSAGES/django.mo
+++ b/locale/ru/LC_MESSAGES/django.mo
--- a/locale/zh-Hans/LC_MESSAGES/django.po
+++ b/locale/zh-Hans/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-14 14:49+0000\n"
+"POT-Creation-Date: 2025-02-25 00:11+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@ -118,6 +118,10 @@ msgstr "用户没有访问此应用程序的权限。"
 msgid "Extra description not available"
 msgstr "额外描述不可用"

+#: authentik/core/api/groups.py
+msgid "Cannot set group as parent of itself."
+msgstr "无法设置组自身为父级。"
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -162,6 +166,14 @@ msgstr "添加用户到组"
 msgid "Remove user from group"
 msgstr "从组中删除用户"

+#: authentik/core/models.py
+msgid "Enable superuser status"
+msgstr "启用超级用户状态"
+
+#: authentik/core/models.py
+msgid "Disable superuser status"
+msgstr "禁用超级用户状态"
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "用户的显示名称。"
@ -510,57 +522,6 @@ msgstr "Microsoft Entra 提供程序映射"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Microsoft Entra 提供程序映射"

-#: authentik/enterprise/providers/rac/models.py
-#: authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr "确定会话持续多长时间。默认值为 0 表示会话持续到浏览器关闭为止。（格式：hours=-1;minutes=-2;seconds=-3）"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr "启用时，连接令牌将会在断开连接时被删除。"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "RAC 提供程序"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "RAC 提供程序"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "RAC 端点"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "RAC 端点"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "RAC 提供程序属性映射"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "RAC 提供程序属性映射"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "RAC 连接令牌"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "RAC 连接令牌"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "已达到最大连接数。"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "（您已经在另一个标签页/窗口连接了）"
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@ -662,6 +623,7 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Slack Webhook（Slack/Discord）"

 #: authentik/events/models.py
+#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "电子邮箱"

@ -1119,6 +1081,14 @@ msgstr "GeoIP：无法在城市数据库中找到客户端 IP。"
 msgid "Client IP is not in an allowed country."
 msgstr "客户端 IP 不在受允许的地区。"

+#: authentik/policies/geoip/models.py
+msgid "Distance from previous authentication is larger than threshold."
+msgstr "与上一次身份验证的距离超过阈值。"
+
+#: authentik/policies/geoip/models.py
+msgid "Distance is further than possible."
+msgstr "距离大幅超过可能值。"
+
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "GeoIP 策略"
@ -1668,6 +1638,56 @@ msgstr "代理提供程序"
 msgid "Proxy Providers"
 msgstr "代理提供程序"

+#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr "确定会话持续多长时间。默认值为 0 表示会话持续到浏览器关闭为止。（格式：hours=-1;minutes=-2;seconds=-3）"
+
+#: authentik/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr "启用时，连接令牌将会在断开连接时被删除。"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "RAC 提供程序"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "RAC 提供程序"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "RAC 端点"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "RAC 端点"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "RAC 提供程序属性映射"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "RAC 提供程序属性映射"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "RAC 连接令牌"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "RAC 连接令牌"
+
+#: authentik/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "已达到最大连接数。"
+
+#: authentik/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "（您已经在另一个标签页/窗口连接了）"
+
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr "用于哈希处理数据包的客户端服务端共享密钥。"
@ -2521,6 +2541,109 @@ msgstr "Duo 设备"
 msgid "Duo Devices"
 msgstr "Duo 设备"

+#: authentik/stages/authenticator_email/models.py
+msgid "Email OTP"
+msgstr "电子邮件 OTP"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr "启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+msgstr "发出令牌有效的时间（格式：hours=3,minutes=17,seconds=300）。"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stage"
+msgstr "电子邮件身份验证器设置阶段"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stages"
+msgstr "电子邮件身份验证器设置阶段"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr "渲染电子邮件模板时发生异常"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Device"
+msgstr "电子邮件设备"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Devices"
+msgstr "电子邮件设备"
+
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "代码不匹配"
+
+#: authentik/stages/authenticator_email/stage.py
+msgid "Invalid email"
+msgstr "无效电子邮件"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      %(username)s 您好，\n"
+"      "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+msgid ""
+"\n"
+"          Email MFA code.\n"
+"          "
+msgstr ""
+"\n"
+"          电子邮件 MFA 代码。\n"
+"          "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#, python-format
+msgid ""
+"\n"
+"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+"    "
+msgstr ""
+"\n"
+"    如果您没有请求此代码，请忽略此电子邮件。上面的代码在 %(expires)s 内有效。\n"
+"    "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "您好 %(username)s，"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+msgid ""
+"\n"
+"Email MFA code\n"
+msgstr ""
+"\n"
+"电子邮件 MFA 代码\n"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#, python-format
+msgid ""
+"\n"
+"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+msgstr ""
+"\n"
+"如果您没有请求此代码，请忽略此电子邮件。上面的代码在 %(expires)s 内有效。\n"
+
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@ -2553,11 +2676,6 @@ msgstr "短信设备"
 msgid "SMS Devices"
 msgstr "短信设备"

-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "代码不匹配"
-
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "无效电话号码"
@ -2780,12 +2898,6 @@ msgstr "密码重置"
 msgid "Account Confirmation"
 msgstr "账户确认"

-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr "启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。"
-
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "完成阶段后激活用户。"
@ -2802,10 +2914,6 @@ msgstr "电子邮件阶段"
 msgid "Email Stages"
 msgstr "电子邮件阶段"

-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr "渲染电子邮件模板时发生异常"
-
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "已成功验证电子邮件。"
@ -2886,17 +2994,6 @@ msgstr ""
 "\n"
 "此邮件由通知递送 %(name)s 发送。\n"

-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      %(username)s 您好，\n"
-"      "
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@ -2918,11 +3015,6 @@ msgstr ""
 "    如果您没有请求更改密码，请忽略此电子邮件。上面的链接在 %(expires)s 内有效。\n"
 "    "

-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "您好 %(username)s，"
-
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"
--- a/locale/zh_CN/LC_MESSAGES/django.po
+++ b/locale/zh_CN/LC_MESSAGES/django.po
@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-02-14 14:49+0000\n"
+"POT-Creation-Date: 2025-02-25 00:11+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@ -117,6 +117,10 @@ msgstr "用户没有访问此应用程序的权限。"
 msgid "Extra description not available"
 msgstr "额外描述不可用"

+#: authentik/core/api/groups.py
+msgid "Cannot set group as parent of itself."
+msgstr "无法设置组自身为父级。"
+
 #: authentik/core/api/providers.py
 msgid ""
 "When not set all providers are returned. When set to true, only backchannel "
@ -161,6 +165,14 @@ msgstr "添加用户到组"
 msgid "Remove user from group"
 msgstr "从组中删除用户"

+#: authentik/core/models.py
+msgid "Enable superuser status"
+msgstr "启用超级用户状态"
+
+#: authentik/core/models.py
+msgid "Disable superuser status"
+msgstr "禁用超级用户状态"
+
 #: authentik/core/models.py
 msgid "User's display name."
 msgstr "用户的显示名称。"
@ -509,57 +521,6 @@ msgstr "Microsoft Entra 提供程序映射"
 msgid "Microsoft Entra Provider Mappings"
 msgstr "Microsoft Entra 提供程序映射"

-#: authentik/enterprise/providers/rac/models.py
-#: authentik/stages/user_login/models.py
-msgid ""
-"Determines how long a session lasts. Default of 0 means that the sessions "
-"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
-msgstr "确定会话持续多长时间。默认值为 0 表示会话持续到浏览器关闭为止。（格式：hours=-1;minutes=-2;seconds=-3）"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "When set to true, connection tokens will be deleted upon disconnect."
-msgstr "启用时，连接令牌将会在断开连接时被删除。"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider"
-msgstr "RAC 提供程序"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Providers"
-msgstr "RAC 提供程序"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoint"
-msgstr "RAC 端点"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Endpoints"
-msgstr "RAC 端点"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mapping"
-msgstr "RAC 提供程序属性映射"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Provider Property Mappings"
-msgstr "RAC 提供程序属性映射"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection token"
-msgstr "RAC 连接令牌"
-
-#: authentik/enterprise/providers/rac/models.py
-msgid "RAC Connection tokens"
-msgstr "RAC 连接令牌"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "Maximum connection limit reached."
-msgstr "已达到最大连接数。"
-
-#: authentik/enterprise/providers/rac/views.py
-msgid "(You are already connected in another tab/window)"
-msgstr "（您已经在另一个标签页/窗口连接了）"
-
 #: authentik/enterprise/providers/ssf/models.py
 #: authentik/providers/oauth2/models.py
 msgid "Signing Key"
@ -661,6 +622,7 @@ msgid "Slack Webhook (Slack/Discord)"
 msgstr "Slack Webhook（Slack/Discord）"

 #: authentik/events/models.py
+#: authentik/stages/authenticator_validate/models.py
 msgid "Email"
 msgstr "电子邮箱"

@ -1118,6 +1080,14 @@ msgstr "GeoIP：无法在城市数据库中找到客户端 IP。"
 msgid "Client IP is not in an allowed country."
 msgstr "客户端 IP 不在受允许的地区。"

+#: authentik/policies/geoip/models.py
+msgid "Distance from previous authentication is larger than threshold."
+msgstr "与上一次身份验证的距离超过阈值。"
+
+#: authentik/policies/geoip/models.py
+msgid "Distance is further than possible."
+msgstr "距离大幅超过可能值。"
+
 #: authentik/policies/geoip/models.py
 msgid "GeoIP Policy"
 msgstr "GeoIP 策略"
@ -1667,6 +1637,56 @@ msgstr "代理提供程序"
 msgid "Proxy Providers"
 msgstr "代理提供程序"

+#: authentik/providers/rac/models.py authentik/stages/user_login/models.py
+msgid ""
+"Determines how long a session lasts. Default of 0 means that the sessions "
+"lasts until the browser is closed. (Format: hours=-1;minutes=-2;seconds=-3)"
+msgstr "确定会话持续多长时间。默认值为 0 表示会话持续到浏览器关闭为止。（格式：hours=-1;minutes=-2;seconds=-3）"
+
+#: authentik/providers/rac/models.py
+msgid "When set to true, connection tokens will be deleted upon disconnect."
+msgstr "启用时，连接令牌将会在断开连接时被删除。"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider"
+msgstr "RAC 提供程序"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Providers"
+msgstr "RAC 提供程序"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoint"
+msgstr "RAC 端点"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Endpoints"
+msgstr "RAC 端点"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mapping"
+msgstr "RAC 提供程序属性映射"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Provider Property Mappings"
+msgstr "RAC 提供程序属性映射"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection token"
+msgstr "RAC 连接令牌"
+
+#: authentik/providers/rac/models.py
+msgid "RAC Connection tokens"
+msgstr "RAC 连接令牌"
+
+#: authentik/providers/rac/views.py
+msgid "Maximum connection limit reached."
+msgstr "已达到最大连接数。"
+
+#: authentik/providers/rac/views.py
+msgid "(You are already connected in another tab/window)"
+msgstr "（您已经在另一个标签页/窗口连接了）"
+
 #: authentik/providers/radius/models.py
 msgid "Shared secret between clients and server to hash packets."
 msgstr "在客户端和服务端之间共享密钥以哈希数据包。"
@ -2520,6 +2540,109 @@ msgstr "Duo 设备"
 msgid "Duo Devices"
 msgstr "Duo 设备"

+#: authentik/stages/authenticator_email/models.py
+msgid "Email OTP"
+msgstr "电子邮件 OTP"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/email/models.py
+msgid ""
+"When enabled, global Email connection settings will be used and connection "
+"settings below will be ignored."
+msgstr "启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Time the token sent is valid (Format: hours=3,minutes=17,seconds=300)."
+msgstr "发出令牌有效的时间（格式：hours=3,minutes=17,seconds=300）。"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stage"
+msgstr "电子邮件身份验证器设置阶段"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Authenticator Setup Stages"
+msgstr "电子邮件身份验证器设置阶段"
+
+#: authentik/stages/authenticator_email/models.py
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/email/stage.py
+msgid "Exception occurred while rendering E-mail template"
+msgstr "渲染电子邮件模板时发生异常"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Device"
+msgstr "电子邮件设备"
+
+#: authentik/stages/authenticator_email/models.py
+msgid "Email Devices"
+msgstr "电子邮件设备"
+
+#: authentik/stages/authenticator_email/stage.py
+#: authentik/stages/authenticator_sms/stage.py
+#: authentik/stages/authenticator_totp/stage.py
+msgid "Code does not match"
+msgstr "代码不匹配"
+
+#: authentik/stages/authenticator_email/stage.py
+msgid "Invalid email"
+msgstr "无效电子邮件"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#: authentik/stages/email/templates/email/password_reset.html
+#, python-format
+msgid ""
+"\n"
+"      Hi %(username)s,\n"
+"      "
+msgstr ""
+"\n"
+"      %(username)s 您好，\n"
+"      "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+msgid ""
+"\n"
+"          Email MFA code.\n"
+"          "
+msgstr ""
+"\n"
+"          电子邮件 MFA 代码。\n"
+"          "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.html
+#, python-format
+msgid ""
+"\n"
+"    If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+"    "
+msgstr ""
+"\n"
+"    如果您没有请求此代码，请忽略此电子邮件。上面的代码在 %(expires)s 内有效。\n"
+"    "
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#: authentik/stages/email/templates/email/password_reset.txt
+#, python-format
+msgid "Hi %(username)s,"
+msgstr "您好 %(username)s，"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+msgid ""
+"\n"
+"Email MFA code\n"
+msgstr ""
+"\n"
+"电子邮件 MFA 代码\n"
+
+#: authentik/stages/authenticator_email/templates/email/email_otp.txt
+#, python-format
+msgid ""
+"\n"
+"If you did not request this code, please ignore this email. The code above is valid for %(expires)s.\n"
+msgstr ""
+"\n"
+"如果您没有请求此代码，请忽略此电子邮件。上面的代码在 %(expires)s 内有效。\n"
+
 #: authentik/stages/authenticator_sms/models.py
 msgid ""
 "When enabled, the Phone number is only used during enrollment to verify the "
@ -2552,11 +2675,6 @@ msgstr "短信设备"
 msgid "SMS Devices"
 msgstr "短信设备"

-#: authentik/stages/authenticator_sms/stage.py
-#: authentik/stages/authenticator_totp/stage.py
-msgid "Code does not match"
-msgstr "代码不匹配"
-
 #: authentik/stages/authenticator_sms/stage.py
 msgid "Invalid phone number"
 msgstr "无效电话号码"
@ -2779,12 +2897,6 @@ msgstr "密码重置"
 msgid "Account Confirmation"
 msgstr "账户确认"

-#: authentik/stages/email/models.py
-msgid ""
-"When enabled, global Email connection settings will be used and connection "
-"settings below will be ignored."
-msgstr "启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。"
-
 #: authentik/stages/email/models.py
 msgid "Activate users upon completion of stage."
 msgstr "完成阶段后激活用户。"
@ -2801,10 +2913,6 @@ msgstr "电子邮件阶段"
 msgid "Email Stages"
 msgstr "电子邮件阶段"

-#: authentik/stages/email/stage.py
-msgid "Exception occurred while rendering E-mail template"
-msgstr "渲染电子邮件模板时发生异常"
-
 #: authentik/stages/email/stage.py
 msgid "Successfully verified Email."
 msgstr "已成功验证电子邮件。"
@ -2885,17 +2993,6 @@ msgstr ""
 "\n"
 "此邮件由通知递送 %(name)s 发送。\n"

-#: authentik/stages/email/templates/email/password_reset.html
-#, python-format
-msgid ""
-"\n"
-"      Hi %(username)s,\n"
-"      "
-msgstr ""
-"\n"
-"      %(username)s 您好，\n"
-"      "
-
 #: authentik/stages/email/templates/email/password_reset.html
 msgid ""
 "\n"
@ -2917,11 +3014,6 @@ msgstr ""
 "    如果您没有请求更改密码，请忽略此电子邮件。上面的链接在 %(expires)s 内有效。\n"
 "    "

-#: authentik/stages/email/templates/email/password_reset.txt
-#, python-format
-msgid "Hi %(username)s,"
-msgstr "您好 %(username)s，"
-
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
 "\n"
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2024.12.3",
+    "version": "2025.2.1",
    "private": true
 }
--- a/poetry.lock
+++ b/poetry.lock
@ -392,13 +392,13 @@ typeguard = ">=2.13.3,<4.3.0"

 [[package]]
 name = "aws-cdk-lib"
-version = "2.179.0"
+version = "2.181.0"
 description = "Version 2 of the AWS Cloud Development Kit library"
 optional = false
 python-versions = "~=3.8"
 files = [
-    {file = "aws_cdk_lib-2.179.0-py3-none-any.whl", hash = "sha256:1d7b88ee69067b8d58dac9eeb6697bbaf5d5c032a3070898389c41e7c4f3e3d7"},
-    {file = "aws_cdk_lib-2.179.0.tar.gz", hash = "sha256:b653a55754f4020a4b36e4ae183d213e76e27b18b842cbf9e430e9eccb700550"},
+    {file = "aws_cdk_lib-2.181.0-py3-none-any.whl", hash = "sha256:717b1c9fab00924b3c6ef1a6febb4d8816b822e07879da2dd0422c3339436219"},
+    {file = "aws_cdk_lib-2.181.0.tar.gz", hash = "sha256:f532acd18ba209727fdde7c6f12bc1e3265b59dd0d24de8b6efb743e541504a2"},
 ]

 [package.dependencies]
@ -1944,13 +1944,13 @@ grpcio-gcp = ["grpcio-gcp (>=0.2.2,<1.0.dev0)"]

 [[package]]
 name = "google-api-python-client"
-version = "2.161.0"
+version = "2.162.0"
 description = "Google API Client Library for Python"
 optional = false
 python-versions = ">=3.7"
 files = [
-    {file = "google_api_python_client-2.161.0-py2.py3-none-any.whl", hash = "sha256:9476a5a4f200bae368140453df40f9cda36be53fa7d0e9a9aac4cdb859a26448"},
-    {file = "google_api_python_client-2.161.0.tar.gz", hash = "sha256:324c0cce73e9ea0a0d2afd5937e01b7c2d6a4d7e2579cdb6c384f9699d6c9f37"},
+    {file = "google_api_python_client-2.162.0-py2.py3-none-any.whl", hash = "sha256:49365fa4f7795fe81a747f5544d6528ea94314fa59664e0ea1005f603facf1ec"},
+    {file = "google_api_python_client-2.162.0.tar.gz", hash = "sha256:5f8bc934a5b6eea73a7d12d999e6585c1823179f48340234acb385e2502e735a"},
 ]

 [package.dependencies]
@ -3126,13 +3126,13 @@ dev = ["bumpver", "isort", "mypy", "pylint", "pytest", "yapf"]

 [[package]]
 name = "msgraph-sdk"
-version = "1.21.0"
+version = "1.22.0"
 description = "The Microsoft Graph Python SDK"
 optional = false
 python-versions = ">=3.9"
 files = [
-    {file = "msgraph_sdk-1.21.0-py3-none-any.whl", hash = "sha256:d8564b3d76a0c76960af94b916fc6ab3af2d11d2263ab08fafb136c334f66c0e"},
-    {file = "msgraph_sdk-1.21.0.tar.gz", hash = "sha256:f45db4c1bffb22e0b54876defd06d582291f7ca2e737f0ab519e43a18cf90df4"},
+    {file = "msgraph_sdk-1.22.0-py3-none-any.whl", hash = "sha256:6fc6a8c230750d1fa4a91c862f02f526000725294c3d756a18438c0e5d4be365"},
+    {file = "msgraph_sdk-1.22.0.tar.gz", hash = "sha256:4c3e91091c4ac1a90d6babc0226ed6b15afb2d9ae12121ded632877ab29e8ac8"},
 ]

 [package.dependencies]
@ -3717,36 +3717,36 @@ files = [

 [[package]]
 name = "psycopg"
-version = "3.2.4"
+version = "3.2.5"
 description = "PostgreSQL database adapter for Python"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "psycopg-3.2.4-py3-none-any.whl", hash = "sha256:43665368ccd48180744cab26b74332f46b63b7e06e8ce0775547a3533883d381"},
-    {file = "psycopg-3.2.4.tar.gz", hash = "sha256:f26f1346d6bf1ef5f5ef1714dd405c67fb365cfd1c6cea07de1792747b167b92"},
+    {file = "psycopg-3.2.5-py3-none-any.whl", hash = "sha256:b782130983e5b3de30b4c529623d3687033b4dafa05bb661fc6bf45837ca5879"},
+    {file = "psycopg-3.2.5.tar.gz", hash = "sha256:f5f750611c67cb200e85b408882f29265c66d1de7f813add4f8125978bfd70e8"},
 ]

 [package.dependencies]
-psycopg-c = {version = "3.2.4", optional = true, markers = "implementation_name != \"pypy\" and extra == \"c\""}
+psycopg-c = {version = "3.2.5", optional = true, markers = "implementation_name != \"pypy\" and extra == \"c\""}
 typing-extensions = {version = ">=4.6", markers = "python_version < \"3.13\""}
 tzdata = {version = "*", markers = "sys_platform == \"win32\""}

 [package.extras]
-binary = ["psycopg-binary (==3.2.4)"]
-c = ["psycopg-c (==3.2.4)"]
-dev = ["ast-comments (>=1.1.2)", "black (>=24.1.0)", "codespell (>=2.2)", "dnspython (>=2.1)", "flake8 (>=4.0)", "mypy (>=1.14)", "pre-commit (>=4.0.1)", "types-setuptools (>=57.4)", "wheel (>=0.37)"]
+binary = ["psycopg-binary (==3.2.5)"]
+c = ["psycopg-c (==3.2.5)"]
+dev = ["ast-comments (>=1.1.2)", "black (>=24.1.0)", "codespell (>=2.2)", "dnspython (>=2.1)", "flake8 (>=4.0)", "isort-psycopg", "isort[colors] (>=6.0)", "mypy (>=1.14)", "pre-commit (>=4.0.1)", "types-setuptools (>=57.4)", "wheel (>=0.37)"]
 docs = ["Sphinx (>=5.0)", "furo (==2022.6.21)", "sphinx-autobuild (>=2021.3.14)", "sphinx-autodoc-typehints (>=1.12)"]
 pool = ["psycopg-pool"]
 test = ["anyio (>=4.0)", "mypy (>=1.14)", "pproxy (>=2.7)", "pytest (>=6.2.5)", "pytest-cov (>=3.0)", "pytest-randomly (>=3.5)"]

 [[package]]
 name = "psycopg-c"
-version = "3.2.4"
+version = "3.2.5"
 description = "PostgreSQL database adapter for Python -- C optimisation distribution"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "psycopg_c-3.2.4.tar.gz", hash = "sha256:22097a04263efb2efd2cc8b00a51fa90e23f9cd4a2e09903fe4d9c6923dac17a"},
+    {file = "psycopg_c-3.2.5.tar.gz", hash = "sha256:57ad4cfd28de278c424aaceb1f2ad5c7910466e315dfe84e403f3c7a0a2ce81b"},
 ]

 [[package]]
@ -4707,96 +4707,96 @@ tests = ["coverage[toml] (>=5.0.2)", "pytest"]

 [[package]]
 name = "setproctitle"
-version = "1.3.4"
+version = "1.3.5"
 description = "A Python module to customize the process title"
 optional = false
 python-versions = ">=3.8"
 files = [
-    {file = "setproctitle-1.3.4-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:0f6661a69c68349172ba7b4d5dd65fec2b0917abc99002425ad78c3e58cf7595"},
-    {file = "setproctitle-1.3.4-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:754bac5e470adac7f7ec2239c485cd0b75f8197ca8a5b86ffb20eb3a3676cc42"},
-    {file = "setproctitle-1.3.4-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f7bc7088c15150745baf66db62a4ced4507d44419eb66207b609f91b64a682af"},
-    {file = "setproctitle-1.3.4-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a46ef3ecf61e4840fbc1145fdd38acf158d0da7543eda7b773ed2b30f75c2830"},
-    {file = "setproctitle-1.3.4-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ffcb09d5c0ffa043254ec9a734a73f3791fec8bf6333592f906bb2e91ed2af1a"},
-    {file = "setproctitle-1.3.4-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:06c16b7a91cdc5d700271899e4383384a61aae83a3d53d0e2e5a266376083342"},
-    {file = "setproctitle-1.3.4-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:9f9732e59863eaeedd3feef94b2b216cb86d40dda4fad2d0f0aaec3b31592716"},
-    {file = "setproctitle-1.3.4-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:e152f4ab9ea1632b5fecdd87cee354f2b2eb6e2dfc3aceb0eb36a01c1e12f94c"},
-    {file = "setproctitle-1.3.4-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:020ea47a79b2bbd7bd7b94b85ca956ba7cb026e82f41b20d2e1dac4008cead25"},
-    {file = "setproctitle-1.3.4-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:8c52b12b10e4057fc302bd09cb3e3f28bb382c30c044eb3396e805179a8260e4"},
-    {file = "setproctitle-1.3.4-cp310-cp310-win32.whl", hash = "sha256:a65a147f545f3fac86f11acb2d0b316d3e78139a9372317b7eb50561b2817ba0"},
-    {file = "setproctitle-1.3.4-cp310-cp310-win_amd64.whl", hash = "sha256:66821fada6426998762a3650a37fba77e814a249a95b1183011070744aff47f6"},
-    {file = "setproctitle-1.3.4-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:f0f749f07002c2d6fecf37cedc43207a88e6c651926a470a5f229070cf791879"},
-    {file = "setproctitle-1.3.4-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:90ea8d302a5d30b948451d146e94674a3c5b020cc0ced9a1c28f8ddb0f203a5d"},
-    {file = "setproctitle-1.3.4-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f859c88193ed466bee4eb9d45fbc29d2253e6aa3ccd9119c9a1d8d95f409a60d"},
-    {file = "setproctitle-1.3.4-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b3afa5a0ed08a477ded239c05db14c19af585975194a00adf594d48533b23701"},
-    {file = "setproctitle-1.3.4-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:10a78fce9018cc3e9a772b6537bbe3fe92380acf656c9f86db2f45e685af376e"},
-    {file = "setproctitle-1.3.4-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5d758e2eed2643afac5f2881542fbb5aa97640b54be20d0a5ed0691d02f0867d"},
-    {file = "setproctitle-1.3.4-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:ef133a1a2ee378d549048a12d56f4ef0e2b9113b0b25b6b77821e9af94d50634"},
-    {file = "setproctitle-1.3.4-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:1d2a154b79d5fb42d1eff06e05e22f0e8091261d877dd47b37d31352b74ecc37"},
-    {file = "setproctitle-1.3.4-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:202eae632815571297833876a0f407d0d9c7ad9d843b38adbe687fe68c5192ee"},
-    {file = "setproctitle-1.3.4-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:2b0080819859e80a7776ac47cf6accb4b7ad313baf55fabac89c000480dcd103"},
-    {file = "setproctitle-1.3.4-cp311-cp311-win32.whl", hash = "sha256:9c9d7d1267dee8c6627963d9376efa068858cfc8f573c083b1b6a2d297a8710f"},
-    {file = "setproctitle-1.3.4-cp311-cp311-win_amd64.whl", hash = "sha256:475986ddf6df65d619acd52188336a20f616589403f5a5ceb3fc70cdc137037a"},
-    {file = "setproctitle-1.3.4-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:d06990dcfcd41bb3543c18dd25c8476fbfe1f236757f42fef560f6aa03ac8dfc"},
-    {file = "setproctitle-1.3.4-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:317218c9d8b17a010ab2d2f0851e8ef584077a38b1ba2b7c55c9e44e79a61e73"},
-    {file = "setproctitle-1.3.4-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:cb5fefb53b9d9f334a5d9ec518a36b92a10b936011ac8a6b6dffd60135f16459"},
-    {file = "setproctitle-1.3.4-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0855006261635e8669646c7c304b494b6df0a194d2626683520103153ad63cc9"},
-    {file = "setproctitle-1.3.4-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1a88e466fcaee659679c1d64dcb2eddbcb4bfadffeb68ba834d9c173a25b6184"},
-    {file = "setproctitle-1.3.4-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f963b6ed8ba33eda374a98d979e8a0eaf21f891b6e334701693a2c9510613c4c"},
-    {file = "setproctitle-1.3.4-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:122c2e05697fa91f5d23f00bbe98a9da1bd457b32529192e934095fadb0853f1"},
-    {file = "setproctitle-1.3.4-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:1bba0a866f5895d5b769d8c36b161271c7fd407e5065862ab80ff91c29fbe554"},
-    {file = "setproctitle-1.3.4-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:97f1f861998e326e640708488c442519ad69046374b2c3fe9bcc9869b387f23c"},
-    {file = "setproctitle-1.3.4-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:726aee40357d4bdb70115442cb85ccc8e8bc554fc0bbbaa3a57cbe81df42287d"},
-    {file = "setproctitle-1.3.4-cp312-cp312-win32.whl", hash = "sha256:04d6ba8b816dbb0bfd62000b0c3e583160893e6e8c4233e1dca1a9ae4d95d924"},
-    {file = "setproctitle-1.3.4-cp312-cp312-win_amd64.whl", hash = "sha256:9c76e43cb351ba8887371240b599925cdf3ecececc5dfb7125c71678e7722c55"},
-    {file = "setproctitle-1.3.4-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:d6e3b177e634aa6bbbfbf66d097b6d1cdb80fc60e912c7d8bace2e45699c07dd"},
-    {file = "setproctitle-1.3.4-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:6b17655a5f245b416e127e02087ea6347a48821cc4626bc0fd57101bfcd88afc"},
-    {file = "setproctitle-1.3.4-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fa5057a86df920faab8ee83960b724bace01a3231eb8e3f2c93d78283504d598"},
-    {file = "setproctitle-1.3.4-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:149fdfb8a26a555780c4ce53c92e6d3c990ef7b30f90a675eca02e83c6d5f76d"},
-    {file = "setproctitle-1.3.4-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ded03546938a987f463c68ab98d683af87a83db7ac8093bbc179e77680be5ba2"},
-    {file = "setproctitle-1.3.4-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8ab9f5b7f2bbc1754bc6292d9a7312071058e5a891b0391e6d13b226133f36aa"},
-    {file = "setproctitle-1.3.4-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:0b19813c852566fa031902124336fa1f080c51e262fc90266a8c3d65ca47b74c"},
-    {file = "setproctitle-1.3.4-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:db78b645dc63c0ccffca367a498f3b13492fb106a2243a1e998303ba79c996e2"},
-    {file = "setproctitle-1.3.4-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:b669aaac70bd9f03c070270b953f78d9ee56c4af6f0ff9f9cd3e6d1878c10b40"},
-    {file = "setproctitle-1.3.4-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:6dc3d656702791565994e64035a208be56b065675a5bc87b644c657d6d9e2232"},
-    {file = "setproctitle-1.3.4-cp313-cp313-win32.whl", hash = "sha256:091f682809a4d12291cf0205517619d2e7014986b7b00ebecfde3d76f8ae5a8f"},
-    {file = "setproctitle-1.3.4-cp313-cp313-win_amd64.whl", hash = "sha256:adcd6ba863a315702184d92d3d3bbff290514f24a14695d310f02ae5e28bd1f7"},
-    {file = "setproctitle-1.3.4-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:acf41cf91bbc5a36d1fa4455a818bb02bf2a4ccfed2f892ba166ba2fcbb0ec8a"},
-    {file = "setproctitle-1.3.4-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:ceb3ce3262b0e8e088e4117175591b7a82b3bdc5e52e33b1e74778b5fb53fd38"},
-    {file = "setproctitle-1.3.4-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2b2ef636a6a25fe7f3d5a064bea0116b74a4c8c7df9646b17dc7386c439a26cf"},
-    {file = "setproctitle-1.3.4-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:28b8614de08679ae95bc4e8d6daaef6b61afdf027fa0d23bf13d619000286b3c"},
-    {file = "setproctitle-1.3.4-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:24f3c8be826a7d44181eac2269b15b748b76d98cd9a539d4c69f09321dcb5c12"},
-    {file = "setproctitle-1.3.4-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:fc9d79b1bf833af63b7c720a6604eb16453ac1ad4e718eb8b59d1f97d986b98c"},
-    {file = "setproctitle-1.3.4-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:fb693000b65842c85356b667d057ae0d0bac6519feca7e1c437cc2cfeb0afc59"},
-    {file = "setproctitle-1.3.4-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:a166251b8fbc6f2755e2ce9d3c11e9edb0c0c7d2ed723658ff0161fbce26ac1c"},
-    {file = "setproctitle-1.3.4-cp38-cp38-musllinux_1_2_ppc64le.whl", hash = "sha256:0361428e6378911a378841509c56ba472d991cbed1a7e3078ec0cacc103da44a"},
-    {file = "setproctitle-1.3.4-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:62d66e0423e3bd520b4c897063506b309843a8d07343fbfad04197e91a4edd28"},
-    {file = "setproctitle-1.3.4-cp38-cp38-win32.whl", hash = "sha256:5edd01909348f3b0b2da329836d6b5419cd4869fec2e118e8ff3275b38af6267"},
-    {file = "setproctitle-1.3.4-cp38-cp38-win_amd64.whl", hash = "sha256:59e0dda9ad245921af0328035a961767026e1fa94bb65957ab0db0a0491325d6"},
-    {file = "setproctitle-1.3.4-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:bdaaa81a6e95a0a19fba0285f10577377f3503ae4e9988b403feba79da3e2f80"},
-    {file = "setproctitle-1.3.4-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:4ee5b19a2d794463bcc19153dfceede7beec784b4cf7967dec0bc0fc212ab3a3"},
-    {file = "setproctitle-1.3.4-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3058a1bb0c767b3a6ccbb38b27ef870af819923eb732e21e44a3f300370fe159"},
-    {file = "setproctitle-1.3.4-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:5a97d37ee4fe0d1c6e87d2a97229c27a88787a8f4ebfbdeee95f91b818e52efe"},
-    {file = "setproctitle-1.3.4-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6e61dd7d05da11fc69bb86d51f1e0ee08f74dccf3ecf884c94de41135ffdc75d"},
-    {file = "setproctitle-1.3.4-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1eb115d53dc2a1299ae72f1119c96a556db36073bacb6da40c47ece5db0d9587"},
-    {file = "setproctitle-1.3.4-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:342570716e2647a51ea859b8a9126da9dc1a96a0153c9c0a3514effd60ab57ad"},
-    {file = "setproctitle-1.3.4-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:0ad212ae2b03951367a69584af034579b34e1e4199a75d377ef9f8e08ee299b1"},
-    {file = "setproctitle-1.3.4-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:4afcb38e22122465013f4621b7e9ff8d42a7a48ae0ffeb94133a806cb91b4aad"},
-    {file = "setproctitle-1.3.4-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:30bb223e6c3f95ad9e9bb2a113292759e947d1cfd60dbd4adb55851c370006b2"},
-    {file = "setproctitle-1.3.4-cp39-cp39-win32.whl", hash = "sha256:5f0521ed3bb9f02e9486573ea95e2062cd6bf036fa44e640bd54a06f22d85f35"},
-    {file = "setproctitle-1.3.4-cp39-cp39-win_amd64.whl", hash = "sha256:0baadeb27f9e97e65922b4151f818b19c311d30b9efdb62af0e53b3db4006ce2"},
-    {file = "setproctitle-1.3.4-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:939d364a187b2adfbf6ae488664277e717d56c7951a4ddeb4f23b281bc50bfe5"},
-    {file = "setproctitle-1.3.4-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:cb8a6a19be0cbf6da6fcbf3698b76c8af03fe83e4bd77c96c3922be3b88bf7da"},
-    {file = "setproctitle-1.3.4-pp310-pypy310_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:779006f9e1aade9522a40e8d9635115ab15dd82b7af8e655967162e9c01e2573"},
-    {file = "setproctitle-1.3.4-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:5519f2a7b8c535b0f1f77b30441476571373add72008230c81211ee17b423b57"},
-    {file = "setproctitle-1.3.4-pp38-pypy38_pp73-macosx_11_0_arm64.whl", hash = "sha256:743836d484151334ebba1490d6907ca9e718fe815dcd5756f2a01bc3067d099c"},
-    {file = "setproctitle-1.3.4-pp38-pypy38_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:abda20aff8d1751e48d7967fa8945fef38536b82366c49be39b83678d4be3893"},
-    {file = "setproctitle-1.3.4-pp38-pypy38_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:1a2041b5788ce52f218b5be94af458e04470f997ab46fdebd57cf0b8374cc20e"},
-    {file = "setproctitle-1.3.4-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:2c3b1ce68746557aa6e6f4547e76883925cdc7f8d7c7a9f518acd203f1265ca5"},
-    {file = "setproctitle-1.3.4-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:0b6a4cbabf024cb263a45bdef425760f14470247ff223f0ec51699ca9046c0fe"},
-    {file = "setproctitle-1.3.4-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:3e55d7ecc68bdc80de5a553691a3ed260395d5362c19a266cf83cbb4e046551f"},
-    {file = "setproctitle-1.3.4-pp39-pypy39_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:02ca3802902d91a89957f79da3ec44b25b5804c88026362cb85eea7c1fbdefd1"},
-    {file = "setproctitle-1.3.4-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:47669fc8ed8b27baa2d698104732234b5389f6a59c37c046f6bcbf9150f7a94e"},
-    {file = "setproctitle-1.3.4.tar.gz", hash = "sha256:3b40d32a3e1f04e94231ed6dfee0da9e43b4f9c6b5450d53e6dd7754c34e0c50"},
+    {file = "setproctitle-1.3.5-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:02870e0cb0de7f68a7a8a5b23c2bc0ce63821cab3d9b126f9be80bb6cd674c80"},
+    {file = "setproctitle-1.3.5-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:55b278135be742b8901067479626d909f6613bd2d2c4fd0de6bb46f80e07a919"},
+    {file = "setproctitle-1.3.5-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:53fc971f7bf7a674f571a23cdec70f2f0ac88152c59c06aa0808d0be6d834046"},
+    {file = "setproctitle-1.3.5-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:fb0500e1bc6f00b8ba696c3743ddff14c8679e3c2ca9d292c008ac51488d17cf"},
+    {file = "setproctitle-1.3.5-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:995b3ac1b5fe510f4e1d1c19ebf19f4bceb448f2d6e8d99ea23f33cb6f1a277e"},
+    {file = "setproctitle-1.3.5-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a5a05e2c3fdfbda32b9c9da72d0506398d1efb5bd2c5981b9e12d3622eb3d4f9"},
+    {file = "setproctitle-1.3.5-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:310c7f4ca4c8476a9840b2cd4b22ee602a49a3c902fdcd2dd8284685abd10a9a"},
+    {file = "setproctitle-1.3.5-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:867af4a5c3d85484fbcc50ea88bcd375acf709cff88a3259575361849c0da351"},
+    {file = "setproctitle-1.3.5-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:8ec0a7fe9f1ba90900144489bc93ce7dd4dec3f3df1e7f188c9e58364fe4a4c5"},
+    {file = "setproctitle-1.3.5-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:aaee7acba2733a14a886488b7495bfec4a8d6407124c04a0946dbde1684230a3"},
+    {file = "setproctitle-1.3.5-cp310-cp310-win32.whl", hash = "sha256:bd2cccd972e4282af4ce2c13cd9ebdf07be157eabafd8ce648fffdc8ae6fbe28"},
+    {file = "setproctitle-1.3.5-cp310-cp310-win_amd64.whl", hash = "sha256:81f2328ac34c9584e1e5f87eea916c0bc48476a06606a07debae07acdd7ab5ea"},
+    {file = "setproctitle-1.3.5-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:1c8dcc250872385f2780a5ea58050b58cbc8b6a7e8444952a5a65c359886c593"},
+    {file = "setproctitle-1.3.5-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:ca82fae9eb4800231dd20229f06e8919787135a5581da245b8b05e864f34cc8b"},
+    {file = "setproctitle-1.3.5-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0424e1d33232322541cb36fb279ea5242203cd6f20de7b4fb2a11973d8e8c2ce"},
+    {file = "setproctitle-1.3.5-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:fec8340ab543144d04a9d805d80a0aad73fdeb54bea6ff94e70d39a676ea4ec0"},
+    {file = "setproctitle-1.3.5-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:eab441c89f181271ab749077dcc94045a423e51f2fb0b120a1463ef9820a08d0"},
+    {file = "setproctitle-1.3.5-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d2c371550a2288901a0dcd84192691ebd3197a43c95f3e0b396ed6d1cedf5c6c"},
+    {file = "setproctitle-1.3.5-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:78288ff5f9c415c56595b2257ad218936dd9fa726b36341b373b31ca958590fe"},
+    {file = "setproctitle-1.3.5-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:f1f13a25fc46731acab518602bb1149bfd8b5fabedf8290a7c0926d61414769d"},
+    {file = "setproctitle-1.3.5-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:1534d6cd3854d035e40bf4c091984cbdd4d555d7579676d406c53c8f187c006f"},
+    {file = "setproctitle-1.3.5-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:62a01c76708daac78b9688ffb95268c57cb57fa90b543043cda01358912fe2db"},
+    {file = "setproctitle-1.3.5-cp311-cp311-win32.whl", hash = "sha256:ea07f29735d839eaed985990a0ec42c8aecefe8050da89fec35533d146a7826d"},
+    {file = "setproctitle-1.3.5-cp311-cp311-win_amd64.whl", hash = "sha256:ab3ae11e10d13d514d4a5a15b4f619341142ba3e18da48c40e8614c5a1b5e3c3"},
+    {file = "setproctitle-1.3.5-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:523424b9be4dea97d95b8a584b183f35c7bab2d0a3d995b01febf5b8a8de90e4"},
+    {file = "setproctitle-1.3.5-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:b6ec1d86c1b4d7b5f2bdceadf213310cf24696b82480a2a702194b8a0bfbcb47"},
+    {file = "setproctitle-1.3.5-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ea6c505264275a43e9b2acd2acfc11ac33caf52bc3167c9fced4418a810f6b1c"},
+    {file = "setproctitle-1.3.5-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:0b91e68e6685998e6353f296100ecabc313a6cb3e413d66a03d74b988b61f5ff"},
+    {file = "setproctitle-1.3.5-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bc1fda208ae3a2285ad27aeab44c41daf2328abe58fa3270157a739866779199"},
+    {file = "setproctitle-1.3.5-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:828727d220e46f048b82289018300a64547b46aaed96bf8810c05fe105426b41"},
+    {file = "setproctitle-1.3.5-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:83b016221cf80028b2947be20630faa14e3e72a403e35f0ba29550b4e856767b"},
+    {file = "setproctitle-1.3.5-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:6d8a411e752e794d052434139ca4234ffeceeb8d8d8ddc390a9051d7942b2726"},
+    {file = "setproctitle-1.3.5-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:50cfbf86b9c63a2c2903f1231f0a58edeb775e651ae1af84eec8430b0571f29b"},
+    {file = "setproctitle-1.3.5-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:f3b5e2eacd572444770026c9dd3ddc7543ce427cdf452d40a408d1e95beefb30"},
+    {file = "setproctitle-1.3.5-cp312-cp312-win32.whl", hash = "sha256:cf4e3ded98027de2596c6cc5bbd3302adfb3ca315c848f56516bb0b7e88de1e9"},
+    {file = "setproctitle-1.3.5-cp312-cp312-win_amd64.whl", hash = "sha256:f7a8c01ffd013dda2bed6e7d5cb59fbb609e72f805abf3ee98360f38f7758d9b"},
+    {file = "setproctitle-1.3.5-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:162fd76781f57f42ddf27c475e5fef6a8df4fdd69b28dd554e53e2eb2bfe0f95"},
+    {file = "setproctitle-1.3.5-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:4969d996bdfbe23bbd023cd0bae6c73a27371615c4ec5296a60cecce268659ef"},
+    {file = "setproctitle-1.3.5-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bd70c95a94473216e7c7a7a1f7d8ecbaca5b16d4ba93ddbfd32050fc485a8451"},
+    {file = "setproctitle-1.3.5-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:7a887582bfdb6dcbc482db0ef9e630ad23ca95875806ef2b444bf6fbd7b7d7ca"},
+    {file = "setproctitle-1.3.5-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:755671c39a9e70834eeec6dc6b61e344399c49881d2e7ea3534a1c69669dd9cc"},
+    {file = "setproctitle-1.3.5-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9ab52b4c2ce056a1b60d439991a81ca90f019488d4b4f64b2779e6badd3677e6"},
+    {file = "setproctitle-1.3.5-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:36178b944019ec7fc52bb967ffeee296a11d373734a7be276755bedb3db5c141"},
+    {file = "setproctitle-1.3.5-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:269d41cd4f085b69821d1ee6599124f02dbbc79962b256e260b6c9021d037994"},
+    {file = "setproctitle-1.3.5-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:d880630fd81d1b3bde121c352ca7ea2f2ff507ef40c3c011d0928ed491f912c9"},
+    {file = "setproctitle-1.3.5-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:8a7fed67ab49f60bd51f3b4cffff3f8d754d1bb0a40e42869911301ec6519b65"},
+    {file = "setproctitle-1.3.5-cp313-cp313-win32.whl", hash = "sha256:e9c0d0cfcf715631b10d5950d04a9978f63bc46535724ef7c2eaf1dca9988642"},
+    {file = "setproctitle-1.3.5-cp313-cp313-win_amd64.whl", hash = "sha256:e1d28eb98c91fbebd3e443a45c7da5d84974959851ef304c330eabd654a386f1"},
+    {file = "setproctitle-1.3.5-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:8995a1217b52d11d92bafd069961a47c5e13d8751ca976a32b3ecbbd471eaf9b"},
+    {file = "setproctitle-1.3.5-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:ae2ce64ea87837c4e3e65a7a232ff80cf09aa7d916e74cb34a245c47fcd87981"},
+    {file = "setproctitle-1.3.5-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:20b84de1780bbb0adc67560a113a0ea57e6ecfce2325680de8efe6c2a2f781ac"},
+    {file = "setproctitle-1.3.5-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1b1d2628ac9868f960d7e87b3a9b2bb337104c3644b699e52e01efd7e106e4fe"},
+    {file = "setproctitle-1.3.5-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:fa912c4d08c66afda30dd5af8f2e9c59065dfc36a51edbd5419c3a7c962875aa"},
+    {file = "setproctitle-1.3.5-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dc4f783e100f8b451cd92fcabd3b831edfb1f7cb02be4a79b972f138e0001885"},
+    {file = "setproctitle-1.3.5-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:8ca56e39d10b6758046694a84950e5c5570a034c409ef3337595f64fc2cfa94d"},
+    {file = "setproctitle-1.3.5-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:8915d69260ba6a6aaf9a48f6b53dbf9f8e4dc0cb4ae25bc5edb16a1666b6e47c"},
+    {file = "setproctitle-1.3.5-cp38-cp38-musllinux_1_2_ppc64le.whl", hash = "sha256:7edd4fbb9fd17ed0e5a7f8bde9fa61c3987a34372084c45bab4eab6a2e554762"},
+    {file = "setproctitle-1.3.5-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:d0b19fd76d46b8096a463724739c3b09cf5ce38317f559f56f424f6ce7158de3"},
+    {file = "setproctitle-1.3.5-cp38-cp38-win32.whl", hash = "sha256:53ce572cdbd43a0bed2aa24299cd823ebf233a7fa720cc7f8634728c213679c0"},
+    {file = "setproctitle-1.3.5-cp38-cp38-win_amd64.whl", hash = "sha256:a58f00f35d6038ce1e8a9e5f87cb5ecce13ce118c5977a603566ad1fccc8d2cb"},
+    {file = "setproctitle-1.3.5-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:c4b299b5bbadf00034978b8d741c85af25173146747eb9dab22596ec805a52d6"},
+    {file = "setproctitle-1.3.5-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:d57e7626329d4fb138da5ce15270b08a91326969956fb19c7a8fec2639066704"},
+    {file = "setproctitle-1.3.5-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4272295721cf1fd2acf960b674d6dc09bec87f2a1e48995817b4ec4a3d483faf"},
+    {file = "setproctitle-1.3.5-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f8305b6e6c203222c61318f338f1de08269ec66c247bf251593c215ff1fbeaf9"},
+    {file = "setproctitle-1.3.5-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:becc9f3f605936506d2bd63d9cf817b7ee66b10d204184c4a633064dbed579d6"},
+    {file = "setproctitle-1.3.5-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4629de80c47155a26e8d87a0a92d9428aa8d79ccfe2c20fd18888580619704e1"},
+    {file = "setproctitle-1.3.5-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:f1af1d310b5b6cda692da52bd862a9833086c0a3f8380fa92505dd23857dcf60"},
+    {file = "setproctitle-1.3.5-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:3bb6ea3d6e690677619508050bc681d86223723bdf67e4e8a8dffc3d04ca3044"},
+    {file = "setproctitle-1.3.5-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:322067ef1ffe70d297b00bee8a3862fed96021aa4318e3bce2d7c3bfa7a8d1e7"},
+    {file = "setproctitle-1.3.5-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:1b58d49c32a46c48dcc2812635a89e6bee31139b03818da49a0bbaeaf01edef9"},
+    {file = "setproctitle-1.3.5-cp39-cp39-win32.whl", hash = "sha256:707c23d4a88f5e66f1005d93558bf84eb45fc0fb0c4f33480a0c7d0895e8e848"},
+    {file = "setproctitle-1.3.5-cp39-cp39-win_amd64.whl", hash = "sha256:c64199a73d442a06d372b5286942229a43e86fa41bf36f317dcc60c036aff0bb"},
+    {file = "setproctitle-1.3.5-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:dc66b84beb0d5eb03abf0c3140c6d2cbe3d67ae9f0824a09dfa8c6ff164319a6"},
+    {file = "setproctitle-1.3.5-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:31dc9b330e7cac7685bdef790747c07914081c11ee1066eb0c597303dfb52010"},
+    {file = "setproctitle-1.3.5-pp310-pypy310_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4028639b511f5e641d116b3b54ad70c637ebd1b4baac0948283daf11b104119f"},
+    {file = "setproctitle-1.3.5-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:6bddef4e27d0ed74e44b58bf050bc3108591bf17d20d461fc59cd141282f849c"},
+    {file = "setproctitle-1.3.5-pp38-pypy38_pp73-macosx_11_0_arm64.whl", hash = "sha256:9996be1d1df399c3cdc6d72ce0064e46bc74fc6e29fe16a328511a303dd4d418"},
+    {file = "setproctitle-1.3.5-pp38-pypy38_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:5cefc2dbdc48121022c3c05644cd3706f08e0b3c0ce07814d3c04daba0617936"},
+    {file = "setproctitle-1.3.5-pp38-pypy38_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:cef63879c79a570aabf7c158f453bf8d1285f0fda4b6b9b7a52d64b49c084d40"},
+    {file = "setproctitle-1.3.5-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:a863296a31fb578726c570314cb78ff3a3fddb65963dc01ea33731760f20a92c"},
+    {file = "setproctitle-1.3.5-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:b63bda3cb4b6526720dc7c6940b891c593f41771d119aeb8763875801ce2296d"},
+    {file = "setproctitle-1.3.5-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:95913af603da5b4c7635bf1fb67ecc5df7c18360b6cfb6740fd743bb150a6e17"},
+    {file = "setproctitle-1.3.5-pp39-pypy39_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:36b130cf8fe76dc05ad1d48cc9ff3699eb1f0d8edbf6f46a3ce46a7041e49d7b"},
+    {file = "setproctitle-1.3.5-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:fe3bfd5e51c24349d022e062a96c316a1b8862ea9a0cf5ea2a8b2ae008b77cec"},
+    {file = "setproctitle-1.3.5.tar.gz", hash = "sha256:1e6eaeaf8a734d428a95d8c104643b39af7d247d604f40a7bebcf3960a853c5e"},
 ]

 [package.extras]
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [tool.poetry]
 name = "authentik"
-version = "2024.12.3"
+version = "2025.2.1"
 description = ""
 authors = ["authentik Team <hello@goauthentik.io>"]

--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2024.12.3
+  version: 2025.2.1
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
@ -39432,6 +39432,10 @@ components:
        component:
          type: string
          default: ak-stage-access-denied
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -39546,6 +39550,10 @@ components:
        component:
          type: string
          default: ak-source-oauth-apple
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -39873,6 +39881,10 @@ components:
        component:
          type: string
          default: ak-stage-authenticator-duo
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -40032,6 +40044,10 @@ components:
        component:
          type: string
          default: ak-stage-authenticator-email
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -40288,6 +40304,10 @@ components:
        component:
          type: string
          default: ak-stage-authenticator-sms
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -40451,6 +40471,10 @@ components:
        component:
          type: string
          default: ak-stage-authenticator-static
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -40572,6 +40596,10 @@ components:
        component:
          type: string
          default: ak-stage-authenticator-totp
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -40799,6 +40827,10 @@ components:
        component:
          type: string
          default: ak-stage-authenticator-validate
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -40852,6 +40884,10 @@ components:
        component:
          type: string
          default: ak-stage-authenticator-webauthn
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -41001,6 +41037,10 @@ components:
        component:
          type: string
          default: ak-stage-autosubmit
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -41264,6 +41304,10 @@ components:
        component:
          type: string
          default: ak-stage-captcha
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -41663,6 +41707,10 @@ components:
        component:
          type: string
          default: ak-stage-consent
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -42464,6 +42512,10 @@ components:
        component:
          type: string
          default: ak-stage-dummy
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -42666,6 +42718,10 @@ components:
        component:
          type: string
          default: ak-stage-email
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -43593,6 +43649,10 @@ components:
        component:
          type: string
          default: ak-stage-flow-error
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -43921,6 +43981,10 @@ components:
        component:
          type: string
          default: xak-flow-frame
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -44731,6 +44795,10 @@ components:
        component:
          type: string
          default: ak-stage-identification
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -46324,6 +46392,22 @@ components:
      - strict
      - regex
      type: string
+    Message:
+      type: object
+      description: Base serializer class which doesn't implement create/update methods
+      properties:
+        message:
+          type: string
+        level:
+          type: string
+        tags:
+          type: array
+          items:
+            type: string
+      required:
+      - level
+      - message
+      - tags
    Metadata:
      type: object
      description: Serializer for blueprint metadata
@ -47209,6 +47293,10 @@ components:
        component:
          type: string
          default: ak-provider-oauth2-device-code
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -47237,6 +47325,10 @@ components:
        component:
          type: string
          default: ak-provider-oauth2-device-code-finish
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -49387,6 +49479,10 @@ components:
        component:
          type: string
          default: ak-stage-password
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -52942,6 +53038,10 @@ components:
        component:
          type: string
          default: ak-source-plex
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -53467,6 +53567,10 @@ components:
        component:
          type: string
          default: ak-stage-prompt
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -54663,6 +54767,10 @@ components:
        component:
          type: string
          default: xak-flow-redirect
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -56528,6 +56636,10 @@ components:
        component:
          type: string
          default: ak-stage-session-end
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -56662,6 +56774,10 @@ components:
        component:
          type: string
          default: xak-flow-shell
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
@ -57943,6 +58059,10 @@ components:
        component:
          type: string
          default: ak-stage-user-login
+        messages:
+          type: array
+          items:
+            $ref: '#/components/schemas/Message'
        response_errors:
          type: object
          additionalProperties:
--- a/web/package-lock.json
+++ b/web/package-lock.json
@ -23,7 +23,7 @@
                "@floating-ui/dom": "^1.6.11",
                "@formatjs/intl-listformat": "^7.5.7",
                "@fortawesome/fontawesome-free": "^6.6.0",
-                "@goauthentik/api": "^2024.12.3-1739965710",
+                "@goauthentik/api": "^2025.2.1-1740653734",
                "@lit-labs/ssr": "^3.2.2",
                "@lit/context": "^1.1.2",
                "@lit/localize": "^0.12.2",
@ -1814,9 +1814,9 @@
            }
        },
        "node_modules/@goauthentik/api": {
-            "version": "2024.12.3-1739965710",
-            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2024.12.3-1739965710.tgz",
-            "integrity": "sha512-16zoQWeJhAFSwttvqLRoXoQA43tMW1ZXDEihW6r8rtWtlxqPh7n36RtcWYraYiLcjmJskI90zdgz6k1kmY5AXw=="
+            "version": "2025.2.1-1740653734",
+            "resolved": "https://registry.npmjs.org/@goauthentik/api/-/api-2025.2.1-1740653734.tgz",
+            "integrity": "sha512-GRxBt52lgZOvEu7l9DN1lj0L2Q9KUiftrC9MWfaz3dIlw1s+kKzic/NTTlB7AaEsRqw7+i10aI6GkiKAErw2VA=="
        },
        "node_modules/@goauthentik/web": {
            "resolved": "",
--- a/web/package.json
+++ b/web/package.json
@ -11,7 +11,7 @@
        "@floating-ui/dom": "^1.6.11",
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2024.12.3-1739965710",
+        "@goauthentik/api": "^2025.2.1-1740653734",
        "@lit-labs/ssr": "^3.2.2",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
--- a/web/src/admin/policies/BoundPoliciesList.ts
+++ b/web/src/admin/policies/BoundPoliciesList.ts
@ -31,9 +31,9 @@ export class BoundPoliciesList extends Table<PolicyBinding> {

    @property({ type: Array })
    allowedTypes: PolicyBindingCheckTarget[] = [
+        PolicyBindingCheckTarget.policy,
        PolicyBindingCheckTarget.group,
        PolicyBindingCheckTarget.user,
-        PolicyBindingCheckTarget.policy,
    ];

    @property({ type: Array })
--- a/web/src/admin/policies/PolicyBindingForm.ts
+++ b/web/src/admin/policies/PolicyBindingForm.ts
@ -58,9 +58,9 @@ export class PolicyBindingForm extends ModelForm<PolicyBinding, string> {

    @property({ type: Array })
    allowedTypes: PolicyBindingCheckTarget[] = [
+        PolicyBindingCheckTarget.policy,
        PolicyBindingCheckTarget.group,
        PolicyBindingCheckTarget.user,
-        PolicyBindingCheckTarget.policy,
    ];

    @property({ type: Array })
--- a/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
+++ b/web/src/admin/providers/proxy/ProxyProviderViewPage.ts
@ -118,7 +118,7 @@ export class ProxyProviderViewPage extends AKElement {
    }

    renderConfig(): TemplateResult {
-        const serves = [
+        const servers = [
            {
                label: msg("Nginx (Ingress)"),
                md: MDNginxIngress,
@ -184,7 +184,7 @@ export class ProxyProviderViewPage extends AKElement {
            },
        ];
        return html`<ak-tabs pageIdentifier="proxy-setup">
-            ${serves.map((server) => {
+            ${servers.map((server) => {
                return html`<section
                    slot="page-${convertToSlug(server.label)}"
                    data-tab-title="${server.label}"
--- a/web/src/assets/images/flow_background.jpg
+++ b/web/src/assets/images/flow_background.jpg
--- a/web/src/common/constants.ts
+++ b/web/src/common/constants.ts
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2024.12.3";
+export const VERSION = "2025.2.1";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";

--- a/web/src/flow/FlowExecutor.ts
+++ b/web/src/flow/FlowExecutor.ts
@ -5,15 +5,16 @@ import {
    TITLE_DEFAULT,
 } from "@goauthentik/common/constants";
 import { globalAK } from "@goauthentik/common/global";
-import { purify } from "@goauthentik/common/purify";
+import { MessageLevel } from "@goauthentik/common/messages";
 import { configureSentry } from "@goauthentik/common/sentry";
 import { first } from "@goauthentik/common/utils";
-import { WebsocketClient } from "@goauthentik/common/ws";
 import { Interface } from "@goauthentik/elements/Interface";
 import "@goauthentik/elements/LoadingOverlay";
 import "@goauthentik/elements/ak-locale-context";
+import { showMessage } from "@goauthentik/elements/messages/MessageContainer";
 import { DefaultBrand } from "@goauthentik/elements/sidebar/SidebarBrand";
 import { themeImage } from "@goauthentik/elements/utils/images";
+import "@goauthentik/flow/components/ak-brand-footer";
 import "@goauthentik/flow/sources/apple/AppleLoginInit";
 import "@goauthentik/flow/sources/plex/PlexLoginInit";
 import "@goauthentik/flow/stages/FlowErrorStage";
@ -44,6 +45,7 @@ import {
    FlowErrorChallenge,
    FlowLayoutEnum,
    FlowsApi,
+    Message,
    ResponseError,
    ShellChallenge,
    UiThemeEnum,
@ -83,8 +85,6 @@ export class FlowExecutor extends Interface implements StageHost {
    @state()
    flowInfo?: ContextualFlowInfo;

-    ws: WebsocketClient;
-
    static get styles(): CSSResult[] {
        return [PFBase, PFLogin, PFDrawer, PFButton, PFTitle, PFList, PFBackgroundImage].concat(css`
            :host {
@ -174,7 +174,6 @@ export class FlowExecutor extends Interface implements StageHost {

    constructor() {
        super();
-        this.ws = new WebsocketClient();
        const inspector = new URL(window.location.toString()).searchParams.get("inspector");
        if (inspector === "" || inspector === "open") {
            this.inspectorOpen = true;
@ -233,6 +232,7 @@ export class FlowExecutor extends Interface implements StageHost {
            if (this.challenge.flowInfo) {
                this.flowInfo = this.challenge.flowInfo;
            }
+            this.showMessages(this.challenge.messages);
            return !this.challenge.responseErrors;
        } catch (exc: unknown) {
            this.errorMessage(exc as Error | ResponseError | FetchError);
@ -265,6 +265,7 @@ export class FlowExecutor extends Interface implements StageHost {
            if (this.challenge.flowInfo) {
                this.flowInfo = this.challenge.flowInfo;
            }
+            this.showMessages(this.challenge.messages);
        } catch (exc: unknown) {
            // Catch JSON or Update errors
            this.errorMessage(exc as Error | ResponseError | FetchError);
@ -273,6 +274,15 @@ export class FlowExecutor extends Interface implements StageHost {
        }
    }

+    showMessages(messages: Array<Message> | undefined) {
+        for (const message of (messages ??= [])) {
+            showMessage({
+                level: message.level as MessageLevel,
+                message: message.message,
+            });
+        }
+    }
+
    async errorMessage(error: Error | ResponseError | FetchError): Promise<void> {
        let body = "";
        if (error instanceof FetchError) {
@ -537,27 +547,10 @@ export class FlowExecutor extends Interface implements StageHost {
                                            </div>
                                            ${until(this.renderChallenge())}
                                        </div>
-                                        <footer class="pf-c-login__footer">
-                                            <ul class="pf-c-list pf-m-inline">
-                                                ${this.brand?.uiFooterLinks?.map((link) => {
-                                                    if (link.href) {
-                                                        return html`${purify(
-                                                            html`<li>
-                                                                <a href="${link.href}"
-                                                                    >${link.name}</a
-                                                                >
-                                                            </li>`,
-                                                        )}`;
-                                                    }
-                                                    return html`<li>
-                                                        <span>${link.name}</span>
-                                                    </li>`;
-                                                })}
-                                                <li>
-                                                    <span>${msg("Powered by authentik")}</span>
-                                                </li>
-                                            </ul>
-                                        </footer>
+                                        <ak-brand-links
+                                            class="pf-c-login__footer"
+                                            .links=${this.brand?.uiFooterLinks ?? []}
+                                        ></ak-brand-links>
                                    </div>
                                </div>
                            </div>
--- a/web/src/flow/FlowInterface.ts
+++ b/web/src/flow/FlowInterface.ts
@ -1,4 +1,3 @@
-import "@goauthentik/elements/messages/MessageContainer";
 import "@goauthentik/flow/FlowExecutor";
 // Statically import some stages to speed up load speed
 import "@goauthentik/flow/stages/access_denied/AccessDeniedStage";
--- a/web/src/flow/components/ak-brand-footer.ts
+++ b/web/src/flow/components/ak-brand-footer.ts
@ -0,0 +1,51 @@
+import { purify } from "@goauthentik/common/purify";
+import { AKElement } from "@goauthentik/elements/Base.js";
+
+import { msg } from "@lit/localize";
+import { css, html } from "lit";
+import { customElement, property } from "lit/decorators.js";
+import { map } from "lit/directives/map.js";
+
+import PFList from "@patternfly/patternfly/components/List/list.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";
+
+import { FooterLink } from "@goauthentik/api";
+
+const styles = css`
+    .pf-c-list a {
+        color: unset;
+    }
+    ul.pf-c-list.pf-m-inline {
+        justify-content: center;
+        padding: calc(var(--pf-global--spacer--xs) / 2) 0px;
+    }
+`;
+
+const poweredBy: FooterLink = { name: msg("Powered by authentik"), href: null };
+
+@customElement("ak-brand-links")
+export class BrandLinks extends AKElement {
+    static get styles() {
+        return [PFBase, PFList, styles];
+    }
+
+    @property({ type: Array, attribute: false })
+    links: FooterLink[] = [];
+
+    render() {
+        const links = [...(this.links ?? []), poweredBy];
+        return html` <ul class="pf-c-list pf-m-inline">
+            ${map(links, (link) =>
+                link.href
+                    ? purify(html`<li><a href="${link.href}">${link.name}</a></li>`)
+                    : html`<li><span>${link.name}</span></li>`,
+            )}
+        </ul>`;
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-brand-links": BrandLinks;
+    }
+}
--- a/web/src/flow/components/ak-flow-password-input.ts
+++ b/web/src/flow/components/ak-flow-password-input.ts
@ -193,6 +193,9 @@ export class InputPassword extends AKElement {
     * the `autofocus` attribute isn't enough, due to timing within shadow doms and such.
     */
    observeInputFocus(): void {
+        if (!this.grabFocus) {
+            return;
+        }
        this.inputFocusIntervalID = setInterval(() => {
            const input = this.inputRef.value;

@ -219,7 +222,9 @@ export class InputPassword extends AKElement {
    }

    disconnectedCallback() {
-        clearInterval(this.inputFocusIntervalID);
+        if (this.inputFocusIntervalID) {
+            clearInterval(this.inputFocusIntervalID);
+        }

        super.disconnectedCallback();

@ -264,7 +269,7 @@ export class InputPassword extends AKElement {

        toggleElement.setAttribute(
            "aria-label",
-            msg(masked ? Visibility.Reveal.label : Visibility.Mask.label),
+            masked ? Visibility.Reveal.label : Visibility.Mask.label,
        );

        const iconElement = toggleElement.querySelector("i")!;
@ -280,7 +285,7 @@ export class InputPassword extends AKElement {

        return html`<button
            ${ref(this.toggleVisibilityRef)}
-            aria-label=${msg(label)}
+            aria-label=${label}
            @click=${this.togglePasswordVisibility}
            class="pf-c-button pf-m-control"
            type="button"
--- a/web/src/flow/stages/authenticator_validate/AuthenticatorValidateStageCode.ts
+++ b/web/src/flow/stages/authenticator_validate/AuthenticatorValidateStageCode.ts
@ -3,7 +3,7 @@ import "@goauthentik/elements/forms/FormElement";
 import { BaseDeviceStage } from "@goauthentik/flow/stages/authenticator_validate/base";
 import { PasswordManagerPrefill } from "@goauthentik/flow/stages/identification/IdentificationStage";

-import { msg } from "@lit/localize";
+import { msg, str } from "@lit/localize";
 import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement } from "lit/decorators.js";

@ -35,7 +35,7 @@ export class AuthenticatorValidateStageWebCode extends BaseDeviceStage<
        switch (this.deviceChallenge?.deviceClass) {
            case DeviceClassesEnum.Email: {
                const email = this.deviceChallenge.challenge?.email;
-                return msg(`A code has been sent to you via email${email ? ` ${email}` : ""}`);
+                return msg(str`A code has been sent to you via email${email ? ` ${email}` : ""}`);
            }
            case DeviceClassesEnum.Sms:
                return msg("A code has been sent to you via SMS.");
--- a/web/src/user/LibraryApplication/index.ts
+++ b/web/src/user/LibraryApplication/index.ts
@ -97,9 +97,7 @@ export class LibraryApplication extends AKElement {
            return html``;
        }
        if (this.application?.launchUrl === "goauthentik.io://providers/rac/launch") {
-            return html`<ak-library-rac-endpoint-launch .app=${this.application}>
-                </ak-library-rac-endpoint-launch>
-                <div class="pf-c-card__header">
+            return html`<div class="pf-c-card__header">
                    <a
                        @click=${() => {
                            this.racEndpointLaunch?.onClick();
@ -120,7 +118,9 @@ export class LibraryApplication extends AKElement {
                    >
                        ${this.application.name}
                    </a>
-                </div>`;
+                </div>
+                <ak-library-rac-endpoint-launch .app=${this.application}>
+                </ak-library-rac-endpoint-launch>`;
        }
        return html`<div class="pf-c-card__header">
                <a
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@ -8600,7 +8600,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -8926,6 +8926,96 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/en.xlf
+++ b/web/xliff/en.xlf
@ -7128,7 +7128,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -7453,6 +7453,96 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/es.xlf
+++ b/web/xliff/es.xlf
@ -8688,7 +8688,7 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
  <target>Aplicaciones externas que utilizan <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> como proveedor de identidad a través de protocolos como OAuth2 y SAML. Aquí se muestran todas las aplicaciones, incluso aquellas a las que no puede acceder.</target>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
@ -9019,6 +9019,96 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr.xlf
+++ b/web/xliff/fr.xlf
@ -6572,7 +6572,7 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
      </trans-unit>
      <trans-unit id="s0e516232f2ab4e04">
        <source>Tokens sent via SMS.</source>
-        <target>Jeton envoyé par SMS</target>
+        <target>Jetons envoyés par SMS.</target>
        
      </trans-unit>
      <trans-unit id="s6ae0d087036e6d6d">
@ -9046,8 +9046,8 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
  <target>Cette option configure les liens affichés en bas de page sur l’exécuteur de flux. L'URL est limitée à des addresses web et courriel. Si le nom est laissé vide, l'URL sera affichée.</target>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
-  <target>Applications externes qui utilisent <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> comme fournisseur d'identité en utilisant des protocoles comme OAuth2 et SAML. Toutes les applications sont affichées ici, même celles auxquelles vous n'avez pas accès.</target>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>Applications externes qui utilisent <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> comme fournisseur d'identité en utilisant des protocoles comme OAuth2 et SAML. Toutes les applications sont affichées ici, même celles auxquelles vous n'avez pas accès.</target>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -9482,6 +9482,126 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
  <target>Moins de détails</target>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+  <target>Créer une nouvelle application et configurer un fournisseur pour celle-ci.</target>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+  <target>L'utilisation de ce formulaire ne créera qu'une application. Afin de vous authentifier auprès de l'application, vous devrez l'associer manuellement à un fournisseur.</target>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+  <target>Réglages de distance</target>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+  <target>Vérifier l'historique de distance des connexions</target>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+  <target>Lorsque cette option est activée, les données GeoIP de la demande de politique sont comparées au nombre spécifié de connexions historiques.</target>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+  <target>Distance maximale</target>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+  <target>Distance maximale autorisée pour une tentative de connexion en kilomètres.</target>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+  <target>Tolérance de distance</target>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+  <target>Tolérance de vérification des distances en kilomètres.</target>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+  <target>Nombre de connexions historiques</target>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+  <target>Nombre d'événements de connexion précédents à vérifier.</target>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+  <target>Vérifier les déplacements impossibles</target>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+  <target>Lorsque cette option est activée, les données GeoIP de la demande de politique sont comparées au nombre spécifié de connexions historiques et si le voyage aurait été possible dans le laps de temps écoulé depuis l'événement précédent.</target>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+  <target>Tolérance de déplacement impossible</target>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+  <target>Paramètres de règle statique</target>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+  <target>Créer avec un fournisseur</target>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+  <target>Adresse courriel depuis laquelle le courriel de vérification sera envoyé.</target>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+  <target>Étape utilisée pour configurer un authentificateur courriel.</target>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+  <target>Utiliser les paramètres de connexion globaux</target>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+  <target>Si activé, les paramètres globaux de connexion courriel seront utilisés et les paramètres de connexion ci-dessous seront ignorés.</target>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+  <target>Objet du courriel de vérification.</target>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+  <target>Expiration du jeton</target>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+  <target>Durée de validité du jeton envoyé (Format : hours=3,minutes=17,seconds=300).</target>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+  <target>Authenticatificateurs basé sur courriel</target>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+  <target>La touche Verr Maj est activée.</target>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+  <target>Configurer votre courriel</target>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+  <target>Veuillez entrer votre adresse courriel.</target>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+  <target>Veuillez entrer le code que vous avez reçu par courriel</target>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+  <target>Un code vous a été envoyé par courriel<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></target>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
+  <target>Jetons envoyés par courriel.</target>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/it.xlf
+++ b/web/xliff/it.xlf
@ -9015,7 +9015,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>Questo opzione configura il link in basso nel flusso delle pagine di esecuzione. L'URL e' limitato a web e indirizzo mail-Se il nome viene lasciato vuoto, verra' visualizzato l'URL</target>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
  <target>Applicazioni esterne che usano <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> come identity provider tramite protocolli come OAuth2 e SAML. Sono mostrate tutte le applicazioni, anche quelle alle quali non hai accesso.</target>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
@ -9370,6 +9370,96 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/ko.xlf
+++ b/web/xliff/ko.xlf
@ -8600,7 +8600,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -8926,6 +8926,96 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/nl.xlf
+++ b/web/xliff/nl.xlf
@ -8501,7 +8501,7 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -8827,6 +8827,96 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pl.xlf
+++ b/web/xliff/pl.xlf
@ -8930,7 +8930,7 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -9256,6 +9256,96 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pseudo-LOCALE.xlf
+++ b/web/xliff/pseudo-LOCALE.xlf
@ -8937,7 +8937,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -9263,4 +9263,94 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
+</trans-unit>
 </body></file></xliff>
--- a/web/xliff/ru.xlf
+++ b/web/xliff/ru.xlf
@ -8963,7 +8963,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -9289,6 +9289,96 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/tr.xlf
+++ b/web/xliff/tr.xlf
@ -8993,7 +8993,7 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -9319,6 +9319,96 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-CN.xlf
+++ b/web/xliff/zh-CN.xlf
@ -5730,7 +5730,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -6056,6 +6056,96 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
 </trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
+</trans-unit>
 </body>
 </file>
 </xliff>
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@ -1,4 +1,4 @@
-<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
  <file target-language="zh-Hans" source-language="en" original="lit-localize-inputs" datatype="plaintext">
    <body>
      <trans-unit id="s4caed5b7a7e5d89b">
@ -596,9 +596,9 @@
        
      </trans-unit>
      <trans-unit id="saa0e2675da69651b">
-        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
-        <target>未找到 URL "
-        <x id="0" equiv-text="${this.url}"/>"。</target>
+        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
+        <target>未找到 URL &quot;
+        <x id="0" equiv-text="${this.url}"/>&quot;。</target>
        
      </trans-unit>
      <trans-unit id="s58cd9c2fe836d9c6">
@ -1715,8 +1715,8 @@
        
      </trans-unit>
      <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
-        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
+        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 &quot;fa-test&quot;。</target>
        
      </trans-unit>
      <trans-unit id="s0410779cb47de312">
@ -2864,8 +2864,8 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="s76768bebabb7d543">
-        <source>Field which contains members of a group. Note that if using the "memberUid" field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
-        <target>包含组成员的字段。请注意，如果使用 "memberUid" 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
+        <source>Field which contains members of a group. Note that if using the &quot;memberUid&quot; field, the value is assumed to contain a relative distinguished name. e.g. 'memberUid=some-user' instead of 'memberUid=cn=some-user,ou=groups,...'</source>
+        <target>包含组成员的字段。请注意，如果使用 &quot;memberUid&quot; 字段，则假定该值包含相对可分辨名称。例如，'memberUid=some-user' 而不是 'memberUid=cn=some-user,ou=groups,...'</target>
        
      </trans-unit>
      <trans-unit id="s026555347e589f0e">
@ -3783,10 +3783,10 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
        <target>您确定要更新
-        <x id="0" equiv-text="${this.objectLabel}"/>"
-        <x id="1" equiv-text="${this.obj?.name}"/>" 吗？</target>
+        <x id="0" equiv-text="${this.objectLabel}"/>&quot;
+        <x id="1" equiv-text="${this.obj?.name}"/>&quot; 吗？</target>
        
      </trans-unit>
      <trans-unit id="sc92d7cfb6ee1fec6">
@ -4857,7 +4857,7 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="sdf1d8edef27236f0">
-        <source>A "roaming" authenticator, like a YubiKey</source>
+        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
        <target>像 YubiKey 这样的“漫游”身份验证器</target>
        
      </trans-unit>
@ -5226,7 +5226,7 @@ doesn't pass when either or both of the selected options are equal or above the
        
      </trans-unit>
      <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
+        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
        <target>如果设置时长大于 0，用户可以选择“保持登录”选项，这将使用户的会话延长此处设置的时间。</target>
        
      </trans-unit>
@ -7521,7 +7521,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>成功创建用户并添加到组 <x id="0" equiv-text="${this.group.name}"/></target>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
-  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
+  <source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
  <target>此用户将会被添加到组 &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;。</target>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
@ -8815,7 +8815,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>同步组</target>
 </trans-unit>
 <trans-unit id="s2d5f69929bb7221d">
-  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
+  <source><x id="0" equiv-text="${p.name}"/> (&quot;<x id="1" equiv-text="${p.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${p.type}"/>)</source>
  <target><x id="0" equiv-text="${p.name}"/>（&amp;quot;<x id="1" equiv-text="${p.fieldKey}"/>&amp;quot;，类型为 <x id="2" equiv-text="${p.type}"/>）</target>
 </trans-unit>
 <trans-unit id="s25bacc19d98b444e">
@ -9047,8 +9047,8 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>此选项配置流程执行器页面上的页脚链接。URL 限为 Web 和电子邮件地址。如果名称留空，则显示 URL 自身。</target>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
-  <target>通过 OAuth2 和 SAML 等协议，使用 <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>通过 OAuth2 和 SAML 等协议，使用 <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -9063,8 +9063,8 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>授权流程成功后有效的重定向 URI。还可以在此处为隐式流程指定任何来源。</target>
 </trans-unit>
 <trans-unit id="s4c49d27de60a532b">
-  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
-  <target>要允许任何重定向 URI，请设置模式为正则表达式，并将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
+  <source>To allow any redirect URI, set the mode to Regex and the value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
+  <target>要允许任何重定向 URI，请设置模式为正则表达式，并将此值设置为 &quot;.*&quot;。请注意这可能带来的安全影响。</target>
 </trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
@ -9483,7 +9483,127 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
  <target>显示更少</target>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+  <target>创建一个应用程序并为它配置提供程序。</target>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+  <target>此表单只会创建应用程序。要设置此应用程序的身份验证，您需要手动为它配对一个提供程序。</target>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+  <target>距离设置</target>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+  <target>检查历史登录距离</target>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+  <target>启用此选项时，策略请求的 GeoIP 数据会用来与指定数量的历史登录比较。</target>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+  <target>最大距离</target>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+  <target>允许登录请求的最大距离，单位为千米。</target>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+  <target>距离误差</target>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+  <target>检查距离时允许的误差，单位为千米。</target>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+  <target>历史登录次数</target>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+  <target>检查指定次数的历史登录事件。</target>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+  <target>检查不可能的行程</target>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+  <target>启用此选项时，策略请求的 GeoIP 数据会用来与指定数量的历史登录比较，以及自上次活动以来移动的距离是否可能在该时段内完成。</target>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+  <target>不可能行程的误差</target>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+  <target>静态规则设置</target>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+  <target>以提供程序创建</target>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+  <target>用于发送验证邮件的电子邮件地址。</target>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+  <target>用来配置基于电子邮件的身份验证器的阶段。</target>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+  <target>使用全局连接设置</target>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+  <target>启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。</target>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+  <target>验证邮件的主题。</target>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+  <target>令牌过期时间</target>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+  <target>发出令牌有效的时间（格式：hours=3,minutes=17,seconds=300）。</target>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+  <target>基于电子邮件的身份验证器</target>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+  <target>大写锁定已启用。</target>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+  <target>配置您的电子邮件</target>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+  <target>请输入您的电子邮件地址。</target>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+  <target>请输入您通过电子邮件收到的代码</target>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+  <target>一份代码已通过电子邮件地址 <x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/> 发送给您</target>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
+  <target>通过电子邮件发送的令牌。</target>
 </trans-unit>
    </body>
  </file>
-</xliff>
+</xliff>
--- a/web/xliff/zh-Hant.xlf
+++ b/web/xliff/zh-Hant.xlf
@ -6828,7 +6828,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -7153,6 +7153,96 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_CN.xlf
+++ b/web/xliff/zh_CN.xlf
@ -9047,8 +9047,8 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>此选项配置流程执行器页面上的页脚链接。URL 限为 Web 和电子邮件地址。如果名称留空，则显示 URL 自身。</target>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
-  <target>通过 OAuth2 和 SAML 等协议，使用 <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <target>通过 OAuth2 和 SAML 等协议，使用 <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> 作为身份提供程序的外部应用程序。此处显示了所有应用程序，即使您无法访问的也包括在内。</target>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -9483,6 +9483,126 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
  <target>显示更少</target>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+  <target>创建一个应用程序并为它配置提供程序。</target>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+  <target>此表单只会创建应用程序。要设置此应用程序的身份验证，您需要手动为它配对一个提供程序。</target>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+  <target>距离设置</target>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+  <target>检查历史登录距离</target>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+  <target>启用此选项时，策略请求的 GeoIP 数据会用来与指定数量的历史登录比较。</target>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+  <target>最大距离</target>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+  <target>允许登录请求的最大距离，单位为千米。</target>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+  <target>距离误差</target>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+  <target>检查距离时允许的误差，单位为千米。</target>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+  <target>历史登录次数</target>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+  <target>检查指定次数的历史登录事件。</target>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+  <target>检查不可能的行程</target>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+  <target>启用此选项时，策略请求的 GeoIP 数据会用来与指定数量的历史登录比较，以及自上次活动以来移动的距离是否可能在该时段内完成。</target>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+  <target>不可能行程的误差</target>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+  <target>静态规则设置</target>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+  <target>以提供程序创建</target>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+  <target>用于发送验证邮件的电子邮件地址。</target>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+  <target>用来配置基于电子邮件的身份验证器的阶段。</target>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+  <target>使用全局连接设置</target>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+  <target>启用后，将使用全局电子邮件连接设置，下面的连接设置将被忽略。</target>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+  <target>验证邮件的主题。</target>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+  <target>令牌过期时间</target>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+  <target>发出令牌有效的时间（格式：hours=3,minutes=17,seconds=300）。</target>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+  <target>基于电子邮件的身份验证器</target>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+  <target>大写锁定已启用。</target>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+  <target>配置您的电子邮件</target>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+  <target>请输入您的电子邮件地址。</target>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+  <target>请输入您通过电子邮件收到的代码</target>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+  <target>一份代码已通过电子邮件地址 <x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/> 发送给您</target>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
+  <target>通过电子邮件发送的令牌。</target>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_TW.xlf
+++ b/web/xliff/zh_TW.xlf
@ -8577,7 +8577,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>This option configures the footer links on the flow executor pages. The URL is limited to web and mail addresses. If the name is left blank, the URL will be shown.</source>
 </trans-unit>
 <trans-unit id="s66f572bec2bde9c4">
-  <source>External applications that use <x id="0" equiv-text="${this.brand.brandingTitle || &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
+  <source>External applications that use <x id="0" equiv-text="${this.brand?.brandingTitle ?? &quot;authentik&quot;}"/> as an identity provider via protocols like OAuth2 and SAML. All applications are shown here, even ones you cannot access.</source>
 </trans-unit>
 <trans-unit id="s58bec0ecd4f3ccd4">
  <source>Strict</source>
@ -8903,6 +8903,96 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s47b7ce63a543564c">
  <source>Fewer details</source>
+</trans-unit>
+<trans-unit id="s140111d464591e6b">
+  <source>Create a new application and configure a provider for it.</source>
+</trans-unit>
+<trans-unit id="s5e0c81c05565bf42">
+  <source>Using this form will only create an Application. In order to authenticate with the application, you will have to manually pair it with a Provider.</source>
+</trans-unit>
+<trans-unit id="s035bfd9c5f97e4d3">
+  <source>Distance settings</source>
+</trans-unit>
+<trans-unit id="s207e6f8a8b3515fd">
+  <source>Check historical distance of logins</source>
+</trans-unit>
+<trans-unit id="s8158f4b3e5c869be">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins.</source>
+</trans-unit>
+<trans-unit id="sb8b7450c8515894c">
+  <source>Maximum distance</source>
+</trans-unit>
+<trans-unit id="s40cdbaa532bc9899">
+  <source>Maximum distance a login attempt is allowed from in kilometers.</source>
+</trans-unit>
+<trans-unit id="seef852b5c0f8a529">
+  <source>Distance tolerance</source>
+</trans-unit>
+<trans-unit id="sce567ced300aeb8a">
+  <source>Tolerance in checking for distances in kilometers.</source>
+</trans-unit>
+<trans-unit id="s9ea9cdabd74f8f97">
+  <source>Historical Login Count</source>
+</trans-unit>
+<trans-unit id="s27aec4c2de1ae777">
+  <source>Amount of previous login events to check against.</source>
+</trans-unit>
+<trans-unit id="s48611ce6e85874dc">
+  <source>Check impossible travel</source>
+</trans-unit>
+<trans-unit id="s8cf926e8311f8065">
+  <source>When this option enabled, the GeoIP data of the policy request is compared to the specified number of historical logins and if the travel would have been possible in the amount of time since the previous event.</source>
+</trans-unit>
+<trans-unit id="sa963d05af436770b">
+  <source>Impossible travel tolerance</source>
+</trans-unit>
+<trans-unit id="s5760cd97ca42a238">
+  <source>Static rule settings</source>
+</trans-unit>
+<trans-unit id="s8fec035fa1737294">
+  <source>Create with Provider</source>
+</trans-unit>
+<trans-unit id="sca2487321ec12bd6">
+  <source>Email address the verification email will be sent from.</source>
+</trans-unit>
+<trans-unit id="s24a8fdfc73e8137f">
+  <source>Stage used to configure an email-based authenticator.</source>
+</trans-unit>
+<trans-unit id="sea0da186a814a212">
+  <source>Use global connection settings</source>
+</trans-unit>
+<trans-unit id="s7754fa56a4439de4">
+  <source>When enabled, global email connection settings will be used and connection settings below will be ignored.</source>
+</trans-unit>
+<trans-unit id="s7e2bcca51126ec9c">
+  <source>Subject of the verification email.</source>
+</trans-unit>
+<trans-unit id="sc12c90b1da0f3a47">
+  <source>Token expiration</source>
+</trans-unit>
+<trans-unit id="sc264a82f9c710f14">
+  <source>Time the token sent is valid (Format: hours=3,minutes=17,seconds=300).</source>
+</trans-unit>
+<trans-unit id="s15986693bfc99fb7">
+  <source>Email-based Authenticators</source>
+</trans-unit>
+<trans-unit id="s6bb30c61df4cf486">
+  <source>Caps Lock is enabled.</source>
+</trans-unit>
+<trans-unit id="s3f8a07912545e72e">
+  <source>Configure your email</source>
+</trans-unit>
+<trans-unit id="scedf77e8b75cad5a">
+  <source>Please enter your email address.</source>
+</trans-unit>
+<trans-unit id="s7cdd62c100b6b17b">
+  <source>Please enter the code you received via email</source>
+</trans-unit>
+<trans-unit id="s1d64dba9bb8b284d">
+  <source>A code has been sent to you via email<x id="0" equiv-text="${email ? ` ${email}` : &quot;&quot;}"/></source>
+</trans-unit>
+<trans-unit id="s833cfe815918c143">
+  <source>Tokens sent via email.</source>
 </trans-unit>
    </body>
  </file>
--- a/website/docs/add-secure-apps/applications/manage_apps.mdx
+++ b/website/docs/add-secure-apps/applications/manage_apps.mdx
@ -4,37 +4,21 @@ title: Manage applications

 Managing the applications that your team uses involves several tasks, from initially adding the application and provider, to controlling access and visibility of the application, to providing access URLs.

-## Add new applications
-
-Learn how to add new applications from our video or follow the instructions below.
-
-### Video
-
-<iframe
-    width="560"
-    height="315"
-    src="https://www.youtube.com/embed/broUAWrIWDI;start=22"
-    title="YouTube video player"
-    frameborder="0"
-    allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share"
-    allowfullscreen
-></iframe>
-
 ### Instructions

-To add an application to authentik and have it display on users' **My applications** page, you can use the Application Wizard, which creates both the new application and the required provider at the same time.
+To add an application to authentik and have it display on users' **My applications** page, follow these steps:

-1. Log into authentik as an admin, and navigate to **Applications --> Applications**.
+1. Log in to authentik as an admin, and open the authentik Admin interface.

-2. Click **Create with Wizard**. (Alternatively, use our legacy process and click **Create**. The legacy process requires that the application and its authentication provider be configured separately.)
+2. Navigate to **Applications -> Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create.)**

-3. In the **New application** wizard, define the application details, the provider type, bindings for the application.
+3. In the **New application** box, define the application details, the provider type and configuration settings, and bindings for the application.

    - **Application**: provide a name, an optional group for the type of application, the policy engine mode, and optional UI settings.

    - **Choose a Provider**: select the provider types for this application.

-    - **Configure a Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any additional required configurations.
+    - **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and any additional required configurations.

    - **Configure Bindings**: to manage the listing and access to applications on a user's **My applications** page, you can optionally create a [binding](../flows-stages/bindings/index.md) between the application and a specific policy, group, or user. Note that if you do not define any bindings, then all users have access to the application. For more information about user access, refer to our documentation about [authorization](#policy-driven-authorization) and [hiding an application](#hide-applications).

@ -95,8 +79,8 @@ return {
 3. Click the **Application entitlements** tab at the top of the page, and then click **Create entitlement**. Provide a name for the entitlement, enter any optional **Attributes**, and then click **Create**.
 4. In the list locate the entitlement to which you want to bind a user or group, and then **click the caret (>) to expand the entitlement details.**
 5. In the expanded area, click **Bind existing Group/User**.
-6. In the **Create Binding** modal box, select either the tab for **Group** or **User**, and then in the drop-down list, select the group or user.
-7. Optionally, configure additional settings for the binding, and then click **Create** to create the binding and close the modal box.
+6. In the **Create Binding** box, select either the tab for **Group** or **User**, and then in the drop-down list, select the group or user.
+7. Optionally, configure additional settings for the binding, and then click **Create** to create the binding and close the box.

 ## Hide applications

--- a/website/docs/add-secure-apps/flows-stages/bindings/work_with_bindings.md
+++ b/website/docs/add-secure-apps/flows-stages/bindings/work_with_bindings.md
@ -9,5 +9,5 @@ For instructions to create a binding, refer to the documentation for the specifi
 - [Bind a stage to a flow](../stages/index.md#bind-a-stage-to-a-flow)
 - [Bind a policy to a flow or stage](../../../customize/policies/working_with_policies#bind-a-policy-to-a-flow-or-stage)
 - [Bind users or groups to a specific application with an Application Entitlement](../../applications/manage_apps.mdx#application-entitlements)
- [Bind a policy to a specific application when you create a new app using the Wizard](../../applications/manage_apps.mdx#instructions)
+- [Bind a policy to a specific application when you create a new application and provider](../../applications/manage_apps.mdx#instructions)
 - [Bind users and groups to a stage binding, to define whether or not that stage is shown](../stages/index.md#bind-users-and-groups-to-a-flows-stage-binding)
--- a/website/docs/add-secure-apps/flows-stages/flow/context/index.mdx
+++ b/website/docs/add-secure-apps/flows-stages/flow/context/index.mdx
@ -154,7 +154,7 @@ Possible options:
 - `token` (Authenticated via API token)
 - `ldap` (Authenticated via LDAP bind from an LDAP source)
 - `auth_mfa` (Authentication via MFA device without password)
- `auth_webauthn_pwl` (Passwordless authentication via WebAuthn)
+- `auth_webauthn_pwl` (Passwordless authentication via WebAuthn with Passkeys)
 - `jwt` ([M2M](../../../providers/oauth2/client_credentials.mdx) authentication via an existing JWT)

 ##### `auth_method_args` (dictionary)
--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_duo/index.mdx
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_duo/index.mdx
@ -1,5 +1,5 @@
 ---
-title: Duo authenticator setup stage
+title: Duo Authenticator Setup stage
 ---

 This stage configures a Duo authenticator. To get the API Credentials for this stage, open your Duo Admin dashboard.
--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_email/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_email/index.md
@ -0,0 +1,48 @@
+---
+title: Email Authenticator Setup stage
+---
+
+<span class="badge badge--version">authentik 2025.2+</span>
+
+This stage configures an email-based authenticator that sends a one-time code to a user's email address for authentication.
+
+When a user goes through a flow that includes this stage, they are prompted for their email address (if not already set). The user then receives an email with a one-time code, which they enter into the authentik Login panel.
+
+The email address will be saved and can be used with the [Authenticator validation](../authenticator_validate/index.mdx) stage for future authentications.
+
+## Flow integration
+
+To use the Email Authenticator Setup stage in a flow, follow these steps:
+
+1. [Create](../../flow/index.md#create-a-custom-flow) a new flow or edit an existing one.
+2. On the flow's **Stage Bindings** tab, click **Create and bind stage** to create and add the Email Authenticator Setup stage. (If the stage already exists, click **Bind existing stage**.)
+3. Configure the stage settings as described below.
+
+    - **Name**: provide a descriptive name, such as Email Authenticator Setup.
+    - **Authenticator type name**: define the display name for this stage.
+    - **Use global connection settings**: the stage can be configured in two ways: global settings or stage-specific settings.
+
+        - Enable (toggle on) the **Use global connection settings** option to use authentik's global email configuration. Note that you must already have configured your environment variables to use the global settings. See instructions for [Docker Compose](../../../../install-config/install/docker-compose#email-configuration-optional-but-recommended) and for [Kubernetes](../../../../install-config/install/kubernetes#optional-step-configure-global-email-credentials).
+
+        - If you need different email settings for this stage, disable (toggle off) **Use global connection settings** and configure the following options:
+
+        - **Connection settings**:
+
+            - **SMTP Host**: SMTP server hostname (default: localhost)
+            - **SMTP Port**: SMTP server port number(default: 25)
+            - **SMTP Username**: SMTP authentication username (optional)
+            - **SMTP Password**: SMTP authentication password (optional)
+                - **Use TLS**: Enable TLS encryption
+                - **Use SSL**: Enable SSL encryption
+            - **Timeout**: Connection timeout in seconds (default: 10)
+            - **From Address**: Email address that messages are sent from (default: system@authentik.local)
+
+        - **Stage-specific settings**:
+
+            - **Subject**: Email subject line (default: "authentik Sign-in code")
+            - **Token Expiration**: Time in minutes that the sent token is valid (default: 30)
+            - **Configuration flow**: select the flow to which you are binding this stage.
+
+4. Click **Update** to complete the creation and binding of the stage to the flow.
+
+The new Email Authenticator Setup stage now appears on the **Stage Bindings** tab for the flow.
--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_endpoint_gdtc/index.md
@ -26,7 +26,7 @@ For detailed instructions, refer to Google documentation.
 ### Create a Google cloud project

 1. Open the Google Cloud Console (https://cloud.google.com/cloud-console).
-2. In upper left, click the drop-down box to open the **Select a project** modal box, and then select **New Project**.
+2. In upper left, click the drop-down box to open the **Select a project** box, and then select **New Project**.
 3. Create a new project and give it a name like "authentik GWS".
 4. Use the search bar at the top of your new project page to search for "API Library".
 5. On the **API Library** page, use the search bar again to find "Chrome Verified Access API".
@ -47,7 +47,7 @@ For detailed instructions, refer to Google documentation.

 1. On the **Service accounts** page, click the account that you just created.
 2. Click the **Keys** tab at top of the page, the click **Add Key -> Create new key**.
-3. In the Create modal box, select JSON as the key type, and then click **Create**.
+3. In the Create box, select JSON as the key type, and then click **Create**.
   A pop-up displays with the private key, and the key is saved to your computer as a JSON file.
   Later, when you create the stage in authentik, you will add this key in the **Credentials** field.
 4. On the service account page, click the **Details** tab, and expand the **Advanced settings** area.
@ -64,7 +64,7 @@ For detailed instructions, refer to Google documentation.

 2. In the Admin interface, navigate to **Flows -> Stages**.

-3. Click **Create**, and select **Endpoint Authenticator Google Device Trust Connector Stage**, and in the **New stage** modal box, define the following fields:
+3. Click **Create**, and select **Endpoint Authenticator Google Device Trust Connector Stage**, and in the **New stage** box, define the following fields:

    - **Name**: define a descriptive name, such as "chrome-device-trust".

--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_sms/index.mdx
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_sms/index.mdx
@ -1,5 +1,5 @@
 ---
-title: SMS authenticator setup stage
+title: SMS Authenticator Setup stage
 ---

 This stage configures an SMS-based authenticator using either Twilio, or a generic HTTP endpoint.
--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_static/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_static/index.md
@ -1,5 +1,5 @@
 ---
-title: Static authenticator setup stage
+title: Static Authenticator Setup stage
 ---

 This stage configures static Tokens, which can be used as a backup method to time-based OTP tokens.
--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_totp/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_totp/index.md
@ -1,5 +1,5 @@
 ---
-title: TOTP authenticator setup stage
+title: TOTP Authenticator Setup stage
 ---

 This stage configures a time-based OTP Device, such as Google Authenticator or Authy.
--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_validate/index.mdx
@ -1,10 +1,11 @@
 ---
-title: Authenticator validation stage
+title: Authenticator Validation stage
 ---

 This stage validates an already configured Authenticator Device. This device has to be configured using any of the other authenticator stages:

 - [Duo authenticator stage](../authenticator_duo/index.mdx)
+- [Email authenticator stage](../authenticator_email/index.md)
 - [SMS authenticator stage](../authenticator_sms/index.mdx)
 - [Static authenticator stage](../authenticator_static/index.md)
 - [TOTP authenticator stage](../authenticator_totp/index.md)
@ -33,7 +34,7 @@ You can configure this stage to only ask for MFA validation if the user hasn't a
 Firefox has some known issues regarding TouchID (see https://bugzilla.mozilla.org/show_bug.cgi?id=1536482)
 :::

-Passwordless authentication currently only supports WebAuthn devices, like security keys and biometrics. For an alternate passwordless setup, see [Password stage](../password/index.md#passwordless-login), which supports other types.
+Passwordless authentication currently only supports WebAuthn devices, which provides for the use of passkeys, security keys and biometrics. For an alternate passwordless setup, see [Password stage](../password/index.md#passwordless-login), which supports other types.

 To configure passwordless authentication, create a new Flow with the designation set to _Authentication_.

--- a/website/docs/add-secure-apps/flows-stages/stages/authenticator_webauthn/index.mdx
+++ b/website/docs/add-secure-apps/flows-stages/stages/authenticator_webauthn/index.mdx
@ -1,7 +1,9 @@
 ---
-title: WebAuthn authenticator setup stage
+title: WebAuthn / Passkeys Authenticator setup stage
 ---

+<span class="badge badge--version">authentik 2021.3.1+</span>
+
 This stage configures a WebAuthn-based Authenticator. This can either be a browser, biometrics or a Security stick like a YubiKey.

 ### Options
--- a/website/docs/add-secure-apps/flows-stages/stages/index.md
+++ b/website/docs/add-secure-apps/flows-stages/stages/index.md
@ -70,8 +70,8 @@ To bind a user or a group to a stage binding for a specific flow, follow these s
 ![](./edit_stage_binding.png)

 6. In the expanded area, click **Bind existing policy/group/user**.
-7. In the **Create Binding** modal box, select either the tab for **Group** or **User**.
+7. In the **Create Binding** box, select either the tab for **Group** or **User**.
 8. In the drop-down list, select the group or user.
-9. Optionally, configure additional settings for the binding, and then click **Create** to create the binding and close the modal box.
+9. Optionally, configure additional settings for the binding, and then click **Create** to create the binding and close the box.

 Learn more about [bindings](../bindings/index.md) and [working with them](../bindings/work_with_bindings.md).
--- a/website/docs/add-secure-apps/outposts/index.mdx
+++ b/website/docs/add-secure-apps/outposts/index.mdx
@ -35,7 +35,7 @@ Any change made to the outpost's associated app or provider immediately triggers
    - **Applications**: select the applications that you want the outpost to serve
    - **Advanced settings** (*optional*): For further optional configuration settings, refer to [Configuration](#configuration) below.

-    4. Click **Create** to save your new outpost settings and close the modal.
+    4. Click **Create** to save your new outpost settings and close the box.

 Upon creation, a service account and a token is generated. The service account only has permissions to read the outpost and provider configuration. This token is used by the outpost to connect to authentik.

--- a/website/docs/add-secure-apps/providers/entra/add-entra-provider.md
+++ b/website/docs/add-secure-apps/providers/entra/add-entra-provider.md
@ -17,7 +17,7 @@ As detailed in the steps below, when you add an Entra ID provider in authentik y

 1.  Log in as an admin to authentik, and go to the Admin interface.
 2.  In the Admin interface, navigate to **Applications -> Providers**.
-3.  Click **Create**, and in the **New provider** modal box select **Microsoft Entra Provider** as the type and click **Next**.
+3.  Click **Create**, and in the **New provider** box select **Microsoft Entra Provider** as the type and click **Next**.
 4.  Define the following fields:

    - **Name**: define a descriptive name, such as "Entra provider".
@ -46,7 +46,7 @@ As detailed in the steps below, when you add an Entra ID provider in authentik y

 1. Log in as an admin to authentik, and go to the Admin interface.
 2. In the Admin interface, navigate to **Applications -> Applications**.
-3. Click **Create**, and in the **Create Application** modal box define the following fields:
+3. Click **Create**, and define the following fields:

    - **Name**: provide a descriptive name.
    - **Slug**: enter the name of the app as you want it to appear in the URL.
--- a/website/docs/add-secure-apps/providers/gws/add-gws-provider.md
+++ b/website/docs/add-secure-apps/providers/gws/add-gws-provider.md
@ -19,7 +19,7 @@ When adding the Google Workspace provider in authentik, you must define the **Ba

 2. In the Admin interface, navigate to **Applications -> Providers**.

-3. Click **Create**, and select **Google Workspace Provider**, and in the **New provider** modal box, define the following fields:
+3. Click **Create**, and select **Google Workspace Provider**, and in the **New provider** box, define the following fields:

    - **Name**: define a descriptive name, such as "GWS provider".

@ -50,7 +50,7 @@ When adding the Google Workspace provider in authentik, you must define the **Ba
   :::info
   If you have also configured Google Workspace to log in using authentik following [these](https://docs.goauthentik.io/integrations/services/google/index), then this configuration can be done on the same app by adding this new provider as a backchannel provider on the existing app instead of creating a new app.
   :::
-3. Click **Create**, and in the **New provider** modal box, and define the following fields:
+3. Click **Create**, and in the **New provider** box, and define the following fields:

    - **Slug**: enter the name of the app as you want it to appear in the URL.
    - **Provider**: when _not_ used in conjunction with the Google SAML configuration should be left empty.
--- a/website/docs/add-secure-apps/providers/gws/setup-gws.md
+++ b/website/docs/add-secure-apps/providers/gws/setup-gws.md
@ -20,7 +20,7 @@ For detailed instructions, refer to Google documentation.
 ### Create a Google cloud project

 1. Open the Google Cloud Console (https://cloud.google.com/cloud-console).
-2. In upper left, click the drop-down box to open the **Select a project** modal box, and then select **New Project**.
+2. In upper left, click the drop-down box to open the **Select a project** box, and then select **New Project**.
 3. Create a new project and give it a name like "authentik GWS"
 4. Use the search bar at the top of your new project page to search for "API Library".
 5. On the **API Library** page, use the search bar again to find "Admin SDK API".
@ -41,7 +41,7 @@ For detailed instructions, refer to Google documentation.

 1. On the **Service accounts** page, click the account that you just created.
 2. Click the **Keys** tab at top of the page, the click **Add Key -> Create new key**.
-3. In the Create modal box, select JSON as the key type, and then click **Create**.
+3. In the Create box, select JSON as the key type, and then click **Create**.
   A pop-up displays with the private key, and the key is saved to your computer as a JSON file.
   Later, when you create your authentik provider for Google Workspace, you will add this key in the **Credentials** field.
 4. On the service account page, click the **Details** tab, and expand the **Advanced settings** area.
@ -49,7 +49,7 @@ For detailed instructions, refer to Google documentation.
 6. Log in to the Admin Console, and then navigate to **Security -> Access and data control -> API controls**.
 7. On the **API controls** page, click **Manage Domain Wide Delegation**.
 8. On the **Domain Wide Delegation** page, click **Add new**.
-9. In the **Add a new client ID** modal box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scope documents:
+9. In the **Add a new client ID** box, paste in the Client ID that you copied from the Admin console earlier (the value from the downloaded JSON file) and paste in the following scope documents:
    - `https://www.googleapis.com/auth/admin.directory.user`
    - `https://www.googleapis.com/auth/admin.directory.group`
    - `https://www.googleapis.com/auth/admin.directory.group.member`
--- a/website/docs/add-secure-apps/providers/index.mdx
+++ b/website/docs/add-secure-apps/providers/index.mdx
@ -11,7 +11,7 @@ Providers are the "other half" of [applications](../applications/index.md). They

 Applications can use additional providers to augment the functionality of the main provider. For more information, see [Backchannel providers](../applications/manage_apps.mdx#backchannel-providers).

-You can create a new provider in the Admin interface, or you can use the [Application wizard](../applications/manage_apps.mdx#instructions) to create a new application and its provider at the same time.
+You can create a new provider in the Admin interface, or you can use the [**Create with provider** option](../applications/manage_apps.mdx#instructions) to create a new application and its provider at the same time.

 When you create certain types of providers, you need to select specific [flows](../flows-stages/flow/index.md) to apply to users who access authentik via the provider. To learn more, refer to our [default flow documentation](../flows-stages/flow/examples/default_flows.md).

--- a/website/docs/add-secure-apps/providers/ldap/generic_setup.md
+++ b/website/docs/add-secure-apps/providers/ldap/generic_setup.md
@ -9,7 +9,7 @@ title: Create an LDAP provider
    Note the DN of this user will be `cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io`

 :::info
-Note: The `default-authentication-flow` validates MFA by default, and currently everything but SMS-based devices and WebAuthn devices are supported by LDAP. If you plan to use only dedicated service accounts to bind to LDAP, or don't use SMS-based authenticators, then you can use the default flow and skip the extra steps below and continue at [Create LDAP Application & Provider](#create-ldap-application--provider)
+Note: The `default-authentication-flow` validates MFA by default, and currently everything but SMS-based devices and WebAuthn (which enables passkey-based authentication) devices are supported by LDAP. If you plan to use only dedicated service accounts to bind to LDAP, or don't use SMS-based authenticators, then you can use the default flow and skip the extra steps below and continue at [Create LDAP Application & Provider](#create-ldap-application--provider)
 :::

 ### LDAP Flow
@ -46,7 +46,7 @@ Note: The `default-authentication-flow` validates MFA by default, and currently

 ### Create LDAP Application & Provider

-1. Create the LDAP Application under _Applications_ -> _Applications_ -> _Create With Wizard_ and name it `LDAP`.
+1. Create the LDAP Application under _Applications_ -> _Applications_ -> _Create With provider_ and name it `LDAP`.
   ![](./general_setup14.png)
   ![](./general_setup15.png)

@ -55,7 +55,7 @@ Note: The `default-authentication-flow` validates MFA by default, and currently
 1. Navigate to the LDAP Provider under _Applications_ -> _Providers_ -> `Provider for LDAP`.
 2. Switch to the _Permissions_ tab.
 3. Click the _Assign to new user_ button to select a user to assign the full directory search permission to.
-4. Select the `ldapservice` user in the modal by typing in its username. Select the _Search full LDAP directory_ permission and click _Assign_
+4. Select the `ldapservice` user typing in its username. Select the _Search full LDAP directory_ permission and click _Assign_

 ### Create LDAP Outpost

--- a/website/docs/add-secure-apps/providers/ldap/index.md
+++ b/website/docs/add-secure-apps/providers/ldap/index.md
@ -64,7 +64,7 @@ Starting with 2023.3, periods and slashes in custom attributes will be sanitized

 You can also configure SSL for your LDAP Providers by selecting a certificate and a server name in the provider settings.

-Starting with authentik 2023.6, StartTLS is supported, and the provider will pick the correct certificate based on the configured _TLS Server name_ field. The certificate is not picked based on the Bind DN, as the StartTLS operation should happen be the bind request to ensure bind credentials are transmitted over TLS.
+Starting with authentik 2023.6, StartTLS is supported, and the provider will pick the correct certificate based on the configured _TLS Server name_ field. The certificate is not picked based on the Bind DN, as the StartTLS operation should happen before the bind request to ensure bind credentials are transmitted over TLS.

 This enables you to bind on port 636 using LDAPS.

--- a/website/docs/add-secure-apps/providers/oauth2/create-oauth2-provider.md
+++ b/website/docs/add-secure-apps/providers/oauth2/create-oauth2-provider.md
@ -2,13 +2,13 @@
 title: Create an OAuth2 provider
 ---

-To add a provider (and the application that uses the provider for authentication) use the Application Wizard, which creates both the new application and the required provider at the same time. For typical scenarios, authentik recommends that you use the Wizard to create both the application and the provider together. (Alternatively, use our legacy process: navigate to **Applications --> Providers**, and then click **Create**.)
+To add a provider (and the application that uses the provider for authentication) use the ** Create with provider** option, which creates both the new application and the required provider at the same time. For typical scenarios, authentik recommends that you create both the application and the provider together. (Alternatively, use our legacy process: navigate to **Applications --> Providers**, and then click **Create**.)

-1. Log into authentik as an admin, and navigate to **Applications --> Applications**.
+1. Log in to authentik as an admin, and open the authentik Admin interface.

-2. Click **Create with Wizard**.
+2. Navigate to **Applications -> Applications** and click **Create with provider** to create an application and provider pair. (Alternatively you can create only an application, without a provider, by clicking **Create**.)

-3. In the **New application** wizard, define the application details, and then click **Next**.
+3. In the **New application** box, define the application details, and then click **Next**.

 4. Select the **Provider Type** of **OAuth2/OIDC**, and then click **Next**.

--- a/website/docs/add-secure-apps/providers/rac/how-to-rac.md
+++ b/website/docs/add-secure-apps/providers/rac/how-to-rac.md
@ -26,7 +26,7 @@ The first step is to create the RAC app and provider.

 2. In the Admin interface, navigate to **Applications -> Applications**.

-3. Click **Create with Wizard**. Follow the [instructions](../../applications/manage_apps.mdx#instructions) to create your RAC application and provider.
+3. Click **Create with provider**. Follow the [instructions](../../applications/manage_apps.mdx#instructions) to create your RAC application and provider.

 ### Step 2. Create RAC property mapping

@ -36,7 +36,7 @@ Next, you need to add a property mapping for each of the remote machines you wan

 2. On the **Property Mappings** page, click **Create**.

-3. On the **New property mapping** modal, set the following:
+3. On the **New property mapping** box, set the following:

    - **Select Type**: RAC Property Mappings
    - **Create RAC Property Mapping**:
@ -52,7 +52,7 @@ Next, you need to add a property mapping for each of the remote machines you wan
        - Advanced settings:
            - **Expressions**: optional, using Python you can define custom [expressions](../property-mappings/expression.mdx).

-4. Click **Finish** to save your settings and close the modal.
+4. Click **Finish** to save your settings and close the box.

 ### Step 3. Create Endpoints for the Provider

@ -64,7 +64,7 @@ Finally, you need to create an endpoint for each remote machine. Endpoints are d

 3. On the Provider page, under **Endpoints**, click **Create**.

-4. On the **Create Endpoint** modal, provide the following settings:
+4. On the **Create Endpoint** box, provide the following settings:

    - **Name**: define a name for the endpoint, perhaps include the type of connection (RDP, SSH, VNC)
    - **Protocol**: select the appropriate protocol
@ -73,7 +73,7 @@ Finally, you need to create an endpoint for each remote machine. Endpoints are d
    - **Property mapping**: select either the property mapping that you created in Step 2, or use one of the default settings.
    - **Advance settings**: optional

-5. Click **Create** to save your settings and close the modal.
+5. Click **Create** to save your settings and close the box.

 ### Access the remote machine

--- a/website/docs/add-secure-apps/providers/rac/index.md
+++ b/website/docs/add-secure-apps/providers/rac/index.md
@ -1,6 +1,5 @@
 ---
 title: Remote Access Control (RAC) Provider
-authentik_enterprise: true
 ---

 :::info
--- a/website/docs/add-secure-apps/providers/ssf/create-ssf-provider.md
+++ b/website/docs/add-secure-apps/providers/ssf/create-ssf-provider.md
@ -0,0 +1,54 @@
+---
+title: Configure an SSF provider
+authentik_version: "2025.2.0"
+authentik_enterprise: true
+authentik_preview: true
+---
+
+The workflow to implement an SSF provider as a [backchannel provider](../../applications/manage_apps#backchannel-providers) for an application/provider pair is as follows:
+
+1. Create the SSF provider (which serves as the backchannel provider).
+2. Create an OIDC provider (which serves as the protocol provider for the application).
+3. Create the application, and assign both the OIDC provider and the SSF provider.
+
+## Create the SSF provider
+
+1. Log in to authentik as an admin, and in the Admin interface navigate to **Applications -> Providers**.
+
+2. Click **Create**.
+
+3. In the modal, select the **Provider Type** of **SSF**, and then click **Next**.
+
+4. On the **New provider** page, provide the configuration settings. Be sure to select a **Signing Key**.
+
+5. Click **Finish** to create and save the provider.
+
+## Create the OIDC provider
+
+1. Log in to authentik as an admin, and in the Admin interface navigate to **Applications -> Providers**.
+
+2. Click **Create**.
+
+3. In the modal, select the **Provider Type** of **OIDC**, and then click **Next**.
+
+4. Define the settings for the provider, and then click **Finish** to save the new provider.
+
+## Create the application
+
+1. Log in to authentik as an admin, and in the Admin interface navigate to **Applications -> Applications**.
+
+2. Click **Create**.
+
+3. Define the settings for the application:
+
+    - **Name**: define a descriptive name ofr the application.
+    - **Slug**: optionally define the internal application name used in URLs.
+    - **Group**: optionally select a group that you want to have access to this application.
+    - **Provider**: select the OIDC provider that you created.
+    - **Backchannel Providers**: select the SSF provider you created.
+    - **Policy engine mode**: define policy-based access.
+    - **UI Settings**: optionally define a launch URL, an icon, and other UI elements.
+
+4. Click **Create** to save the new application.
+
+The new application, with its OIDC provider and the backchannel SFF provider, should now appear in your list of Applications.
--- a/website/docs/add-secure-apps/providers/ssf/index.md
+++ b/website/docs/add-secure-apps/providers/ssf/index.md
@ -0,0 +1,47 @@
+---
+title: Shared Signals Framework (SSF) Provider
+sidebar_label: SSF Provider
+authentik_version: "2025.2.0"
+authentik_enterprise: true
+authentik_preview: true
+---
+
+Shared Signals Framework (SSF) is a common standard for sharing asynchronous real-time security signals and events across multiple applications and an identity provider. The framework is a collection of standards and communication processes, documented in a [specification](https://openid.net/specs/openid-sharedsignals-framework-1_0-ID3.html). SSF leverages the APIs of the application and the IdP, using privacy-protected, secure webhooks.
+
+## About Shared Signals Framework
+
+In authentik, an SSF provider allows applications to subscribe to certain types of security signals (which are then translated into SETs, or Security Event Tokens) that are captured by authentik (the IdP), and then the application can respond to each event. In this scenario, authentik acts as the _transmitter_ and the application acts as the _receiver_ of the events.
+
+Events in authentik that are tracked via SSF include when an MFA device is added or removed, logouts, sessions being revoked by Admin or user clicking logout, or credentials changed.
+
+## Example use cases
+
+A common use case for SSF is when an Admin wants to know if a user logs out of authentik, so that the user is then also automaticlaly logged out of all other work-focused applications.
+
+Another example use case is when an application uses SSF to subscribe to authorization events because the application needs to know if a user changed their password in authentik. If a user did change their password, then the application receives a POST request to write the fact that the password was changed.
+
+## About using SSF in authentik
+
+Let's look at a few details about using SSF in authentik.
+
+The SSF provider in authentik serves as a [backchannel provider](../../applications/manage_apps#backchannel-providers). Backchannel providers are used to augment the functionality of the main provider for an application. Thus you will still need to [create a typical application/provider pair](../../applications/manage_apps#instructions) (using an OIDC provider), and when creating the application, assign the SSF provider as a backchannel provider.
+
+When an authentik Admin [creates an SSF provider](./create-ssf-provider), they need to configure both the application (the receiver) and authentik (the IdP and the transmitter).
+
+### The application (the receiver)
+
+Within the application, the admin creates an SSF stream (which comprises all the signals that the app wants to subscribe to) and defines the audience, called `aud` in the specification (the URL that identifies the stream). A stream is basically an API request to authentik, which asks for a POST of all events. How that request is sent varies from application to application. An application can change or delete the stream.
+
+Note that authentik doesn't specify which events to subscribe to; instead the application defines which they want to listen for.
+
+### authentik (the transmitter)
+
+To configure authentik as a shared signals transmitter, the authentik Admin [creates a new provider](./create-ssf-provider), selecting the type "SSF", to serve as the backchannelprovider for the application.
+
+When creating the SSF provider you will need to select a signing key. This is the key that the Security Event Tokens (SET) is signed with.
+
+Optionally, you can specify a event retention time period: this value determines how long events are stored for. If an event could not be sent correctly, and retries occur, the event's expiration is also increased by this duration.
+
+:::info
+Be aware that the SET events are different events than those displayed in the authentik Admin interface under **Events**.
+:::
--- a/website/docs/customize/policies/expression.mdx
+++ b/website/docs/customize/policies/expression.mdx
@ -145,7 +145,7 @@ This includes the following:
        }
        ```

-    - `auth_webauthn_pwl`: Password-less WebAuthn login
+    - `auth_webauthn_pwl`: Password-less WebAuthn with Passkeys login
    - `jwt`: OAuth Machine-to-machine login via external JWT
    - `app_password`: App password (token)

--- a/website/docs/customize/policies/index.md
+++ b/website/docs/customize/policies/index.md
@ -26,6 +26,22 @@ See [Expression Policy](./expression.mdx).

 Use this policy for simple GeoIP lookups, such as country or ASN matching. (For a more advanced GeoIP lookup, use an [Expression policy](./expression.mdx).)

+With the GeoIP policy, you can use the **Distance Settings** options to set travel "expectations" and control login attempts based on GeoIP location. The GeoIP policy calculates the values defined for travel distances (in kilometers), and then either passes or fails based on the results. If the GeoIP policy failed, the current login attempt is not allowed.
+
+    -   **Maximum distance**: define the allowed maximum distance  between a login's initial GeoIP location and the GeoIP location of a subsequent login attempt.
+
+    -   **Distance tolerance**: optionally, add an additional "tolerance" distance. This value is added to the **Maximum distance** value, then the total is used in the calculations that determine if the policy fails or passes.
+
+    -   **Historical Login Count**: define the number of login events that you want to use for the distance calculations. For example, with the default value of 5, the policy will check the distance between each of the past 5 login attempts, and if any of those distances exceed the **Maximum distance** PLUS the **Distance tolerance**, then the policy will fail and the current login attempt will not be allowed.
+
+    -   **Check impossible travel**: this option, when enabled, provides an additional layer of calculations to the policy. With Impossible travel, a built-in value of 1,000 kilometers is used as the base distance. This distance, PLUS the value defined for **Impossible travel tolerance**, is the maximum allowed distance for the policy to pass. Note that the value defined in **Historical Login Count** (the number of login events to check) is also used for Impossible travel calculations.
+
+    -   **Impossible travel tolerance**: optionally, you can add an additional "tolerance" distance. This value is added to the built-in allowance of 1000 kilometers per hour, then the total is used in the calculations that run against each of the login events (to determine if the travel would have been possible in the amount of time since the previous login event) to determine if the policy fails or passes.
+
+:::info
+GeoIP is included in every release of authentik and does not require any additional setup for creating GeoIP policies. For information about advanced uses (configuring your own database, etc.) and system management of GeoIP data, refer to our [GeoIP documentation](../../sys-mgmt/ops/geoip.mdx).
+:::
+
 ### Password-Expiry Policy

 This policy can enforce regular password rotation by expiring set passwords after a finite amount of time. This forces users to set a new password.
--- a/website/docs/customize/policies/working_with_policies.md
+++ b/website/docs/customize/policies/working_with_policies.md
@ -8,7 +8,7 @@ authentik provides several [standard policy types](./index.md#standard-policies)

 We also document how to use a policy to [whitelist email domains](./expression/whitelist_email.md) and to [ensure unique email addresses](./expression/unique_email.md).

-To learn more see also [bindings](../../add-secure-apps/flows-stages/bindings/index.md) and how to use the [authentik Wizard to bind policy bindings to the new application](../../add-secure-apps/applications/manage_apps.mdx#add-new-applications) (for example, to configure application-specific access).
+To learn more see also [bindings](../../add-secure-apps/flows-stages/bindings/index.md) and how to [bind policy bindings to a new application when yo create the application](../../add-secure-apps/applications/manage_apps.mdx#instructions) (for example, to configure application-specific access).

 ## Create a policy

--- a/website/docs/developer-docs/index.md
+++ b/website/docs/developer-docs/index.md
@ -73,7 +73,7 @@ authentik
 │   ├── authenticator_static - Configure TOTP backup keys
 │   ├── authenticator_totp - Configure a TOTP authenticator
 │   ├── authenticator_validate - Validate any authenticator
-│   ├── authenticator_webauthn - Configure a WebAuthn authenticator
+│   ├── authenticator_webauthn - Configure a WebAuthn / Passkeys authenticator
 │   ├── captcha - Make the user pass a captcha
 │   ├── consent - Let the user decide if they want to consent to an action
 │   ├── deny - Static deny, can be used with policies
--- a/website/docs/developer-docs/setup/debug_vscode.png
+++ b/website/docs/developer-docs/setup/debug_vscode.png
--- a/website/docs/developer-docs/setup/debugging.md
+++ b/website/docs/developer-docs/setup/debugging.md
@ -0,0 +1,53 @@
+---
+title: Debugging authentik
+---
+
+This page describes how to debug different components of an authentik instance, running either in production or in a development setup. To learn more about the structure of authentik, refer to our [architecture documentation](../../core/architecture).
+
+## authentik Server & Worker (Python)
+
+The majority of the authentik codebase is in Python, running in Gunicorn for the server and Celery for the worker. These instructions show how this code can be debugged/inspected. The local debugging setup requires a setup as described in [Full development environment](./full-dev-environment.mdx)
+
+Note that authentik uses [debugpy](https://github.com/microsoft/debugpy), which relies on the "Debug Adapter Protocol" (DAP). These instructions demonstrate debugging using [Visual Studio Code](https://code.visualstudio.com/), however they should be adaptable to other editors that support DAP.
+
+To enable the debugging server, set the environment variable `AUTHENTIK_DEBUGGER` to `true`. This will launch the debugging server (by default on port _9901_).
+
+With this setup in place, you can set Breakpoints in VS Code. To connect to the debugging server, run the command `> Debug: Start Debugging" in VS Code.
+
+![](./debug_vscode.png)
+
+:::info
+Note that due to the Python debugger for VS Code, when a Python file in authentik is saved and the Django process restarts, you must manually reconnect the Debug session. Automatic re-connection is not supported for the Python debugger (see [here](https://github.com/microsoft/vscode-python/issues/19998) and [here](https://github.com/microsoft/vscode-python/issues/1182)).
+:::
+
+#### Debugging in containers
+
+When debugging an authentik instance running in containers, there are some additional steps that need to be taken in addition to the steps above.
+
+A local clone of the authentik repository is required to be able to set breakpoints in the code. The locally checked out repository must be on the same version/commit as the authentik version running in the containers. To checkout version 2024.12.3 for example, you can run `git checkout version/2024.12.3`.
+
+The debug port needs to be accessible on the local machine. By default, this is port 9901. Additionally, the container being debugged must be started as `root`, because additional dependencies need to be installed on startup.
+
+When running in Docker Compose, a file `docker-compose.override.yml` can be created next to the authentik docker-compose.yml file to expose the port, change the user, and enable debug mode.
+
+```yaml
+services:
+    # Replace `server` with `worker` to debug the worker container.
+    server:
+        user: root
+        healthcheck:
+            disable: true
+        environment:
+            AUTHENTIK_DEBUGGER: "true"
+            AUTHENTIK_LOG_LEVEL: "debug"
+        ports:
+            - 9901:9901
+```
+
+After re-creating the containers with `AUTHENTIK_DEBUGGER` set to `true` and the port mapped, the steps are identical to the steps above.
+
+If the authentik instance is running on a remote server, the `.vscode/launch.json` file needs to be adjusted to point to the IP of the remote server. Alternatively, it is also possible to forward the debug port via an SSH tunnel, using `-L 9901:127.0.0.1:9901`.
+
+## authentik Server / Outposts (Golang)
+
+Outposts, as well as some auxiliary code of the authentik server, are written in Go. These components can be debugged using standard Golang tooling, such as [Delve](https://github.com/go-delve/delve).
--- a/Show More
+++ b/Show More