Altered directory

Merge remote-tracking branch 'origin/main' into website/docs--update-nginx-config
Language change
2025-06-12 18:26:04 +03:00 · 2025-06-12 17:58:42 +03:00 · 2025-06-12 17:58:29 +03:00 · 2025-06-12 14:24:03 +03:00
73 changed files with 7588 additions and 8564 deletions
--- a/2
+++ b/2
@ -75,7 +75,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "GEOIPUPDATE_LICENSE_KEY_FILE=/run/secrets/GEOIPUPDATE_LICENSE_KEY /usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"
 # Stage 4: Download uv
-FROM ghcr.io/astral-sh/uv:0.7.13 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.12 AS uv
 # Stage 5: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.13.4-slim-bookworm-fips AS python-base
--- a/2
+++ b/2
@ -94,7 +94,7 @@ gen-build:  ## Extract the schema from the database
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
-		uv run ak make_blueprint_schema --file blueprints/schema.json
+		uv run ak make_blueprint_schema > blueprints/schema.json
 	AUTHENTIK_DEBUG=true \
 		AUTHENTIK_TENANTS__ENABLED=true \
 		AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true \
--- a/authentik/blueprints/management/commands/make_blueprint_schema.py
+++ b/authentik/blueprints/management/commands/make_blueprint_schema.py
@ -72,33 +72,20 @@ class Command(BaseCommand):
                    "additionalProperties": True,
                },
                "entries": {
-                    "anyOf": [
+                    "type": "array",
-                        {
+                    "items": {
-                            "type": "array",
+                        "oneOf": [],
-                            "items": {"$ref": "#/$defs/blueprint_entry"},
+                    },
                        },
                        {
                            "type": "object",
                            "additionalProperties": {
                                "type": "array",
                                "items": {"$ref": "#/$defs/blueprint_entry"},
                            },
                        },
                    ],
                },
            },
-            "$defs": {"blueprint_entry": {"oneOf": []}},
+            "$defs": {},
        }
    def add_arguments(self, parser):
        parser.add_argument("--file", type=str)
    @no_translations
-    def handle(self, *args, file: str, **options):
+    def handle(self, *args, **options):
        """Generate JSON Schema for blueprints"""
        self.build()
-        with open(file, "w") as _schema:
+        self.stdout.write(dumps(self.schema, indent=4, default=Command.json_default))
            _schema.write(dumps(self.schema, indent=4, default=Command.json_default))
    @staticmethod
    def json_default(value: Any) -> Any:
@ -125,7 +112,7 @@ class Command(BaseCommand):
                }
            )
            model_path = f"{model._meta.app_label}.{model._meta.model_name}"
-            self.schema["$defs"]["blueprint_entry"]["oneOf"].append(
+            self.schema["properties"]["entries"]["items"]["oneOf"].append(
                self.template_entry(model_path, model, serializer)
            )
@ -147,7 +134,7 @@ class Command(BaseCommand):
                "id": {"type": "string"},
                "state": {
                    "type": "string",
-                    "enum": sorted([s.value for s in BlueprintEntryDesiredState]),
+                    "enum": [s.value for s in BlueprintEntryDesiredState],
                    "default": "present",
                },
                "conditions": {"type": "array", "items": {"type": "boolean"}},
@ -218,7 +205,7 @@ class Command(BaseCommand):
                "type": "object",
                "required": ["permission"],
                "properties": {
-                    "permission": {"type": "string", "enum": sorted(perms)},
+                    "permission": {"type": "string", "enum": perms},
                    "user": {"type": "integer"},
                    "role": {"type": "string"},
                },
--- a/authentik/blueprints/tests/fixtures/state_present.yaml
+++ b/authentik/blueprints/tests/fixtures/state_present.yaml
@ -1,11 +1,10 @@
 version: 1
 entries:
-  foo:
+    - identifiers:
-      - identifiers:
+          name: "%(id)s"
-            name: "%(id)s"
+          slug: "%(id)s"
-            slug: "%(id)s"
+      model: authentik_flows.flow
-        model: authentik_flows.flow
+      state: present
-        state: present
+      attrs:
-        attrs:
+          designation: stage_configuration
-            designation: stage_configuration
+          title: foo
            title: foo
--- a/authentik/blueprints/v1/common.py
+++ b/authentik/blueprints/v1/common.py
@ -191,18 +191,11 @@ class Blueprint:
    """Dataclass used for a full export"""
    version: int = field(default=1)
-    entries: list[BlueprintEntry] | dict[str, list[BlueprintEntry]] = field(default_factory=list)
+    entries: list[BlueprintEntry] = field(default_factory=list)
    context: dict = field(default_factory=dict)
    metadata: BlueprintMetadata | None = field(default=None)
    def iter_entries(self) -> Iterable[BlueprintEntry]:
        if isinstance(self.entries, dict):
            for _section, entries in self.entries.items():
                yield from entries
        else:
            yield from self.entries
 class YAMLTag:
    """Base class for all YAML Tags"""
@ -233,7 +226,7 @@ class KeyOf(YAMLTag):
        self.id_from = node.value
    def resolve(self, entry: BlueprintEntry, blueprint: Blueprint) -> Any:
-        for _entry in blueprint.iter_entries():
+        for _entry in blueprint.entries:
            if _entry.id == self.id_from and _entry._state.instance:
                # Special handling for PolicyBindingModels, as they'll have a different PK
                # which is used when creating policy bindings
--- a/authentik/blueprints/v1/importer.py
+++ b/authentik/blueprints/v1/importer.py
@ -384,7 +384,7 @@ class Importer:
    def _apply_models(self, raise_errors=False) -> bool:
        """Apply (create/update) models yaml"""
        self.__pk_map = {}
-        for entry in self._import.iter_entries():
+        for entry in self._import.entries:
            model_app_label, model_name = entry.get_model(self._import).split(".")
            try:
                model: type[SerializerModel] = registry.get_model(model_app_label, model_name)
--- a/authentik/blueprints/v1/meta/registry.py
+++ b/authentik/blueprints/v1/meta/registry.py
@ -47,7 +47,7 @@ class MetaModelRegistry:
        models = apps.get_models()
        for _, value in self.models.items():
            models.append(value)
-        return sorted(models, key=str)
+        return models
    def get_model(self, app_label: str, model_id: str) -> type[Model]:
        """Get model checks if any virtual models are registered, and falls back
--- a/authentik/outposts/tests/test_ws.py
+++ b/authentik/outposts/tests/test_ws.py
@ -1,9 +1,11 @@
 """Websocket tests"""
 from dataclasses import asdict
 from unittest.mock import patch
 from channels.routing import URLRouter
 from channels.testing import WebsocketCommunicator
 from django.contrib.contenttypes.models import ContentType
 from django.test import TransactionTestCase
 from authentik import __version__
@ -14,6 +16,12 @@ from authentik.providers.proxy.models import ProxyProvider
 from authentik.root import websocket
 def patched__get_ct_cached(app_label, codename):
    """Caches `ContentType` instances like its `QuerySet` does."""
    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestOutpostWS(TransactionTestCase):
    """Websocket tests"""
--- a/authentik/providers/oauth2/errors.py
+++ b/authentik/providers/oauth2/errors.py
@ -15,7 +15,6 @@ class OAuth2Error(SentryIgnoredException):
    error: str
    description: str
    cause: str | None = None
    def create_dict(self):
        """Return error as dict for JSON Rendering"""
@ -35,10 +34,6 @@ class OAuth2Error(SentryIgnoredException):
            **kwargs,
        )
    def with_cause(self, cause: str):
        self.cause = cause
        return self
 class RedirectUriError(OAuth2Error):
    """The request fails due to a missing, invalid, or mismatching
--- a/authentik/providers/oauth2/tests/test_authorize.py
+++ b/authentik/providers/oauth2/tests/test_authorize.py
@ -12,7 +12,7 @@ from authentik.core.tests.utils import create_test_admin_user, create_test_flow
 from authentik.events.models import Event, EventAction
 from authentik.lib.generators import generate_id
 from authentik.lib.utils.time import timedelta_from_string
-from authentik.providers.oauth2.constants import SCOPE_OFFLINE_ACCESS, SCOPE_OPENID, TOKEN_TYPE
+from authentik.providers.oauth2.constants import TOKEN_TYPE
 from authentik.providers.oauth2.errors import AuthorizeError, ClientIdError, RedirectUriError
 from authentik.providers.oauth2.models import (
    AccessToken,
@ -43,7 +43,7 @@ class TestAuthorize(OAuthTestCase):
            authorization_flow=create_test_flow(),
            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
        )
-        with self.assertRaises(AuthorizeError) as cm:
+        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
                "/",
                data={
@ -53,7 +53,6 @@ class TestAuthorize(OAuthTestCase):
                },
            )
            OAuthAuthorizationParams.from_request(request)
        self.assertEqual(cm.exception.error, "unsupported_response_type")
    def test_invalid_client_id(self):
        """Test invalid client ID"""
@ -69,7 +68,7 @@ class TestAuthorize(OAuthTestCase):
            authorization_flow=create_test_flow(),
            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid/Foo")],
        )
-        with self.assertRaises(AuthorizeError) as cm:
+        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
                "/",
                data={
@ -80,30 +79,19 @@ class TestAuthorize(OAuthTestCase):
                },
            )
            OAuthAuthorizationParams.from_request(request)
        self.assertEqual(cm.exception.error, "request_not_supported")
    def test_invalid_redirect_uri_missing(self):
        """test missing redirect URI"""
        OAuth2Provider.objects.create(
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
        )
        with self.assertRaises(RedirectUriError) as cm:
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
            OAuthAuthorizationParams.from_request(request)
        self.assertEqual(cm.exception.cause, "redirect_uri_missing")
    def test_invalid_redirect_uri(self):
-        """test invalid redirect URI"""
+        """test missing/invalid redirect URI"""
        OAuth2Provider.objects.create(
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid")],
        )
-        with self.assertRaises(RedirectUriError) as cm:
+        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
            OAuthAuthorizationParams.from_request(request)
        with self.assertRaises(RedirectUriError):
            request = self.factory.get(
                "/",
                data={
@ -113,7 +101,6 @@ class TestAuthorize(OAuthTestCase):
                },
            )
            OAuthAuthorizationParams.from_request(request)
        self.assertEqual(cm.exception.cause, "redirect_uri_no_match")
    def test_blocked_redirect_uri(self):
        """test missing/invalid redirect URI"""
@ -121,9 +108,9 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:localhost")],
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "data:local.invalid")],
        )
-        with self.assertRaises(RedirectUriError) as cm:
+        with self.assertRaises(RedirectUriError):
            request = self.factory.get(
                "/",
                data={
@ -133,7 +120,6 @@ class TestAuthorize(OAuthTestCase):
                },
            )
            OAuthAuthorizationParams.from_request(request)
        self.assertEqual(cm.exception.cause, "redirect_uri_forbidden_scheme")
    def test_invalid_redirect_uri_empty(self):
        """test missing/invalid redirect URI"""
@ -143,6 +129,9 @@ class TestAuthorize(OAuthTestCase):
            authorization_flow=create_test_flow(),
            redirect_uris=[],
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
            OAuthAuthorizationParams.from_request(request)
        request = self.factory.get(
            "/",
            data={
@ -161,9 +150,12 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.REGEX, "http://local.invalid?")],
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://local.invalid?")],
        )
-        with self.assertRaises(RedirectUriError) as cm:
+        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
            OAuthAuthorizationParams.from_request(request)
        with self.assertRaises(RedirectUriError):
            request = self.factory.get(
                "/",
                data={
@ -173,7 +165,6 @@ class TestAuthorize(OAuthTestCase):
                },
            )
            OAuthAuthorizationParams.from_request(request)
        self.assertEqual(cm.exception.cause, "redirect_uri_no_match")
    def test_redirect_uri_invalid_regex(self):
        """test missing/invalid redirect URI (invalid regex)"""
@ -181,9 +172,12 @@ class TestAuthorize(OAuthTestCase):
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
-            redirect_uris=[RedirectURI(RedirectURIMatchingMode.REGEX, "+")],
+            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "+")],
        )
-        with self.assertRaises(RedirectUriError) as cm:
+        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
            OAuthAuthorizationParams.from_request(request)
        with self.assertRaises(RedirectUriError):
            request = self.factory.get(
                "/",
                data={
@ -193,22 +187,23 @@ class TestAuthorize(OAuthTestCase):
                },
            )
            OAuthAuthorizationParams.from_request(request)
        self.assertEqual(cm.exception.cause, "redirect_uri_no_match")
-    def test_redirect_uri_regex(self):
+    def test_empty_redirect_uri(self):
-        """test valid redirect URI (regex)"""
+        """test empty redirect URI (configure in provider)"""
        OAuth2Provider.objects.create(
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
            redirect_uris=[RedirectURI(RedirectURIMatchingMode.REGEX, ".+")],
        )
        with self.assertRaises(RedirectUriError):
            request = self.factory.get("/", data={"response_type": "code", "client_id": "test"})
            OAuthAuthorizationParams.from_request(request)
        request = self.factory.get(
            "/",
            data={
                "response_type": "code",
                "client_id": "test",
-                "redirect_uri": "http://foo.bar.baz",
+                "redirect_uri": "http://localhost",
            },
        )
        OAuthAuthorizationParams.from_request(request)
@ -263,7 +258,7 @@ class TestAuthorize(OAuthTestCase):
            GrantTypes.IMPLICIT,
        )
        # Implicit without openid scope
-        with self.assertRaises(AuthorizeError) as cm:
+        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
                "/",
                data={
@ -290,7 +285,7 @@ class TestAuthorize(OAuthTestCase):
        self.assertEqual(
            OAuthAuthorizationParams.from_request(request).grant_type, GrantTypes.HYBRID
        )
-        with self.assertRaises(AuthorizeError) as cm:
+        with self.assertRaises(AuthorizeError):
            request = self.factory.get(
                "/",
                data={
@ -300,7 +295,6 @@ class TestAuthorize(OAuthTestCase):
                },
            )
            OAuthAuthorizationParams.from_request(request)
        self.assertEqual(cm.exception.error, "unsupported_response_type")
    def test_full_code(self):
        """Test full authorization"""
@ -621,54 +615,3 @@ class TestAuthorize(OAuthTestCase):
                },
            },
        )
    def test_openid_missing_invalid(self):
        """test request requiring an OpenID scope to be set"""
        OAuth2Provider.objects.create(
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
        )
        request = self.factory.get(
            "/",
            data={
                "response_type": "id_token",
                "client_id": "test",
                "redirect_uri": "http://localhost",
                "scope": "",
            },
        )
        with self.assertRaises(AuthorizeError) as cm:
            OAuthAuthorizationParams.from_request(request)
        self.assertEqual(cm.exception.cause, "scope_openid_missing")
    @apply_blueprint("system/providers-oauth2.yaml")
    def test_offline_access_invalid(self):
        """test request for offline_access with invalid response type"""
        provider = OAuth2Provider.objects.create(
            name=generate_id(),
            client_id="test",
            authorization_flow=create_test_flow(),
            redirect_uris=[RedirectURI(RedirectURIMatchingMode.STRICT, "http://localhost")],
        )
        provider.property_mappings.set(
            ScopeMapping.objects.filter(
                managed__in=[
                    "goauthentik.io/providers/oauth2/scope-openid",
                    "goauthentik.io/providers/oauth2/scope-offline_access",
                ]
            )
        )
        request = self.factory.get(
            "/",
            data={
                "response_type": "id_token",
                "client_id": "test",
                "redirect_uri": "http://localhost",
                "scope": f"{SCOPE_OPENID} {SCOPE_OFFLINE_ACCESS}",
                "nonce": generate_id(),
            },
        )
        parsed = OAuthAuthorizationParams.from_request(request)
        self.assertNotIn(SCOPE_OFFLINE_ACCESS, parsed.scope)
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -190,7 +190,7 @@ class OAuthAuthorizationParams:
        allowed_redirect_urls = self.provider.redirect_uris
        if not self.redirect_uri:
            LOGGER.warning("Missing redirect uri.")
-            raise RedirectUriError("", allowed_redirect_urls).with_cause("redirect_uri_missing")
+            raise RedirectUriError("", allowed_redirect_urls)
        if len(allowed_redirect_urls) < 1:
            LOGGER.info("Setting redirect for blank redirect_uris", redirect=self.redirect_uri)
@ -219,14 +219,10 @@ class OAuthAuthorizationParams:
                        provider=self.provider,
                    )
        if not match_found:
-            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls).with_cause(
+            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
                "redirect_uri_no_match"
            )
        # Check against forbidden schemes
        if urlparse(self.redirect_uri).scheme in FORBIDDEN_URI_SCHEMES:
-            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls).with_cause(
+            raise RedirectUriError(self.redirect_uri, allowed_redirect_urls)
                "redirect_uri_forbidden_scheme"
            )
    def check_scope(self, github_compat=False):
        """Ensure openid scope is set in Hybrid flows, or when requesting an id_token"""
@ -255,9 +251,7 @@ class OAuthAuthorizationParams:
            or self.response_type in [ResponseTypes.ID_TOKEN, ResponseTypes.ID_TOKEN_TOKEN]
        ):
            LOGGER.warning("Missing 'openid' scope.")
-            raise AuthorizeError(
+            raise AuthorizeError(self.redirect_uri, "invalid_scope", self.grant_type, self.state)
                self.redirect_uri, "invalid_scope", self.grant_type, self.state
            ).with_cause("scope_openid_missing")
        if SCOPE_OFFLINE_ACCESS in self.scope:
            # https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
            # Don't explicitly request consent with offline_access, as the spec allows for
@ -292,9 +286,7 @@ class OAuthAuthorizationParams:
            return
        if not self.nonce:
            LOGGER.warning("Missing nonce for OpenID Request")
-            raise AuthorizeError(
+            raise AuthorizeError(self.redirect_uri, "invalid_request", self.grant_type, self.state)
                self.redirect_uri, "invalid_request", self.grant_type, self.state
            ).with_cause("none_missing")
    def check_code_challenge(self):
        """PKCE validation of the transformation method."""
@ -353,10 +345,10 @@ class AuthorizationFlowInitView(PolicyAccessView):
                self.request, github_compat=self.github_compat
            )
        except AuthorizeError as error:
-            LOGGER.warning(error.description, redirect_uri=error.redirect_uri, cause=error.cause)
+            LOGGER.warning(error.description, redirect_uri=error.redirect_uri)
            raise RequestValidationError(error.get_response(self.request)) from None
        except OAuth2Error as error:
-            LOGGER.warning(error.description, cause=error.cause)
+            LOGGER.warning(error.description)
            raise RequestValidationError(
                bad_request_message(self.request, error.description, title=error.error)
            ) from None
--- a/authentik/providers/rac/views.py
+++ b/authentik/providers/rac/views.py
@ -20,9 +20,6 @@ from authentik.lib.utils.time import timedelta_from_string
 from authentik.policies.engine import PolicyEngine
 from authentik.policies.views import PolicyAccessView
 from authentik.providers.rac.models import ConnectionToken, Endpoint, RACProvider
 from authentik.stages.prompt.stage import PLAN_CONTEXT_PROMPT
 PLAN_CONNECTION_SETTINGS = "connection_settings"
 class RACStartView(PolicyAccessView):
@ -112,15 +109,10 @@ class RACFinalStage(RedirectStage):
        return super().dispatch(request, *args, **kwargs)
    def get_challenge(self, *args, **kwargs) -> RedirectChallenge:
        settings = self.executor.plan.context.get(PLAN_CONNECTION_SETTINGS)
        if not settings:
            settings = self.executor.plan.context.get(PLAN_CONTEXT_PROMPT, {}).get(
                PLAN_CONNECTION_SETTINGS
            )
        token = ConnectionToken.objects.create(
            provider=self.provider,
            endpoint=self.endpoint,
-            settings=settings or {},
+            settings=self.executor.plan.context.get("connection_settings", {}),
            session=self.request.session["authenticatedsession"],
            expires=now() + timedelta_from_string(self.provider.connection_expiry),
            expiring=True,
--- a/authentik/root/test_runner.py
+++ b/authentik/root/test_runner.py
@ -3,38 +3,21 @@
 import os
 from argparse import ArgumentParser
 from unittest import TestCase
 from unittest.mock import patch
 import pytest
 from django.conf import settings
 from django.contrib.contenttypes.models import ContentType
 from django.test.runner import DiscoverRunner
 from structlog.stdlib import get_logger
 from authentik.lib.config import CONFIG
 from authentik.lib.sentry import sentry_init
 from authentik.root.signals import post_startup, pre_startup, startup
 from tests.e2e.utils import get_docker_tag
 # globally set maxDiff to none to show full assert error
 TestCase.maxDiff = None
 def get_docker_tag() -> str:
    """Get docker-tag based off of CI variables"""
    env_pr_branch = "GITHUB_HEAD_REF"
    default_branch = "GITHUB_REF"
    branch_name = os.environ.get(default_branch, "main")
    if os.environ.get(env_pr_branch, "") != "":
        branch_name = os.environ[env_pr_branch]
    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
    return f"gh-{branch_name}"
 def patched__get_ct_cached(app_label, codename):
    """Caches `ContentType` instances like its `QuerySet` does."""
    return ContentType.objects.get(app_label=app_label, permission__codename=codename)
 class PytestTestRunner(DiscoverRunner):  # pragma: no cover
    """Runs pytest to discover and run tests."""
@ -166,9 +149,8 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
                return 1
        self.logger.info("Running tests", test_files=self.args)
-        with patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached):
+        try:
-            try:
+            return pytest.main(self.args)
-                return pytest.main(self.args)
+        except Exception as e:
-            except Exception as e:
+            self.logger.error("Error running tests", error=str(e), test_files=self.args)
-                self.logger.error("Error running tests", error=str(e), test_files=self.args)
+            return 1
                return 1
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1018.1",
+                "aws-cdk": "^2.1018.0",
                "cross-env": "^7.0.3"
            },
            "engines": {
@ -17,9 +17,9 @@
            }
        },
        "node_modules/aws-cdk": {
-            "version": "2.1018.1",
+            "version": "2.1018.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1018.1.tgz",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1018.0.tgz",
-            "integrity": "sha512-kFPRox5kSm+ktJ451o0ng9rD+60p5Kt1CZIWw8kXnvqbsxN2xv6qbmyWSXw7sGVXVwqrRKVj+71/JeDr+LMAZw==",
+            "integrity": "sha512-sppVsNtFJTW4wawS/PBudHCSNHb8xwaZ2WX1mpsfwaPNyTWm0eSUVJsRbRiRBu9O/Us8pgrd4woUjfM1lgD7Kw==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@ -10,7 +10,7 @@
        "node": ">=20"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1018.1",
+        "aws-cdk": "^2.1018.0",
        "cross-env": "^7.0.3"
    }
 }
--- a/locale/es/LC_MESSAGES/django.po
+++ b/locale/es/LC_MESSAGES/django.po
@ -6,18 +6,18 @@
 # Translators:
 # jcamat, 2022
 # Angel, 2024
 # Iamanaws, 2024
 # Marcelo Elizeche Landó, 2025
 # Jens L. <jens@goauthentik.io>, 2025
 # Iamanaws, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-06-04 00:12+0000\n"
+"POT-Creation-Date: 2025-05-28 11:25+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Iamanaws, 2025\n"
+"Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/authentik/teams/119923/es/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -111,7 +111,7 @@ msgstr "Certificado Web usado por el servidor web Core de authentik"
 #: authentik/brands/models.py
 msgid "Certificates used for client authentication."
-msgstr "Certificados utilizados para la autenticación del cliente."
+msgstr ""
 #: authentik/brands/models.py
 msgid "Brand"
@ -131,7 +131,7 @@ msgstr "Descripción adicional no disponible."
 #: authentik/core/api/groups.py
 msgid "Cannot set group as parent of itself."
-msgstr "No se puede establecer un grupo como su propio padre."
+msgstr "No se puede establecer el grupo como padre de sí mismo."
 #: authentik/core/api/providers.py
 msgid ""
@ -183,11 +183,11 @@ msgstr "Remueve usuario del grupo"
 #: authentik/core/models.py
 msgid "Enable superuser status"
-msgstr "Habilitar el estado de superusuario"
+msgstr "Habiliar estado de \"superusuario\""
 #: authentik/core/models.py
 msgid "Disable superuser status"
-msgstr "Deshabilitar el estado de superusuario"
+msgstr "Deshabiliar estado de \"superusuario\""
 #: authentik/core/models.py
 msgid "User's display name."
@ -241,7 +241,7 @@ msgstr "Flujo utilizado al autorizar a este proveedor."
 #: authentik/core/models.py
 msgid "Flow used ending the session from a provider."
-msgstr "Flujo utilizado para finalizar la sesión desde un proveedor."
+msgstr "Flujo usado para terminar la sesión de un proveedor."
 #: authentik/core/models.py
 msgid ""
@ -273,11 +273,11 @@ msgstr "Aplicaciones"
 #: authentik/core/models.py
 msgid "Application Entitlement"
-msgstr "Derecho de Aplicación"
+msgstr ""
 #: authentik/core/models.py
 msgid "Application Entitlements"
-msgstr "Derechos de Aplicación"
+msgstr ""
 #: authentik/core/models.py
 msgid "Use the source-specific identifier"
@ -288,9 +288,9 @@ msgid ""
 "Link to a user with identical email address. Can have security implications "
 "when a source doesn't validate email addresses."
 msgstr ""
-"Enlace a un usuario con la misma dirección de correo electrónico. Puede "
+"Apunta a un usuario con una dirección de correo electrónico idéntica. Puede "
-"tener implicaciones de seguridad cuando una fuente no valida las direcciones"
+"tener implicaciones de seguridad cuando una fuente no valida la dirección de"
-" de correo electrónico."
+" correo electrónico."
 #: authentik/core/models.py
 msgid ""
@ -305,8 +305,8 @@ msgid ""
 "Link to a user with identical username. Can have security implications when "
 "a username is used with another source."
 msgstr ""
-"Enlace a un usuario con el mismo nombre de usuario. Puede tener "
+"Enlace a un usuario con un nombre de usuario idéntico. Puede tener "
-"implicaciones de seguridad cuando un nombre de usuario se utiliza con otra "
+"implicaciones de seguridad cuando se usa un nombre de usuario con otra "
 "fuente."
 #: authentik/core/models.py
@ -322,8 +322,8 @@ msgid ""
 "Link to a group with identical name. Can have security implications when a "
 "group name is used with another source."
 msgstr ""
-"Enlace a un grupo con el mismo nombre. Puede tener implicaciones de "
+"Enlace a un grupo con un nombre idéntico. Puede tener implicaciones de "
-"seguridad cuando un nombre de grupo se utiliza con otra fuente."
+"seguridad cuando se utiliza un nombre de grupo con otra fuente."
 #: authentik/core/models.py
 msgid "Use the group name, but deny enrollment when the name already exists."
@ -385,7 +385,7 @@ msgstr "Asignaciones de Propiedades"
 #: authentik/core/models.py
 msgid "session data"
-msgstr "datos de sesión"
+msgstr ""
 #: authentik/core/models.py
 msgid "Session"
@ -424,7 +424,7 @@ msgstr "¡Autenticado exitosamente con {source}!"
 #: authentik/core/sources/flow_manager.py
 #, python-brace-format
 msgid "Successfully linked {source}!"
-msgstr "¡{source} enlazado correctamente!"
+msgstr "¡{source} vinculado exitosamente!"
 #: authentik/core/sources/flow_manager.py
 msgid "Source is not configured for enrollment."
@ -476,11 +476,11 @@ msgstr ""
 #: authentik/crypto/models.py
 msgid "Certificate-Key Pair"
-msgstr "Par Certificado-Clave"
+msgstr "Par de claves de certificado"
 #: authentik/crypto/models.py
 msgid "Certificate-Key Pairs"
-msgstr "Pares Certificado-Clave"
+msgstr "Pares de claves de certificado"
 #: authentik/enterprise/api.py
 msgid "Enterprise is required to create/update this object."
@ -511,7 +511,7 @@ msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Number of passwords to check against."
-msgstr "Número de contraseñas contra las que verificar."
+msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 #: authentik/policies/password/models.py
@ -521,20 +521,18 @@ msgstr "La contraseña no se ha establecido en contexto"
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "This password has been used previously. Please choose a different one."
 msgstr ""
 "Esta contraseña se ha utilizado anteriormente. Por favor, elija una "
 "diferente."
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policy"
-msgstr "Política de Unicidad de Contraseñas"
+msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "Password Uniqueness Policies"
-msgstr "Políticas de Unicidad de Contraseñas"
+msgstr ""
 #: authentik/enterprise/policies/unique_password/models.py
 msgid "User Password History"
-msgstr "Historial de Contraseñas del Usuario"
+msgstr ""
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
@ -619,39 +617,39 @@ msgstr "Clave de firma"
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Key used to sign the SSF Events."
-msgstr "Clave utilizada para firmar los eventos SSF."
+msgstr ""
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Provider"
-msgstr "Proveedor del Marco de Señales Compartidas"
+msgstr ""
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Shared Signals Framework Providers"
-msgstr "Proveedores del Marco de Señales Compartidas"
+msgstr ""
 #: authentik/enterprise/providers/ssf/models.py
 msgid "Add stream to SSF provider"
-msgstr "Agregar flujo de datos al proveedor SSF"
+msgstr ""
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream"
-msgstr "Flujo de Datos SSF"
+msgstr ""
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Streams"
-msgstr "Flujos de Datos SSF"
+msgstr ""
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Event"
-msgstr "Evento de Flujo de Datos SSF"
+msgstr ""
 #: authentik/enterprise/providers/ssf/models.py
 msgid "SSF Stream Events"
-msgstr "Eventos de Flujos de Datos SSF"
+msgstr ""
 #: authentik/enterprise/providers/ssf/tasks.py
 msgid "Failed to send request"
-msgstr "Error al enviar la solicitud"
+msgstr "Falló envio de petición"
 #: authentik/enterprise/stages/authenticator_endpoint_gdtc/models.py
 msgid "Endpoint Authenticator Google Device Trust Connector Stage"
@ -683,29 +681,26 @@ msgid ""
 "option has a higher priority than the `client_certificate` option on "
 "`Brand`."
 msgstr ""
 "Configura las autoridades certificadoras para validar el certificado. Esta "
 "opción tiene una prioridad mayor que la opción `client_certificate` en "
 "`Brand`."
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Mutual TLS Stage"
-msgstr "Etapa de TLS mutuo"
+msgstr ""
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Mutual TLS Stages"
-msgstr "Etapas de TLS mutuo"
+msgstr ""
 #: authentik/enterprise/stages/mtls/models.py
 msgid "Permissions to pass Certificates for outposts."
-msgstr "Permisos para pasar Certificados a los puestos avanzados."
+msgstr ""
 #: authentik/enterprise/stages/mtls/stage.py
 msgid "Certificate required but no certificate was given."
-msgstr "Se requiere certificado, pero no se proporcionó ninguno."
+msgstr ""
 #: authentik/enterprise/stages/mtls/stage.py
 msgid "No user found for certificate."
-msgstr "No se encontró usuario para el certificado."
+msgstr ""
 #: authentik/enterprise/stages/source/models.py
 msgid ""
@ -758,16 +753,12 @@ msgid ""
 "Customize the body of the request. Mapping should return data that is JSON-"
 "serializable."
 msgstr ""
 "Personaliza el cuerpo de la solicitud. El mapeo debe devolver datos que sean"
 " serializables en JSON."
 #: authentik/events/models.py
 msgid ""
 "Configure additional headers to be sent. Mapping should return a dictionary "
 "of key-value pairs"
 msgstr ""
 "Configura encabezados adicionales para enviar. El mapeo debe devolver un "
 "diccionario de pares clave-valor"
 #: authentik/events/models.py
 msgid ""
@ -795,7 +786,7 @@ msgstr "Transporte de notificaciones"
 #: authentik/events/models.py
 msgid "Notification Transports"
-msgstr "Medios de Notificación"
+msgstr "Transportes de notificación"
 #: authentik/events/models.py
 msgid "Notice"
@ -822,9 +813,9 @@ msgid ""
 "Select which transports should be used to notify the user. If none are "
 "selected, the notification will only be shown in the authentik UI."
 msgstr ""
-"Selecciona qué medios se deben usar para notificar al usuario. Si no se "
+"Seleccione qué transportes se deben usar para notificar al usuario. Si no se"
-"selecciona ninguno, la notificación solo se mostrará en la interfaz de "
+" selecciona ninguno, la notificación solo se mostrará en la interfaz de "
-"authentik."
+"usuario de authentik."
 #: authentik/events/models.py
 msgid "Controls which severity level the created notifications will have."
@ -996,7 +987,7 @@ msgstr "Evalúa políticas durante el proceso de planeación del Flujo."
 #: authentik/flows/models.py
 msgid "Evaluate policies when the Stage is presented to the user."
-msgstr "Evaluar las políticas cuando la Etapa se presenta al usuario."
+msgstr ""
 #: authentik/flows/models.py
 msgid ""
@ -1043,8 +1034,6 @@ msgid ""
 "When enabled, provider will not modify or create objects in the remote "
 "system."
 msgstr ""
 "Cuando está habilitado, el proveedor no modificará ni creará objetos en el "
 "sistema remoto."
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Starting full provider sync"
@ -1052,21 +1041,20 @@ msgstr "Iniciando sincronización completa de proveedor"
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing users"
-msgstr "Sincronizando usuarios"
+msgstr ""
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Syncing groups"
-msgstr "Sincronizando grupos"
+msgstr ""
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
-msgid "Syncing page {page} of {object_type}"
+msgid "Syncing page {page} of groups"
-msgstr "Sincronizando página {page} de {object_type}"
+msgstr "Sincronizando página {page} de grupos"
 #: authentik/lib/sync/outgoing/tasks.py
 msgid "Dropping mutating request due to dry run"
 msgstr ""
 "Descartando solicitud de mutación debido a ejecución en modo de simulación"
 #: authentik/lib/sync/outgoing/tasks.py
 #, python-brace-format
@ -1245,7 +1233,7 @@ msgstr ""
 #: authentik/policies/expiry/models.py
 msgid "Password has expired."
-msgstr "La contraseña ha expirado."
+msgstr "La contraseña ha caducado."
 #: authentik/policies/expiry/models.py
 msgid "Password Expiry Policy"
@ -1283,7 +1271,7 @@ msgstr "La IP del cliente no está en un país permitido."
 #: authentik/policies/geoip/models.py
 msgid "Distance from previous authentication is larger than threshold."
-msgstr "La distancia desde la autenticación anterior es mayor que el umbral."
+msgstr "La distancia desde la autenticación previa es mayor que el límite."
 #: authentik/policies/geoip/models.py
 msgid "Distance is further than possible."
@ -1332,7 +1320,7 @@ msgstr "Vinculación de Políticas"
 #: authentik/policies/models.py
 msgid "Policy Bindings"
-msgstr "Vinculaciones de Políticas"
+msgstr "Vinculaciones de políticas"
 #: authentik/policies/models.py
 msgid ""
@ -1606,11 +1594,11 @@ msgstr "ES256 (Encriptación Asimétrica)"
 #: authentik/providers/oauth2/models.py
 msgid "ES384 (Asymmetric Encryption)"
-msgstr "ES384 (Encriptación Asimétrica)"
+msgstr ""
 #: authentik/providers/oauth2/models.py
 msgid "ES512 (Asymmetric Encryption)"
-msgstr "ES512 (Encriptación Asimétrica)"
+msgstr ""
 #: authentik/providers/oauth2/models.py
 msgid "Scope used by the client"
@ -1825,7 +1813,7 @@ msgstr "Valida Certificados SSL de servidores de origen"
 #: authentik/providers/proxy/models.py
 msgid "Internal host SSL Validation"
-msgstr "Validación SSL del host interno"
+msgstr "Validación SSL de host interno"
 #: authentik/providers/proxy/models.py
 msgid ""
@ -2039,7 +2027,7 @@ msgstr ""
 #: authentik/providers/saml/models.py
 msgid "AuthnContextClassRef Property Mapping"
-msgstr "Asignación de Propiedades de AuthnContextClassRef"
+msgstr ""
 #: authentik/providers/saml/models.py
 msgid ""
@ -2047,9 +2035,6 @@ msgid ""
 "empty, the AuthnContextClassRef will be set based on which authentication "
 "methods the user used to authenticate."
 msgstr ""
 "Configura cómo se creará el valor de AuthnContextClassRef. Si se deja vacío,"
 " el AuthnContextClassRef se establecerá según los métodos de autenticación "
 "que el usuario haya utilizado para autenticarse."
 #: authentik/providers/saml/models.py
 msgid ""
@ -2199,11 +2184,11 @@ msgstr "Predeterminado"
 #: authentik/providers/scim/models.py
 msgid "AWS"
-msgstr "AWS"
+msgstr ""
 #: authentik/providers/scim/models.py
 msgid "Slack"
-msgstr "Slack"
+msgstr ""
 #: authentik/providers/scim/models.py
 msgid "Base URL to SCIM requests, usually ends in /v2"
@ -2215,13 +2200,11 @@ msgstr "Token de Autenticación"
 #: authentik/providers/scim/models.py
 msgid "SCIM Compatibility Mode"
-msgstr "Modo de Compatibilidad SCIM"
+msgstr ""
 #: authentik/providers/scim/models.py
 msgid "Alter authentik behavior for vendor-specific SCIM implementations."
 msgstr ""
 "Modificar el comportamiento de authentik para implementaciones SCIM "
 "específicas de proveedores."
 #: authentik/providers/scim/models.py
 msgid "SCIM Provider"
@ -2249,7 +2232,7 @@ msgstr "Roles"
 #: authentik/rbac/models.py
 msgid "Initial Permissions"
-msgstr "Permisos Iniciales"
+msgstr ""
 #: authentik/rbac/models.py
 msgid "System permission"
@ -2287,7 +2270,7 @@ msgstr ""
 #: authentik/recovery/views.py
 msgid "Used recovery-link to authenticate."
-msgstr "Se utilizó un enlace de recuperación para autenticarse."
+msgstr "Se usó el enlace de recuperación para autenticarse."
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos realm"
@ -2299,7 +2282,7 @@ msgstr "krb5.conf personalizado a usar. Usa el del sistema por defecto."
 #: authentik/sources/kerberos/models.py
 msgid "KAdmin server type"
-msgstr "Tipo de servidor KAdmin"
+msgstr ""
 #: authentik/sources/kerberos/models.py
 msgid "Sync users from Kerberos into authentik"
@ -2307,24 +2290,23 @@ msgstr "Sincronizar usuarios desde Kerberos hacia Authentik"
 #: authentik/sources/kerberos/models.py
 msgid "When a user changes their password, sync it back to Kerberos"
-msgstr ""
+msgstr "Cuando un usuario cambia su contraseña, sincronizarlo hacia Kerberos"
 "Cuando un usuario cambie su contraseña, sincronizarla de vuelta a Kerberos."
 #: authentik/sources/kerberos/models.py
 msgid "Principal to authenticate to kadmin for sync."
-msgstr "Principal para autenticarse en kadmin para la sincronización."
+msgstr "Principal para autenticarse como kadmin para la sincronización."
 #: authentik/sources/kerberos/models.py
 msgid "Password to authenticate to kadmin for sync"
-msgstr "Contraseña para autenticarse en kadmin para la sincronización"
+msgstr "Contraseña para autenticarse como kadmin para la sincronización"
 #: authentik/sources/kerberos/models.py
 msgid ""
 "Keytab to authenticate to kadmin for sync. Must be base64-encoded or in the "
 "form TYPE:residual"
 msgstr ""
-"Keytab para autenticarse en kadmin para la sincronización. Debe estar "
+"Keytab para autenticarse como kadmin para la sincronización. Debe estar "
-"codificado en base64 o en el formato TIPO:residuo"
+"codificado en base64 o en el formato TIPO:residual"
 #: authentik/sources/kerberos/models.py
 msgid ""
@ -2340,7 +2322,7 @@ msgid ""
 "HTTP@hostname"
 msgstr ""
 "Forzar el uso de un nombre de servidor específico para SPNEGO. Debe estar en"
-" el formato HTTP@nombre_de_host"
+" el formato HTTP@nombredelservidor"
 #: authentik/sources/kerberos/models.py
 msgid "SPNEGO keytab base64-encoded or path to keytab in the form FILE:path"
@ -2357,8 +2339,8 @@ msgid ""
 "If enabled, the authentik-stored password will be updated upon login with "
 "the Kerberos password backend"
 msgstr ""
-"Si está habilitado, la contraseña almacenada en authentik se actualizará al "
+"Si está habilitado, la contraseña almacenada por authentik será actualizada "
-"iniciar sesión con el backend de contraseñas de Kerberos."
+"al iniciar sesión con el backend de contraseñas Kerberos"
 #: authentik/sources/kerberos/models.py
 msgid "Kerberos Source"
@ -2406,7 +2388,7 @@ msgid ""
 msgstr ""
 "\n"
 "                    Asegúrate de que tienes entradas válidas\n"
-"                    (obtenibles mediante kinit) \n"
+"                    (se obtienen a través de kinit) \n"
 "                    y de haber configurado correctamente el navegador.\n"
 "                    Por favor, contacta a tu administrador.\n"
 "                "
@ -2471,10 +2453,6 @@ msgstr "DN de grupo de adición"
 msgid "Consider Objects matching this filter to be Users."
 msgstr "Considere que los objetos que coinciden con este filtro son usuarios."
 #: authentik/sources/ldap/models.py
 msgid "Attribute which matches the value of `group_membership_field`."
 msgstr "Atributo que coincide con el valor de `group_membership_field`."
 #: authentik/sources/ldap/models.py
 msgid "Field which contains members of a group."
 msgstr "Campo que contiene los miembros de un grupo."
@ -2507,17 +2485,12 @@ msgid ""
 "attribute. This allows nested group resolution on systems like FreeIPA and "
 "Active Directory"
 msgstr ""
 "Buscar la pertenencia a grupos basándose en un atributo del usuario en lugar"
 " de un atributo del grupo. Esto permite la resolución de grupos anidados en "
 "sistemas como FreeIPA y Active Directory"
 #: authentik/sources/ldap/models.py
 msgid ""
 "Delete authentik users and groups which were previously supplied by this "
 "source, but are now missing from it."
 msgstr ""
 "Eliminar usuarios y grupos de authentik que fueron proporcionados "
 "previamente por esta fuente, pero que ahora están ausentes."
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
@ -2539,24 +2512,22 @@ msgstr "Asignaciones de Propiedades de Fuente de LDAP"
 msgid ""
 "Unique ID used while checking if this object still exists in the directory."
 msgstr ""
 "ID único utilizado para verificar si este objeto aún existe en el "
 "directorio."
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connection"
-msgstr "Conexión de Fuente LDAP de Usuario"
+msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "User LDAP Source Connections"
-msgstr "Conexiones de Fuente LDAP de Usuario"
+msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connection"
-msgstr "Conexión de Fuente LDAP de Grupo"
+msgstr ""
 #: authentik/sources/ldap/models.py
 msgid "Group LDAP Source Connections"
-msgstr "Conexiones de Fuente LDAP de Grupo"
+msgstr ""
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
@ -2568,11 +2539,11 @@ msgstr "No se recibió ningún token."
 #: authentik/sources/oauth/models.py
 msgid "HTTP Basic Authentication"
-msgstr "Autenticación Básica HTTP"
+msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Include the client ID and secret as request parameters"
-msgstr "Incluir el ID de cliente y el secreto como parámetros de la solicitud"
+msgstr ""
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
@ -2619,8 +2590,6 @@ msgid ""
 "How to perform authentication during an authorization_code token request "
 "flow"
 msgstr ""
 "Cómo realizar la autenticación durante un flujo de solicitud de token con "
 "authorization_code"
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
@ -2938,7 +2907,7 @@ msgstr "Conexiones de Fuente de SAML de Grupo"
 #: authentik/sources/saml/views.py
 #, python-brace-format
 msgid "Continue to {source_name}"
-msgstr "Continuar a {source_name}"
+msgstr ""
 #: authentik/sources/scim/models.py
 msgid "SCIM Source"
@ -2974,7 +2943,7 @@ msgstr "Dispositivos Duo"
 #: authentik/stages/authenticator_email/models.py
 msgid "Email OTP"
-msgstr "OTP por Correo Electrónico"
+msgstr ""
 #: authentik/stages/authenticator_email/models.py
 #: authentik/stages/email/models.py
@ -2995,11 +2964,11 @@ msgstr ""
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Authenticator Setup Stage"
-msgstr "Etapa de Configuración del Autenticador de Correo Electrónico"
+msgstr ""
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Authenticator Setup Stages"
-msgstr "Etapas de Configuración del Autenticador de Correo Electrónico"
+msgstr ""
 #: authentik/stages/authenticator_email/models.py
 #: authentik/stages/authenticator_email/stage.py
@ -3010,11 +2979,11 @@ msgstr ""
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Device"
-msgstr "Dispositivo de correo electrónico"
+msgstr "Dispositivo de Email"
 #: authentik/stages/authenticator_email/models.py
 msgid "Email Devices"
-msgstr "Dispositivos de correo electrónico"
+msgstr "Dispositivos de Email"
 #: authentik/stages/authenticator_email/stage.py
 #: authentik/stages/authenticator_sms/stage.py
@ -3024,7 +2993,7 @@ msgstr "El código no coincide"
 #: authentik/stages/authenticator_email/stage.py
 msgid "Invalid email"
-msgstr "Correo electrónico inválido"
+msgstr "Email Inválido"
 #: authentik/stages/authenticator_email/templates/email/email_otp.html
 #: authentik/stages/email/templates/email/password_reset.html
@ -3044,9 +3013,6 @@ msgid ""
 "          Email MFA code.\n"
 "          "
 msgstr ""
 "\n"
 "          Código MFA por correo electrónico.\n"
 "          "
 #: authentik/stages/authenticator_email/templates/email/email_otp.html
 #, python-format
@ -3056,8 +3022,7 @@ msgid ""
 "    "
 msgstr ""
 "\n"
-"    Si no solicitaste este código, por favor ignora este correo. El código anterior es válido por %(expires)s.\n"
+"Si no solicitaste este código, por favor ignora este correo. El código anterior es válido por %(expires)s."
 "    "
 #: authentik/stages/authenticator_email/templates/email/email_otp.txt
 #: authentik/stages/email/templates/email/password_reset.txt
@ -3070,8 +3035,6 @@ msgid ""
 "\n"
 "Email MFA code\n"
 msgstr ""
 "\n"
 "Código MFA por correo electrónico\n"
 #: authentik/stages/authenticator_email/templates/email/email_otp.txt
 #, python-format
@ -3313,8 +3276,8 @@ msgstr "No se pudo validar el token"
 msgid ""
 "Offset after which consent expires. (Format: hours=1;minutes=2;seconds=3)."
 msgstr ""
-"Desfase después del cual expira el consentimiento. (Formato: "
+"Compensación después de la cual caduca el consentimiento. (Formato: horas = "
-"hours=1;minutes=2;seconds=3)."
+"1; minutos = 2; segundos = 3)."
 #: authentik/stages/consent/models.py
 msgid "Consent Stage"
@ -3334,7 +3297,7 @@ msgstr "Consentimientos del usuario"
 #: authentik/stages/consent/stage.py
 msgid "Invalid consent token, re-showing prompt"
-msgstr "Token de consentimiento inválido, mostrando el aviso nuevamente"
+msgstr ""
 #: authentik/stages/deny/models.py
 msgid "Deny Stage"
@ -3354,11 +3317,11 @@ msgstr "Etapas ficticias"
 #: authentik/stages/email/flow.py
 msgid "Continue to confirm this email address."
-msgstr "Continúa para confirmar esta dirección de correo electrónico."
+msgstr ""
 #: authentik/stages/email/flow.py
 msgid "Link was already used, please request a new link."
-msgstr "El enlace ya fue utilizado, por favor, solícita uno nuevo."
+msgstr ""
 #: authentik/stages/email/models.py
 msgid "Password Reset"
@ -3482,8 +3445,7 @@ msgid ""
 "    "
 msgstr ""
 "\n"
-"    Si no solicitaste un cambio de contraseña, por favor ignora este correo. El enlace anterior es válido por %(expires)s.\n"
+"Si no solicitaste un cambio de contraseña, por favor ignora este correo. El enlace anterior es válido por %(expires)s."
 "    "
 #: authentik/stages/email/templates/email/password_reset.txt
 msgid ""
@ -3567,26 +3529,24 @@ msgid ""
 "Show the user the 'Remember me on this device' toggle, allowing repeat users"
 " to skip straight to entering their password."
 msgstr ""
 "Mostrar al usuario la opción \"Recordarme en este dispositivo\", permitiendo"
 " que los usuarios recurrentes pasen directamente a ingresar su contraseña."
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
-"Flujo de inscripción opcional, que se enlaza en la parte inferior de la "
+"Flujo de inscripción opcional, que está vinculado en la parte inferior de la"
-"página."
+" página."
 #: authentik/stages/identification/models.py
 msgid "Optional recovery flow, which is linked at the bottom of the page."
 msgstr ""
-"Flujo de recuperación opcional, que se enlaza en la parte inferior de la "
+"Flujo de recuperación opcional, que está vinculado en la parte inferior de "
-"página."
+"la página."
 #: authentik/stages/identification/models.py
 msgid "Optional passwordless flow, which is linked at the bottom of the page."
 msgstr ""
-"Flujo opcional sin contraseña, que se enlaza en la parte inferior de la "
+"Flujo sin contraseña opcional, el cual está vinculado en la parte inferior "
-"página."
+"de la página."
 #: authentik/stages/identification/models.py
 msgid "Specify which sources should be shown."
@ -3820,11 +3780,11 @@ msgstr "Las contraseñas no coinciden."
 #: authentik/stages/redirect/api.py
 msgid "Target URL should be present when mode is Static."
-msgstr "La URL de destino debe estar presente cuando el modo es Estático."
+msgstr ""
 #: authentik/stages/redirect/api.py
 msgid "Target Flow should be present when mode is Flow."
-msgstr "El Flujo de Destino debe estar presente cuando el modo es Flujo."
+msgstr ""
 #: authentik/stages/redirect/models.py
 msgid "Redirect Stage"
@ -3881,6 +3841,10 @@ msgstr "Etapas de inicio de"
 msgid "No Pending user to login."
 msgstr "Ningún usuario pendiente para iniciar sesión."
 #: authentik/stages/user_login/stage.py
 msgid "Successfully logged in!"
 msgstr "¡Se ha iniciado sesión correctamente!"
 #: authentik/stages/user_logout/models.py
 msgid "User Logout Stage"
 msgstr "Etapa de cierre de sesión del usuario"
@ -3956,12 +3920,10 @@ msgstr ""
 #: authentik/tenants/models.py
 msgid "Reputation cannot decrease lower than this value. Zero or negative."
 msgstr ""
 "La reputación no puede disminuir por debajo de este valor. Cero o negativo."
 #: authentik/tenants/models.py
 msgid "Reputation cannot increase higher than this value. Zero or positive."
 msgstr ""
 "La reputación no puede aumentar por encima de este valor. Cero o positivo."
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
@ -3984,8 +3946,8 @@ msgstr "Personificación habilitada/deshabilitada globalmente."
 #: authentik/tenants/models.py
 msgid "Require administrators to provide a reason for impersonating a user."
 msgstr ""
-"Requerir que los administradores proporcionen una razón para personificar a "
+"Requerir a los administradores proporcionar una razón para suplantar un "
-"un usuario."
+"usuario."
 #: authentik/tenants/models.py
 msgid "Default token duration"
@ -3997,7 +3959,7 @@ msgstr "Longitud predeterminada del token"
 #: authentik/tenants/models.py
 msgid "Tenant"
-msgstr "Inquilino"
+msgstr "inquilino"
 #: authentik/tenants/models.py
 msgid "Tenants"
--- a/pyproject.toml
+++ b/pyproject.toml
@ -40,7 +40,7 @@ dependencies = [
    "gunicorn==23.0.0",
    "jsonpatch==1.33",
    "jwcrypto==1.5.6",
-    "kubernetes==33.1.0",
+    "kubernetes==32.0.1",
    "ldap3==2.9.1",
    "lxml==5.4.0",
    "msgraph-sdk==1.33.0",
@ -56,13 +56,13 @@ dependencies = [
    "pyyaml==6.0.2",
    "requests-oauthlib==2.0.0",
    "scim2-filter-parser==0.7.0",
-    "sentry-sdk==2.30.0",
+    "sentry-sdk==2.29.1",
    "service-identity==24.2.0",
    "setproctitle==1.3.6",
    "structlog==25.4.0",
    "swagger-spec-validator==3.0.4",
    "tenant-schemas-celery==3.0.0",
-    "twilio==9.6.3",
+    "twilio==9.6.2",
    "ua-parser==1.0.1",
    "unidecode==1.4.0",
    "urllib3<3",
--- a/tests/e2e/test_provider_ldap.py
+++ b/tests/e2e/test_provider_ldap.py
@ -2,6 +2,7 @@
 from dataclasses import asdict
 from time import sleep
 from unittest.mock import patch
 from guardian.shortcuts import assign_perm
 from ldap3 import ALL, ALL_ATTRIBUTES, ALL_OPERATIONAL_ATTRIBUTES, SUBTREE, Connection, Server
@ -15,10 +16,12 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.apps import MANAGED_OUTPOST
 from authentik.outposts.models import Outpost, OutpostConfig, OutpostType
 from authentik.outposts.tests.test_ws import patched__get_ct_cached
 from authentik.providers.ldap.models import APIAccessMode, LDAPProvider
 from tests.e2e.utils import SeleniumTestCase, retry
@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestProviderLDAP(SeleniumTestCase):
    """LDAP and Outpost e2e tests"""
--- a/tests/e2e/test_provider_proxy.py
+++ b/tests/e2e/test_provider_proxy.py
@ -6,6 +6,7 @@ from json import loads
 from sys import platform
 from time import sleep
 from unittest.case import skip, skipUnless
 from unittest.mock import patch
 from channels.testing import ChannelsLiveServerTestCase
 from jwt import decode
@ -17,10 +18,12 @@ from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.models import DockerServiceConnection, Outpost, OutpostConfig, OutpostType
 from authentik.outposts.tasks import outpost_connection_discovery
 from authentik.outposts.tests.test_ws import patched__get_ct_cached
 from authentik.providers.proxy.models import ProxyProvider
 from tests.e2e.utils import SeleniumTestCase, retry
@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestProviderProxy(SeleniumTestCase):
    """Proxy and Outpost e2e tests"""
--- a/tests/e2e/test_provider_proxy_forward.py
+++ b/tests/e2e/test_provider_proxy_forward.py
@ -4,6 +4,7 @@ from json import loads
 from pathlib import Path
 from time import sleep
 from unittest import skip
 from unittest.mock import patch
 from selenium.webdriver.common.by import By
@ -12,10 +13,12 @@ from authentik.core.models import Application
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id
 from authentik.outposts.models import Outpost, OutpostType
 from authentik.outposts.tests.test_ws import patched__get_ct_cached
 from authentik.providers.proxy.models import ProxyMode, ProxyProvider
 from tests.e2e.utils import SeleniumTestCase, retry
@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestProviderProxyForward(SeleniumTestCase):
    """Proxy and Outpost e2e tests"""
--- a/tests/e2e/test_provider_radius.py
+++ b/tests/e2e/test_provider_radius.py
@ -2,6 +2,7 @@
 from dataclasses import asdict
 from time import sleep
 from unittest.mock import patch
 from pyrad.client import Client
 from pyrad.dictionary import Dictionary
@ -12,10 +13,12 @@ from authentik.core.models import Application, User
 from authentik.flows.models import Flow
 from authentik.lib.generators import generate_id, generate_key
 from authentik.outposts.models import Outpost, OutpostConfig, OutpostType
 from authentik.outposts.tests.test_ws import patched__get_ct_cached
 from authentik.providers.radius.models import RadiusProvider
 from tests.e2e.utils import SeleniumTestCase, retry
@patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached)
 class TestProviderRadius(SeleniumTestCase):
    """Radius Outpost e2e tests"""
--- a/tests/e2e/utils.py
+++ b/tests/e2e/utils.py
@ -1,6 +1,7 @@
 """authentik e2e testing utilities"""
 import json
 import os
 import socket
 from collections.abc import Callable
 from functools import lru_cache, wraps
@ -36,12 +37,22 @@ from authentik.core.api.users import UserSerializer
 from authentik.core.models import User
 from authentik.core.tests.utils import create_test_admin_user
 from authentik.lib.generators import generate_id
 from authentik.root.test_runner import get_docker_tag
 IS_CI = "CI" in environ
 RETRIES = int(environ.get("RETRIES", "3")) if IS_CI else 1
 def get_docker_tag() -> str:
    """Get docker-tag based off of CI variables"""
    env_pr_branch = "GITHUB_HEAD_REF"
    default_branch = "GITHUB_REF"
    branch_name = os.environ.get(default_branch, "main")
    if os.environ.get(env_pr_branch, "") != "":
        branch_name = os.environ[env_pr_branch]
    branch_name = branch_name.replace("refs/heads/", "").replace("/", "-")
    return f"gh-{branch_name}"
 def get_local_ip() -> str:
    """Get the local machine's IP"""
    hostname = socket.gethostname()
--- a/uv.lock
+++ b/uv.lock
@ -301,7 +301,7 @@ requires-dist = [
    { name = "gunicorn", specifier = "==23.0.0" },
    { name = "jsonpatch", specifier = "==1.33" },
    { name = "jwcrypto", specifier = "==1.5.6" },
-    { name = "kubernetes", specifier = "==33.1.0" },
+    { name = "kubernetes", specifier = "==32.0.1" },
    { name = "ldap3", specifier = "==2.9.1" },
    { name = "lxml", specifier = "==5.4.0" },
    { name = "msgraph-sdk", specifier = "==1.33.0" },
@ -317,13 +317,13 @@ requires-dist = [
    { name = "pyyaml", specifier = "==6.0.2" },
    { name = "requests-oauthlib", specifier = "==2.0.0" },
    { name = "scim2-filter-parser", specifier = "==0.7.0" },
-    { name = "sentry-sdk", specifier = "==2.30.0" },
+    { name = "sentry-sdk", specifier = "==2.29.1" },
    { name = "service-identity", specifier = "==24.2.0" },
    { name = "setproctitle", specifier = "==1.3.6" },
    { name = "structlog", specifier = "==25.4.0" },
    { name = "swagger-spec-validator", specifier = "==3.0.4" },
    { name = "tenant-schemas-celery", specifier = "==3.0.0" },
-    { name = "twilio", specifier = "==9.6.3" },
+    { name = "twilio", specifier = "==9.6.2" },
    { name = "ua-parser", specifier = "==1.0.1" },
    { name = "unidecode", specifier = "==1.4.0" },
    { name = "urllib3", specifier = "<3" },
@ -1772,7 +1772,7 @@ wheels = [
 [[package]]
 name = "kubernetes"
-version = "33.1.0"
+version = "32.0.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "certifi" },
@ -1787,9 +1787,9 @@ dependencies = [
    { name = "urllib3" },
    { name = "websocket-client" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/ae/52/19ebe8004c243fdfa78268a96727c71e08f00ff6fe69a301d0b7fcbce3c2/kubernetes-33.1.0.tar.gz", hash = "sha256:f64d829843a54c251061a8e7a14523b521f2dc5c896cf6d65ccf348648a88993", size = 1036779, upload-time = "2025-06-09T21:57:58.521Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/b7/e8/0598f0e8b4af37cd9b10d8b87386cf3173cb8045d834ab5f6ec347a758b3/kubernetes-32.0.1.tar.gz", hash = "sha256:42f43d49abd437ada79a79a16bd48a604d3471a117a8347e87db693f2ba0ba28", size = 946691, upload-time = "2025-02-18T21:06:34.148Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/89/43/d9bebfc3db7dea6ec80df5cb2aad8d274dd18ec2edd6c4f21f32c237cbbb/kubernetes-33.1.0-py2.py3-none-any.whl", hash = "sha256:544de42b24b64287f7e0aa9513c93cb503f7f40eea39b20f66810011a86eabc5", size = 1941335, upload-time = "2025-06-09T21:57:56.327Z" },
+    { url = "https://files.pythonhosted.org/packages/08/10/9f8af3e6f569685ce3af7faab51c8dd9d93b9c38eba339ca31c746119447/kubernetes-32.0.1-py2.py3-none-any.whl", hash = "sha256:35282ab8493b938b08ab5526c7ce66588232df00ef5e1dbe88a419107dc10998", size = 1988070, upload-time = "2025-02-18T21:06:31.391Z" },
 ]
 [[package]]
@ -2931,15 +2931,15 @@ wheels = [
 [[package]]
 name = "sentry-sdk"
-version = "2.30.0"
+version = "2.29.1"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "certifi" },
    { name = "urllib3" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/04/4c/af31e0201b48469786ddeb1bf6fd3dfa3a291cc613a0fe6a60163a7535f9/sentry_sdk-2.30.0.tar.gz", hash = "sha256:436369b02afef7430efb10300a344fb61a11fe6db41c2b11f41ee037d2dd7f45", size = 326767, upload-time = "2025-06-12T10:34:34.733Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/22/67/d552a5f8e5a6a56b2feea6529e2d8ccd54349084c84176d5a1f7295044bc/sentry_sdk-2.29.1.tar.gz", hash = "sha256:8d4a0206b95fa5fe85e5e7517ed662e3888374bdc342c00e435e10e6d831aa6d", size = 325518, upload-time = "2025-05-19T14:27:38.512Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/5a/99/31ac6faaae33ea698086692638f58d14f121162a8db0039e68e94135e7f1/sentry_sdk-2.30.0-py2.py3-none-any.whl", hash = "sha256:59391db1550662f746ea09b483806a631c3ae38d6340804a1a4c0605044f6877", size = 343149, upload-time = "2025-06-12T10:34:32.896Z" },
+    { url = "https://files.pythonhosted.org/packages/f0/e5/da07b0bd832cefd52d16f2b9bbbe31624d57552602c06631686b93ccb1bd/sentry_sdk-2.29.1-py2.py3-none-any.whl", hash = "sha256:90862fe0616ded4572da6c9dadb363121a1ae49a49e21c418f0634e9d10b4c19", size = 341553, upload-time = "2025-05-19T14:27:36.882Z" },
 ]
 [[package]]
@ -3151,7 +3151,7 @@ wheels = [
 [[package]]
 name = "twilio"
-version = "9.6.3"
+version = "9.6.2"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
    { name = "aiohttp" },
@ -3159,9 +3159,9 @@ dependencies = [
    { name = "pyjwt" },
    { name = "requests" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/fb/af/1b401bc4cfd3eb41c7e2a98d0040d2bcfd2ad3217f3163401121179b3fb3/twilio-9.6.3.tar.gz", hash = "sha256:16a8c2ab9550343c25c8a195f31db9e230d9b341eca31ebdd301109910fd9730", size = 1041494, upload-time = "2025-06-12T10:40:55.63Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/fa/c9/441a07f6552f2b504812501d56c41bd85b02afeef6c23ab8baf41ed6c70e/twilio-9.6.2.tar.gz", hash = "sha256:5da13bb497e39ece34cb9f2b3bc911f3288928612748f7688b3bda262c2767a1", size = 1041300, upload-time = "2025-05-29T12:25:04.59Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/c9/35/d61a3581eb223e5e1fc0add1c397d7bb60014b22790e8f89aa5eb4e41e04/twilio-9.6.3-py2.py3-none-any.whl", hash = "sha256:a9b2cf11b0718394f12c43585ca25b9094f12b82ff975f1561fcec7f0f6f49b2", size = 1909549, upload-time = "2025-06-12T10:40:53.67Z" },
+    { url = "https://files.pythonhosted.org/packages/67/91/382e83e5d205a7ae4325b66d40cd2fa6ce85526f2ed8fc553265e19abbe4/twilio-9.6.2-py2.py3-none-any.whl", hash = "sha256:8d4af6f42850734a921857df42940f7fed84e3e4a508d0d6bef5b9fb7dc08357", size = 1909253, upload-time = "2025-05-29T12:25:02.521Z" },
 ]
 [[package]]
--- a/web/package-lock.json
+++ b/web/package-lock.json
@ -31,8 +31,8 @@
                "@open-wc/lit-helpers": "^0.7.0",
                "@patternfly/elements": "^4.1.0",
                "@patternfly/patternfly": "^4.224.2",
-                "@sentry/browser": "^9.28.1",
+                "@sentry/browser": "^9.28.0",
-                "@spotlightjs/spotlight": "^3.0.0",
+                "@spotlightjs/spotlight": "^2.13.3",
                "@webcomponents/webcomponentsjs": "^2.8.0",
                "base64-js": "^1.5.1",
                "change-case": "^5.4.4",
@ -4478,75 +4478,75 @@
            "dev": true
        },
        "node_modules/@sentry-internal/browser-utils": {
-            "version": "9.28.1",
+            "version": "9.28.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-9.28.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/browser-utils/-/browser-utils-9.28.0.tgz",
-            "integrity": "sha512-P/FEZkT7UqTw9P/2n/Y4Aa1OtGP6dnCvyqzPPkjiRdVa7Ep7S5ElBJloGv7077TLLBtAfCsEUVRlM1F6/jQoaA==",
+            "integrity": "sha512-SqntPnIXudP3FoKj4mQ1BVPC1RNzo4CGtAxJnLpbIUpdT/khJVM6Q59zrGl2MgZ7URZCI986L5jXihQeferf6g==",
            "license": "MIT",
            "dependencies": {
-                "@sentry/core": "9.28.1"
+                "@sentry/core": "9.28.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry-internal/feedback": {
-            "version": "9.28.1",
+            "version": "9.28.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-9.28.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/feedback/-/feedback-9.28.0.tgz",
-            "integrity": "sha512-HOk/c26D3nlClO/xEefev8fIJzRA621PFQvNFPu/y0Z5HujEqSmIsrff0cXszPPYD95h4Mwk63E0ZYdspdeXcw==",
+            "integrity": "sha512-z2jShmVENsesmDnShEOv841Saw0zXe1tX6GHNgkK9f6NrUMbL970JvGKByBFTffhQH6uQ0WeNPnXJ5L/YKnfDg==",
            "license": "MIT",
            "dependencies": {
-                "@sentry/core": "9.28.1"
+                "@sentry/core": "9.28.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry-internal/replay": {
-            "version": "9.28.1",
+            "version": "9.28.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-9.28.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay/-/replay-9.28.0.tgz",
-            "integrity": "sha512-Tv9pkfAX+1bmhxF42TL0c4uTiK2+rp5LMYEPdz6JBfpfvG/Z1unPGsuB7fQmHYKyfHBQJmi92DZV+smljm7w/g==",
+            "integrity": "sha512-BVGVBlmcpJdT55d/vywjfK1u6zMC5ycjJBxU1wUCNgCU3cSKRDBnvmYgk/+Ay23bFryT28Q4hM1p5qBBAOfxjQ==",
            "license": "MIT",
            "dependencies": {
-                "@sentry-internal/browser-utils": "9.28.1",
+                "@sentry-internal/browser-utils": "9.28.0",
-                "@sentry/core": "9.28.1"
+                "@sentry/core": "9.28.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry-internal/replay-canvas": {
-            "version": "9.28.1",
+            "version": "9.28.0",
-            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-9.28.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry-internal/replay-canvas/-/replay-canvas-9.28.0.tgz",
-            "integrity": "sha512-RtkogfcIpXLFCyV8CTnXmVTH2QauT/KwmUAXBbeOz3rRWsM19yjN1moHrsjxn7OdjTv+D4qWSCA8Ka1aKSpr7g==",
+            "integrity": "sha512-Bv4mbtUrRV3p6PpFQPseLv3+Uaen+3AlfX02Z6QHY1sMa4lpt+U8OHfRGLprnzb6Rarw6fK2LNVL5rnV9LNMwA==",
            "license": "MIT",
            "dependencies": {
-                "@sentry-internal/replay": "9.28.1",
+                "@sentry-internal/replay": "9.28.0",
-                "@sentry/core": "9.28.1"
+                "@sentry/core": "9.28.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry/browser": {
-            "version": "9.28.1",
+            "version": "9.28.0",
-            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-9.28.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/browser/-/browser-9.28.0.tgz",
-            "integrity": "sha512-XAS46iQSq8lXTnv9udQP025JTf3PwSVRE9ePJVQhx25QBWxedqGhEOv5qqX9b1Ijf8KiZYXXhBWMQxBBXVzUaw==",
+            "integrity": "sha512-ttqiv3D9sIB43nZnJTTln1nXw1p4C5BDSh+sHmGUOiqdCH6ND3HByDITYMYIOz1lACSISTT4V+MEpqx0V25Tlw==",
            "license": "MIT",
            "dependencies": {
-                "@sentry-internal/browser-utils": "9.28.1",
+                "@sentry-internal/browser-utils": "9.28.0",
-                "@sentry-internal/feedback": "9.28.1",
+                "@sentry-internal/feedback": "9.28.0",
-                "@sentry-internal/replay": "9.28.1",
+                "@sentry-internal/replay": "9.28.0",
-                "@sentry-internal/replay-canvas": "9.28.1",
+                "@sentry-internal/replay-canvas": "9.28.0",
-                "@sentry/core": "9.28.1"
+                "@sentry/core": "9.28.0"
            },
            "engines": {
                "node": ">=18"
            }
        },
        "node_modules/@sentry/core": {
-            "version": "9.28.1",
+            "version": "9.28.0",
-            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-9.28.1.tgz",
+            "resolved": "https://registry.npmjs.org/@sentry/core/-/core-9.28.0.tgz",
-            "integrity": "sha512-6q59r/71MeE+4StkvwdKAAyhBBNpWcii0HeiWBZ3l1gaFYQlb6bChjZJRZmxSzF5dnvkdF4duQbAC3JmjeIbPA==",
+            "integrity": "sha512-vzD9xhg9S864jxfCpq77feCE4y7iP2cZYsNMoTupl1vTUlmXlhp7XgF832fEMjEZq4vrPhaqCNsde7Sc3PAbaQ==",
            "license": "MIT",
            "engines": {
                "node": ">=18"
@ -4717,15 +4717,15 @@
            }
        },
        "node_modules/@spotlightjs/overlay": {
-            "version": "3.0.0",
+            "version": "2.15.1",
-            "resolved": "https://registry.npmjs.org/@spotlightjs/overlay/-/overlay-3.0.0.tgz",
+            "resolved": "https://registry.npmjs.org/@spotlightjs/overlay/-/overlay-2.15.1.tgz",
-            "integrity": "sha512-0b03WtsykqpcOKmjDRnRZf0GGfaEB6ZHGctLZZxFK4NHTDBNJ6BaQZjunr4XU35kKR5BT2OFp5E/DPKluih0Hg==",
+            "integrity": "sha512-5TpHWFRiTm8rrNINOQs9iFsqVnguFGHU1cK/bmhrysNzts4tYQT9d+kWvl++GlItKezIPbu5xPD9VoapO30cyw==",
            "license": "Apache-2.0"
        },
        "node_modules/@spotlightjs/sidecar": {
-            "version": "1.11.4",
+            "version": "1.11.3",
-            "resolved": "https://registry.npmjs.org/@spotlightjs/sidecar/-/sidecar-1.11.4.tgz",
+            "resolved": "https://registry.npmjs.org/@spotlightjs/sidecar/-/sidecar-1.11.3.tgz",
-            "integrity": "sha512-8uDJNhvt6uVNvIoBltjRBqb0a//SxkKoyPACtNjq9k9qMYSfFhE0RVtgqnJNBineXeJfxzK5uvzeG/X7pEhYeQ==",
+            "integrity": "sha512-2FNZjnvJH71pAsYlJA/LIaEZ0jdtjqrlD58F/xJ5ZhI7z6US5zIqE7DMrqaK/tvObFam71CyCncKHRG6M0l6Cg==",
            "license": "Apache-2.0",
            "dependencies": {
                "@jridgewell/trace-mapping": "^0.3.25",
@ -4741,21 +4741,21 @@
            }
        },
        "node_modules/@spotlightjs/spotlight": {
-            "version": "3.0.0",
+            "version": "2.13.3",
-            "resolved": "https://registry.npmjs.org/@spotlightjs/spotlight/-/spotlight-3.0.0.tgz",
+            "resolved": "https://registry.npmjs.org/@spotlightjs/spotlight/-/spotlight-2.13.3.tgz",
-            "integrity": "sha512-dkMineYpONLUmkHh7gvBhjf34ES8a08KDQXNem9/0JzAMy/bXSDlC95sqkX9wDfKWjq2rJKYjJulNtCuGHDaeA==",
+            "integrity": "sha512-wDnXJaSVexPC/+blgXXx2AYCk7S+5lT4TCJmu0HZAVtYd2sDgNub/wAOitsKYxvpRtIQnPe55IlvL4r1X7goSg==",
            "license": "Apache-2.0",
            "dependencies": {
                "@sentry/node": "^8.49.0",
-                "@spotlightjs/overlay": "3.0.0",
+                "@spotlightjs/overlay": "2.15.1",
-                "@spotlightjs/sidecar": "1.11.4",
+                "@spotlightjs/sidecar": "1.11.3",
                "import-meta-resolve": "^4.1.0"
            },
            "bin": {
                "spotlight": "bin/run.js"
            },
            "engines": {
-                "node": ">=20"
+                "node": ">=18"
            }
        },
        "node_modules/@stencil/core": {
@ -17143,9 +17143,9 @@
            }
        },
        "node_modules/import-in-the-middle": {
-            "version": "1.14.0",
+            "version": "1.13.2",
-            "resolved": "https://registry.npmjs.org/import-in-the-middle/-/import-in-the-middle-1.14.0.tgz",
+            "resolved": "https://registry.npmjs.org/import-in-the-middle/-/import-in-the-middle-1.13.2.tgz",
-            "integrity": "sha512-g5zLT0HaztRJWysayWYiUq/7E5H825QIiecMD2pI5QO7Wzr847l6GDvPvmZaDIdrDtS2w7qRczywxiK6SL5vRw==",
+            "integrity": "sha512-Yjp9X7s2eHSXvZYQ0aye6UvwYPrVB5C2k47fuXjFKnYinAByaDZjh4t9MT2wEga9775n6WaIqyHnQhBxYtX2mg==",
            "license": "Apache-2.0",
            "dependencies": {
                "acorn": "^8.14.0",
--- a/web/package.json
+++ b/web/package.json
@ -102,8 +102,8 @@
        "@open-wc/lit-helpers": "^0.7.0",
        "@patternfly/elements": "^4.1.0",
        "@patternfly/patternfly": "^4.224.2",
-        "@sentry/browser": "^9.28.1",
+        "@sentry/browser": "^9.28.0",
-        "@spotlightjs/spotlight": "^3.0.0",
+        "@spotlightjs/spotlight": "^2.13.3",
        "@webcomponents/webcomponentsjs": "^2.8.0",
        "base64-js": "^1.5.1",
        "change-case": "^5.4.4",
--- a/web/src/admin/crypto/CertificateKeyPairForm.ts
+++ b/web/src/admin/crypto/CertificateKeyPairForm.ts
@ -1,5 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-secret-textarea-input.js";
+import "@goauthentik/components/ak-private-textarea-input.js";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
@ -46,7 +46,7 @@ export class CertificateKeyPairForm extends ModelForm<CertificateKeyPair, string
                    required
                />
            </ak-form-element-horizontal>
-            <ak-secret-textarea-input
+            <ak-private-textarea-input
                label=${msg("Certificate")}
                name="certificateData"
                input-hint="code"
@ -54,8 +54,8 @@ export class CertificateKeyPairForm extends ModelForm<CertificateKeyPair, string
                required
                ?revealed=${this.instance === undefined}
                help=${msg("PEM-encoded Certificate data.")}
-            ></ak-secret-textarea-input>
+            ></ak-private-textarea-input>
-            <ak-secret-textarea-input
+            <ak-private-textarea-input
                label=${msg("Private Key")}
                name="keyData"
                input-hint="code"
@ -63,7 +63,7 @@ export class CertificateKeyPairForm extends ModelForm<CertificateKeyPair, string
                help=${msg(
                    "Optional Private Key. If this is set, you can use this keypair for encryption.",
                )}
-            ></ak-secret-textarea-input>`;
+            ></ak-private-textarea-input>`;
    }
 }
--- a/web/src/admin/enterprise/EnterpriseLicenseForm.ts
+++ b/web/src/admin/enterprise/EnterpriseLicenseForm.ts
@ -1,6 +1,6 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { EVENT_REFRESH_ENTERPRISE } from "@goauthentik/common/constants";
-import "@goauthentik/components/ak-secret-textarea-input.js";
+import "@goauthentik/components/ak-private-textarea-input.js";
 import "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModelForm } from "@goauthentik/elements/forms/ModelForm";
@ -62,13 +62,13 @@ export class EnterpriseLicenseForm extends ModelForm<License, string> {
                    value="${ifDefined(this.installID)}"
                />
            </ak-form-element-horizontal>
-            <ak-secret-textarea-input
+            <ak-private-textarea-input
                name="key"
                ?revealed=${this.instance === undefined}
                label=${msg("License key")}
                input-hint="code"
            >
-            </ak-secret-textarea-input>`;
+            </ak-private-textarea-input>`;
    }
 }
--- a/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderForm.ts
+++ b/web/src/admin/providers/microsoft_entra/MicrosoftEntraProviderForm.ts
@ -4,7 +4,6 @@ import {
    propertyMappingsSelector,
 } from "@goauthentik/admin/providers/microsoft_entra/MicrosoftEntraProviderFormHelpers.js";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-hidden-text-input";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
@ -69,15 +68,21 @@ export class MicrosoftEntraProviderFormPage extends BaseProviderForm<MicrosoftEn
                            ${msg("Client ID for the app registration.")}
                        </p>
                    </ak-form-element-horizontal>
-                    <ak-hidden-text-input
+                    <ak-form-element-horizontal
                        name="clientSecret"
                        label=${msg("Client Secret")}
                        value="${this.instance?.clientSecret ?? ""}"
                        input-hint="code"
                        required
-                        .help=${msg("Client secret for the app registration.")}
+                        name="clientSecret"
                    >
-                    </ak-hidden-text-input>
+                        <input
                            type="text"
                            value="${this.instance?.clientSecret ?? ""}"
                            class="pf-c-form-control pf-m-monospace"
                            required
                        />
                        <p class="pf-c-form__helper-text">
                            ${msg("Client secret for the app registration.")}
                        </p>
                    </ak-form-element-horizontal>
                    <ak-form-element-horizontal label=${msg("Tenant ID")} required name="tenantId">
                        <input
                            type="text"
--- a/web/src/admin/providers/oauth2/OAuth2ProviderFormForm.ts
+++ b/web/src/admin/providers/oauth2/OAuth2ProviderFormForm.ts
@ -5,7 +5,6 @@ import {
    akOAuthRedirectURIInput,
 } from "@goauthentik/admin/providers/oauth2/OAuth2ProviderRedirectURI";
 import { ascii_letters, digits, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-hidden-text-input";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
@ -167,16 +166,17 @@ export function renderForm(
                    input-hint="code"
                >
                </ak-text-input>
-                <ak-hidden-text-input
+                <ak-text-input
                    name="clientSecret"
                    label=${msg("Client Secret")}
                    value="${provider?.clientSecret ?? randomString(128, ascii_letters + digits)}"
                    input-hint="code"
                    ?hidden=${!showClientSecret}
                >
-                </ak-hidden-text-input>
+                </ak-text-input>
                <ak-form-element-horizontal
                    label=${msg("Redirect URIs/Origins (RegEx)")}
                    required
                    name="redirectUris"
                >
                    <ak-array-input
--- a/web/src/admin/providers/radius/RadiusProviderFormForm.ts
+++ b/web/src/admin/providers/radius/RadiusProviderFormForm.ts
@ -1,8 +1,6 @@
 import "@goauthentik/admin/common/ak-flow-search/ak-branded-flow-search";
 import "@goauthentik/admin/common/ak-flow-search/ak-flow-search";
 import { ascii_letters, digits, randomString } from "@goauthentik/common/utils";
 import "@goauthentik/components/ak-hidden-text-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/forms/SearchSelect";
@ -76,14 +74,14 @@ export function renderForm(
        <ak-form-group expanded>
            <span slot="header"> ${msg("Protocol settings")} </span>
            <div slot="body" class="pf-c-form">
-                <ak-hidden-text-input
+                <ak-text-input
                    name="sharedSecret"
                    label=${msg("Shared secret")}
                    .errorMessages=${errors?.sharedSecret ?? []}
                    value=${provider?.sharedSecret ?? randomString(128, ascii_letters + digits)}
                    required
                    input-hint="code"
-                ></ak-hidden-text-input>
+                ></ak-text-input>
                <ak-text-input
                    name="clientNetworks"
                    label=${msg("Client Networks")}
--- a/web/src/admin/providers/scim/SCIMProviderFormForm.ts
+++ b/web/src/admin/providers/scim/SCIMProviderFormForm.ts
@ -1,5 +1,4 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-hidden-text-input";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -51,7 +50,7 @@ export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationE
                >
                </ak-switch-input>
-                <ak-hidden-text-input
+                <ak-text-input
                    name="token"
                    label=${msg("Token")}
                    value="${provider?.token ?? ""}"
@ -61,7 +60,7 @@ export function renderForm(provider?: Partial<SCIMProvider>, errors: ValidationE
                        "Token to authenticate with. Currently only bearer authentication is supported.",
                    )}
                    input-hint="code"
-                ></ak-hidden-text-input>
+                ></ak-text-input>
                <ak-radio-input
                    name="compatibilityMode"
                    label=${msg("Compatibility Mode")}
--- a/web/src/admin/sources/kerberos/KerberosSourceForm.ts
+++ b/web/src/admin/sources/kerberos/KerberosSourceForm.ts
@ -7,8 +7,8 @@ import {
    UserMatchingModeToLabel,
 } from "@goauthentik/admin/sources/oauth/utils";
 import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-secret-text-input.js";
+import "@goauthentik/components/ak-private-text-input.js";
-import "@goauthentik/components/ak-secret-textarea-input.js";
+import "@goauthentik/components/ak-private-textarea-input.js";
 import "@goauthentik/components/ak-switch-input";
 import "@goauthentik/components/ak-text-input";
 import "@goauthentik/components/ak-textarea-input";
@ -248,22 +248,22 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
                        value=${ifDefined(this.instance?.syncPrincipal)}
                        help=${msg("Principal used to authenticate to the KDC for syncing.")}
                    ></ak-text-input>
-                    <ak-secret-text-input
+                    <ak-private-text-input
                        name="syncPassword"
                        label=${msg("Sync password")}
                        ?revealed=${this.instance === undefined}
                        help=${msg(
                            "Password used to authenticate to the KDC for syncing. Optional if Sync keytab or Sync credentials cache is provided.",
                        )}
-                    ></ak-secret-text-input>
+                    ></ak-private-text-input>
-                    <ak-secret-textarea-input
+                    <ak-private-textarea-input
                        name="syncKeytab"
                        label=${msg("Sync keytab")}
                        ?revealed=${this.instance === undefined}
                        help=${msg(
                            "Keytab used to authenticate to the KDC for syncing. Optional if Sync password or Sync credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.",
                        )}
-                    ></ak-secret-textarea-input>
+                    ></ak-private-textarea-input>
                    <ak-text-input
                        name="syncCcache"
                        label=${msg("Sync credentials cache")}
@ -285,14 +285,14 @@ export class KerberosSourceForm extends WithCapabilitiesConfig(BaseSourceForm<Ke
                            "Force the use of a specific server name for SPNEGO. Must be in the form HTTP@domain",
                        )}
                    ></ak-text-input>
-                    <ak-secret-textarea-input
+                    <ak-private-textarea-input
                        name="spnegoKeytab"
                        label=${msg("SPNEGO keytab")}
                        ?revealed=${this.instance === undefined}
                        help=${msg(
                            "Keytab used for SPNEGO. Optional if SPNEGO credentials cache is provided. Must be base64 encoded or in the form TYPE:residual.",
                        )}
-                    ></ak-secret-textarea-input>
+                    ></ak-private-textarea-input>
                    <ak-text-input
                        name="spnegoCcache"
                        label=${msg("SPNEGO credentials cache")}
--- a/web/src/admin/sources/ldap/LDAPSourceForm.ts
+++ b/web/src/admin/sources/ldap/LDAPSourceForm.ts
@ -2,7 +2,7 @@ import "@goauthentik/admin/common/ak-crypto-certificate-search";
 import { placeholderHelperText } from "@goauthentik/admin/helperText";
 import { BaseSourceForm } from "@goauthentik/admin/sources/BaseSourceForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-secret-text-input.js";
+import "@goauthentik/components/ak-private-text-input.js";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -260,11 +260,11 @@ export class LDAPSourceForm extends BaseSourceForm<LDAPSource> {
                            class="pf-c-form-control"
                        />
                    </ak-form-element-horizontal>
-                    <ak-secret-text-input
+                    <ak-private-text-input
                        label=${msg("Bind Password")}
                        name="bindPassword"
                        ?revealed=${this.instance === undefined}
-                    ></ak-secret-text-input>
+                    ></ak-private-text-input>
                    <ak-form-element-horizontal label=${msg("Base DN")} required name="baseDn">
                        <input
                            type="text"
--- a/web/src/admin/sources/oauth/OAuthSourceForm.ts
+++ b/web/src/admin/sources/oauth/OAuthSourceForm.ts
@ -8,8 +8,8 @@ import {
    UserMatchingModeToLabel,
 } from "@goauthentik/admin/sources/oauth/utils";
 import { DEFAULT_CONFIG, config } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-private-textarea-input.js";
 import "@goauthentik/components/ak-radio-input";
 import "@goauthentik/components/ak-secret-textarea-input.js";
 import "@goauthentik/elements/CodeMirror";
 import { CodeMirrorMode } from "@goauthentik/elements/CodeMirror";
 import "@goauthentik/elements/ak-dual-select/ak-dual-select-dynamic-selected-provider.js";
@ -441,14 +441,14 @@ export class OAuthSourceForm extends WithCapabilitiesConfig(BaseSourceForm<OAuth
                        />
                        <p class="pf-c-form__helper-text">${msg("Also known as Client ID.")}</p>
                    </ak-form-element-horizontal>
-                    <ak-secret-textarea-input
+                    <ak-private-textarea-input
                        label=${msg("Consumer secret")}
                        name="consumerSecret"
                        input-hint="code"
                        help=${msg("Also known as Client Secret.")}
                        required
                        ?revealed=${this.instance === undefined}
-                    ></ak-secret-textarea-input>
+                    ></ak-private-textarea-input>
                    <ak-form-element-horizontal label=${msg("Scopes")} name="additionalScopes">
                        <input
                            type="text"
--- a/web/src/admin/sources/plex/PlexSourceForm.ts
+++ b/web/src/admin/sources/plex/PlexSourceForm.ts
@ -128,7 +128,7 @@ export class PlexSourceForm extends WithCapabilitiesConfig(BaseSourceForm<PlexSo
                    this.doAuth();
                }}
            >
-                ${msg("Re-authenticate with Plex")}
+                ${msg("Re-authenticate with plex")}
            </button>
            <ak-form-element-horizontal name="allowFriends">
                <label class="pf-c-switch">
--- a/web/src/admin/stages/authenticator_duo/AuthenticatorDuoStageForm.ts
+++ b/web/src/admin/stages/authenticator_duo/AuthenticatorDuoStageForm.ts
@ -1,7 +1,7 @@
 import { RenderFlowOption } from "@goauthentik/admin/flows/utils";
 import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-secret-text-input.js";
+import "@goauthentik/components/ak-private-text-input.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/forms/SearchSelect";
@ -95,13 +95,13 @@ export class AuthenticatorDuoStageForm extends BaseStageForm<AuthenticatorDuoSta
                            required
                        />
                    </ak-form-element-horizontal>
-                    <ak-secret-text-input
+                    <ak-private-text-input
                        name="clientSecret"
                        label=${msg("Secret key")}
                        input-hint="code"
                        required
                        ?revealed=${this.instance === undefined}
-                    ></ak-secret-text-input>
+                    ></ak-private-text-input>
                </div>
            </ak-form-group>
            <ak-form-group>
@ -125,12 +125,12 @@ export class AuthenticatorDuoStageForm extends BaseStageForm<AuthenticatorDuoSta
                            spellcheck="false"
                        />
                    </ak-form-element-horizontal>
-                    <ak-secret-text-input
+                    <ak-private-text-input
                        name="adminSecretKey"
                        label=${msg("Secret key")}
                        input-hint="code"
                        ?revealed=${this.instance === undefined}
-                    ></ak-secret-text-input>
+                    ></ak-private-text-input>
                </div>
            </ak-form-group>
            <ak-form-group expanded>
--- a/web/src/admin/stages/authenticator_email/AuthenticatorEmailStageForm.ts
+++ b/web/src/admin/stages/authenticator_email/AuthenticatorEmailStageForm.ts
@ -1,7 +1,7 @@
 import { RenderFlowOption } from "@goauthentik/admin/flows/utils";
 import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-secret-text-input.js";
+import "@goauthentik/components/ak-private-text-input.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/forms/Radio";
@ -77,11 +77,11 @@ export class AuthenticatorEmailStageForm extends BaseStageForm<AuthenticatorEmai
                    />
                </ak-form-element-horizontal>
-                <ak-secret-text-input
+                <ak-private-text-input
                    name="password"
                    label=${msg("SMTP Password")}
                    ?revealed=${this.instance === undefined}
-                ></ak-secret-text-input>
+                ></ak-private-text-input>
                <ak-form-element-horizontal name="useTls">
                    <label class="pf-c-switch">
--- a/web/src/admin/stages/captcha/CaptchaStageForm.ts
+++ b/web/src/admin/stages/captcha/CaptchaStageForm.ts
@ -1,7 +1,7 @@
 import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import "@goauthentik/components/ak-number-input";
-import "@goauthentik/components/ak-secret-text-input.js";
+import "@goauthentik/components/ak-private-text-input.js";
 import "@goauthentik/components/ak-switch-input";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
@ -70,7 +70,7 @@ export class CaptchaStageForm extends BaseStageForm<CaptchaStage> {
                        </p>
                    </ak-form-element-horizontal>
-                    <ak-secret-text-input
+                    <ak-private-text-input
                        name="privateKey"
                        label=${msg("Private Key")}
                        input-hint="code"
@ -79,7 +79,7 @@ export class CaptchaStageForm extends BaseStageForm<CaptchaStage> {
                        help=${msg(
                            "Private key, acquired from https://www.google.com/recaptcha/intro/v3.html.",
                        )}
-                    ></ak-secret-text-input>
+                    ></ak-private-text-input>
                    <ak-switch-input
                        name="interactive"
--- a/web/src/admin/stages/email/EmailStageForm.ts
+++ b/web/src/admin/stages/email/EmailStageForm.ts
@ -1,6 +1,6 @@
 import { BaseStageForm } from "@goauthentik/admin/stages/BaseStageForm";
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
-import "@goauthentik/components/ak-secret-text-input.js";
+import "@goauthentik/components/ak-private-text-input.js";
 import "@goauthentik/elements/forms/FormGroup";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import "@goauthentik/elements/utils/TimeDeltaHelp";
@ -73,11 +73,11 @@ export class EmailStageForm extends BaseStageForm<EmailStage> {
                        class="pf-c-form-control"
                    />
                </ak-form-element-horizontal>
-                <ak-secret-text-input
+                <ak-private-text-input
                    label=${msg("SMTP Password")}
                    name="password"
                    ?revealed=${this.instance === undefined}
-                ></ak-secret-text-input>
+                ></ak-private-text-input>
                <ak-form-element-horizontal name="useTls">
                    <label class="pf-c-switch">
                        <input
--- a/web/src/admin/users/ServiceAccountForm.ts
+++ b/web/src/admin/users/ServiceAccountForm.ts
@ -1,6 +1,5 @@
 import { DEFAULT_CONFIG } from "@goauthentik/common/api/config";
 import { dateTimeLocal } from "@goauthentik/common/temporal";
 import "@goauthentik/components/ak-hidden-text-input";
 import { Form } from "@goauthentik/elements/forms/Form";
 import "@goauthentik/elements/forms/HorizontalFormElement";
 import { ModalForm } from "@goauthentik/elements/forms/ModalForm";
@ -125,14 +124,19 @@ export class ServiceAccountForm extends Form<UserServiceAccountRequest> {
                        class="pf-c-form-control"
                    />
                </ak-form-element-horizontal>
-                <ak-hidden-text-input
+                <ak-form-element-horizontal label=${msg("Password")}>
-                    label=${msg("Password")}
+                    <input
-                    value="${this.result?.token ?? ""}"
+                        type="text"
-                    .help=${msg(
+                        readonly
-                        "Valid for 360 days, after which the password will automatically rotate. You can copy the password from the Token List.",
+                        value=${ifDefined(this.result?.token)}
-                    )}
+                        class="pf-c-form-control"
-                >
+                    />
-                </ak-hidden-text-input>
+                    <p class="pf-c-form__helper-text">
                        ${msg(
                            "Valid for 360 days, after which the password will automatically rotate. You can copy the password from the Token List.",
                        )}
                    </p>
                </ak-form-element-horizontal>
            </form>`;
    }
--- a/web/src/components/HorizontalLightComponent.ts
+++ b/web/src/components/HorizontalLightComponent.ts
@ -1,4 +1,4 @@
-import { AKElement, type AKElementProps } from "@goauthentik/elements/Base";
+import { AKElement } from "@goauthentik/elements/Base";
 import "@goauthentik/elements/forms/HorizontalFormElement.js";
 import { TemplateResult, html, nothing } from "lit";
@ -6,19 +6,6 @@ import { property } from "lit/decorators.js";
 type HelpType = TemplateResult | typeof nothing;
 export interface HorizontalLightComponentProps<T> extends AKElementProps {
    name: string;
    label?: string;
    required?: boolean;
    help?: string;
    bighelp?: TemplateResult | TemplateResult[];
    hidden?: boolean;
    invalid?: boolean;
    errorMessages?: string[];
    value?: T;
    inputHint?: string;
 }
 export class HorizontalLightComponent<T> extends AKElement {
    // Render into the lightDOM. This effectively erases the shadowDOM nature of this component, but
    // we're not actually using that and, for the meantime, we need the form handlers to be able to
@ -31,81 +18,37 @@ export class HorizontalLightComponent<T> extends AKElement {
        return this;
    }
    /**
     * The name attribute for the form element
     * @property
     * @attribute
     */
    @property({ type: String, reflect: true })
    name!: string;
    /**
     * The label for the input control
     * @property
     * @attribute
     */
    @property({ type: String, reflect: true })
    label = "";
    /**
     * @property
     * @attribute
     */
    @property({ type: Boolean, reflect: true })
    required = false;
    /**
     * Help text to display below the form element. Optional
     * @property
     * @attribute
     */
    @property({ type: String, reflect: true })
    help = "";
    /**
     * Extended help content. Optional. Expects to be a TemplateResult
     * @property
     */
    @property({ type: Object })
    bighelp?: TemplateResult | TemplateResult[];
    /**
     * @property
     * @attribute
     */
    @property({ type: Boolean, reflect: true })
    hidden = false;
    /**
     * @property
     * @attribute
     */
    @property({ type: Boolean, reflect: true })
    invalid = false;
    /**
     * @property
     */
    @property({ attribute: false })
    errorMessages: string[] = [];
    /**
     * @attribute
     * @property
     */
    @property({ attribute: false })
    value?: T;
    /**
     * Input hint.
     *   - `code`: uses a monospace font and disables spellcheck & autocomplete
     * @property
     * @attribute
     */
    @property({ type: String, attribute: "input-hint" })
    inputHint = "";
-    protected renderControl() {
+    renderControl() {
        throw new Error("Must be implemented in a subclass");
    }
--- a/web/src/components/ak-hidden-text-input.ts
+++ b/web/src/components/ak-hidden-text-input.ts
@ -1,159 +0,0 @@
 import { bound } from "#elements/decorators/bound";
 import { msg } from "@lit/localize";
 import { css, html } from "lit";
 import { customElement, property, query } from "lit/decorators.js";
 import { classMap } from "lit/directives/class-map.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 import {
    HorizontalLightComponent,
    HorizontalLightComponentProps,
 } from "./HorizontalLightComponent";
 import "./ak-visibility-toggle.js";
 import type { VisibilityToggleProps } from "./ak-visibility-toggle.js";
 type BaseProps = HorizontalLightComponentProps<string> &
    Pick<VisibilityToggleProps, "showMessage" | "hideMessage">;
 export interface AkHiddenTextInputProps extends BaseProps {
    revealed: boolean;
    placeholder?: string;
 }
 export type InputLike = HTMLTextAreaElement | HTMLInputElement;
 /**
 * @element ak-hidden-text-input
 * @class AkHiddenTextInput
 *
 * A text-input field with a visibility control, so you can show/hide sensitive fields.
 *
 * ## CSS Parts
 * @csspart container - The main container div
 * @csspart input - The input element
 * @csspart toggle - The visibility toggle button
 *
 */
@customElement("ak-hidden-text-input")
 export class AkHiddenTextInput<T extends InputLike = HTMLInputElement>
    extends HorizontalLightComponent<string>
    implements AkHiddenTextInputProps
 {
    public static get styles() {
        return [
            css`
                main {
                    display: flex;
                }
            `,
        ];
    }
    /**
     * @property
     * @attribute
     */
    @property({ type: String, reflect: true })
    public value = "";
    /**
     * @property
     * @attribute
     */
    @property({ type: Boolean, reflect: true })
    public revealed = false;
    /**
     * Text for when the input has no set value
     *
     * @property
     * @attribute
     */
    @property({ type: String })
    public placeholder?: string;
    /**
     * Specify kind of help the browser should try to provide
     *
     * @property
     * @attribute
     */
    @property({ type: String })
    public autocomplete?: "none" | AutoFill;
    /**
     * @property
     * @attribute
     */
    @property({ type: String, attribute: "show-message" })
    public showMessage = msg("Show field content");
    /**
     * @property
     * @attribute
     */
    @property({ type: String, attribute: "hide-message" })
    public hideMessage = msg("Hide field content");
    @query("#main > input")
    protected inputField!: T;
    @bound
    private handleToggleVisibility() {
        this.revealed = !this.revealed;
        // Maintain focus on input after toggle
        this.updateComplete.then(() => {
            if (this.inputField && document.activeElement === this) {
                this.inputField.focus();
            }
        });
    }
    // TODO: Because of the peculiarities of how HorizontalLightComponent works, keeping its content
    // in the LightDom so the inner components actually inherit styling, the normal `css` options
    // aren't available. Embedding styles is bad styling, and we'll fix it in the next style
    // refresh.
    protected renderInputField(setValue: (ev: InputEvent) => void, code: boolean) {
        return html` <input
            style="flex: 1 1 auto; min-width: 0;"
            part="input"
            type=${this.revealed ? "text" : "password"}
            @input=${setValue}
            value=${ifDefined(this.value)}
            placeholder=${ifDefined(this.placeholder)}
            class="${classMap({
                "pf-c-form-control": true,
                "pf-m-monospace": code,
            })}"
            spellcheck=${code ? "false" : "true"}
            ?required=${this.required}
        />`;
    }
    protected override renderControl() {
        const code = this.inputHint === "code";
        const setValue = (ev: InputEvent) => {
            this.value = (ev.target as T).value;
        };
        return html` <div style="display: flex; gap: 0.25rem">
            ${this.renderInputField(setValue, code)}
            <!-- -->
            <ak-visibility-toggle
                part="toggle"
                style="flex: 0 0 auto; align-self: flex-start"
                ?open=${this.revealed}
                show-message=${this.showMessage}
                hide-message=${this.hideMessage}
                @click=${() => (this.revealed = !this.revealed)}
            ></ak-visibility-toggle>
        </div>`;
    }
 }
 declare global {
    interface HTMLElementTagNameMap {
        "ak-hidden-text-input": AkHiddenTextInput;
    }
 }
--- a/web/src/components/ak-hidden-textarea-input.ts
+++ b/web/src/components/ak-hidden-textarea-input.ts
@ -1,128 +0,0 @@
 import { css, html } from "lit";
 import { customElement, property, query } from "lit/decorators.js";
 import { classMap } from "lit/directives/class-map.js";
 import { ifDefined } from "lit/directives/if-defined.js";
 import { AkHiddenTextInput, type AkHiddenTextInputProps } from "./ak-hidden-text-input.js";
 export interface AkHiddenTextAreaInputProps extends AkHiddenTextInputProps {
    /**
     * Number of visible text lines (rows)
     */
    rows?: number;
    /**
     * Number of visible character width (cols)
     */
    cols?: number;
    /**
     * How the textarea can be resized
     */
    resize?: "none" | "both" | "horizontal" | "vertical";
    /**
     * Whether text should wrap
     */
    wrap?: "soft" | "hard" | "off";
 }
 /**
 * @element ak-hidden-text-input
 * @class AkHiddenTextInput
 *
 * A text-input field with a visibility control, so you can show/hide sensitive fields.
 *
 * ## CSS Parts
 * @csspart container - The main container div
 * @csspart input - The input element
 * @csspart toggle - The visibility toggle button
 *
 */
@customElement("ak-hidden-textarea-input")
 export class AkHiddenTextAreaInput
    extends AkHiddenTextInput<HTMLTextAreaElement>
    implements AkHiddenTextAreaInputProps
 {
    /* These are mostly just forwarded to the textarea component. */
    /**
     * @property
     * @attribute
     */
    @property({ type: Number })
    rows?: number = 4;
    /**
     * @property
     * @attribute
     */
    @property({ type: Number })
    cols?: number;
    /**
     * @property
     * @attribute
     *
     * You want `resize=true` so that the resize value is visible in the component tag, activating
     * the CSS associated with these values.
     */
    @property({ type: String, reflect: true })
    resize?: "none" | "both" | "horizontal" | "vertical" = "vertical";
    /**
     * @property
     * @attribute
     */
    @property({ type: String })
    wrap?: "soft" | "hard" | "off" = "soft";
    @query("#main > textarea")
    protected inputField!: HTMLTextAreaElement;
    get displayValue() {
        const value = this.value ?? "";
        if (this.revealed) {
            return value;
        }
        return value
            .split("\n")
            .reduce((acc: string[], line: string) => [...acc, "*".repeat(line.length)], [])
            .join("\n");
    }
    // TODO: Because of the peculiarities of how HorizontalLightComponent works, keeping its content
    // in the LightDom so the inner components actually inherit styling, the normal `css` options
    // aren't available. Embedding styles is bad styling, and we'll fix it in the next style
    // refresh.
    protected override renderInputField(setValue: (ev: InputEvent) => void, code: boolean) {
        const wrap = this.revealed ? this.wrap : "soft";
        return html`
            <textarea
                style="flex: 1 1 auto; min-width: 0;"
                part="textarea"
                @input=${setValue}
                placeholder=${ifDefined(this.placeholder)}
                rows=${ifDefined(this.rows)}
                cols=${ifDefined(this.cols)}
                wrap=${ifDefined(wrap)}
                class=${classMap({
                    "pf-c-form-control": true,
                    "pf-m-monospace": code,
                })}
                spellcheck=${code ? "false" : "true"}
                ?required=${this.required}
            >
 ${this.displayValue}</textarea
            >
        `;
    }
 }
 declare global {
    interface HTMLElementTagNameMap {
        "ak-hidden-textarea-input": AkHiddenTextAreaInput;
    }
 }
--- a/web/src/components/ak-private-text-input.ts
+++ b/web/src/components/ak-private-text-input.ts
@ -8,8 +8,8 @@ import { ifDefined } from "lit/directives/if-defined.js";
 import { HorizontalLightComponent } from "./HorizontalLightComponent";
-@customElement("ak-secret-text-input")
+@customElement("ak-private-text-input")
-export class AkSecretTextInput extends HorizontalLightComponent<string> {
+export class AkPrivateTextInput extends HorizontalLightComponent<string> {
    @property({ type: String, reflect: true })
    public value = "";
@ -23,7 +23,7 @@ export class AkSecretTextInput extends HorizontalLightComponent<string> {
        this.revealed = true;
    }
-    #renderSecretInput() {
+    #renderPrivateInput() {
        return html`<div class="pf-c-form__horizontal-group" @click=${() => this.#onReveal()}>
            <input
                class="pf-c-form-control"
@ -60,14 +60,14 @@ export class AkSecretTextInput extends HorizontalLightComponent<string> {
    }
    public override renderControl() {
-        return this.revealed ? this.renderVisibleInput() : this.#renderSecretInput();
+        return this.revealed ? this.renderVisibleInput() : this.#renderPrivateInput();
    }
 }
-export default AkSecretTextInput;
+export default AkPrivateTextInput;
 declare global {
    interface HTMLElementTagNameMap {
-        "ak-secret-text-input": AkSecretTextInput;
+        "ak-private-text-input": AkPrivateTextInput;
    }
 }
--- a/web/src/components/ak-private-textarea-input.ts
+++ b/web/src/components/ak-private-textarea-input.ts
@ -5,10 +5,10 @@ import { customElement, property } from "lit/decorators.js";
 import { classMap } from "lit/directives/class-map.js";
 import { ifDefined } from "lit/directives/if-defined.js";
-import { AkSecretTextInput } from "./ak-secret-text-input.js";
+import { AkPrivateTextInput } from "./ak-private-text-input.js";
-@customElement("ak-secret-textarea-input")
+@customElement("ak-private-textarea-input")
-export class AkSecretTextAreaInput extends AkSecretTextInput {
+export class AkPrivateTextAreaInput extends AkPrivateTextInput {
    protected override renderVisibleInput() {
        const code = this.inputHint === "code";
        const setValue = (ev: InputEvent) => {
@ -34,10 +34,10 @@ export class AkSecretTextAreaInput extends AkSecretTextInput {
    }
 }
-export default AkSecretTextAreaInput;
+export default AkPrivateTextAreaInput;
 declare global {
    interface HTMLElementTagNameMap {
-        "ak-secret-textarea-input": AkSecretTextAreaInput;
+        "ak-private-textarea-input": AkPrivateTextAreaInput;
    }
 }
--- a/web/src/components/ak-visibility-toggle.ts
+++ b/web/src/components/ak-visibility-toggle.ts
@ -1,89 +0,0 @@
 import { AKElement } from "@goauthentik/elements/Base.js";
 import { msg } from "@lit/localize";
 import { html } from "lit";
 import { customElement, property } from "lit/decorators.js";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";
 export interface VisibilityToggleProps {
    open: boolean;
    disabled: boolean;
    showMessage: string;
    hideMessage: string;
 }
 /**
 * @component ak-visibility-toggle
 * @class VisibilityToggle
 *
 * A straightforward two-state iconic button we use in a few places as way of telling users to hide
 * or show something secret, such as a password or private key. Expects the client to manage its
 * state.
 *
 * @events
 * - click: when the toggle is clicked.
 */
@customElement("ak-visibility-toggle")
 export class VisibilityToggle extends AKElement implements VisibilityToggleProps {
    static get styles() {
        return [PFBase, PFButton];
    }
    /**
     * @property
     * @attribute
     */
    @property({ type: Boolean, reflect: true })
    open = false;
    /**
     * @property
     * @attribute
     */
    @property({ type: Boolean, reflect: true })
    disabled = false;
    /**
     * @property
     * @attribute
     */
    @property({ type: String, attribute: "show-message" })
    showMessage = msg("Show field content");
    /**
     * @property
     * @attribute
     */
    @property({ type: String, attribute: "hide-message" })
    hideMessage = msg("Hide field content");
    render() {
        const [label, icon] = this.open
            ? [this.hideMessage, "fa-eye"]
            : [this.showMessage, "fa-eye-slash"];
        const onClick = (ev: PointerEvent) => {
            ev.stopPropagation();
            this.dispatchEvent(new PointerEvent(ev.type, ev));
        };
        return html`<button
            aria-label=${label}
            title=${label}
            @click=${onClick}
            ?disabled=${this.disabled}
            class="pf-c-button pf-m-control"
            type="button"
        >
            <i class="fas ${icon}" aria-hidden="true"></i>
        </button>`;
    }
 }
 declare global {
    interface HTMLElementTagNameMap {
        "ak-visibility-toggle": VisibilityToggle;
    }
 }
--- a/web/src/components/stories/ak-hidden-text-input.stories.ts
+++ b/web/src/components/stories/ak-hidden-text-input.stories.ts
@ -1,93 +0,0 @@
 import type { Meta, StoryObj } from "@storybook/web-components";
 import { html, nothing } from "lit";
 import { ifDefined } from "lit/directives/if-defined.js";
 import "../ak-hidden-text-input";
 import { type AkHiddenTextInput, type AkHiddenTextInputProps } from "../ak-hidden-text-input.js";
 const metadata: Meta<AkHiddenTextInputProps> = {
    title: "Components / <ak-hidden-text-input>",
    component: "ak-hidden-text-input",
    tags: ["autodocs"],
    parameters: {
        docs: {
            description: {
                component: `
 # Hidden Text Input Component
 A text-input field with a visibility control, so you can show/hide sensitive fields.
 `,
            },
        },
        layout: "padded",
    },
    argTypes: {
        label: {
            control: "text",
            description: "Label text for the input field",
        },
        value: {
            control: "text",
            description: "Current value of the input",
        },
        revealed: {
            control: "boolean",
            description: "Whether the text is currently visible",
        },
        placeholder: {
            control: "text",
            description: "Placeholder text for the input",
        },
        required: {
            control: "boolean",
            description: "Whether the input is required",
        },
        inputHint: {
            control: "select",
            options: ["text", "code"],
            description: "Input type hint for styling and behavior",
        },
        showMessage: {
            control: "text",
            description: "Custom message for show action",
        },
        hideMessage: {
            control: "text",
            description: "Custom message for hide action",
        },
    },
 };
 export default metadata;
 type Story = StoryObj<AkHiddenTextInput>;
 const Template: Story = {
    args: {
        label: "Hidden Text Input",
        value: "",
        revealed: false,
    },
    render: (args) => html`
        <ak-hidden-text-input
            label=${ifDefined(args.label)}
            value=${ifDefined(args.value)}
            ?revealed=${args.revealed}
            placeholder=${ifDefined(args.placeholder)}
            ?required=${args.required}
            input-hint=${ifDefined(args.inputHint)}
            show-message=${ifDefined(args.showMessage)}
            hide-message=${ifDefined(args.hideMessage)}
        ></ak-hidden-text-input>
    `,
 };
 export const Password: Story = {
    ...Template,
    args: {
        label: "Password",
        placeholder: "Enter your password",
        required: true,
    },
 };
--- a/web/src/components/stories/ak-hidden-textarea-input.stories.ts
+++ b/web/src/components/stories/ak-hidden-textarea-input.stories.ts
@ -1,140 +0,0 @@
 import type { Meta, StoryObj } from "@storybook/web-components";
 import { html, nothing } from "lit";
 import { ifDefined } from "lit/directives/if-defined.js";
 import "../ak-hidden-textarea-input";
 import {
    type AkHiddenTextAreaInput,
    type AkHiddenTextAreaInputProps,
 } from "../ak-hidden-textarea-input.js";
 const metadata: Meta<AkHiddenTextAreaInputProps> = {
    title: "Components / <ak-hidden-textarea-input>",
    component: "ak-hidden-textarea-input",
    tags: ["autodocs"],
    parameters: {
        docs: {
            description: {
                component: `
 # Hidden Textarea Input Component
 A textarea input field with a visibility control, so you can show/hide sensitive fields.
 `,
            },
        },
        layout: "padded",
    },
    argTypes: {
        label: {
            control: "text",
            description: "Label text for the input field",
        },
        value: {
            control: "text",
            description: "Current value of the input",
        },
        revealed: {
            control: "boolean",
            description: "Whether the text is currently visible",
        },
        placeholder: {
            control: "text",
            description: "Placeholder text for the input",
        },
        required: {
            control: "boolean",
            description: "Whether the input is required",
        },
        inputHint: {
            control: "select",
            options: ["text", "code"],
            description: "Input type hint for styling and behavior",
        },
        showMessage: {
            control: "text",
            description: "Custom message for show action",
        },
        hideMessage: {
            control: "text",
            description: "Custom message for hide action",
        },
        rows: {
            control: { type: "number", min: 1, max: 50 },
            description: "Number of visible text lines",
        },
        cols: {
            control: { type: "number", min: 10, max: 200 },
            description: "Number of visible character width",
        },
        resize: {
            control: "select",
            options: ["none", "both", "horizontal", "vertical"],
            description: "How the textarea can be resized",
        },
        wrap: {
            control: "select",
            options: ["soft", "hard", "off"],
            description: "Text wrapping behavior",
        },
    },
 };
 export default metadata;
 type Story = StoryObj<AkHiddenTextAreaInput>;
 const Template: Story = {
    args: {
        label: "Hidden Textarea Input",
        value: "",
        revealed: false,
        rows: 4,
    },
    render: (args) => html`
        <ak-hidden-textarea-input
            label=${ifDefined(args.label)}
            value=${ifDefined(args.value)}
            ?revealed=${args.revealed}
            placeholder=${ifDefined(args.placeholder)}
            rows=${ifDefined(args.rows)}
            cols=${ifDefined(args.cols)}
            resize=${ifDefined(args.resize)}
            wrap=${ifDefined(args.wrap)}
            ?required=${args.required}
            input-hint=${ifDefined(args.inputHint)}
            show-message=${ifDefined(args.showMessage)}
            hide-message=${ifDefined(args.hideMessage)}
        ></ak-hidden-textarea-input>
    `,
 };
 export const SslCertificate: Story = {
    ...Template,
    args: {
        label: "SSL Certificate",
        value: `-----BEGIN CERTIFICATE-----
 MIIDXTCCAkWgAwIBAgIJAKoK/heBjcOuMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
 BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
 aWRnaXRzIFB0eSBMdGQwHhcNMTcwNTEwMTk0MDA2WhcNMTgwNTEwMTk0MDA2WjBF
 MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
 ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMB4XDTE3MDUxMDE5NDAwNloXDTE4MDUxMDE5
 NDAwNlowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNV
 BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQAD
 ggEPADCCAQoCggEBALdUlNS31SzxwoFShahGfjHj6GgpcVbzL1Siq0Pqnf82T6M2
 EDuneMLzAgMBAAECggEBAJkPFn6jeMHyiq0Pqnf82T6M2EDuneMLzAgMBAAECggE
 BAJkPFn6jeMHyiq0Pqnf82T6M2EDuneMLzAgMBAAECggEBAJkPFn6jeMHyiq0Pqn
 f82T6M2EDuneMLzAgMBAAECggEBAJkPFn6jeMHyiq0Pqnf82T6M2EDuneMLzAgM
 BAAECggEBAJkPFn6jeMHyiq0Pqnf82T6M2EDuneMLzAgMBAAECggEBAJkPFn6jeM
 Hyiq0Pqnf82T6M2EDuneMLzAgMBAAECggEBAJkPFn6jeMHyiq0Pqnf82T6M2EDu
 neMLzAgMBAAECggEBAJkPFn6jeMHyiq0Pqnf82T6M2EDuneMLzAgMBAAECggEBAJ
 kPFn6jeMHyiq0Pqnf82T6M2EDuneMLzAgMBAAE=
 -----END CERTIFICATE-----`,
        inputHint: "code",
        rows: 15,
        resize: "vertical",
        showMessage: "Show certificate content",
        hideMessage: "Hide certificate content",
        autocomplete: "off",
    },
 };
--- a/web/src/components/stories/ak-visibility-toggle.stories.ts
+++ b/web/src/components/stories/ak-visibility-toggle.stories.ts
@ -1,121 +0,0 @@
 import type { Meta, StoryObj } from "@storybook/web-components";
 import { html, nothing } from "lit";
 import { ifDefined } from "lit/directives/if-defined.js";
 import "../ak-visibility-toggle";
 import { type VisibilityToggle, type VisibilityToggleProps } from "../ak-visibility-toggle.js";
 const metadata: Meta<VisibilityToggleProps> = {
    title: "Elements/<ak-visibility-toggle>",
    component: "ak-visibility-toggle",
    tags: ["autodocs"],
    parameters: {
        docs: {
            description: {
                component: `
 # Visibility Toggle Component
 A straightforward two-state iconic button for toggling the visibility of sensitive content such as passwords, private keys, or other secret information.
 - Use for sensitive content that users might want to temporarily reveal
 - There are default hide/show messages for screen readers, but they can be overridden
 - Clients always handle the state
 - The \`open\` state is false by default; we assume you want sensitive content hidden at start
 `,
            },
        },
        layout: "padded",
    },
    argTypes: {
        open: {
            control: "boolean",
            description: "Whether the toggle is in the 'show' state (true) or 'hide' state (false)",
        },
        showMessage: {
            control: "text",
            description:
                'Message for screen readers when in hide state (default: "Show field content")',
        },
        hideMessage: {
            control: "text",
            description:
                'Message for screen readers when in show state (default: "Hide field content")',
        },
        disabled: {
            control: "boolean",
            description: "Whether the button should be disabled (for demo purposes)",
        },
    },
 };
 export default metadata;
 type Story = StoryObj<VisibilityToggle>;
 const Template: Story = {
    args: {
        open: false,
        showMessage: "Show field content",
        hideMessage: "Hide field content",
    },
    render: (args) => html`
        <ak-visibility-toggle
            ?open=${args.open}
            show-message=${ifDefined(args.showMessage)}
            hide-message=${ifDefined(args.hideMessage)}
            @click=${(e: Event) => {
                const target = e.target as VisibilityToggle;
                target.open = !target.open;
                // In a real application, you would also toggle the visibility
                // of the associated content here
            }}
        ></ak-visibility-toggle>
    `,
 };
 // Password field integration example
 export const PasswordFieldExample: Story = {
    args: {
        showMessage: "Reveal password",
        hideMessage: "Conceal password",
    },
    render: () => {
        let isVisible = false;
        const toggleVisibility = (e: Event) => {
            isVisible = !isVisible;
            const toggle = e.target as VisibilityToggle;
            const passwordField = document.querySelector("#demo-password") as HTMLInputElement;
            toggle.open = isVisible;
            if (passwordField) {
                passwordField.type = isVisible ? "text" : "password";
            }
        };
        return html`
            <div style="display: flex; flex-direction: column; gap: 1rem; max-width: 300px;">
                <label for="demo-password" style="font-weight: bold;">Password:</label>
                <div style="display: flex; align-items: center; gap: 0.5rem;">
                    <input
                        id="demo-password"
                        type="password"
                        value="supersecretpassword123"
                        style="flex: 1; padding: 0.5rem; border: 1px solid #ccc; border-radius: 4px;"
                        readonly
                    />
                    <ak-visibility-toggle
                        ?open=${isVisible}
                        show-message="Show password"
                        hide-message="Hide password"
                        @click=${toggleVisibility}
                    ></ak-visibility-toggle>
                </div>
                <p style="font-size: 0.875rem; color: #666;">
                    Click the eye icon to toggle password visibility
                </p>
            </div>
        `;
    },
 };
--- a/web/src/elements/Base.ts
+++ b/web/src/elements/Base.ts
@ -16,12 +16,8 @@ import { property } from "lit/decorators.js";
 import { UiThemeEnum } from "@goauthentik/api";
 export interface AKElementProps {
    activeTheme: ResolvedUITheme;
 }
@localized()
-export class AKElement extends LitElement implements AKElementProps {
+export class AKElement extends LitElement {
    //#region Static Properties
    public static styles?: Array<CSSResult | CSSModule>;
--- a/web/src/elements/ak-dual-select/ak-dual-select.ts
+++ b/web/src/elements/ak-dual-select/ak-dual-select.ts
@ -33,7 +33,7 @@ import {
 function localeComparator(a: DualSelectPair, b: DualSelectPair) {
    const aSortBy = a[2] || a[0];
-    const bSortBy = b[2] || b[0];
+    const bSortBy = b[2] || a[0];
    return aSortBy.localeCompare(bSortBy);
 }
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@ -3001,6 +3001,11 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>Server laden</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Mit Plex erneut authentifizieren</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9236,15 +9241,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/en.xlf
+++ b/web/xliff/en.xlf
@ -2414,6 +2414,10 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>Load servers</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Re-authenticate with plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
        <target>Allow friends to authenticate via Plex, even if you don't share any servers</target>
@ -7744,15 +7748,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/es.xlf
+++ b/web/xliff/es.xlf
@ -2982,6 +2982,11 @@ no se aprueba cuando una o ambas de las opciones seleccionadas son iguales o sup
        <source>Load servers</source>
        <target>Servidores de carga</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Vuelva a autenticarse con plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9296,15 +9301,6 @@ Las vinculaciones a grupos o usuarios se comparan con el usuario del evento.</ta
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr.xlf
+++ b/web/xliff/fr.xlf
@ -3010,6 +3010,11 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>Charger les serveurs</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Se ré-authentifier avec Plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9865,15 +9870,6 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/it.xlf
+++ b/web/xliff/it.xlf
@ -3011,6 +3011,11 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>Carico server</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Riautenticarsi con plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9848,15 +9853,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/ko.xlf
+++ b/web/xliff/ko.xlf
@ -2973,6 +2973,11 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>서버 로드</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Plex로 다시 인증하기</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9204,15 +9209,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/nl.xlf
+++ b/web/xliff/nl.xlf
@ -2987,6 +2987,11 @@ slaagt niet wanneer een of beide geselecteerde opties gelijk zijn aan of boven d
        <source>Load servers</source>
        <target>Servers laden</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Opnieuw authenticeren met Plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9108,15 +9113,6 @@ Bindingen naar groepen/gebruikers worden gecontroleerd tegen de gebruiker van de
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pl.xlf
+++ b/web/xliff/pl.xlf
@ -3012,6 +3012,11 @@ nie przechodzi, gdy jedna lub obie wybrane opcje są równe lub wyższe od progu
        <source>Load servers</source>
        <target>Załaduj serwery</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Ponowne uwierzytelnienie za pomocą plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9531,15 +9536,6 @@ Powiązania z grupami/użytkownikami są sprawdzane względem użytkownika zdarz
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/pseudo-LOCALE.xlf
+++ b/web/xliff/pseudo-LOCALE.xlf
@ -2990,6 +2990,11 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
  <target>Ĺōàď śēŕvēŕś</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
  <target>Ŕē-àũţĥēńţĩćàţē ŵĩţĥ ƥĺēx</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9540,13 +9545,4 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 </body></file></xliff>
--- a/web/xliff/ru.xlf
+++ b/web/xliff/ru.xlf
@ -3011,6 +3011,11 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>Загрузить серверы</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Повторная аутентификация с помощью plex</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9623,15 +9628,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/tr.xlf
+++ b/web/xliff/tr.xlf
@ -2990,6 +2990,11 @@ Belirlenen seçeneklerden biri veya her ikisi de eşiğe eşit veya eşiğin üz
        <source>Load servers</source>
        <target>Sunucuları yükle</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>Plex ile yeniden kimlik doğrulama</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9595,15 +9600,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh-CN.xlf
+++ b/web/xliff/zh-CN.xlf
@ -2128,6 +2128,9 @@ doesn't pass when either or both of the selected options are equal or above the
 <trans-unit id="s91f389c796720a81">
  <source>Load servers</source>
 </trans-unit>
 <trans-unit id="s24f405197ede5ebb">
  <source>Re-authenticate with plex</source>
 </trans-unit>
 <trans-unit id="sc297b2e13c28ecf9">
  <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
 </trans-unit>
@ -6359,15 +6362,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
 </body>
 </file>
 </xliff>
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@ -1,4 +1,4 @@
-<?xml version="1.0"?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
+<?xml version="1.0" ?><xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" version="1.2">
  <file target-language="zh-Hans" source-language="en" original="lit-localize-inputs" datatype="plaintext">
    <body>
      <trans-unit id="s4caed5b7a7e5d89b">
@ -596,9 +596,9 @@
      </trans-unit>
      <trans-unit id="saa0e2675da69651b">
-        <source>The URL "<x id="0" equiv-text="${this.url}"/>" was not found.</source>
+        <source>The URL &quot;<x id="0" equiv-text="${this.url}"/>&quot; was not found.</source>
-        <target>未找到 URL "
+        <target>未找到 URL &quot;
-        <x id="0" equiv-text="${this.url}"/>"。</target>
+        <x id="0" equiv-text="${this.url}"/>&quot;。</target>
      </trans-unit>
      <trans-unit id="s58cd9c2fe836d9c6">
@ -1709,8 +1709,8 @@
      </trans-unit>
      <trans-unit id="sa90b7809586c35ce">
-        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon "fa-test".</source>
+        <source>Either input a full URL, a relative path, or use 'fa://fa-test' to use the Font Awesome icon &quot;fa-test&quot;.</source>
-        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 "fa-test"。</target>
+        <target>输入完整 URL、相对路径，或者使用 'fa://fa-test' 来使用 Font Awesome 图标 &quot;fa-test&quot;。</target>
      </trans-unit>
      <trans-unit id="s0410779cb47de312">
@ -3011,6 +3011,11 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>加载服务器</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>使用 Plex 重新验证身份</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -3757,10 +3762,10 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="sa95a538bfbb86111">
-        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> "<x id="1" equiv-text="${this.obj?.name}"/>"?</source>
+        <source>Are you sure you want to update <x id="0" equiv-text="${this.objectLabel}"/> &quot;<x id="1" equiv-text="${this.obj?.name}"/>&quot;?</source>
        <target>您确定要更新
-        <x id="0" equiv-text="${this.objectLabel}"/>"
+        <x id="0" equiv-text="${this.objectLabel}"/>&quot;
-        <x id="1" equiv-text="${this.obj?.name}"/>" 吗？</target>
+        <x id="1" equiv-text="${this.obj?.name}"/>&quot; 吗？</target>
      </trans-unit>
      <trans-unit id="sc92d7cfb6ee1fec6">
@ -4826,7 +4831,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="sdf1d8edef27236f0">
-        <source>A "roaming" authenticator, like a YubiKey</source>
+        <source>A &quot;roaming&quot; authenticator, like a YubiKey</source>
        <target>像 YubiKey 这样的“漫游”身份验证器</target>
      </trans-unit>
@ -5185,7 +5190,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s1608b2f94fa0dbd4">
-        <source>If set to a duration above 0, the user will have the option to choose to "stay signed in", which will extend their session by the time specified here.</source>
+        <source>If set to a duration above 0, the user will have the option to choose to &quot;stay signed in&quot;, which will extend their session by the time specified here.</source>
        <target>如果设置时长大于 0，用户可以选择“保持登录”选项，这将使用户的会话延长此处设置的时间。</target>
      </trans-unit>
@ -7461,7 +7466,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>成功创建用户并添加到组 <x id="0" equiv-text="${this.group.name}"/></target>
 </trans-unit>
 <trans-unit id="s824e0943a7104668">
-  <source>This user will be added to the group "<x id="0" equiv-text="${this.targetGroup.name}"/>".</source>
+  <source>This user will be added to the group &quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&quot;.</source>
  <target>此用户将会被添加到组 &amp;quot;<x id="0" equiv-text="${this.targetGroup.name}"/>&amp;quot;。</target>
 </trans-unit>
 <trans-unit id="s62e7f6ed7d9cb3ca">
@ -8743,7 +8748,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>同步组</target>
 </trans-unit>
 <trans-unit id="s2d5f69929bb7221d">
-  <source><x id="0" equiv-text="${p.name}"/> ("<x id="1" equiv-text="${p.fieldKey}"/>", of type <x id="2" equiv-text="${p.type}"/>)</source>
+  <source><x id="0" equiv-text="${p.name}"/> (&quot;<x id="1" equiv-text="${p.fieldKey}"/>&quot;, of type <x id="2" equiv-text="${p.type}"/>)</source>
  <target><x id="0" equiv-text="${p.name}"/>（&amp;quot;<x id="1" equiv-text="${p.fieldKey}"/>&amp;quot;，类型为 <x id="2" equiv-text="${p.type}"/>）</target>
 </trans-unit>
 <trans-unit id="s25bacc19d98b444e">
@ -8991,8 +8996,8 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>授权流程成功后有效的重定向 URI。还可以在此处为隐式流程指定任何来源。</target>
 </trans-unit>
 <trans-unit id="s4c49d27de60a532b">
-  <source>To allow any redirect URI, set the mode to Regex and the value to ".*". Be aware of the possible security implications this can have.</source>
+  <source>To allow any redirect URI, set the mode to Regex and the value to &quot;.*&quot;. Be aware of the possible security implications this can have.</source>
-  <target>要允许任何重定向 URI，请设置模式为正则表达式，并将此值设置为 ".*"。请注意这可能带来的安全影响。</target>
+  <target>要允许任何重定向 URI，请设置模式为正则表达式，并将此值设置为 &quot;.*&quot;。请注意这可能带来的安全影响。</target>
 </trans-unit>
 <trans-unit id="sa52bf79fe1ccb13e">
  <source>Federated OIDC Sources</source>
@ -9745,7 +9750,7 @@ Bindings to groups/users are checked against the user of the event.</source>
  <target>在 authorization_code 令牌请求流程期间，如何执行身份验证</target>
 </trans-unit>
 <trans-unit id="s844baf19a6c4a9b4">
-  <source>Enable "Remember me on this device"</source>
+  <source>Enable &quot;Remember me on this device&quot;</source>
  <target>启用“在此设备上记住我”</target>
 </trans-unit>
 <trans-unit id="sfa72bca733f40692">
@ -9875,16 +9880,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
  <target>生成新的证书密钥对</target>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
-</xliff>
+</xliff>
--- a/web/xliff/zh-Hant.xlf
+++ b/web/xliff/zh-Hant.xlf
@ -2290,6 +2290,10 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>加载服务器</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>使用 plex 重新进行身份验证</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
        <target>允许好友通过Plex进行身份验证，即使您不共享任何服务器</target>
@ -7444,15 +7448,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_CN.xlf
+++ b/web/xliff/zh_CN.xlf
@ -661,6 +661,12 @@
        <source>Apps with most usage</source>
        <target>使用率最高的应用</target>
      </trans-unit>
      <trans-unit id="sda5e1499f93146ad">
        <source><x id="0" equiv-text="${ago}"/> days ago</source>
        <target>
        <x id="0" equiv-text="${ago}"/>天前</target>
      </trans-unit>
      <trans-unit id="s51ea3a244c781b1f">
        <source>Objects created</source>
@ -6112,11 +6118,21 @@ Bindings to groups/users are checked against the user of the event.</source>
        <source>Download Private key</source>
        <target>下载私钥</target>
      </trans-unit>
      <trans-unit id="s3a5fec3d73ac9edc">
        <source>Create Certificate-Key Pair</source>
        <target>创建证书密钥对</target>
      </trans-unit>
      <trans-unit id="s45cb501abd43ba52">
        <source>Generate</source>
        <target>生成</target>
      </trans-unit>
      <trans-unit id="sf9bddaf910f4eea5">
        <source>Generate Certificate-Key Pair</source>
        <target>生成证书密钥对</target>
      </trans-unit>
      <trans-unit id="see2bcbc11bb91960">
        <source>Successfully updated instance.</source>
@ -7517,6 +7533,10 @@ Bindings to groups/users are checked against the user of the event.</source>
  <source>Configure SCIM Provider</source>
  <target>配置 SCIM 提供程序</target>
 </trans-unit>
 <trans-unit id="s7513372fe60f6387">
  <source>Event volume</source>
  <target>事件容量</target>
 </trans-unit>
 <trans-unit id="s3271da6c18c25b18">
  <source>Connection settings.</source>
  <target>连接设置。</target>
@ -9868,18 +9888,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s04bb32ec9f359507">
  <source>Additional Group DN</source>
  <target>额外的组 DN</target>
 </trans-unit>
 <trans-unit id="sb7af25ce6e30d61a">
  <source>The currently selected policy engine mode is <x id="0" equiv-text="${policyEngineMode.label}"/>:</source>
  <target>当前所选策略引擎模式为 <x id="0" equiv-text="${policyEngineMode.label}"/>：</target>
 </trans-unit>
 <trans-unit id="se1d2545eda4b1600">
  <source>Import Existing Certificate-Key Pair</source>
  <target>导入已有的证书密钥对</target>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
  <target>生成新的证书密钥对</target>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_TW.xlf
+++ b/web/xliff/zh_TW.xlf
@ -2972,6 +2972,11 @@ doesn't pass when either or both of the selected options are equal or above the
        <source>Load servers</source>
        <target>載入伺服器</target>
      </trans-unit>
      <trans-unit id="s24f405197ede5ebb">
        <source>Re-authenticate with plex</source>
        <target>使用 plex 重新身分認證</target>
      </trans-unit>
      <trans-unit id="sc297b2e13c28ecf9">
        <source>Allow friends to authenticate via Plex, even if you don't share any servers</source>
@ -9183,15 +9188,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sb3d5c0a0501669df">
  <source>Generate New Certificate-Key Pair</source>
 </trans-unit>
 <trans-unit id="sf9686d31d28fcf7d">
  <source>Show field content</source>
 </trans-unit>
 <trans-unit id="sb1b05a7573ab618c">
  <source>Hide field content</source>
 </trans-unit>
 <trans-unit id="s4f820625804ed29b">
  <source>Re-authenticate with Plex</source>
 </trans-unit>
    </body>
  </file>
--- a/website/docs/add-secure-apps/providers/proxy/_nginx_standalone.md
+++ b/website/docs/add-secure-apps/providers/proxy/_nginx_standalone.md
@ -1,10 +1,15 @@
-```nginx
+Create a `http_top.conf` file in your nginx `conf.d` directory (`/nginx/conf.d/`) with the following content:
 # Upgrade WebSocket if requested, otherwise use keepalive
 map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    ''      '';
 }
 ```nginx
 map $http_upgrade $connection_upgrade {
 		default upgrade;
 		  ''      close;
 }
 ```
 Use the following nginx template:
 ```nginx
 server {
    # SSL and VHost configuration
    listen                  443 ssl http2;
@ -20,13 +25,13 @@ server {
    proxy_buffer_size 32k;
    location / {
-        # Put your proxy_pass to your application here, and all the other statements you'll need
+        # Put your proxy_pass to your application here, and all the other statements you'll need.
        # proxy_pass http://localhost:5000;
        # proxy_set_header Host $host;
        # proxy_set_header ...
        # Support for websocket
        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $connection_upgrade_keepalive;
+        proxy_set_header Connection $connection_upgrade;
        ##############################
        # authentik-specific config
--- a/website/docs/install-config/configuration/configuration.mdx
+++ b/website/docs/install-config/configuration/configuration.mdx
@ -72,7 +72,7 @@ To check if your config has been applied correctly, you can run the following co
 - `AUTHENTIK_POSTGRESQL__PASSWORD`: Database password, defaults to the environment variable `POSTGRES_PASSWORD`
  {/* TODO: Temporarily deactivated feature, see https://github.com/goauthentik/authentik/issues/14320 */}
  {/* - `AUTHENTIK_POSTGRESQL__USE_POOL`: Use a [connection pool](https://docs.djangoproject.com/en/stable/ref/databases/#connection-pool) for PostgreSQL connections. Defaults to `false`. :ak-version[2025.4] */}
-  {/* - `AUTHENTIK_POSTGRESQL__POOL_OPTIONS`: Extra configuration to pass to the [ConnectionPool object](https://www.psycopg.org/psycopg3/docs/api/pool.html#psycopg_pool.ConnectionPool) when it is created. Must be a base64-encoded JSON dictionary. Ignored when `USE_POOL` is set to `false`. :ak-version[2025.4] */}
+- `AUTHENTIK_POSTGRESQL__POOL_OPTIONS`: Extra configuration to pass to the [ConnectionPool object](https://www.psycopg.org/psycopg3/docs/api/pool.html#psycopg_pool.ConnectionPool) when it is created. Must be a base64-encoded JSON dictionary. Ignored when `USE_POOL` is set to `false`. :ak-version[2025.4]
 - `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjust configuration to support connection to PgBouncer. Deprecated, see below
 - `AUTHENTIK_POSTGRESQL__USE_PGPOOL`: Adjust configuration to support connection to Pgpool. Deprecated, see below
 - `AUTHENTIK_POSTGRESQL__SSLMODE`: Strictness of ssl verification. Defaults to `"verify-ca"`
--- a/website/package-lock.json
+++ b/website/package-lock.json
@ -19,11 +19,11 @@
                "@goauthentik/docusaurus-config": "^1.1.0",
                "@goauthentik/tsconfig": "^1.0.4",
                "@mdx-js/react": "^3.1.0",
-                "@swc/html-linux-x64-gnu": "1.12.1",
+                "@swc/html-linux-x64-gnu": "1.12.0",
                "clsx": "^2.1.1",
                "docusaurus-plugin-openapi-docs": "^4.4.0",
                "docusaurus-theme-openapi-docs": "^4.4.0",
-                "postcss": "^8.5.5",
+                "postcss": "^8.5.4",
                "prism-react-renderer": "^2.4.1",
                "react": "^18.3.1",
                "react-before-after-slider-component": "^1.1.8",
@ -42,7 +42,7 @@
                "@goauthentik/tsconfig": "^1.0.4",
                "@trivago/prettier-plugin-sort-imports": "^5.2.2",
                "@types/lodash": "^4.17.17",
-                "@types/node": "^24.0.1",
+                "@types/node": "^24.0.0",
                "@types/postman-collection": "^3.5.11",
                "@types/react": "^18.3.22",
                "@types/semver": "^7.7.0",
@ -64,12 +64,12 @@
                "@rspack/binding-darwin-arm64": "1.3.15",
                "@rspack/binding-linux-arm64-gnu": "1.3.15",
                "@rspack/binding-linux-x64-gnu": "1.3.15",
-                "@swc/core-darwin-arm64": "1.12.1",
+                "@swc/core-darwin-arm64": "1.12.0",
-                "@swc/core-linux-arm64-gnu": "1.12.1",
+                "@swc/core-linux-arm64-gnu": "1.12.0",
-                "@swc/core-linux-x64-gnu": "1.12.1",
+                "@swc/core-linux-x64-gnu": "1.12.0",
-                "@swc/html-darwin-arm64": "1.12.1",
+                "@swc/html-darwin-arm64": "1.12.0",
-                "@swc/html-linux-arm64-gnu": "1.12.1",
+                "@swc/html-linux-arm64-gnu": "1.12.0",
-                "@swc/html-linux-x64-gnu": "1.12.1",
+                "@swc/html-linux-x64-gnu": "1.12.0",
                "lightningcss-darwin-arm64": "1.30.1",
                "lightningcss-linux-arm64-gnu": "1.30.1",
                "lightningcss-linux-x64-gnu": "1.30.1"
@ -5592,9 +5592,9 @@
            }
        },
        "node_modules/@swc/core-darwin-arm64": {
-            "version": "1.12.1",
+            "version": "1.12.0",
-            "resolved": "https://registry.npmjs.org/@swc/core-darwin-arm64/-/core-darwin-arm64-1.12.1.tgz",
+            "resolved": "https://registry.npmjs.org/@swc/core-darwin-arm64/-/core-darwin-arm64-1.12.0.tgz",
-            "integrity": "sha512-nUjWVcJ3YS2N40ZbKwYO2RJ4+o2tWYRzNOcIQp05FqW0+aoUCVMdAUUzQinPDynfgwVshDAXCKemY8X7nN5MaA==",
+            "integrity": "sha512-usLr8kC80GDv3pwH2zoEaS279kxtWY0MY3blbMFw7zA8fAjqxa8IDxm3WcgyNLNWckWn4asFfguEwz/Weem3nA==",
            "cpu": [
                "arm64"
            ],
@ -5640,9 +5640,9 @@
            }
        },
        "node_modules/@swc/core-linux-arm64-gnu": {
-            "version": "1.12.1",
+            "version": "1.12.0",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-gnu/-/core-linux-arm64-gnu-1.12.1.tgz",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-arm64-gnu/-/core-linux-arm64-gnu-1.12.0.tgz",
-            "integrity": "sha512-BxJDIJPq1+aCh9UsaSAN6wo3tuln8UhNXruOrzTI8/ElIig/3sAueDM6Eq7GvZSGGSA7ljhNATMJ0elD7lFatQ==",
+            "integrity": "sha512-Al0x33gUVxNY5tutEYpSyv7mze6qQS1ONa0HEwoRxcK9WXsX0NHLTiOSGZoCUS1SsXM37ONlbA6/Bsp1MQyP+g==",
            "cpu": [
                "arm64"
            ],
@ -5672,9 +5672,9 @@
            }
        },
        "node_modules/@swc/core-linux-x64-gnu": {
-            "version": "1.12.1",
+            "version": "1.12.0",
-            "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-gnu/-/core-linux-x64-gnu-1.12.1.tgz",
+            "resolved": "https://registry.npmjs.org/@swc/core-linux-x64-gnu/-/core-linux-x64-gnu-1.12.0.tgz",
-            "integrity": "sha512-CrYnV8SZIgArQ9LKH0xEF95PKXzX9WkRSc5j55arOSBeDCeDUQk1Bg/iKdnDiuj5HC1hZpvzwMzSBJjv+Z70jA==",
+            "integrity": "sha512-ltIvqNi7H0c5pRawyqjeYSKEIfZP4vv/datT3mwT6BW7muJtd1+KIDCPFLMIQ4wm/h76YQwPocsin3fzmnFdNA==",
            "cpu": [
                "x64"
            ],
@ -5830,9 +5830,9 @@
            }
        },
        "node_modules/@swc/html-darwin-arm64": {
-            "version": "1.12.1",
+            "version": "1.12.0",
-            "resolved": "https://registry.npmjs.org/@swc/html-darwin-arm64/-/html-darwin-arm64-1.12.1.tgz",
+            "resolved": "https://registry.npmjs.org/@swc/html-darwin-arm64/-/html-darwin-arm64-1.12.0.tgz",
-            "integrity": "sha512-vbCqYgBBdoxlsnUe/G6irBJ69LUOrlLVXgdxWxDSZ3YcbnpVmwi5YEeaRvqf4vNzZ/nzBMd4DYl6KK2Qsi0prw==",
+            "integrity": "sha512-okpx8G7xGSPiSekxS4FQu3aR8k+q8nZJCfVKzanQxdZUaCm7YDVUci2Unqp9TvpgZJRA0GOWs1U3QMu2vdr0sQ==",
            "cpu": [
                "arm64"
            ],
@ -5878,9 +5878,9 @@
            }
        },
        "node_modules/@swc/html-linux-arm64-gnu": {
-            "version": "1.12.1",
+            "version": "1.12.0",
-            "resolved": "https://registry.npmjs.org/@swc/html-linux-arm64-gnu/-/html-linux-arm64-gnu-1.12.1.tgz",
+            "resolved": "https://registry.npmjs.org/@swc/html-linux-arm64-gnu/-/html-linux-arm64-gnu-1.12.0.tgz",
-            "integrity": "sha512-KbqPLtsPVt0/kjp7sUT1APfEtNQUqMam3S0RzJkvuMz9jB2F9DREvj5EG+DPnx2s/kxnDm4sh9vM2sG2xNHErQ==",
+            "integrity": "sha512-ImZLbghifCPqQhwbEprv2zojieD0j/RGJ+tkNpJ6DyGqcf5qVFfPgGDe/WDPEHCMbJlAodvp1iKTdLSAdTfaLg==",
            "cpu": [
                "arm64"
            ],
@ -5910,9 +5910,9 @@
            }
        },
        "node_modules/@swc/html-linux-x64-gnu": {
-            "version": "1.12.1",
+            "version": "1.12.0",
-            "resolved": "https://registry.npmjs.org/@swc/html-linux-x64-gnu/-/html-linux-x64-gnu-1.12.1.tgz",
+            "resolved": "https://registry.npmjs.org/@swc/html-linux-x64-gnu/-/html-linux-x64-gnu-1.12.0.tgz",
-            "integrity": "sha512-9QNCTgCZtyQVifLXqDTW7v4lgaC11v0/iL9OhsSZ19ycJrBmnxBmZtDIbuQrXAIzE1GD8mMOK/GLey2IeceoDQ==",
+            "integrity": "sha512-IVFXgsyn0/8e9nfVrQXAdGDFboom0nls7KSOJ/+oXMmdK917wrnYLDt7M4DyRT2c+xJmMxgR6tyaTW8KLAl02w==",
            "cpu": [
                "x64"
            ],
@ -6615,9 +6615,9 @@
            "license": "MIT"
        },
        "node_modules/@types/node": {
-            "version": "24.0.1",
+            "version": "24.0.0",
-            "resolved": "https://registry.npmjs.org/@types/node/-/node-24.0.1.tgz",
+            "resolved": "https://registry.npmjs.org/@types/node/-/node-24.0.0.tgz",
-            "integrity": "sha512-MX4Zioh39chHlDJbKmEgydJDS3tspMP/lnQC67G3SWsTnb9NeYVWOjkxpOSy4oMfPs4StcWHwBrvUb4ybfnuaw==",
+            "integrity": "sha512-yZQa2zm87aRVcqDyH5+4Hv9KYgSdgwX1rFnGvpbzMaC7YAljmhBET93TPiTd3ObwTL+gSpIzPKg5BqVxdCvxKg==",
            "license": "MIT",
            "dependencies": {
                "undici-types": "~7.8.0"
@ -20672,9 +20672,9 @@
            }
        },
        "node_modules/postcss": {
-            "version": "8.5.5",
+            "version": "8.5.4",
-            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.5.tgz",
+            "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.4.tgz",
-            "integrity": "sha512-d/jtm+rdNT8tpXuHY5MMtcbJFBkhXE6593XVR9UoGCH8jSFGci7jGvMGH5RYd5PBJW+00NZQt6gf7CbagJCrhg==",
+            "integrity": "sha512-QSa9EBe+uwlGTFmHsPKokv3B/oEMQZxfqW0QqNCyhpa6mB1afzulwn8hihglqAb2pOw+BJgNlmXQ8la2VeHB7w==",
            "funding": [
                {
                    "type": "opencollective",
--- a/website/package.json
+++ b/website/package.json
@ -37,7 +37,7 @@
        "clsx": "^2.1.1",
        "docusaurus-plugin-openapi-docs": "^4.4.0",
        "docusaurus-theme-openapi-docs": "^4.4.0",
-        "postcss": "^8.5.5",
+        "postcss": "^8.5.4",
        "prism-react-renderer": "^2.4.1",
        "react": "^18.3.1",
        "react-before-after-slider-component": "^1.1.8",
@ -56,7 +56,7 @@
        "@goauthentik/tsconfig": "^1.0.4",
        "@trivago/prettier-plugin-sort-imports": "^5.2.2",
        "@types/lodash": "^4.17.17",
-        "@types/node": "^24.0.1",
+        "@types/node": "^24.0.0",
        "@types/postman-collection": "^3.5.11",
        "@types/react": "^18.3.22",
        "@types/semver": "^7.7.0",
@ -75,12 +75,12 @@
        "@rspack/binding-darwin-arm64": "1.3.15",
        "@rspack/binding-linux-arm64-gnu": "1.3.15",
        "@rspack/binding-linux-x64-gnu": "1.3.15",
-        "@swc/core-darwin-arm64": "1.12.1",
+        "@swc/core-darwin-arm64": "1.12.0",
-        "@swc/core-linux-arm64-gnu": "1.12.1",
+        "@swc/core-linux-arm64-gnu": "1.12.0",
-        "@swc/core-linux-x64-gnu": "1.12.1",
+        "@swc/core-linux-x64-gnu": "1.12.0",
-        "@swc/html-darwin-arm64": "1.12.1",
+        "@swc/html-darwin-arm64": "1.12.0",
-        "@swc/html-linux-arm64-gnu": "1.12.1",
+        "@swc/html-linux-arm64-gnu": "1.12.0",
-        "@swc/html-linux-x64-gnu": "1.12.1",
+        "@swc/html-linux-x64-gnu": "1.12.0",
        "lightningcss-darwin-arm64": "1.30.1",
        "lightningcss-linux-arm64-gnu": "1.30.1",
        "lightningcss-linux-x64-gnu": "1.30.1"
Author	SHA1	Message	Date
Dewi Roberts	c90456e53d	Altered directory	2025-06-12 18:26:04 +03:00
Dewi Roberts	95c5d3aa80	Merge remote-tracking branch 'origin/main' into website/docs--update-nginx-config	2025-06-12 17:58:42 +03:00
Dewi Roberts	3a23469dcc	Language change	2025-06-12 17:58:29 +03:00
Dewi Roberts	ab3bc89b22	Updates nginx config based on comment from user	2025-06-12 14:24:03 +03:00