argh

tweak
final tweaks
2025-04-30 17:53:59 -05:00 · 2025-04-30 17:43:06 -05:00 · 2025-04-30 17:23:48 -05:00 · 2025-04-30 17:17:34 -05:00 · 2025-04-30 17:16:48 -05:00 · 2025-04-30 17:16:48 -05:00
122 changed files with 12939 additions and 6821 deletions
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2025.2.4
+current_version = 2025.4.0
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?:-(?P<rc_t>[a-zA-Z-]+)(?P<rc_n>[1-9]\\d*))?
--- a/.github/workflows/ci-main.yml
+++ b/.github/workflows/ci-main.yml
@ -70,22 +70,18 @@ jobs:
      - name: checkout stable
        run: |
          # Copy current, latest config to local
-          # Temporarly comment the .github backup while migrating to uv
          cp authentik/lib/default.yml local.env.yml
-          # cp -R .github ..
+          cp -R .github ..
          cp -R scripts ..
          git checkout $(git tag --sort=version:refname | grep '^version/' | grep -vE -- '-rc[0-9]+$' | tail -n1)
-          # rm -rf .github/ scripts/
-          # mv ../.github ../scripts .
-          rm -rf scripts/
-          mv ../scripts .
+          rm -rf .github/ scripts/
+          mv ../.github ../scripts .
      - name: Setup authentik env (stable)
        uses: ./.github/actions/setup
        with:
          postgresql_version: ${{ matrix.psql }}
-        continue-on-error: true
      - name: run migrations to stable
-        run: poetry run python -m lifecycle.migrate
+        run: uv run python -m lifecycle.migrate
      - name: checkout current code
        run: |
          set -x
--- a/.github/workflows/packages-npm-publish.yml
+++ b/.github/workflows/packages-npm-publish.yml
@ -3,10 +3,10 @@ on:
  push:
    branches: [main]
    paths:
-      - packages/docusaurus-config
-      - packages/eslint-config
-      - packages/prettier-config
-      - packages/tsconfig
+      - packages/docusaurus-config/**
+      - packages/eslint-config/**
+      - packages/prettier-config/**
+      - packages/tsconfig/**
  workflow_dispatch:
 jobs:
  publish:
--- a/2
+++ b/2
@ -94,7 +94,7 @@ RUN --mount=type=secret,id=GEOIPUPDATE_ACCOUNT_ID \
    /bin/sh -c "/usr/bin/entry.sh || echo 'Failed to get GeoIP database, disabling'; exit 0"

 # Stage 5: Download uv
-FROM ghcr.io/astral-sh/uv:0.6.16 AS uv
+FROM ghcr.io/astral-sh/uv:0.7.0 AS uv
 # Stage 6: Base python image
 FROM ghcr.io/goauthentik/fips-python:3.12.10-slim-bookworm-fips AS python-base

--- a/SECURITY.md
+++ b/SECURITY.md
@ -20,8 +20,8 @@ Even if the issue is not a CVE, we still greatly appreciate your help in hardeni

 | Version   | Supported |
 | --------- | --------- |
-| 2024.12.x | ✅        |
 | 2025.2.x  | ✅        |
+| 2025.4.x  | ✅        |

 ## Reporting a Vulnerability

--- a/authentik/init.py
+++ b/authentik/init.py
@ -2,7 +2,7 @@

 from os import environ

-__version__ = "2025.2.4"
+__version__ = "2025.4.0"
 ENV_GIT_HASH_KEY = "GIT_BUILD_HASH"


--- a/authentik/brands/migrations/0008_brand_branding_custom_css.py
+++ b/authentik/brands/migrations/0008_brand_branding_custom_css.py
@ -16,7 +16,7 @@ def migrate_custom_css(apps: Apps, schema_editor: BaseDatabaseSchemaEditor):
    if not path.exists():
        return
    css = path.read_text()
-    Brand.objects.using(db_alias).update(branding_custom_css=css)
+    Brand.objects.using(db_alias).all().update(branding_custom_css=css)


 class Migration(migrations.Migration):
--- a/authentik/outposts/models.py
+++ b/authentik/outposts/models.py
@ -74,6 +74,8 @@ class OutpostConfig:
    kubernetes_ingress_annotations: dict[str, str] = field(default_factory=dict)
    kubernetes_ingress_secret_name: str = field(default="authentik-outpost-tls")
    kubernetes_ingress_class_name: str | None = field(default=None)
+    kubernetes_httproute_annotations: dict[str, str] = field(default_factory=dict)
+    kubernetes_httproute_parent_refs: list[dict[str, str]] = field(default_factory=list)
    kubernetes_service_type: str = field(default="ClusterIP")
    kubernetes_disabled_components: list[str] = field(default_factory=list)
    kubernetes_image_pull_secrets: list[str] = field(default_factory=list)
--- a/authentik/providers/proxy/controllers/k8s/httproute.py
+++ b/authentik/providers/proxy/controllers/k8s/httproute.py
@ -0,0 +1,234 @@
+from dataclasses import asdict, dataclass, field
+from typing import TYPE_CHECKING
+from urllib.parse import urlparse
+
+from dacite.core import from_dict
+from kubernetes.client import ApiextensionsV1Api, CustomObjectsApi, V1ObjectMeta
+
+from authentik.outposts.controllers.base import FIELD_MANAGER
+from authentik.outposts.controllers.k8s.base import KubernetesObjectReconciler
+from authentik.outposts.controllers.k8s.triggers import NeedsUpdate
+from authentik.outposts.controllers.kubernetes import KubernetesController
+from authentik.providers.proxy.models import ProxyMode, ProxyProvider
+
+if TYPE_CHECKING:
+    from authentik.outposts.controllers.kubernetes import KubernetesController
+
+
+@dataclass(slots=True)
+class RouteBackendRef:
+    name: str
+    port: int
+
+
+@dataclass(slots=True)
+class RouteSpecParentRefs:
+    name: str
+    sectionName: str | None = None
+    port: int | None = None
+    namespace: str | None = None
+    kind: str = "Gateway"
+    group: str = "gateway.networking.k8s.io"
+
+
+@dataclass(slots=True)
+class HTTPRouteSpecRuleMatchPath:
+    type: str
+    value: str
+
+
+@dataclass(slots=True)
+class HTTPRouteSpecRuleMatchHeader:
+    name: str
+    value: str
+    type: str = "Exact"
+
+
+@dataclass(slots=True)
+class HTTPRouteSpecRuleMatch:
+    path: HTTPRouteSpecRuleMatchPath
+    headers: list[HTTPRouteSpecRuleMatchHeader]
+
+
+@dataclass(slots=True)
+class HTTPRouteSpecRule:
+    backendRefs: list[RouteBackendRef]
+    matches: list[HTTPRouteSpecRuleMatch]
+
+
+@dataclass(slots=True)
+class HTTPRouteSpec:
+    parentRefs: list[RouteSpecParentRefs]
+    hostnames: list[str]
+    rules: list[HTTPRouteSpecRule]
+
+
+@dataclass(slots=True)
+class HTTPRouteMetadata:
+    name: str
+    namespace: str
+    annotations: dict = field(default_factory=dict)
+    labels: dict = field(default_factory=dict)
+
+
+@dataclass(slots=True)
+class HTTPRoute:
+    apiVersion: str
+    kind: str
+    metadata: HTTPRouteMetadata
+    spec: HTTPRouteSpec
+
+
+class HTTPRouteReconciler(KubernetesObjectReconciler):
+    """Kubernetes Gateway API HTTPRoute Reconciler"""
+
+    def __init__(self, controller: "KubernetesController") -> None:
+        super().__init__(controller)
+        self.api_ex = ApiextensionsV1Api(controller.client)
+        self.api = CustomObjectsApi(controller.client)
+        self.crd_group = "gateway.networking.k8s.io"
+        self.crd_version = "v1"
+        self.crd_plural = "httproutes"
+
+    @staticmethod
+    def reconciler_name() -> str:
+        return "httproute"
+
+    @property
+    def noop(self) -> bool:
+        if not self.crd_exists():
+            self.logger.debug("CRD doesn't exist")
+            return True
+        if not self.controller.outpost.config.kubernetes_httproute_parent_refs:
+            self.logger.debug("HTTPRoute parentRefs not set.")
+            return True
+        return False
+
+    def crd_exists(self) -> bool:
+        """Check if the Gateway API resources exists"""
+        return bool(
+            len(
+                self.api_ex.list_custom_resource_definition(
+                    field_selector=f"metadata.name={self.crd_plural}.{self.crd_group}"
+                ).items
+            )
+        )
+
+    def reconcile(self, current: HTTPRoute, reference: HTTPRoute):
+        super().reconcile(current, reference)
+        if current.metadata.annotations != reference.metadata.annotations:
+            raise NeedsUpdate()
+        if current.spec.parentRefs != reference.spec.parentRefs:
+            raise NeedsUpdate()
+        if current.spec.hostnames != reference.spec.hostnames:
+            raise NeedsUpdate()
+        if current.spec.rules != reference.spec.rules:
+            raise NeedsUpdate()
+
+    def get_object_meta(self, **kwargs) -> V1ObjectMeta:
+        return super().get_object_meta(
+            **kwargs,
+        )
+
+    def get_reference_object(self) -> HTTPRoute:
+        hostnames = []
+        rules = []
+
+        for proxy_provider in ProxyProvider.objects.filter(outpost__in=[self.controller.outpost]):
+            proxy_provider: ProxyProvider
+            external_host_name = urlparse(proxy_provider.external_host)
+            if proxy_provider.mode in [ProxyMode.FORWARD_SINGLE, ProxyMode.FORWARD_DOMAIN]:
+                rule = HTTPRouteSpecRule(
+                    backendRefs=[RouteBackendRef(name=self.name, port=9000)],
+                    matches=[
+                        HTTPRouteSpecRuleMatch(
+                            headers=[
+                                HTTPRouteSpecRuleMatchHeader(
+                                    name="Host",
+                                    value=external_host_name.hostname,
+                                )
+                            ],
+                            path=HTTPRouteSpecRuleMatchPath(
+                                type="PathPrefix", value="/outpost.goauthentik.io"
+                            ),
+                        )
+                    ],
+                )
+            else:
+                rule = HTTPRouteSpecRule(
+                    backendRefs=[RouteBackendRef(name=self.name, port=9000)],
+                    matches=[
+                        HTTPRouteSpecRuleMatch(
+                            headers=[
+                                HTTPRouteSpecRuleMatchHeader(
+                                    name="Host",
+                                    value=external_host_name.hostname,
+                                )
+                            ],
+                            path=HTTPRouteSpecRuleMatchPath(type="PathPrefix", value="/"),
+                        )
+                    ],
+                )
+            hostnames.append(external_host_name.hostname)
+            rules.append(rule)
+
+        return HTTPRoute(
+            apiVersion=f"{self.crd_group}/{self.crd_version}",
+            kind="HTTPRoute",
+            metadata=HTTPRouteMetadata(
+                name=self.name,
+                namespace=self.namespace,
+                annotations=self.controller.outpost.config.kubernetes_httproute_annotations,
+                labels=self.get_object_meta().labels,
+            ),
+            spec=HTTPRouteSpec(
+                parentRefs=[
+                    from_dict(RouteSpecParentRefs, spec)
+                    for spec in self.controller.outpost.config.kubernetes_httproute_parent_refs
+                ],
+                hostnames=hostnames,
+                rules=rules,
+            ),
+        )
+
+    def create(self, reference: HTTPRoute):
+        return self.api.create_namespaced_custom_object(
+            group=self.crd_group,
+            version=self.crd_version,
+            plural=self.crd_plural,
+            namespace=self.namespace,
+            body=asdict(reference),
+            field_manager=FIELD_MANAGER,
+        )
+
+    def delete(self, reference: HTTPRoute):
+        return self.api.delete_namespaced_custom_object(
+            group=self.crd_group,
+            version=self.crd_version,
+            plural=self.crd_plural,
+            namespace=self.namespace,
+            name=self.name,
+        )
+
+    def retrieve(self) -> HTTPRoute:
+        return from_dict(
+            HTTPRoute,
+            self.api.get_namespaced_custom_object(
+                group=self.crd_group,
+                version=self.crd_version,
+                plural=self.crd_plural,
+                namespace=self.namespace,
+                name=self.name,
+            ),
+        )
+
+    def update(self, current: HTTPRoute, reference: HTTPRoute):
+        return self.api.patch_namespaced_custom_object(
+            group=self.crd_group,
+            version=self.crd_version,
+            plural=self.crd_plural,
+            namespace=self.namespace,
+            name=self.name,
+            body=asdict(reference),
+            field_manager=FIELD_MANAGER,
+        )
--- a/authentik/providers/proxy/controllers/kubernetes.py
+++ b/authentik/providers/proxy/controllers/kubernetes.py
@ -3,6 +3,7 @@
 from authentik.outposts.controllers.base import DeploymentPort
 from authentik.outposts.controllers.kubernetes import KubernetesController
 from authentik.outposts.models import KubernetesServiceConnection, Outpost
+from authentik.providers.proxy.controllers.k8s.httproute import HTTPRouteReconciler
 from authentik.providers.proxy.controllers.k8s.ingress import IngressReconciler
 from authentik.providers.proxy.controllers.k8s.traefik import TraefikMiddlewareReconciler

@ -18,8 +19,10 @@ class ProxyKubernetesController(KubernetesController):
            DeploymentPort(9443, "https", "tcp"),
        ]
        self.reconcilers[IngressReconciler.reconciler_name()] = IngressReconciler
+        self.reconcilers[HTTPRouteReconciler.reconciler_name()] = HTTPRouteReconciler
        self.reconcilers[TraefikMiddlewareReconciler.reconciler_name()] = (
            TraefikMiddlewareReconciler
        )
        self.reconcile_order.append(IngressReconciler.reconciler_name())
+        self.reconcile_order.append(HTTPRouteReconciler.reconciler_name())
        self.reconcile_order.append(TraefikMiddlewareReconciler.reconciler_name())
--- a/authentik/rbac/api/rbac.py
+++ b/authentik/rbac/api/rbac.py
@ -99,6 +99,7 @@ class RBACPermissionViewSet(ReadOnlyModelViewSet):
    filterset_class = PermissionFilter
    permission_classes = [IsAuthenticated]
    search_fields = [
+        "name",
        "codename",
        "content_type__model",
        "content_type__app_label",
--- a/authentik/stages/authenticator_webauthn/mds/blob.jwt
+++ b/authentik/stages/authenticator_webauthn/mds/blob.jwt
--- a/blueprints/schema.json
+++ b/blueprints/schema.json
@ -2,7 +2,7 @@
    "$schema": "http://json-schema.org/draft-07/schema",
    "$id": "https://goauthentik.io/blueprints/schema.json",
    "type": "object",
-    "title": "authentik 2025.2.4 Blueprint schema",
+    "title": "authentik 2025.4.0 Blueprint schema",
    "required": [
        "version",
        "entries"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -31,7 +31,7 @@ services:
    volumes:
      - redis:/data
  server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
    restart: unless-stopped
    command: server
    environment:
@ -55,7 +55,7 @@ services:
      redis:
        condition: service_healthy
  worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.2.4}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.4.0}
    restart: unless-stopped
    command: worker
    environment:
--- a/go.mod
+++ b/go.mod
@ -27,7 +27,7 @@ require (
 	github.com/spf13/cobra v1.9.1
 	github.com/stretchr/testify v1.10.0
 	github.com/wwt/guac v1.3.2
-	goauthentik.io/api/v3 v3.2025024.8
+	goauthentik.io/api/v3 v3.2025024.9
 	golang.org/x/exp v0.0.0-20230210204819-062eb4c674ab
 	golang.org/x/oauth2 v0.29.0
 	golang.org/x/sync v0.13.0
--- a/go.sum
+++ b/go.sum
@ -290,8 +290,8 @@ go.opentelemetry.io/otel/trace v1.24.0 h1:CsKnnL4dUAr/0llH9FKuc698G04IrpWV0MQA/Y
 go.opentelemetry.io/otel/trace v1.24.0/go.mod h1:HPc3Xr/cOApsBI154IU0OI0HJexz+aw5uPdbs3UCjNU=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-goauthentik.io/api/v3 v3.2025024.8 h1:2mG4CqGSsmZq2CtRehxpDjsER43U/JQSoTOn5VC1ui4=
-goauthentik.io/api/v3 v3.2025024.8/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
+goauthentik.io/api/v3 v3.2025024.9 h1:i3tbkyotE32ZpJ729BsPWTuLQUdtZ54Li4aP1amZzsM=
+goauthentik.io/api/v3 v3.2025024.9/go.mod h1:zz+mEZg8rY/7eEjkMGWJ2DnGqk+zqxuybGCGrR2O4Kw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@ -29,4 +29,4 @@ func UserAgent() string {
 	return fmt.Sprintf("authentik@%s", FullVersion())
 }

-const VERSION = "2025.2.4"
+const VERSION = "2025.4.0"
--- a/lifecycle/ak
+++ b/lifecycle/ak
@ -62,7 +62,8 @@ function prepare_debug {
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get install -y --no-install-recommends krb5-kdc krb5-user krb5-admin-server libkrb5-dev gcc
-    VIRTUAL_ENV=/ak-root/.venv uv sync --frozen
+    source "${VENV_PATH}/bin/activate"
+    uv sync --active --frozen
    touch /unittest.xml
    chown authentik:authentik /unittest.xml
 }
--- a/lifecycle/aws/package-lock.json
+++ b/lifecycle/aws/package-lock.json
@ -9,7 +9,7 @@
            "version": "0.0.0",
            "license": "MIT",
            "devDependencies": {
-                "aws-cdk": "^2.1010.0",
+                "aws-cdk": "^2.1012.0",
                "cross-env": "^7.0.3"
            },
            "engines": {
@ -17,9 +17,9 @@
            }
        },
        "node_modules/aws-cdk": {
-            "version": "2.1010.0",
-            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1010.0.tgz",
-            "integrity": "sha512-kYNzBXVUZoRrTuYxRRA2Loz/Uvay0MqHobg8KPZaWylIbw/meUDgtoATRNt+stOdJ9PHODTjWmlDKI+2/KoF+w==",
+            "version": "2.1012.0",
+            "resolved": "https://registry.npmjs.org/aws-cdk/-/aws-cdk-2.1012.0.tgz",
+            "integrity": "sha512-C6jSWkqP0hkY2Cs300VJHjspmTXDTMfB813kwZvRbd/OsKBfTBJBbYU16VoLAp1LVEOnQMf8otSlaSgzVF0X9A==",
            "dev": true,
            "license": "Apache-2.0",
            "bin": {
--- a/lifecycle/aws/package.json
+++ b/lifecycle/aws/package.json
@ -10,7 +10,7 @@
        "node": ">=20"
    },
    "devDependencies": {
-        "aws-cdk": "^2.1010.0",
+        "aws-cdk": "^2.1012.0",
        "cross-env": "^7.0.3"
    }
 }
--- a/lifecycle/aws/template.yaml
+++ b/lifecycle/aws/template.yaml
@ -26,7 +26,7 @@ Parameters:
    Description: authentik Docker image
  AuthentikVersion:
    Type: String
-    Default: 2025.2.4
+    Default: 2025.4.0
    Description: authentik Docker image tag
  AuthentikServerCPU:
    Type: Number
--- a/lifecycle/system_migrations/tenant_to_brand.py
+++ b/lifecycle/system_migrations/tenant_to_brand.py
@ -3,7 +3,7 @@ from lifecycle.migrate import BaseMigration

 SQL_STATEMENT = """
 BEGIN TRANSACTION;
-ALTER TABLE authentik_tenants_tenant RENAME TO authentik_brands_brand;
+ALTER TABLE IF EXISTS authentik_tenants_tenant RENAME TO authentik_brands_brand;
 UPDATE django_migrations SET app = replace(app, 'authentik_tenants', 'authentik_brands');
 UPDATE django_content_type SET app_label = replace(app_label, 'authentik_tenants', 'authentik_brands');
 COMMIT;
--- a/locale/de/LC_MESSAGES/django.mo
+++ b/locale/de/LC_MESSAGES/django.mo
--- a/locale/de/LC_MESSAGES/django.po
+++ b/locale/de/LC_MESSAGES/django.po
@ -8,7 +8,6 @@
 # Jens L. <jens@goauthentik.io>, 2022
 # Lars Lehmann <lars@lars-lehmann.net>, 2023
 # Johannes —/—, 2023
-# Dominic Wagner <mail@dominic-wagner.de>, 2023
 # fde4f289d99ed356ff5cfdb762dc44aa_a8a971d, 2023
 # Christian Foellmann <foellmann@foe-services.de>, 2023
 # kidhab, 2023
@ -30,17 +29,18 @@
 # Alexander Möbius, 2025
 # Jonas, 2025
 # Niklas Kroese, 2025
-# 97cce0ae0cad2a2cc552d3165d04643e_de3d740, 2025
 # datenschmutz, 2025
+# 97cce0ae0cad2a2cc552d3165d04643e_de3d740, 2025
+# Dominic Wagner <mail@dominic-wagner.de>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: datenschmutz, 2025\n"
+"Last-Translator: Dominic Wagner <mail@dominic-wagner.de>, 2025\n"
 "Language-Team: German (https://app.transifex.com/authentik/teams/119923/de/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -214,6 +214,7 @@ msgid "User's display name."
 msgstr "Anzeigename"

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Benutzer"

@ -402,6 +403,18 @@ msgstr "Eigenschaft"
 msgid "Property Mappings"
 msgstr "Eigenschaften"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Sitzung"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "Sitzungen"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Authentifizierte Sitzung"
@ -511,6 +524,38 @@ msgstr "Lizenzverwendung"
 msgid "License Usage Records"
 msgstr "Lizenzverwendung Aufzeichnungen"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Zu prüfender Feldschlüssel, die in den Aufforderungsstufen definierten "
+"Feldschlüssel sind verfügbar."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Passwort nicht im Kontext festgelegt"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Enterprise ist erforderlich, um auf diese Funktion zuzugreifen."
@ -1303,12 +1348,6 @@ msgstr "Richtlinien Cache Metriken anzeigen"
 msgid "Clear Policy's cache metrics"
 msgstr "Richtlinien Cache Metriken löschen"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Zu prüfender Feldschlüssel, die in den Aufforderungsstufen definierten "
-"Feldschlüssel sind verfügbar."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Wie häufig der Passwort-Hash auf haveibeenpwned vertreten sein darf"
@ -1320,10 +1359,6 @@ msgstr ""
 "Die Richtlinie wird verweigert, wenn die zxcvbn-Bewertung gleich oder "
 "kleiner diesem Wert ist."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Passwort nicht im Kontext festgelegt"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Ungültiges Passwort."
@ -1365,20 +1400,6 @@ msgstr "Reputationswert"
 msgid "Reputation Scores"
 msgstr "Reputationswert"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Erlaubnis verweigert"
@ -2208,6 +2229,10 @@ msgstr "Rolle"
 msgid "Roles"
 msgstr "Rollen"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Systemberechtigung"
@ -2478,6 +2503,22 @@ msgstr "LDAP Quelle Eigenschafts-Zuordnung"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP Quelle Eigenschafts-Zuordnungen"

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr ""
@ -2487,6 +2528,14 @@ msgstr ""
 msgid "No token received."
 msgstr "Kein Token empfangen."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "Token-URL anfordern"
@ -2528,6 +2577,12 @@ msgstr ""
 msgid "Additional Scopes"
 msgstr "zusätzliche Scopes"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Outh Quelle"
@ -3434,6 +3489,12 @@ msgstr ""
 "Wenn aktiviert, wird die Phase auch dann erfolgreich abgeschlossen und "
 "fortgesetzt, wenn falsche Benutzerdaten eingegeben wurden."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Optionaler Registrierungs-Flow, der unten auf der Seite verlinkt ist."
@ -3826,6 +3887,14 @@ msgstr ""
 "Die Ereignisse werden nach dieser Dauer gelöscht (Format: "
 "Wochen=3;Tage=2;Stunden=3,Sekunden=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/en/LC_MESSAGES/django.po
+++ b/locale/en/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-22 13:40+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -1255,20 +1255,6 @@ msgstr ""
 msgid "Reputation Scores"
 msgstr ""

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr ""
--- a/locale/es/LC_MESSAGES/django.mo
+++ b/locale/es/LC_MESSAGES/django.mo
--- a/locale/es/LC_MESSAGES/django.po
+++ b/locale/es/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/authentik/teams/119923/es/)\n"
@ -190,6 +190,7 @@ msgid "User's display name."
 msgstr "Nombre para mostrar del usuario."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Usuario"

@ -378,6 +379,18 @@ msgstr "Asignación de Propiedades"
 msgid "Property Mappings"
 msgstr "Asignaciones de Propiedades"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Sesión"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "Sesiones"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Sesión autenticada"
@ -485,6 +498,38 @@ msgstr "Uso de Licencias"
 msgid "License Usage Records"
 msgstr "Registro de Uso de Licencias"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Clave de campo a verificar, las claves de campo definidas en las etapas de "
+"Solicitud están disponibles."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "La contraseña no se ha establecido en contexto"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Se requiere de Enterprise para acceder esta característica."
@ -1268,12 +1313,6 @@ msgstr "Ver las métricas de caché de la Política"
 msgid "Clear Policy's cache metrics"
 msgstr "Borrar las métricas de caché de la Política"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Clave de campo a verificar, las claves de campo definidas en las etapas de "
-"Solicitud están disponibles."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@ -1287,10 +1326,6 @@ msgstr ""
 "Si la puntuación zxcvbn es igual o menor que este valor, la política "
 "fallará."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "La contraseña no se ha establecido en contexto"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Contraseña inválida."
@ -1332,20 +1367,6 @@ msgstr "Puntuación de Reputacion"
 msgid "Reputation Scores"
 msgstr "Puntuaciones de Reputacion"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permiso denegado"
@ -2175,6 +2196,10 @@ msgstr "Rol"
 msgid "Roles"
 msgstr "Roles"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Permiso de sistema"
@ -2443,6 +2468,22 @@ msgstr "Asignación de Propiedades de Fuente de LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Asignaciones de Propiedades de Fuente de LDAP"

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "La contraseña no coincide con la complejidad de Active Directory."
@ -2451,6 +2492,14 @@ msgstr "La contraseña no coincide con la complejidad de Active Directory."
 msgid "No token received."
 msgstr "No se recibió ningún token."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "Solicitar URL de token"
@ -2491,6 +2540,12 @@ msgstr "URL utilizada por authentik para obtener información del usuario."
 msgid "Additional Scopes"
 msgstr "Alcances Adicionales"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Fuente de OAuth"
@ -3407,6 +3462,12 @@ msgstr ""
 "Cuando está habilitado, la etapa tendrá éxito y continuará incluso cuando se"
 " ingrese información de usuario incorrecta."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
@ -3794,6 +3855,14 @@ msgstr ""
 "Los Eventos serán eliminados después de este periodo. (Formato: "
 "weeks=3;days=2;hours=3,seconds=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/fi/LC_MESSAGES/django.mo
+++ b/locale/fi/LC_MESSAGES/django.mo
--- a/locale/fi/LC_MESSAGES/django.po
+++ b/locale/fi/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Ville Ranki, 2025\n"
 "Language-Team: Finnish (https://app.transifex.com/authentik/teams/119923/fi/)\n"
@ -186,6 +186,7 @@ msgid "User's display name."
 msgstr "Käyttäjän näytettävä nimi"

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Käyttäjä"

@ -371,6 +372,18 @@ msgstr "Ominaisuuskytkentä"
 msgid "Property Mappings"
 msgstr "Ominaisuuskytkennät"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Istunto"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Autentikoitu istunto"
@ -478,6 +491,38 @@ msgstr "Lisenssin käyttö"
 msgid "License Usage Records"
 msgstr "Lisenssin käyttötiedot"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Kentän avain, joka tarkistetaan. Kysymysvaiheissa määritellyt kenttien "
+"avaimet ovat käytettävissä."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Salasanaa ei ole asetettu kontekstissa"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Tämän ominaisuuden käyttöön tarvitaan Enterprise-versiota."
@ -1251,12 +1296,6 @@ msgstr "Näytä käytäntövälimuistitilastot"
 msgid "Clear Policy's cache metrics"
 msgstr "Tyhjennä käytäntövälimuistitilastot"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Kentän avain, joka tarkistetaan. Kysymysvaiheissa määritellyt kenttien "
-"avaimet ovat käytettävissä."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@ -1269,10 +1308,6 @@ msgstr ""
 "Jos zxcvbn-pistemäärä on tämä arvo tai pienempi, käytännön suorittaminen "
 "epäonnistuu."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Salasanaa ei ole asetettu kontekstissa"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Virheellinen salasana."
@ -1314,20 +1349,6 @@ msgstr "Mainepistemäärä"
 msgid "Reputation Scores"
 msgstr "Mainepistemäärät"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Käyttö evätty"
@ -2155,6 +2176,10 @@ msgstr "Rooli"
 msgid "Roles"
 msgstr "Roolit"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Järjestelmän käyttöoikeus"
@ -2420,6 +2445,22 @@ msgstr "LDAP-lähteen ominaisuuskytkentä"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP-lähteen ominaisuuskytkennät"

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "Salasana ei vastaa Active Directoryn monimutkaisuusmääritystä."
@ -2428,6 +2469,14 @@ msgstr "Salasana ei vastaa Active Directoryn monimutkaisuusmääritystä."
 msgid "No token received."
 msgstr "Tunnistetta ei saatu."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "Pyyntötunnisteen URL"
@ -2468,6 +2517,12 @@ msgstr "URL, jota authentik käyttää käyttäjätiedon hakemiseksi."
 msgid "Additional Scopes"
 msgstr "Lisäkäyttöalueet"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth-lähde"
@ -3377,6 +3432,12 @@ msgstr ""
 "Kun tämä on käytössä, vaihe onnistuu ja suoritus jatkuu, vaikka olisi "
 "syötetty virheelliset käyttäjätiedot."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
@ -3754,6 +3815,14 @@ msgstr ""
 "Tapahtumat poistetaan tämän ajan jälkeen. (Muoto: "
 "weeks=3;days=2;hours=3;seconds=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/fr/LC_MESSAGES/django.mo
+++ b/locale/fr/LC_MESSAGES/django.mo
--- a/locale/fr/LC_MESSAGES/django.po
+++ b/locale/fr/LC_MESSAGES/django.po
@ -9,8 +9,8 @@
 # Kyllian Delaye-Maillot, 2023
 # Manuel Viens, 2023
 # Mordecai, 2023
+# Tina, 2024
 # Charles Leclerc, 2025
-# Tina, 2025
 # nerdinator <florian.dupret@gmail.com>, 2025
 # Marc Schmitt, 2025
 # 
@ -19,7 +19,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-17 00:09+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: French (https://app.transifex.com/authentik/teams/119923/fr/)\n"
@ -502,6 +502,38 @@ msgstr "Utilisation de la licence"
 msgid "License Usage Records"
 msgstr "Registre d'utilisation de la licence"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Clé de champ à vérifier ; les clés de champ définies dans les étapes de "
+"d'invite sont disponibles."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr "Nombre de mots de passe à vérifier."
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Mot de passe non défini dans le contexte"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr "Ce mot de passe a déjà été utilisé. Veuillez en choisir un autre."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr "Politique d'unicité des mots de passe"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr "Politiques d'unicité des mots de passe"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr "Historique des mots de passe utilisateur"
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Entreprise est requis pour accéder à cette fonctionnalité."
@ -1296,12 +1328,6 @@ msgstr "Voir les métriques de cache de la politique"
 msgid "Clear Policy's cache metrics"
 msgstr "Nettoyer les métriques de cache de la politique"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Clé de champ à vérifier ; les clés de champ définies dans les étapes de "
-"d'invite sont disponibles."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@ -1315,10 +1341,6 @@ msgstr ""
 "Si le score zxcvbn est égal ou inférieur à cette valeur, la politique "
 "échouera."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Mot de passe non défini dans le contexte"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Mot de passe invalide."
@ -1360,22 +1382,6 @@ msgstr "Score de Réputation"
 msgid "Reputation Scores"
 msgstr "Scores de Réputation"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "En attente de l'authentification..."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-"Vous êtes déjà en cours d'authentification dans un autre onglet. Cette page "
-"se rafraîchira lorsque l'authentification sera terminée."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "S'authentifier dans cet onglet"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permission refusée"
@ -3485,6 +3491,15 @@ msgstr ""
 "Lorsqu'activé, l'étape réussira et continuera même lorsque les informations "
 "utilisateurs entrées sont invalides."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+"Afficher à l'utilisateur l'option \"Se souvenir de moi sur cet appareil\", "
+"afin de permettre aux utilisateurs réguliers de passer directement à la "
+"saisie de leur mot de passe."
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Flux d'inscription facultatif, qui sera accessible en bas de page."
--- a/locale/it/LC_MESSAGES/django.po
+++ b/locale/it/LC_MESSAGES/django.po
@ -12,17 +12,17 @@
 # tmassimi, 2024
 # Marc Schmitt, 2024
 # albanobattistella <albanobattistella@gmail.com>, 2024
-# Matteo Piccina <altermatte@gmail.com>, 2025
 # Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025
+# Matteo Piccina <altermatte@gmail.com>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Kowalski Dragon (kowalski7cc) <kowalski.7cc@gmail.com>, 2025\n"
+"Last-Translator: Matteo Piccina <altermatte@gmail.com>, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/authentik/teams/119923/it/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -194,6 +194,7 @@ msgid "User's display name."
 msgstr "Nome visualizzato dell'utente."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Utente"

@ -380,6 +381,18 @@ msgstr "Mappatura della proprietà"
 msgid "Property Mappings"
 msgstr "Mappatura delle proprietà"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Sessione"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "Sessioni"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Sessione Autenticata"
@ -487,6 +500,38 @@ msgstr "Utilizzo della licenza"
 msgid "License Usage Records"
 msgstr "Registri sull'utilizzo della licenza"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Chiave di campo da verificare, sono disponibili le chiavi di campo definite "
+"nelle fasi Richiesta."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Password non impostata nel contesto"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Versione Enterprise richiesta per accedere a questa funzione"
@ -1274,12 +1319,6 @@ msgstr "Visualizza le metriche della cache della Policy"
 msgid "Clear Policy's cache metrics"
 msgstr "Cancellare le metriche della cache della Policy"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Chiave di campo da verificare, sono disponibili le chiavi di campo definite "
-"nelle fasi Richiesta."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@ -1292,10 +1331,6 @@ msgstr ""
 "Se il punteggio zxcvbn è inferiore o uguale a questo valore, il criterio non"
 " verrà soddisfatto."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Password non impostata nel contesto"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Password invalida."
@ -1337,22 +1372,6 @@ msgstr "Punteggio di reputazione"
 msgid "Reputation Scores"
 msgstr "Punteggi di reputazione"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "In attesa di autenticazione..."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-"Ti stai già autenticando in un'altra scheda. Questa pagina si aggiornerà una"
-" volta completata l'autenticazione."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "Autenticati in questa scheda"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permesso negato"
@ -2182,6 +2201,10 @@ msgstr "Ruolo"
 msgid "Roles"
 msgstr "Ruoli"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Autorizzazione di sistema"
@ -2452,6 +2475,22 @@ msgstr "Mappatura delle proprietà sorgente LDAP"
 msgid "LDAP Source Property Mappings"
 msgstr "Mappature delle proprietà della sorgente LDAP"

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "La password non soddisfa la complessità Active Directory."
@ -2460,6 +2499,14 @@ msgstr "La password non soddisfa la complessità Active Directory."
 msgid "No token received."
 msgstr "Nessun token ricevuto."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL di Richiesta Token"
@ -2500,6 +2547,12 @@ msgstr "URL utilizzato da authentik per ottenere le informazioni dell'utente."
 msgid "Additional Scopes"
 msgstr "Ambiti aggiuntivi"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Sorgente OAuth"
@ -3426,6 +3479,12 @@ msgstr ""
 "Quando abilitato, la fase avrà successo e continuerà anche quando vengono "
 "inserite informazioni utente errate."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Flusso di iscrizione opzionale, che è collegato in fondo alla pagina."
@ -3812,6 +3871,14 @@ msgstr ""
 "Gli eventi saranno cancellati dopo questa durata. (Formato: "
 "weeks=3;days=2;hours=3,seconds=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/ko/LC_MESSAGES/django.mo
+++ b/locale/ko/LC_MESSAGES/django.mo
--- a/locale/ko/LC_MESSAGES/django.po
+++ b/locale/ko/LC_MESSAGES/django.po
@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-31 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: NavyStack, 2023\n"
 "Language-Team: Korean (https://app.transifex.com/authentik/teams/119923/ko/)\n"
@ -176,6 +176,7 @@ msgid "User's display name."
 msgstr "사용자의 표시 이름"

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "사용자"

@ -344,6 +345,18 @@ msgstr "속성 매핑"
 msgid "Property Mappings"
 msgstr "속성 매핑"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "인증된 세션"
@ -447,6 +460,36 @@ msgstr "라이선스 사용"
 msgid "License Usage Records"
 msgstr "라이선스 사용 기록"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr "확인하려는 필드 키, 프롬프트 스테이지에서 정의된 필드 키를 사용할 수 있습니다."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "비밀번호가 컨텍스트에 설정되지 않음"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr ""
@ -1182,10 +1225,6 @@ msgstr "정책의 캐시 메트릭 보기"
 msgid "Clear Policy's cache metrics"
 msgstr "정책의 캐시 메트릭 삭제"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr "확인하려는 필드 키, 프롬프트 스테이지에서 정의된 필드 키를 사용할 수 있습니다."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "비밀번호 해시가 허용되는 해시 횟수"
@ -1195,10 +1234,6 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr "만약 zxcvbn 점수가 이 값과 같거나 이 값보다 작다면, 정책이 실패합니다."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "비밀번호가 컨텍스트에 설정되지 않음"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@ -1240,20 +1275,6 @@ msgstr "평판 점수"
 msgid "Reputation Scores"
 msgstr "평판 점수"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "권한 거부됨"
@ -2013,6 +2034,10 @@ msgstr "역할"
 msgid "Roles"
 msgstr "역할"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "시스템 권한"
@ -2231,6 +2256,13 @@ msgid ""
 "enabled on a single LDAP source."
 msgstr "사용자가 비밀번호를 변경하면 LDAP로 다시 동기화합니다. 이 기능은 단일의 LDAP 소스에서만 활성화할 수 있습니다."

+#: authentik/sources/ldap/models.py
+msgid ""
+"Lookup group membership based on a user attribute instead of a group "
+"attribute. This allows nested group resolution on systems like FreeIPA and "
+"Active Directory"
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP 소스"
@ -2247,6 +2279,22 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "비밀번호가 Active Directory 복잡도와 일치하지 않습니다."
@ -2255,6 +2303,14 @@ msgstr "비밀번호가 Active Directory 복잡도와 일치하지 않습니다.
 msgid "No token received."
 msgstr "수신된 토큰이 없습니다."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "토큰 요청 URL"
@ -2293,6 +2349,12 @@ msgstr "사용자 정보를 가져오기 위해 authentik에서 사용하는 URL
 msgid "Additional Scopes"
 msgstr "추가 스코프"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth 소스"
@ -3149,6 +3211,12 @@ msgid ""
 "info is entered."
 msgstr "활성화되면 잘못된 사용자 정보가 입력되더라도 단계가 성공하고 계속됩니다."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "페이지 하단에 링크된,  선택적 등록 플로우를 참조하세요."
@ -3500,6 +3568,14 @@ msgid ""
 "weeks=3;days=2;hours=3,seconds=2)."
 msgstr "이 기간이 지나면 이벤트가 삭제됩니다. (서식: hours=-1;minutes=-2;seconds=-3)"

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/pl/LC_MESSAGES/django.po
+++ b/locale/pl/LC_MESSAGES/django.po
@ -7,18 +7,18 @@
 # Bartosz Karpiński, 2023
 # Michał Jastrzębski, 2024
 # Tomci 12 <drizztes@gmail.com>, 2024
+# Darek “NeroPcStation” NeroPcStation <dareknowacki2001@gmail.com>, 2024
 # Marc Schmitt, 2025
 # Jens L. <jens@goauthentik.io>, 2025
-# Darek “NeroPcStation” NeroPcStation <dareknowacki2001@gmail.com>, 2025
 # 
 #, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
-"Last-Translator: Darek “NeroPcStation” NeroPcStation <dareknowacki2001@gmail.com>, 2025\n"
+"Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Polish (https://app.transifex.com/authentik/teams/119923/pl/)\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
@ -189,6 +189,7 @@ msgid "User's display name."
 msgstr "Wyświetlana nazwa użytkownika."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Użytkownik"

@ -371,6 +372,18 @@ msgstr "Mapowanie właściwości"
 msgid "Property Mappings"
 msgstr "Mapowanie właściwości"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Sesja"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "Sesje"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Sesja uwierzytelniona"
@ -479,6 +492,38 @@ msgstr "Wykorzystanie licencji"
 msgid "License Usage Records"
 msgstr "Rejestr wykorzystania licencji"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Klucz pola do sprawdzenia, dostępne są klucze pola zdefiniowane w etapach "
+"monitu."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Hasło nie jest ustawione w kontekście"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Wymagane jest konto Enterprise, aby uzyskać dostęp do tej funkcji."
@ -1257,12 +1302,6 @@ msgstr "Wyświetl metryki pamięci podręcznej Zasady"
 msgid "Clear Policy's cache metrics"
 msgstr "Wyczyść metryki pamięci podręcznej Zasady"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Klucz pola do sprawdzenia, dostępne są klucze pola zdefiniowane w etapach "
-"monitu."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Ile razy skrót hasła może być na haveibeenpwned"
@ -1274,10 +1313,6 @@ msgstr ""
 "Jeśli wynik zxcvbn jest równy lub mniejszy od tej wartości, zasada zakończy "
 "się niepowodzeniem."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Hasło nie jest ustawione w kontekście"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@ -1319,20 +1354,6 @@ msgstr "Punkty reputacji"
 msgid "Reputation Scores"
 msgstr "Punkty reputacji"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "Oczekiwanie na uwierzytelnienie..."
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Odmowa uprawnień"
@ -2141,6 +2162,10 @@ msgstr "Rola"
 msgid "Roles"
 msgstr "Role"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Uprawnienie systemowe"
@ -2390,6 +2415,22 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "Hasło nie pasuje do złożoności usługi Active Directory."
@ -2398,6 +2439,14 @@ msgstr "Hasło nie pasuje do złożoności usługi Active Directory."
 msgid "No token received."
 msgstr "Nie otrzymano tokena."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL żądania tokena"
@ -2440,6 +2489,12 @@ msgstr "URL używany przez authentik do uzyskania informacji o użytkowniku."
 msgid "Additional Scopes"
 msgstr "Dodatkowe zakresy"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Źródło OAuth"
@ -3344,6 +3399,12 @@ msgstr ""
 "Po włączeniu tej opcji etap zakończy się powodzeniem i będzie kontynuowany "
 "nawet po wprowadzeniu nieprawidłowych danych użytkownika."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
@ -3727,6 +3788,14 @@ msgstr ""
 "Zdarzenia zostaną usunięte po upływie tego czasu. (Format: "
 "weeks=3;days=2;hours=3,seconds=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr "Opcja ta konfiguruje łącza stopki na stronach wykonawców przepływu."
--- a/locale/pt_BR/LC_MESSAGES/django.po
+++ b/locale/pt_BR/LC_MESSAGES/django.po
@ -18,7 +18,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Gil Poiares-Oliveira, 2025\n"
 "Language-Team: Portuguese (Brazil) (https://app.transifex.com/authentik/teams/119923/pt_BR/)\n"
@ -192,6 +192,7 @@ msgid "User's display name."
 msgstr "Nome de exibição do usuário."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Usuário"

@ -376,6 +377,18 @@ msgstr "Mapeamento de propriedades"
 msgid "Property Mappings"
 msgstr "Mapeamentos de propriedades"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Sessão Autenticada"
@ -483,6 +496,38 @@ msgstr "Uso de licença"
 msgid "License Usage Records"
 msgstr "Registros de uso de licença"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Chave de campo para verificar, as chaves de campo definidas nos estágios de "
+"prompt estão disponíveis."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Senha não definida no contexto"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Entrerprise é necessário para acessar essa funcionalidade"
@ -1252,12 +1297,6 @@ msgstr ""
 msgid "Clear Policy's cache metrics"
 msgstr ""

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Chave de campo para verificar, as chaves de campo definidas nos estágios de "
-"prompt estão disponíveis."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Quantas vezes o hash da senha pode estar em haveibeenpwned"
@ -1268,10 +1307,6 @@ msgid ""
 msgstr ""
 "Se a pontuação zxcvbn for igual ou menor que esse valor, a política falhará."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Senha não definida no contexto"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@ -1313,20 +1348,6 @@ msgstr "Pontuação de reputação"
 msgid "Reputation Scores"
 msgstr "Pontuações de reputação"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Permissão negada"
@ -2141,6 +2162,10 @@ msgstr ""
 msgid "Roles"
 msgstr ""

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Permissão do sistema"
@ -2387,6 +2412,22 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "A senha não corresponde à complexidade do Active Directory."
@ -2395,6 +2436,14 @@ msgstr "A senha não corresponde à complexidade do Active Directory."
 msgid "No token received."
 msgstr "Nenhum token recebido."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL do token de solicitação"
@ -2435,6 +2484,12 @@ msgstr "URL usado pelo authentik para obter informações do usuário."
 msgid "Additional Scopes"
 msgstr "Escopos Adicionais"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Fonte OAuth"
@ -3318,6 +3373,12 @@ msgid ""
 "info is entered."
 msgstr ""

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Optional enrollment flow, which is linked at the bottom of the page."
@ -3678,6 +3739,14 @@ msgstr ""
 "Os eventos serão excluídos após esta duração.(Formato: "
 "semanas=3;dias=2;horas=3,segundos=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/ru/LC_MESSAGES/django.po
+++ b/locale/ru/LC_MESSAGES/django.po
@ -18,7 +18,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Marc Schmitt, 2025\n"
 "Language-Team: Russian (https://app.transifex.com/authentik/teams/119923/ru/)\n"
@ -191,6 +191,7 @@ msgid "User's display name."
 msgstr "Отображаемое имя пользователя."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Пользователь"

@ -379,6 +380,18 @@ msgstr "Сопоставление свойств"
 msgid "Property Mappings"
 msgstr "Сопоставление свойств"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr ""
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Аутентифицированная Сессия"
@ -487,6 +500,37 @@ msgstr "Использование лицензии"
 msgid "License Usage Records"
 msgstr "Записи использования лицензии"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Ключ поля для проверки, доступны ключи поля, определенные в этапах запроса."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Пароль не задан в контексте"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Для доступа к этой функции требуется Enterprise."
@ -1267,11 +1311,6 @@ msgstr "Просмотр показателей кэша политики"
 msgid "Clear Policy's cache metrics"
 msgstr "Очистка показателей кэша политики"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Ключ поля для проверки, доступны ключи поля, определенные в этапах запроса."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "Как часто хэш пароля может быть представлен на haveibeenpwned"
@ -1283,10 +1322,6 @@ msgstr ""
 "Если показатель zxcvbn равен или меньше этого значения, политика будет "
 "провалена."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Пароль не задан в контексте"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "Неправильный пароль"
@ -1328,20 +1363,6 @@ msgstr "Оценка репутации"
 msgid "Reputation Scores"
 msgstr "Оценка репутации"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "Доступ запрещен"
@ -2164,6 +2185,10 @@ msgstr "Роль"
 msgid "Roles"
 msgstr "Роли"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Системное разрешение"
@ -2421,6 +2446,22 @@ msgstr "Сопоставление свойства LDAP источника"
 msgid "LDAP Source Property Mappings"
 msgstr "Сопоставление свойств LDAP источника"

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "Пароль не соответствует сложности Active Directory."
@ -2429,6 +2470,14 @@ msgstr "Пароль не соответствует сложности Active D
 msgid "No token received."
 msgstr "Токен не был получен."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "URL-адрес запроса токена"
@ -2471,6 +2520,12 @@ msgstr ""
 msgid "Additional Scopes"
 msgstr "Дополнительные области"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "Источник OAuth"
@ -3376,6 +3431,12 @@ msgstr ""
 "При включении этап будет завершаться успешно и продолжаться даже в случае "
 "ввода неправильной информации о пользователе."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr ""
@ -3767,6 +3828,14 @@ msgstr ""
 "По истечении этого времени события будут удалены. (Формат: недели=3; дни=2; "
 "часы=3, секунды=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/tr/LC_MESSAGES/django.mo
+++ b/locale/tr/LC_MESSAGES/django.mo
--- a/locale/tr/LC_MESSAGES/django.po
+++ b/locale/tr/LC_MESSAGES/django.po
@ -13,7 +13,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-03-31 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: Jens L. <jens@goauthentik.io>, 2025\n"
 "Language-Team: Turkish (https://app.transifex.com/authentik/teams/119923/tr/)\n"
@ -187,6 +187,7 @@ msgid "User's display name."
 msgstr "Kullanıcının görünen adı."

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "Kullanıcı"

@ -372,6 +373,18 @@ msgstr "Özellik Eşleme"
 msgid "Property Mappings"
 msgstr "Özellik Eşlemeleri"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "Oturum"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "Oturumlar"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "Kimliği Doğrulanmış Oturum"
@ -479,6 +492,38 @@ msgstr "Lisans Kullanımı"
 msgid "License Usage Records"
 msgstr "Lisans Kullanım Kayıtları"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr ""
+"Alan tuşu kontrol etmek için, İstem aşamalarında tanımlanan alan tuşları "
+"mevcuttur."
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "Parola bağlam içinde ayarlanmamış"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "Bu özelliğe erişmek için Kurumsal Paket gereklidir."
@ -1253,12 +1298,6 @@ msgstr "İlke'nin önbellek ölçümlerini görüntüleme"
 msgid "Clear Policy's cache metrics"
 msgstr "İlke'nin önbellek ölçümlerini temizleyin"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr ""
-"Alan tuşu kontrol etmek için, İstem aşamalarında tanımlanan alan tuşları "
-"mevcuttur."
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr ""
@ -1271,10 +1310,6 @@ msgstr ""
 "Eğer zxcvbn puanı bu değere eşit veya daha az ise, politika başarısız "
 "olacaktır."

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "Parola bağlam içinde ayarlanmamış"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@ -1316,20 +1351,6 @@ msgstr "İtibar Puanı"
 msgid "Reputation Scores"
 msgstr "İtibar Puanları"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "İzin reddedildi"
@ -2155,6 +2176,10 @@ msgstr "Rol"
 msgid "Roles"
 msgstr "Roller"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "Sistem yetkisi"
@ -2398,6 +2423,13 @@ msgstr ""
 "Bir kullanıcı parolasını değiştirdiğinde, parolayı LDAP ile geri eşitleyin. "
 "Bu yalnızca tek bir LDAP kaynağında etkinleştirilebilir."

+#: authentik/sources/ldap/models.py
+msgid ""
+"Lookup group membership based on a user attribute instead of a group "
+"attribute. This allows nested group resolution on systems like FreeIPA and "
+"Active Directory"
+msgstr ""
+
 #: authentik/sources/ldap/models.py
 msgid "LDAP Source"
 msgstr "LDAP Kaynağı"
@ -2414,6 +2446,22 @@ msgstr "LDAP Kaynak Özellik Eşlemesi"
 msgid "LDAP Source Property Mappings"
 msgstr "LDAP Kaynak Özellik Eşlemeleri"

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "Parola Active Directory Karmaşıklığıyla eşleşmiyor."
@ -2422,6 +2470,14 @@ msgstr "Parola Active Directory Karmaşıklığıyla eşleşmiyor."
 msgid "No token received."
 msgstr "Jeton alınmadı."

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "Jeton URL'si İste"
@ -2462,6 +2518,12 @@ msgstr "Kullanıcı bilgilerini almak için authentik tarafından kullanılan UR
 msgid "Additional Scopes"
 msgstr "Ek Kapsamlar"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth Kaynağı"
@ -3360,6 +3422,12 @@ msgstr ""
 "Etkinleştirildiğinde, yanlış kullanıcı bilgisi girilse bile aşama başarılı "
 "olur ve devam eder."

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "Sayfanın alt kısmında bağlanan isteğe bağlı kayıt akışı."
@ -3734,6 +3802,14 @@ msgstr ""
 "Olaylar bu süreden sonra silinecektir (Format: "
 "weeks=3;days=2;hours=3,seconds=2)."

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/locale/zh-Hans/LC_MESSAGES/django.mo
+++ b/locale/zh-Hans/LC_MESSAGES/django.mo
--- a/locale/zh-Hans/LC_MESSAGES/django.po
+++ b/locale/zh-Hans/LC_MESSAGES/django.po
@ -15,7 +15,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-18 00:09+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese Simplified (https://app.transifex.com/authentik/teams/119923/zh-Hans/)\n"
@ -461,6 +461,36 @@ msgstr "许可证使用情况"
 msgid "License Usage Records"
 msgstr "许可证使用情况记录"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr "检查指定数量的密码。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "未在上下文中设置密码"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr "此密码被使用过。请选择其他密码。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr "密码唯一性策略"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr "密码唯一性策略"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr "用户密码历史记录"
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "访问此功能需要企业版。"
@ -1190,10 +1220,6 @@ msgstr "查看策略缓存指标"
 msgid "Clear Policy's cache metrics"
 msgstr "清除策略缓存指标"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "密码哈希允许出现在 HaveIBeenPwned 中多少次"
@ -1203,10 +1229,6 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr "如果 zxcvbn 分数小于等于此值，则策略失败。"

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "未在上下文中设置密码"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "无效密码。"
@ -1248,20 +1270,6 @@ msgstr "信誉分数"
 msgid "Reputation Scores"
 msgstr "信誉分数"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "正在等待身份验证…"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr "您正在另一个标签页中验证身份。身份验证完成后，此页面会刷新。"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "在此标签页中验证身份"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "权限被拒绝"
--- a/locale/zh_CN/LC_MESSAGES/django.mo
+++ b/locale/zh_CN/LC_MESSAGES/django.mo
--- a/locale/zh_CN/LC_MESSAGES/django.po
+++ b/locale/zh_CN/LC_MESSAGES/django.po
@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-18 00:09+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: deluxghost, 2025\n"
 "Language-Team: Chinese (China) (https://app.transifex.com/authentik/teams/119923/zh_CN/)\n"
@ -460,6 +460,36 @@ msgstr "许可证使用情况"
 msgid "License Usage Records"
 msgstr "许可证使用情况记录"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr "检查指定数量的密码。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "未在上下文中设置密码"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr "此密码被使用过。请选择其他密码。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr "密码唯一性策略"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr "密码唯一性策略"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr "用户密码历史记录"
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "访问此功能需要企业版。"
@ -1189,10 +1219,6 @@ msgstr "查看策略缓存指标"
 msgid "Clear Policy's cache metrics"
 msgstr "清除策略缓存指标"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr "要检查的字段键，可以使用输入阶段中定义的字段键。"
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "密码哈希允许出现在 HaveIBeenPwned 中多少次"
@ -1202,10 +1228,6 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr "如果 zxcvbn 分数小于等于此值，则策略失败。"

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "未在上下文中设置密码"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr "无效密码。"
@ -1247,20 +1269,6 @@ msgstr "信誉分数"
 msgid "Reputation Scores"
 msgstr "信誉分数"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr "正在等待身份验证…"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr "您正在另一个标签页中验证身份。身份验证完成后，此页面会刷新。"
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr "在此标签页中验证身份"
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "权限被拒绝"
--- a/locale/zh_TW/LC_MESSAGES/django.po
+++ b/locale/zh_TW/LC_MESSAGES/django.po
@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-04-11 00:10+0000\n"
+"POT-Creation-Date: 2025-04-23 09:00+0000\n"
 "PO-Revision-Date: 2022-09-26 16:47+0000\n"
 "Last-Translator: 刘松, 2025\n"
 "Language-Team: Chinese (Taiwan) (https://app.transifex.com/authentik/teams/119923/zh_TW/)\n"
@ -178,6 +178,7 @@ msgid "User's display name."
 msgstr "使用者的顯示名稱。"

 #: authentik/core/models.py authentik/providers/oauth2/models.py
+#: authentik/rbac/models.py
 msgid "User"
 msgstr "使用者"

@ -344,6 +345,18 @@ msgstr "屬性對應"
 msgid "Property Mappings"
 msgstr "屬性對應"

+#: authentik/core/models.py
+msgid "session data"
+msgstr ""
+
+#: authentik/core/models.py
+msgid "Session"
+msgstr "会话"
+
+#: authentik/core/models.py
+msgid "Sessions"
+msgstr "会话"
+
 #: authentik/core/models.py
 msgid "Authenticated Session"
 msgstr "已認證會談"
@ -447,6 +460,36 @@ msgstr "授權使用情況"
 msgid "License Usage Records"
 msgstr "授權使用紀錄"

+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Field key to check, field keys defined in Prompt stages are available."
+msgstr "要檢查的欄位鍵，在提示階段中有可用的已定義欄位鍵。"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Number of passwords to check against."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+#: authentik/policies/password/models.py
+msgid "Password not set in context"
+msgstr "未在上下文中設定密碼"
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "This password has been used previously. Please choose a different one."
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policy"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "Password Uniqueness Policies"
+msgstr ""
+
+#: authentik/enterprise/policies/unique_password/models.py
+msgid "User Password History"
+msgstr ""
+
 #: authentik/enterprise/policy.py
 msgid "Enterprise required to access this feature."
 msgstr "企業版才能存取此功能。"
@ -1176,10 +1219,6 @@ msgstr "檢視原則的快取指標"
 msgid "Clear Policy's cache metrics"
 msgstr "清除原則的快取指標"

-#: authentik/policies/password/models.py
-msgid "Field key to check, field keys defined in Prompt stages are available."
-msgstr "要檢查的欄位鍵，在提示階段中有可用的已定義欄位鍵。"
-
 #: authentik/policies/password/models.py
 msgid "How many times the password hash is allowed to be on haveibeenpwned"
 msgstr "密碼雜湊在 haveibeenpwned 上允許出現的次數"
@ -1189,10 +1228,6 @@ msgid ""
 "If the zxcvbn score is equal or less than this value, the policy will fail."
 msgstr "如果 zxcvbn 分數等於或小於此值，則該政策將失敗。"

-#: authentik/policies/password/models.py
-msgid "Password not set in context"
-msgstr "未在上下文中設定密碼"
-
 #: authentik/policies/password/models.py
 msgid "Invalid password."
 msgstr ""
@ -1234,20 +1269,6 @@ msgstr "信譽分數"
 msgid "Reputation Scores"
 msgstr "信譽分數"

-#: authentik/policies/templates/policies/buffer.html
-msgid "Waiting for authentication..."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid ""
-"You're already authenticating in another tab. This page will refresh once "
-"authentication is completed."
-msgstr ""
-
-#: authentik/policies/templates/policies/buffer.html
-msgid "Authenticate in this tab"
-msgstr ""
-
 #: authentik/policies/templates/policies/denied.html
 msgid "Permission denied"
 msgstr "權限不足。"
@ -1999,6 +2020,10 @@ msgstr "角色"
 msgid "Roles"
 msgstr "角色"

+#: authentik/rbac/models.py
+msgid "Initial Permissions"
+msgstr ""
+
 #: authentik/rbac/models.py
 msgid "System permission"
 msgstr "系統權限"
@ -2240,6 +2265,22 @@ msgstr ""
 msgid "LDAP Source Property Mappings"
 msgstr ""

+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "User LDAP Source Connections"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connection"
+msgstr ""
+
+#: authentik/sources/ldap/models.py
+msgid "Group LDAP Source Connections"
+msgstr ""
+
 #: authentik/sources/ldap/signals.py
 msgid "Password does not match Active Directory Complexity."
 msgstr "密碼不符合 Active Directory 的複雜性要求。"
@ -2248,6 +2289,14 @@ msgstr "密碼不符合 Active Directory 的複雜性要求。"
 msgid "No token received."
 msgstr "未收到權杖。"

+#: authentik/sources/oauth/models.py
+msgid "HTTP Basic Authentication"
+msgstr ""
+
+#: authentik/sources/oauth/models.py
+msgid "Include the client ID and secret as request parameters"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "Request Token URL"
 msgstr "請求權杖的網址"
@ -2286,6 +2335,12 @@ msgstr "authentik 用來擷取使用者資訊的網址。"
 msgid "Additional Scopes"
 msgstr "附加範圍"

+#: authentik/sources/oauth/models.py
+msgid ""
+"How to perform authentication during an authorization_code token request "
+"flow"
+msgstr ""
+
 #: authentik/sources/oauth/models.py
 msgid "OAuth Source"
 msgstr "OAuth 來源"
@ -3137,6 +3192,12 @@ msgid ""
 "info is entered."
 msgstr ""

+#: authentik/stages/identification/models.py
+msgid ""
+"Show the user the 'Remember me on this device' toggle, allowing repeat users"
+" to skip straight to entering their password."
+msgstr ""
+
 #: authentik/stages/identification/models.py
 msgid "Optional enrollment flow, which is linked at the bottom of the page."
 msgstr "可選的註冊流程，連結在頁面的底部。"
@ -3481,6 +3542,14 @@ msgid ""
 "weeks=3;days=2;hours=3,seconds=2)."
 msgstr "事件將在此期間後刪除。（格式：weeks=3;days=2;hours=3,seconds=2）"

+#: authentik/tenants/models.py
+msgid "Reputation cannot decrease lower than this value. Zero or negative."
+msgstr ""
+
+#: authentik/tenants/models.py
+msgid "Reputation cannot increase higher than this value. Zero or positive."
+msgstr ""
+
 #: authentik/tenants/models.py
 msgid "The option configures the footer links on the flow executor pages."
 msgstr ""
--- a/package.json
+++ b/package.json
@ -1,5 +1,5 @@
 {
    "name": "@goauthentik/authentik",
-    "version": "2025.2.4",
+    "version": "2025.4.0",
    "private": true
 }
--- a/packages/docusaurus-config/css/badges.css
+++ b/packages/docusaurus-config/css/badges.css
@ -18,9 +18,7 @@
 }

 .badge--support-community {
-    --ifm-badge-background-color: var(
-        --ifm-color-secondary-contrast-foreground
-    );
+    --ifm-badge-background-color: var(--ifm-color-secondary-contrast-foreground);
    --ifm-badge-border-color: var(--ifm-color-secondary-dark);
    --ifm-badge-color: var(--ifm-color-secondary-contrast-background);
 }
--- a/packages/docusaurus-config/css/fonts.css
+++ b/packages/docusaurus-config/css/fonts.css
@ -1,12 +1,12 @@
 :root {
    --ifm-font-family-base:
-        RedHatVF, system-ui, -apple-system, Segoe UI, Roboto, Ubuntu, Cantarell,
-        Noto Sans, sans-serif, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial,
-        sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
+        RedHatVF, system-ui, -apple-system, Segoe UI, Roboto, Ubuntu, Cantarell, Noto Sans,
+        sans-serif, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif,
+        "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";

    --ifm-font-family-monospace:
-        RedHatMonoVF, SFMono-Regular, Menlo, Monaco, Consolas,
-        "Liberation Mono", "Courier New", monospace;
+        RedHatMonoVF, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New",
+        monospace;

    --ifm-heading-font-family: RedHatDisplayVF, var(--ifm-font-family-base);

--- a/packages/docusaurus-config/css/homepage.css
+++ b/packages/docusaurus-config/css/homepage.css
@ -7,11 +7,7 @@
 }

 .homepage_hero__subtitle p {
-    font-size: clamp(
-        1.125rem,
-        0.9946rem + 0.6522vi,
-        1.5rem
-    ); /* Adjust font as page scales */
+    font-size: clamp(1.125rem, 0.9946rem + 0.6522vi, 1.5rem); /* Adjust font as page scales */
    max-width: 28ch; /* Apply a maximum to keep everything in the box */
    text-wrap: balance; /* Prevent widows, orphans, and runts. Doesn't work in Safari */
 }
--- a/packages/docusaurus-config/css/menu.css
+++ b/packages/docusaurus-config/css/menu.css
@ -1,5 +1,5 @@
 :root {
-    --ifm-menu-link-padding-vertical: 1em;
+    --ifm-menu-link-padding-vertical: 0.5em;
 }

 .menu__list-item {
--- a/packages/docusaurus-config/css/navbar.css
+++ b/packages/docusaurus-config/css/navbar.css
@ -75,17 +75,14 @@
        --ifm-navbar-item-padding-horizontal: 1rem;
    }

-    .docs-wrapper .navbar {
+    .navbar {
        margin: 0;
        padding-inline-start: 0;
    }

    .navbar__brand {
        justify-content: center;
-    }
-
-    .docs-wrapper .navbar__brand {
-        width: var(--doc-sidebar-width);
+        width: var(--doc-sidebar-width, 300px);
        margin: 0;
    }

@ -122,12 +119,8 @@

        @media (min-width: 999px) {
            border-inline-start: 1px solid var(--ifm-hover-overlay);
-            margin-inline-start: calc(
-                var(--ifm-navbar-item-padding-horizontal) / 2
-            );
-            padding-inline-start: calc(
-                var(--ifm-navbar-item-padding-horizontal) / 2
-            );
+            margin-inline-start: calc(var(--ifm-navbar-item-padding-horizontal) / 2);
+            padding-inline-start: calc(var(--ifm-navbar-item-padding-horizontal) / 2);
        }
    }

@ -151,19 +144,14 @@
        hsl(236.84deg 34.55% 10.78%)
    );
    --docsearch-key-shadow:
-        inset 0 -2px 0 0 hsl(233.33deg 36% 24.51%),
-        inset 0 0 1px 1px hsl(232.11deg 34.86% 57.25%),
+        inset 0 -2px 0 0 hsl(233.33deg 36% 24.51%), inset 0 0 1px 1px hsl(232.11deg 34.86% 57.25%),
        0 2px 2px 0 rgba(3, 4, 9, 0.3);
    --docsearch-key-pressed-shadow:
-        inset 0 -2px 0 0 #282d55,
-        inset 0 0 1px 1px hsl(231.82deg 21.36% 40.39%),
+        inset 0 -2px 0 0 #282d55, inset 0 0 1px 1px hsl(231.82deg 21.36% 40.39%),
        0 1px 1px 0 hsl(230deg 50% 2.35% / 30.2%);

-    padding: var(--ifm-navbar-item-padding-vertical)
-        var(--ifm-navbar-item-padding-horizontal) !important;
-    padding-inline-end: calc(
-        var(--ifm-navbar-item-padding-horizontal) * 1.25
-    ) !important;
+    padding: var(--ifm-navbar-item-padding-vertical) var(--ifm-navbar-item-padding-horizontal) !important;
+    padding-inline-end: calc(var(--ifm-navbar-item-padding-horizontal) * 1.25) !important;

    .DocSearch-Button-Placeholder {
        font-family: var(--ifm-heading-font-family);
--- a/packages/docusaurus-config/css/root.css
+++ b/packages/docusaurus-config/css/root.css
@ -13,7 +13,3 @@

    --ifm-color-content: hsl(216 35% 3%);
 }
-
-body {
-    overscroll-behavior-x: none;
-}
--- a/packages/docusaurus-config/lib/common.js
+++ b/packages/docusaurus-config/lib/common.js
@ -4,8 +4,8 @@
 * @import { Config as DocusaurusConfig } from "@docusaurus/types"
 * @import { UserThemeConfig } from "./theme.js"
 */
-
 import { deepmerge } from "deepmerge-ts";
+
 import { createThemeConfig } from "./theme.js";

 //#region Types
--- a/packages/docusaurus-config/lib/theme.js
+++ b/packages/docusaurus-config/lib/theme.js
@ -4,7 +4,6 @@
 * @import { UserThemeConfig as UserThemeConfigCommon } from "@docusaurus/theme-common";
 * @import { UserThemeConfig as UserThemeConfigAlgolia } from "@docusaurus/theme-search-algolia";
 */
-
 import { deepmerge } from "deepmerge-ts";
 import { themes as prismThemes } from "prism-react-renderer";

--- a/packages/docusaurus-config/package-lock.json
+++ b/packages/docusaurus-config/package-lock.json
@ -1,12 +1,12 @@
 {
    "name": "@goauthentik/docusaurus-config",
-    "version": "1.0.2",
+    "version": "1.0.5",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "@goauthentik/docusaurus-config",
-            "version": "1.0.2",
+            "version": "1.0.5",
            "license": "MIT",
            "dependencies": {
                "deepmerge-ts": "^7.1.5",
--- a/packages/docusaurus-config/package.json
+++ b/packages/docusaurus-config/package.json
@ -1,6 +1,6 @@
 {
    "name": "@goauthentik/docusaurus-config",
-    "version": "1.0.4",
+    "version": "1.0.5",
    "description": "authentik's Docusaurus config",
    "license": "MIT",
    "scripts": {
--- a/pyproject.toml
+++ b/pyproject.toml
@ -1,6 +1,6 @@
 [project]
 name = "authentik"
-version = "2025.2.4"
+version = "2025.4.0"
 description = ""
 authors = [{ name = "authentik Team", email = "hello@goauthentik.io" }]
 requires-python = "==3.12.*"
--- a/schema.yml
+++ b/schema.yml
@ -1,7 +1,7 @@
 openapi: 3.0.3
 info:
  title: authentik
-  version: 2025.2.4
+  version: 2025.4.0
  description: Making authentication simple.
  contact:
    email: hello@goauthentik.io
--- a/uv.lock
+++ b/uv.lock
@ -165,7 +165,7 @@ wheels = [

 [[package]]
 name = "authentik"
-version = "2025.2.4"
+version = "2025.4.0"
 source = { editable = "." }
 dependencies = [
    { name = "argon2-cffi" },
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/package.json
+++ b/web/package.json
@ -12,7 +12,8 @@
        "@floating-ui/dom": "^1.6.11",
        "@formatjs/intl-listformat": "^7.5.7",
        "@fortawesome/fontawesome-free": "^6.6.0",
-        "@goauthentik/api": "^2025.2.4-1745325566",
+        "@goauthentik/api": "^2025.4.0-1746018955",
+        "@lit-labs/ssr": "3.2.2",
        "@lit/context": "^1.1.2",
        "@lit/localize": "^0.12.2",
        "@lit/reactive-element": "^2.0.4",
@ -53,7 +54,6 @@
        "remark-gfm": "^4.0.1",
        "remark-mdx-frontmatter": "^5.0.0",
        "style-mod": "^4.1.2",
-        "trusted-types": "^2.0.0",
        "ts-pattern": "^5.4.0",
        "unist-util-visit": "^5.0.0",
        "webcomponent-qr-code": "^1.2.0",
--- a/web/src/admin/AdminInterface/AdminInterface.ts
+++ b/web/src/admin/AdminInterface/AdminInterface.ts
@ -4,17 +4,13 @@ import { ROUTES } from "@goauthentik/admin/Routes";
 import {
    EVENT_API_DRAWER_TOGGLE,
    EVENT_NOTIFICATION_DRAWER_TOGGLE,
-    EVENT_SIDEBAR_TOGGLE,
 } from "@goauthentik/common/constants";
 import { configureSentry } from "@goauthentik/common/sentry";
 import { me } from "@goauthentik/common/users";
 import { WebsocketClient } from "@goauthentik/common/ws";
 import { AuthenticatedInterface } from "@goauthentik/elements/Interface";
-import { WithLicenseSummary } from "@goauthentik/elements/Interface/licenseSummaryProvider.js";
 import "@goauthentik/elements/ak-locale-context";
 import "@goauthentik/elements/banner/EnterpriseStatusBanner";
-import "@goauthentik/elements/banner/EnterpriseStatusBanner";
-import "@goauthentik/elements/banner/VersionBanner";
 import "@goauthentik/elements/banner/VersionBanner";
 import "@goauthentik/elements/messages/MessageContainer";
 import "@goauthentik/elements/messages/MessageContainer";
@ -25,32 +21,25 @@ import "@goauthentik/elements/router/RouterOutlet";
 import "@goauthentik/elements/sidebar/Sidebar";
 import "@goauthentik/elements/sidebar/SidebarItem";

-import { CSSResult, TemplateResult, css, html, nothing } from "lit";
+import { CSSResult, TemplateResult, css, html } from "lit";
 import { customElement, property, query, state } from "lit/decorators.js";
 import { classMap } from "lit/directives/class-map.js";

 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFDrawer from "@patternfly/patternfly/components/Drawer/drawer.css";
-import PFNav from "@patternfly/patternfly/components/Nav/nav.css";
 import PFPage from "@patternfly/patternfly/components/Page/page.css";
 import PFBase from "@patternfly/patternfly/patternfly-base.css";

-import { LicenseSummaryStatusEnum, SessionUser, UiThemeEnum } from "@goauthentik/api";
+import { SessionUser, UiThemeEnum } from "@goauthentik/api";

-import {
-    AdminSidebarEnterpriseEntries,
-    AdminSidebarEntries,
-    renderSidebarItems,
-} from "./AdminSidebar.js";
+import "./AdminSidebar";

 if (process.env.NODE_ENV === "development") {
    await import("@goauthentik/esbuild-plugin-live-reload/client");
 }

@customElement("ak-interface-admin")
-export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
-    //#region Properties
-
+export class AdminInterface extends AuthenticatedInterface {
    @property({ type: Boolean })
    notificationDrawerOpen = getURLParam("notificationDrawerOpen", false);

@ -65,24 +54,12 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
    @query("ak-about-modal")
    aboutModal?: AboutModal;

-    @property({ type: Boolean, reflect: true })
-    public sidebarOpen = true;
-
-    #toggleSidebar = () => {
-        this.sidebarOpen = !this.sidebarOpen;
-    };
-
-    //#endregion
-
-    //#region Styles
-
    static get styles(): CSSResult[] {
        return [
            PFBase,
            PFPage,
            PFButton,
            PFDrawer,
-            PFNav,
            css`
                .pf-c-page__main,
                .pf-c-drawer__content,
@ -90,30 +67,23 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
                    z-index: auto !important;
                    background-color: transparent;
                }
-
                .display-none {
                    display: none;
                }
-
                .pf-c-page {
                    background-color: var(--pf-c-page--BackgroundColor) !important;
                }
-
-                :host([theme="dark"]) {
-                    /* Global page background colour */
-                    .pf-c-page {
-                        --pf-c-page--BackgroundColor: var(--ak-dark-background);
-                    }
+                /* Global page background colour */
+                :host([theme="dark"]) .pf-c-page {
+                    --pf-c-page--BackgroundColor: var(--ak-dark-background);
                }
-
-                ak-page-navbar {
+                ak-enterprise-status,
+                ak-version-banner {
                    grid-area: header;
                }
-
-                .ak-sidebar {
+                ak-admin-sidebar {
                    grid-area: nav;
                }
-
                .pf-c-drawer__panel {
                    z-index: var(--pf-global--ZIndex--xl);
                }
@ -121,19 +91,9 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
        ];
    }

-    //#endregion
-
-    //#region Lifecycle
-
    constructor() {
        super();
        this.ws = new WebsocketClient();
-    }
-
-    public connectedCallback(): void {
-        super.connectedCallback();
-
-        window.addEventListener(EVENT_SIDEBAR_TOGGLE, this.#toggleSidebar);

        window.addEventListener(EVENT_NOTIFICATION_DRAWER_TOGGLE, () => {
            this.notificationDrawerOpen = !this.notificationDrawerOpen;
@ -150,11 +110,6 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
        });
    }

-    public disconnectedCallback(): void {
-        super.disconnectedCallback();
-        window.removeEventListener(EVENT_SIDEBAR_TOGGLE, this.#toggleSidebar);
-    }
-
    async firstUpdated(): Promise<void> {
        configureSentry(true);
        this.user = await me();
@ -163,7 +118,6 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {
            this.user.user.isSuperuser ||
            // TODO: somehow add `access_admin_interface` to the API schema
            this.user.user.systemPermissions.includes("access_admin_interface");
-
        if (!canAccessAdmin && this.user.user.pk > 0) {
            window.location.assign("/if/user/");
        }
@ -171,14 +125,10 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {

    render(): TemplateResult {
        const sidebarClasses = {
-            "pf-c-page__sidebar": true,
            "pf-m-light": this.activeTheme === UiThemeEnum.Light,
-            "pf-m-expanded": this.sidebarOpen,
-            "pf-m-collapsed": !this.sidebarOpen,
        };

        const drawerOpen = this.notificationDrawerOpen || this.apiDrawerOpen;
-
        const drawerClasses = {
            "pf-m-expanded": drawerOpen,
            "pf-m-collapsed": !drawerOpen,
@ -186,18 +136,11 @@ export class AdminInterface extends WithLicenseSummary(AuthenticatedInterface) {

        return html` <ak-locale-context>
            <div class="pf-c-page">
-                <ak-page-navbar>
-                    <ak-version-banner></ak-version-banner>
-                    <ak-enterprise-status interface="admin"></ak-enterprise-status>
-                </ak-page-navbar>
-
-                <ak-sidebar class="${classMap(sidebarClasses)}">
-                    ${renderSidebarItems(AdminSidebarEntries)}
-                    ${this.licenseSummary?.status !== LicenseSummaryStatusEnum.Unlicensed
-                        ? renderSidebarItems(AdminSidebarEnterpriseEntries)
-                        : nothing}
-                </ak-sidebar>
-
+                <ak-enterprise-status interface="admin"></ak-enterprise-status>
+                <ak-version-banner></ak-version-banner>
+                <ak-admin-sidebar
+                    class="pf-c-page__sidebar ${classMap(sidebarClasses)}"
+                ></ak-admin-sidebar>
                <div class="pf-c-page__drawer">
                    <div class="pf-c-drawer ${classMap(drawerClasses)}">
                        <div class="pf-c-drawer__main">
--- a/web/src/admin/AdminInterface/AdminSidebar.ts
+++ b/web/src/admin/AdminInterface/AdminSidebar.ts
@ -1,98 +1,186 @@
+import { EVENT_SIDEBAR_TOGGLE } from "@goauthentik/common/constants";
+import { me } from "@goauthentik/common/users";
+import { AKElement } from "@goauthentik/elements/Base";
+import {
+    CapabilitiesEnum,
+    WithCapabilitiesConfig,
+} from "@goauthentik/elements/Interface/capabilitiesProvider";
+import { WithVersion } from "@goauthentik/elements/Interface/versionProvider";
 import { ID_REGEX, SLUG_REGEX, UUID_REGEX } from "@goauthentik/elements/router/Route";
+import { getRootStyle } from "@goauthentik/elements/utils/getRootStyle";
 import { spread } from "@open-wc/lit-helpers";

 import { msg } from "@lit/localize";
 import { TemplateResult, html, nothing } from "lit";
-import { repeat } from "lit/directives/repeat.js";
+import { customElement, property, state } from "lit/decorators.js";
+import { map } from "lit/directives/map.js";

-// The second attribute type is of string[] to help with the 'activeWhen' control, which was
-// commonplace and singular enough to merit its own handler.
-type SidebarEntry = [
-    path: string | null,
-    label: string,
-    attributes?: Record<string, any> | string[] | null, // eslint-disable-line
-    children?: SidebarEntry[],
-];
+import { UiThemeEnum } from "@goauthentik/api";
+import type { SessionUser, UserSelf } from "@goauthentik/api";

-/**
- * Recursively renders a sidebar entry.
- */
-export function renderSidebarItem([
-    path,
-    label,
-    attributes,
-    children,
-]: SidebarEntry): TemplateResult {
-    const properties = Array.isArray(attributes)
-        ? { ".activeWhen": attributes }
-        : (attributes ?? {});
+@customElement("ak-admin-sidebar")
+export class AkAdminSidebar extends WithCapabilitiesConfig(WithVersion(AKElement)) {
+    @property({ type: Boolean, reflect: true })
+    open = true;

-    if (path) {
-        properties.path = path;
+    @state()
+    impersonation: UserSelf["username"] | null = null;
+
+    constructor() {
+        super();
+        me().then((user: SessionUser) => {
+            this.impersonation = user.original ? user.user.username : null;
+        });
+        this.toggleOpen = this.toggleOpen.bind(this);
+        this.checkWidth = this.checkWidth.bind(this);
    }

-    return html`<ak-sidebar-item ${spread(properties)}>
-        ${label ? html`<span slot="label">${label}</span>` : nothing}
-        ${children ? renderSidebarItems(children) : nothing}
-    </ak-sidebar-item>`;
+    // This has to be a bound method so the event listener can be removed on disconnection as
+    // needed.
+    toggleOpen() {
+        this.open = !this.open;
+    }
+
+    checkWidth() {
+        // This works just fine, but it assumes that the `--ak-sidebar--minimum-auto-width` is in
+        // REMs. If that changes, this code will have to be adjusted as well.
+        const minWidth =
+            parseFloat(getRootStyle("--ak-sidebar--minimum-auto-width")) *
+            parseFloat(getRootStyle("font-size"));
+        this.open = window.innerWidth >= minWidth;
+    }
+
+    connectedCallback() {
+        super.connectedCallback();
+        window.addEventListener(EVENT_SIDEBAR_TOGGLE, this.toggleOpen);
+        window.addEventListener("resize", this.checkWidth);
+        // After connecting to the DOM, we can now perform this check to see if the sidebar should
+        // be open by default.
+        this.checkWidth();
+    }
+
+    // The symmetry (☟, ☝) here is critical in that you want to start adding these handlers after
+    // connection, and removing them before disconnection.
+
+    disconnectedCallback() {
+        window.removeEventListener(EVENT_SIDEBAR_TOGGLE, this.toggleOpen);
+        window.removeEventListener("resize", this.checkWidth);
+        super.disconnectedCallback();
+    }
+
+    render() {
+        return html`
+            <ak-sidebar
+                class="pf-c-page__sidebar ${this.open ? "pf-m-expanded" : "pf-m-collapsed"} ${this
+                    .activeTheme === UiThemeEnum.Light
+                    ? "pf-m-light"
+                    : ""}"
+            >
+                ${this.renderSidebarItems()}
+            </ak-sidebar>
+        `;
+    }
+
+    updated() {
+        // This is permissible as`:host.classList` is not one of the properties Lit uses as a
+        // scheduling trigger. This sort of shenanigans can trigger an loop, in that it will trigger
+        // a browser reflow, which may trigger some other styling the application is monitoring,
+        // triggering a re-render which triggers a browser reflow, ad infinitum. But we've been
+        // living with that since jQuery, and it's both well-known and fortunately rare.
+
+        // eslint-disable-next-line wc/no-self-class
+        this.classList.remove("pf-m-expanded", "pf-m-collapsed");
+        // eslint-disable-next-line wc/no-self-class
+        this.classList.add(this.open ? "pf-m-expanded" : "pf-m-collapsed");
+    }
+
+    renderSidebarItems(): TemplateResult {
+        // The second attribute type is of string[] to help with the 'activeWhen' control, which was
+        // commonplace and singular enough to merit its own handler.
+        type SidebarEntry = [
+            path: string | null,
+            label: string,
+            attributes?: Record<string, any> | string[] | null, // eslint-disable-line
+            children?: SidebarEntry[],
+        ];
+
+        // prettier-ignore
+        const sidebarContent: SidebarEntry[] = [
+            [null, msg("Dashboards"), { "?expanded": true }, [
+                ["/administration/overview", msg("Overview")],
+                ["/administration/dashboard/users", msg("User Statistics")],
+                ["/administration/system-tasks", msg("System Tasks")]]],
+            [null, msg("Applications"), null, [
+                ["/core/applications", msg("Applications"), [`^/core/applications/(?<slug>${SLUG_REGEX})$`]],
+                ["/core/providers", msg("Providers"), [`^/core/providers/(?<id>${ID_REGEX})$`]],
+                ["/outpost/outposts", msg("Outposts")]]],
+            [null, msg("Events"), null, [
+                ["/events/log", msg("Logs"), [`^/events/log/(?<id>${UUID_REGEX})$`]],
+                ["/events/rules", msg("Notification Rules")],
+                ["/events/transports", msg("Notification Transports")]]],
+            [null, msg("Customization"), null, [
+                ["/policy/policies", msg("Policies")],
+                ["/core/property-mappings", msg("Property Mappings")],
+                ["/blueprints/instances", msg("Blueprints")],
+                ["/policy/reputation", msg("Reputation scores")]]],
+            [null, msg("Flows and Stages"), null, [
+                ["/flow/flows", msg("Flows"), [`^/flow/flows/(?<slug>${SLUG_REGEX})$`]],
+                ["/flow/stages", msg("Stages")],
+                ["/flow/stages/prompts", msg("Prompts")]]],
+            [null, msg("Directory"), null, [
+                ["/identity/users", msg("Users"), [`^/identity/users/(?<id>${ID_REGEX})$`]],
+                ["/identity/groups", msg("Groups"), [`^/identity/groups/(?<id>${UUID_REGEX})$`]],
+                ["/identity/roles", msg("Roles"), [`^/identity/roles/(?<id>${UUID_REGEX})$`]],
+                ["/identity/initial-permissions", msg("Initial Permissions"), [`^/identity/initial-permissions/(?<id>${ID_REGEX})$`]],
+                ["/core/sources", msg("Federation and Social login"), [`^/core/sources/(?<slug>${SLUG_REGEX})$`]],
+                ["/core/tokens", msg("Tokens and App passwords")],
+                ["/flow/stages/invitations", msg("Invitations")]]],
+            [null, msg("System"), null, [
+                ["/core/brands", msg("Brands")],
+                ["/crypto/certificates", msg("Certificates")],
+                ["/outpost/integrations", msg("Outpost Integrations")],
+                ["/admin/settings", msg("Settings")]]],
+        ];
+
+        // Typescript requires the type here to correctly type the recursive path
+        type SidebarRenderer = (_: SidebarEntry) => TemplateResult;
+
+        const renderOneSidebarItem: SidebarRenderer = ([path, label, attributes, children]) => {
+            const properties = Array.isArray(attributes)
+                ? { ".activeWhen": attributes }
+                : (attributes ?? {});
+            if (path) {
+                properties.path = path;
+            }
+            return html`<ak-sidebar-item ${spread(properties)}>
+                ${label ? html`<span slot="label">${label}</span>` : nothing}
+                ${map(children, renderOneSidebarItem)}
+            </ak-sidebar-item>`;
+        };
+
+        // prettier-ignore
+        return html`
+            ${map(sidebarContent, renderOneSidebarItem)}
+            ${this.renderEnterpriseMenu()}
+        `;
+    }
+
+    renderEnterpriseMenu() {
+        return this.can(CapabilitiesEnum.IsEnterprise)
+            ? html`
+                  <ak-sidebar-item>
+                      <span slot="label">${msg("Enterprise")}</span>
+                      <ak-sidebar-item path="/enterprise/licenses">
+                          <span slot="label">${msg("Licenses")}</span>
+                      </ak-sidebar-item>
+                  </ak-sidebar-item>
+              `
+            : nothing;
+    }
 }

-/**
- * Recursively renders a collection of sidebar entries.
- */
-export function renderSidebarItems(entries: readonly SidebarEntry[]) {
-    console.debug("authentik/sidebar: Rendering sidebar items", entries);
-    return repeat(entries, ([path, label]) => path || label, renderSidebarItem);
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-admin-sidebar": AkAdminSidebar;
+    }
 }
-
-// prettier-ignore
-export const AdminSidebarEntries: readonly SidebarEntry[] = [
-    [null, msg("Dashboards"), { "?expanded": true }, [
-        ["/administration/overview", msg("Overview")],
-        ["/administration/dashboard/users", msg("User Statistics")],
-        ["/administration/system-tasks", msg("System Tasks")]]
-    ],
-    [null, msg("Applications"), null, [
-        ["/core/applications", msg("Applications"), [`^/core/applications/(?<slug>${SLUG_REGEX})$`]],
-        ["/core/providers", msg("Providers"), [`^/core/providers/(?<id>${ID_REGEX})$`]],
-        ["/outpost/outposts", msg("Outposts")]]
-    ],
-    [null, msg("Events"), null, [
-        ["/events/log", msg("Logs"), [`^/events/log/(?<id>${UUID_REGEX})$`]],
-        ["/events/rules", msg("Notification Rules")],
-        ["/events/transports", msg("Notification Transports")]]
-    ],
-    [null, msg("Customization"), null, [
-        ["/policy/policies", msg("Policies")],
-        ["/core/property-mappings", msg("Property Mappings")],
-        ["/blueprints/instances", msg("Blueprints")],
-        ["/policy/reputation", msg("Reputation scores")]]
-    ],
-    [null, msg("Flows and Stages"), null, [
-        ["/flow/flows", msg("Flows"), [`^/flow/flows/(?<slug>${SLUG_REGEX})$`]],
-        ["/flow/stages", msg("Stages")],
-        ["/flow/stages/prompts", msg("Prompts")]]
-    ],
-    [null, msg("Directory"), null, [
-        ["/identity/users", msg("Users"), [`^/identity/users/(?<id>${ID_REGEX})$`]],
-        ["/identity/groups", msg("Groups"), [`^/identity/groups/(?<id>${UUID_REGEX})$`]],
-        ["/identity/roles", msg("Roles"), [`^/identity/roles/(?<id>${UUID_REGEX})$`]],
-        ["/identity/initial-permissions", msg("Initial Permissions"), [`^/identity/initial-permissions/(?<id>${ID_REGEX})$`]],
-        ["/core/sources", msg("Federation and Social login"), [`^/core/sources/(?<slug>${SLUG_REGEX})$`]],
-        ["/core/tokens", msg("Tokens and App passwords")],
-        ["/flow/stages/invitations", msg("Invitations")]]
-    ],
-    [null, msg("System"), null, [
-        ["/core/brands", msg("Brands")],
-        ["/crypto/certificates", msg("Certificates")],
-        ["/outpost/integrations", msg("Outpost Integrations")],
-        ["/admin/settings", msg("Settings")]]
-    ],
-];
-
-// prettier-ignore
-export const AdminSidebarEnterpriseEntries: readonly SidebarEntry[] = [
-    [null, msg("Enterprise"), null, [
-        ["/enterprise/licenses", msg("Licenses"), null]
-    ],
-]]
--- a/web/src/admin/admin-overview/AdminOverviewPage.ts
+++ b/web/src/admin/admin-overview/AdminOverviewPage.ts
@ -58,6 +58,9 @@ export class AdminOverviewPage extends AdminOverviewBase {
            PFContent,
            PFDivider,
            css`
+                .pf-l-grid__item {
+                    height: 100%;
+                }
                .pf-l-grid__item.big-graph-container {
                    height: 35em;
                }
@ -71,10 +74,6 @@ export class AdminOverviewPage extends AdminOverviewBase {
                    line-height: normal;
                    font-size: var(--pf-global--icon--FontSize--sm);
                }
-
-                .chart-item {
-                    aspect-ratio: 2 / 1;
-                }
            `,
        ];
    }
@ -95,31 +94,22 @@ export class AdminOverviewPage extends AdminOverviewBase {
    }

    render(): TemplateResult {
-        const username = this.user?.user.name || this.user?.user.username;
+        const name = this.user?.user.name ?? this.user?.user.username;

-        return html` <ak-page-header
-                header=${msg(str`Welcome, ${username || ""}.`)}
-                description=${msg("General system status")}
-                ?hasIcon=${false}
-            >
+        return html`<ak-page-header description=${msg("General system status")} ?hasIcon=${false}>
+                <span slot="header"> ${msg(str`Welcome, ${name || ""}.`)} </span>
            </ak-page-header>
            <section class="pf-c-page__main-section">
                <div class="pf-l-grid pf-m-gutter">
-                    <div class="pf-l-grid__item pf-m-12-col pf-m-2-row pf-m-9-col-on-xl">
-                        <ak-recent-events pageSize="6"></ak-recent-events>
-                    </div>
-                    <div class="pf-l-grid__item pf-m-12-col pf-m-6-col-on-sm pf-m-3-col-on-xl">
-                        <ak-quick-actions-card .actions=${this.quickActions}>
-                        </ak-quick-actions-card>
-                    </div>
-
-                    <div class="pf-l-grid__item pf-m-12-col pf-m-6-col-on-sm pf-m-3-col-on-xl">
-                        <ak-admin-status-version> </ak-admin-status-version>
-                    </div>
-                    <div class="pf-l-grid pf-l-grid__item pf-m-12-col pf-m-gutter">
-                        ${this.renderSecondaryRow()}
-
-                        <div class="pf-l-grid__item pf-m-12-col pf-m-6-col-on-md chart-item">
+                    <!-- row 1 -->
+                    <div
+                        class="pf-l-grid__item pf-m-12-col pf-m-6-col-on-xl pf-m-6-col-on-2xl pf-l-grid pf-m-gutter"
+                    >
+                        <div class="pf-l-grid__item pf-m-12-col pf-m-6-col-on-xl pf-m-4-col-on-2xl">
+                            <ak-quick-actions-card .actions=${this.quickActions}>
+                            </ak-quick-actions-card>
+                        </div>
+                        <div class="pf-l-grid__item pf-m-12-col pf-m-6-col-on-xl pf-m-4-col-on-2xl">
                            <ak-aggregate-card
                                icon="pf-icon pf-icon-zone"
                                header=${msg("Outpost status")}
@ -128,13 +118,24 @@ export class AdminOverviewPage extends AdminOverviewBase {
                                <ak-admin-status-chart-outpost></ak-admin-status-chart-outpost>
                            </ak-aggregate-card>
                        </div>
-                        <div class="pf-l-grid__item pf-m-12-col pf-m-6-col-on-md chart-item">
+                        <div
+                            class="pf-l-grid__item pf-m-12-col pf-m-12-col-on-xl pf-m-4-col-on-2xl"
+                        >
                            <ak-aggregate-card icon="fa fa-sync-alt" header=${msg("Sync status")}>
                                <ak-admin-status-chart-sync></ak-admin-status-chart-sync>
                            </ak-aggregate-card>
                        </div>
+                        <div class="pf-l-grid__item pf-m-12-col">
+                            <hr class="pf-c-divider" />
+                        </div>
+                        ${this.renderCards()}
+                    </div>
+                    <div class="pf-l-grid__item pf-m-12-col pf-m-6-col-on-xl">
+                        <ak-recent-events pageSize="6"></ak-recent-events>
+                    </div>
+                    <div class="pf-l-grid__item pf-m-12-col">
+                        <hr class="pf-c-divider" />
                    </div>
-
                    <!-- row 3 -->
                    <div
                        class="pf-l-grid__item pf-m-12-col pf-m-6-col-on-xl pf-m-8-col-on-2xl big-graph-container"
@ -162,34 +163,32 @@ export class AdminOverviewPage extends AdminOverviewBase {
            </section>`;
    }

-    renderSecondaryRow() {
+    renderCards() {
        const isEnterprise = this.hasEnterpriseLicense;
-        const colSpan = isEnterprise ? 4 : 6;
-
        const classes = {
            "card-container": true,
            "pf-l-grid__item": true,
-            [`pf-m-12-col`]: true,
-            [`pf-m-${colSpan}-col-on-md`]: true,
+            "pf-m-6-col": true,
+            "pf-m-4-col-on-md": !isEnterprise,
+            "pf-m-4-col-on-xl": !isEnterprise,
+            "pf-m-3-col-on-md": isEnterprise,
+            "pf-m-3-col-on-xl": isEnterprise,
        };

-        return html`
-            <div class=${classMap(classes)}>
+        return html`<div class=${classMap(classes)}>
                <ak-admin-status-system> </ak-admin-status-system>
            </div>
-
+            <div class=${classMap(classes)}>
+                <ak-admin-status-version> </ak-admin-status-version>
+            </div>
            <div class=${classMap(classes)}>
                <ak-admin-status-card-workers> </ak-admin-status-card-workers>
            </div>
-
            ${isEnterprise
-                ? html`
-                      <div class=${classMap(classes)}>
-                          <ak-admin-fips-status-system> </ak-admin-fips-status-system>
-                      </div>
-                  `
-                : nothing}
-        `;
+                ? html` <div class=${classMap(classes)}>
+                      <ak-admin-fips-status-system> </ak-admin-fips-status-system>
+                  </div>`
+                : nothing} `;
    }

    renderActions() {
--- a/web/src/admin/admin-settings/AdminSettingsPage.ts
+++ b/web/src/admin/admin-settings/AdminSettingsPage.ts
@ -83,10 +83,13 @@ export class AdminSettingsPage extends AKElement {
    }

    render() {
-        if (!this.settings) return nothing;
-
+        if (!this.settings) {
+            return nothing;
+        }
        return html`
-            <ak-page-header icon="fa fa-cog" header="${msg("System settings")}"> </ak-page-header>
+            <ak-page-header icon="fa fa-cog" header="" description="">
+                <span slot="header"> ${msg("System settings")} </span>
+            </ak-page-header>
            <section class="pf-c-page__main-section pf-m-no-padding-mobile pf-l-grid pf-m-gutter">
                <div class="pf-c-card">
                    <div class="pf-c-card__body">
--- a/web/src/common/constants.ts
+++ b/web/src/common/constants.ts
@ -3,7 +3,7 @@ export const SUCCESS_CLASS = "pf-m-success";
 export const ERROR_CLASS = "pf-m-danger";
 export const PROGRESS_CLASS = "pf-m-in-progress";
 export const CURRENT_CLASS = "pf-m-current";
-export const VERSION = "2025.2.4";
+export const VERSION = "2025.4.0";
 export const TITLE_DEFAULT = "authentik";
 export const ROUTE_SEPARATOR = ";";

--- a/web/src/common/purify.ts
+++ b/web/src/common/purify.ts
@ -1,110 +1,26 @@
 import type { Config as DOMPurifyConfig } from "dompurify";
 import DOMPurify from "dompurify";
-import { trustedTypes } from "trusted-types";

-import { render } from "lit";
+import { render } from "@lit-labs/ssr";
+import { collectResult } from "@lit-labs/ssr/lib/render-result.js";
+import { TemplateResult, html } from "lit";
 import { unsafeHTML } from "lit/directives/unsafe-html.js";
+import { until } from "lit/directives/until.js";

-/**
- * Trusted types policy that escapes HTML content in place.
- *
- * @see {@linkcode SanitizedTrustPolicy} to strip HTML content.
- *
- * @returns {TrustedHTML} All HTML content, escaped.
- */
-export const EscapeTrustPolicy = trustedTypes.createPolicy("authentik-escape", {
-    createHTML: (untrustedHTML: string) => {
-        return DOMPurify.sanitize(untrustedHTML, {
-            RETURN_TRUSTED_TYPE: false,
-        });
-    },
-});
-
-/**
- * Trusted types policy, stripping all HTML content.
- *
- * @returns {TrustedHTML} Text content only, all HTML tags stripped.
- */
-export const SanitizedTrustPolicy = trustedTypes.createPolicy("authentik-sanitize", {
-    createHTML: (untrustedHTML: string) => {
-        return DOMPurify.sanitize(untrustedHTML, {
-            RETURN_TRUSTED_TYPE: false,
-            ALLOWED_TAGS: ["#text"],
-        });
-    },
-});
-
-/**
- * Trusted types policy, allowing a minimal set of _safe_ HTML tags supplied by
- * a trusted source, such as the brand API.
- */
-export const BrandedHTMLPolicy = trustedTypes.createPolicy("authentik-restrict", {
-    createHTML: (untrustedHTML: string) => {
-        return DOMPurify.sanitize(untrustedHTML, {
-            RETURN_TRUSTED_TYPE: false,
-            FORBID_TAGS: [
-                "script",
-                "style",
-                "iframe",
-                "link",
-                "object",
-                "embed",
-                "applet",
-                "meta",
-                "base",
-                "form",
-                "input",
-                "textarea",
-                "select",
-                "button",
-            ],
-            FORBID_ATTR: [
-                "onerror",
-                "onclick",
-                "onload",
-                "onmouseover",
-                "onmouseout",
-                "onmouseup",
-                "onmousedown",
-                "onfocus",
-                "onblur",
-                "onsubmit",
-            ],
-        });
-    },
-});
-
-export type AuthentikTrustPolicy =
-    | typeof EscapeTrustPolicy
-    | typeof SanitizedTrustPolicy
-    | typeof BrandedHTMLPolicy;
-
-/**
- * Sanitize an untrusted HTML string using a trusted types policy.
- */
-export function sanitizeHTML(trustPolicy: AuthentikTrustPolicy, untrustedHTML: string) {
-    return unsafeHTML(trustPolicy.createHTML(untrustedHTML).toString());
-}
-
-/**
- * DOMPurify configuration for strict sanitization.
- *
- * This configuration only allows text nodes and disallows all HTML tags.
- */
 export const DOM_PURIFY_STRICT = {
    ALLOWED_TAGS: ["#text"],
 } as const satisfies DOMPurifyConfig;

-/**
- * Render untrusted HTML to a string without escaping it.
- *
- * @returns {string} The rendered HTML string.
- */
-export function renderStaticHTMLUnsafe(untrustedHTML: unknown): string {
-    const container = document.createElement("html");
-    render(untrustedHTML, container);
-
-    const result = container.innerHTML;
-
-    return result;
+export async function renderStatic(input: TemplateResult): Promise<string> {
+    return await collectResult(render(input));
+}
+
+export function purify(input: TemplateResult): TemplateResult {
+    return html`${until(
+        (async () => {
+            const rendered = await renderStatic(input);
+            const purified = DOMPurify.sanitize(rendered);
+            return html`${unsafeHTML(purified)}`;
+        })(),
+    )}`;
 }
--- a/web/src/common/styles/authentik.css
+++ b/web/src/common/styles/authentik.css
@ -17,13 +17,6 @@

    /* Minimum width after which the sidebar becomes automatic */
    --ak-sidebar--minimum-auto-width: 80rem;
-
-    /**
-     * The height of the navbar and branded sidebar.
-     * @todo This shouldn't be necessary. The sidebar can instead use a grid layout
-     * ensuring they share the same height.
-     */
-    --ak-navbar--height: 7rem;
 }

@supports selector(::-webkit-scrollbar) {
--- a/web/src/components/ak-nav-buttons.ts
+++ b/web/src/components/ak-nav-buttons.ts
@ -67,12 +67,6 @@ export class NavigationButtons extends AKElement {
                :host([theme="light"]) .pf-c-page__header-tools-group .pf-c-button {
                    color: var(--ak-global--Color--100) !important;
                }
-
-                @media (max-width: 768px) {
-                    .pf-c-avatar {
-                        display: none;
-                    }
-                }
            `,
        ];
    }
@ -162,7 +156,9 @@ export class NavigationButtons extends AKElement {
    }

    renderImpersonation() {
-        if (!this.me?.original) return nothing;
+        if (!this.me?.original) {
+            return nothing;
+        }

        const onClick = async () => {
            await new CoreApi(DEFAULT_CONFIG).coreUsersImpersonateEndRetrieve();
@ -179,14 +175,6 @@ export class NavigationButtons extends AKElement {
            </div>`;
    }

-    renderAvatar() {
-        return html`<img
-            class="pf-c-avatar"
-            src=${ifDefined(this.me?.user.avatar)}
-            alt="${msg("Avatar image")}"
-        />`;
-    }
-
    get userDisplayName() {
        return match<UserDisplay | undefined, string | undefined>(this.uiConfig?.navbar.userDisplay)
            .with(UserDisplay.username, () => this.me?.user.username)
@ -224,7 +212,11 @@ export class NavigationButtons extends AKElement {
                      </div>
                  </div>`
                : nothing}
-            ${this.renderAvatar()}
+            <img
+                class="pf-c-avatar"
+                src=${ifDefined(this.me?.user.avatar)}
+                alt="${msg("Avatar image")}"
+            />
        </div>`;
    }
 }
--- a/web/src/elements/PageHeader.ts
+++ b/web/src/elements/PageHeader.ts
@ -5,23 +5,20 @@ import {
 } from "@goauthentik/common/constants";
 import { globalAK } from "@goauthentik/common/global";
 import { currentInterface } from "@goauthentik/common/sentry";
-import { UIConfig, UserDisplay, getConfigForUser } from "@goauthentik/common/ui/config";
+import { UIConfig, UserDisplay, uiConfig } from "@goauthentik/common/ui/config";
 import { me } from "@goauthentik/common/users";
 import "@goauthentik/components/ak-nav-buttons";
 import { AKElement } from "@goauthentik/elements/Base";
 import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
-import { DefaultBrand } from "@goauthentik/elements/sidebar/SidebarBrand";
-import { themeImage } from "@goauthentik/elements/utils/images";
 import "@patternfly/elements/pf-tooltip/pf-tooltip.js";

 import { msg } from "@lit/localize";
-import { CSSResult, LitElement, TemplateResult, css, html, nothing } from "lit";
+import { CSSResult, TemplateResult, css, html, nothing } from "lit";
 import { customElement, property, state } from "lit/decorators.js";

 import PFAvatar from "@patternfly/patternfly/components/Avatar/avatar.css";
 import PFButton from "@patternfly/patternfly/components/Button/button.css";
 import PFContent from "@patternfly/patternfly/components/Content/content.css";
-import PFDrawer from "@patternfly/patternfly/components/Drawer/drawer.css";
 import PFDropdown from "@patternfly/patternfly/components/Dropdown/dropdown.css";
 import PFNotificationBadge from "@patternfly/patternfly/components/NotificationBadge/notification-badge.css";
 import PFPage from "@patternfly/patternfly/components/Page/page.css";
@ -29,52 +26,34 @@ import PFBase from "@patternfly/patternfly/patternfly-base.css";

 import { SessionUser } from "@goauthentik/api";

-//#region Page Navbar
-
-export interface PageNavbarDetails {
-    header?: string;
-    description?: string;
+@customElement("ak-page-header")
+export class PageHeader extends WithBrandConfig(AKElement) {
+    @property()
    icon?: string;
-    iconImage?: boolean;
-}

-/**
- * A global navbar component at the top of the page.
- *
- * Internally, this component listens for the `ak-page-header` event, which is
- * dispatched by the `ak-page-header` component.
- */
-@customElement("ak-page-navbar")
-export class AKPageNavbar extends WithBrandConfig(AKElement) implements PageNavbarDetails {
-    //#region Static Properties
+    @property({ type: Boolean })
+    iconImage = false;

-    private static elementRef: AKPageNavbar | null = null;
+    @property()
+    header = "";

-    static readonly setNavbarDetails = (detail: Partial<PageNavbarDetails>): void => {
-        const { elementRef } = AKPageNavbar;
-        if (!elementRef) {
-            console.debug(
-                `ak-page-header: Could not find ak-page-navbar, skipping event dispatch.`,
-            );
-            return;
-        }
+    @property()
+    description?: string;

-        const { header, description, icon, iconImage } = detail;
+    @property({ type: Boolean })
+    hasIcon = true;

-        elementRef.header = header;
-        elementRef.description = description;
-        elementRef.icon = icon;
-        elementRef.iconImage = iconImage || false;
-        elementRef.hasIcon = !!icon;
-    };
+    @state()
+    me?: SessionUser;
+
+    @state()
+    uiConfig!: UIConfig;

    static get styles(): CSSResult[] {
        return [
            PFBase,
            PFButton,
            PFPage,
-            PFDrawer,
-
            PFNotificationBadge,
            PFContent,
            PFAvatar,
@ -84,392 +63,143 @@ export class AKPageNavbar extends WithBrandConfig(AKElement) implements PageNavb
                    position: sticky;
                    top: 0;
                    z-index: var(--pf-global--ZIndex--lg);
-                    --pf-c-page__header-tools--MarginRight: 0;
-                    --ak-brand-logo-height: var(--pf-global--FontSize--4xl, 2.25rem);
-                    --ak-brand-background-color: var(
-                        --pf-c-page__sidebar--m-light--BackgroundColor
-                    );
                }
-
-                :host([theme="dark"]) {
-                    --ak-brand-background-color: var(--pf-c-page__sidebar--BackgroundColor);
-                    --pf-c-page__sidebar--BackgroundColor: var(--ak-dark-background-light);
-                    color: var(--ak-dark-foreground);
-                }
-
-                navbar {
+                .bar {
                    border-bottom: var(--pf-global--BorderWidth--sm);
                    border-bottom-style: solid;
                    border-bottom-color: var(--pf-global--BorderColor--100);
-                    background-color: var(--pf-c-page--BackgroundColor);
-
                    display: flex;
                    flex-direction: row;
-                    min-height: 6rem;
-
-                    display: grid;
-                    row-gap: var(--pf-global--spacer--sm);
-                    column-gap: var(--pf-global--spacer--sm);
-                    grid-template-columns: [brand] auto [toggle] auto [primary] 1fr [secondary] auto;
-                    grid-template-rows: auto auto;
-                    grid-template-areas:
-                        "brand toggle primary secondary"
-                        "brand toggle description secondary";
-
-                    @media (max-width: 768px) {
-                        row-gap: var(--pf-global--spacer--xs);
-
-                        align-items: center;
-                        grid-template-areas:
-                            "toggle primary secondary"
-                            "toggle description description";
-                        justify-content: space-between;
-                        width: 100%;
-                    }
+                    min-height: 114px;
+                    max-height: 114px;
+                    background-color: var(--pf-c-page--BackgroundColor);
                }
-
-                .items {
-                    display: block;
-
-                    &.primary {
-                        grid-column: primary;
-                        grid-row: primary / description;
-
-                        align-content: center;
-                        padding-block: var(--pf-global--spacer--md);
-
-                        @media (min-width: 426px) {
-                            &.block-sibling {
-                                padding-block-end: 0;
-                                grid-row: primary;
-                            }
-                        }
-
-                        @media (max-width: 768px) {
-                            padding-block: var(--pf-global--spacer--sm);
-                        }
-
-                        .accent-icon {
-                            height: 1em;
-                            width: 1em;
-
-                            @media (max-width: 768px) {
-                                display: none;
-                            }
-                        }
-                    }
-
-                    &.page-description {
-                        grid-area: description;
-                        padding-block-end: var(--pf-global--spacer--md);
-
-                        @media (max-width: 425px) {
-                            display: none;
-                        }
-
-                        @media (min-width: 769px) {
-                            text-wrap: balance;
-                        }
-                    }
-
-                    &.secondary {
-                        grid-area: secondary;
-                        flex: 0 0 auto;
-                        justify-self: end;
-                        padding-block: var(--pf-global--spacer--sm);
-                        padding-inline-end: var(--pf-global--spacer--sm);
-
-                        @media (min-width: 769px) {
-                            align-content: center;
-                            padding-block: var(--pf-global--spacer--md);
-                            padding-inline-end: var(--pf-global--spacer--xl);
-                        }
-                    }
+                .pf-c-page__main-section.pf-m-light {
+                    background-color: transparent;
                }
-
-                .brand {
-                    grid-area: brand;
-                    background-color: var(--ak-brand-background-color);
-                    height: 100%;
-                    width: var(--pf-c-page__sidebar--Width);
-                    align-items: center;
-                    padding-inline: var(--pf-global--spacer--sm);
-
+                .pf-c-page__main-section {
+                    flex-grow: 1;
+                    flex-shrink: 1;
                    display: flex;
+                    flex-direction: column;
                    justify-content: center;
-
-                    &.pf-m-collapsed {
-                        display: none;
-                    }
-
-                    @media (max-width: 1279px) {
-                        display: none;
-                    }
                }
-
-                .sidebar-trigger {
-                    grid-area: toggle;
-                    height: 100%;
+                img.pf-icon {
+                    max-height: 24px;
                }
-
-                .logo {
-                    flex: 0 0 auto;
-                    height: var(--ak-brand-logo-height);
-
-                    & img {
-                        height: 100%;
-                    }
-                }
-
                .sidebar-trigger,
                .notification-trigger {
-                    font-size: 1.5rem;
+                    font-size: 24px;
                }
-
                .notification-trigger.has-notifications {
                    color: var(--pf-global--active-color--100);
                }
-
-                .page-title {
-                    display: flex;
-                    gap: var(--pf-global--spacer--xs);
-                }
-
                h1 {
                    display: flex;
                    flex-direction: row;
                    align-items: center !important;
                }
-            `,
-        ];
-    }
-
-    //#endregion
-
-    //#region Properties
-
-    @property({ type: String })
-    icon?: string;
-
-    @property({ type: Boolean })
-    iconImage = false;
-
-    @property({ type: String })
-    header?: string;
-
-    @property({ type: String })
-    description?: string;
-
-    @property({ type: Boolean })
-    hasIcon = true;
-
-    @property({ type: Boolean })
-    open = true;
-
-    @state()
-    session?: SessionUser;
-
-    @state()
-    uiConfig!: UIConfig;
-
-    //#endregion
-
-    //#region Private Methods
-
-    #setTitle(header?: string) {
-        const currentIf = currentInterface();
-        let title = this.brand?.brandingTitle || TITLE_DEFAULT;
-
-        if (currentIf === "admin") {
-            title = `${msg("Admin")} - ${title}`;
-        }
-        // Prepend the header to the title
-        if (header) {
-            title = `${header} - ${title}`;
-        }
-        document.title = title;
-    }
-
-    #toggleSidebar() {
-        this.open = !this.open;
-
-        this.dispatchEvent(
-            new CustomEvent(EVENT_SIDEBAR_TOGGLE, {
-                bubbles: true,
-                composed: true,
-            }),
-        );
-    }
-
-    //#endregion
-
-    //#region Lifecycle
-
-    public connectedCallback(): void {
-        super.connectedCallback();
-        AKPageNavbar.elementRef = this;
-
-        window.addEventListener(EVENT_WS_MESSAGE, () => {
-            this.firstUpdated();
-        });
-    }
-
-    public disconnectedCallback(): void {
-        super.disconnectedCallback();
-        AKPageNavbar.elementRef = null;
-    }
-
-    public async firstUpdated() {
-        this.session = await me();
-        this.uiConfig = getConfigForUser(this.session.user);
-        this.uiConfig.navbar.userDisplay = UserDisplay.none;
-    }
-
-    willUpdate() {
-        // Always update title, even if there's no header value set,
-        // as in that case we still need to return to the generic title
-        this.#setTitle(this.header);
-    }
-
-    //#endregion
-
-    //#region Render
-
-    renderIcon() {
-        if (this.icon) {
-            if (this.iconImage && !this.icon.startsWith("fa://")) {
-                return html`<img class="accent-icon pf-icon" src="${this.icon}" alt="page icon" />`;
-            }
-
-            const icon = this.icon.replaceAll("fa://", "fa ");
-
-            return html`<i class="accent-icon ${icon}"></i>`;
-        }
-        return nothing;
-    }
-
-    render(): TemplateResult {
-        return html`<navbar aria-label="Main" class="navbar">
-                <aside class="brand ${this.open ? "" : "pf-m-collapsed"}">
-                    <a href="#/">
-                        <div class="logo">
-                            <img
-                                src=${themeImage(
-                                    this.brand?.brandingLogo ?? DefaultBrand.brandingLogo,
-                                )}
-                                alt="${msg("authentik Logo")}"
-                                loading="lazy"
-                            />
-                        </div>
-                    </a>
-                </aside>
-                <button
-                    class="sidebar-trigger pf-c-button pf-m-plain"
-                    @click=${this.#toggleSidebar}
-                    aria-label=${msg("Toggle sidebar")}
-                    aria-expanded=${this.open ? "true" : "false"}
-                >
-                    <i class="fas fa-bars"></i>
-                </button>
-
-                <section
-                    class="items primary pf-c-content ${this.description ? "block-sibling" : ""}"
-                >
-                    <h1 class="page-title">
-                        ${this.hasIcon
-                            ? html`<slot name="icon">${this.renderIcon()}</slot>`
-                            : nothing}
-                        ${this.header}
-                    </h1>
-                </section>
-                ${this.description
-                    ? html`<section class="items page-description pf-c-content">
-                          <p>${this.description}</p>
-                      </section>`
-                    : nothing}
-
-                <section class="items secondary">
-                    <div class="pf-c-page__header-tools-group">
-                        <ak-nav-buttons .uiConfig=${this.uiConfig} .me=${this.session}>
-                            <a
-                                class="pf-c-button pf-m-secondary pf-m-small pf-u-display-none pf-u-display-block-on-md"
-                                href="${globalAK().api.base}if/user/"
-                                slot="extra"
-                            >
-                                ${msg("User interface")}
-                            </a>
-                        </ak-nav-buttons>
-                    </div>
-                </section>
-            </navbar>
-            <slot></slot>`;
-    }
-
-    //#endregion
-}
-
-//#endregion
-
-//#region Page Header
-
-/**
- * A page header component, used to display the page title and description.
- *
- * Internally, this component dispatches the `ak-page-header` event, which is
- * listened to by the `ak-page-navbar` component.
- *
- * @singleton
- */
-@customElement("ak-page-header")
-export class AKPageHeader extends LitElement implements PageNavbarDetails {
-    @property({ type: String })
-    header?: string;
-
-    @property({ type: String })
-    description?: string;
-
-    @property({ type: String })
-    icon?: string;
-
-    @property({ type: Boolean })
-    iconImage = false;
-
-    static get styles(): CSSResult[] {
-        return [
-            css`
-                :host {
-                    display: none;
+                .pf-c-page__header-tools {
+                    flex-shrink: 0;
+                }
+                .pf-c-page__header-tools-group {
+                    height: 100%;
+                }
+                :host([theme="dark"]) .pf-c-page__header-tools {
+                    color: var(--ak-dark-foreground) !important;
                }
            `,
        ];
    }

-    connectedCallback(): void {
-        super.connectedCallback();
-
-        AKPageNavbar.setNavbarDetails({
-            header: this.header,
-            description: this.description,
-            icon: this.icon,
-            iconImage: this.iconImage,
+    constructor() {
+        super();
+        window.addEventListener(EVENT_WS_MESSAGE, () => {
+            this.firstUpdated();
        });
    }

-    updated(): void {
-        AKPageNavbar.setNavbarDetails({
-            header: this.header,
-            description: this.description,
-            icon: this.icon,
-            iconImage: this.iconImage,
-        });
+    async firstUpdated() {
+        this.me = await me();
+        this.uiConfig = await uiConfig();
+        this.uiConfig.navbar.userDisplay = UserDisplay.none;
+    }
+
+    setTitle(header?: string) {
+        const currentIf = currentInterface();
+        let title = this.brand?.brandingTitle || TITLE_DEFAULT;
+        if (currentIf === "admin") {
+            title = `${msg("Admin")} - ${title}`;
+        }
+        // Prepend the header to the title
+        if (header !== undefined && header !== "") {
+            title = `${header} - ${title}`;
+        }
+        document.title = title;
+    }
+
+    willUpdate() {
+        // Always update title, even if there's no header value set,
+        // as in that case we still need to return to the generic title
+        this.setTitle(this.header);
+    }
+
+    renderIcon() {
+        if (this.icon) {
+            if (this.iconImage && !this.icon.startsWith("fa://")) {
+                return html`<img class="pf-icon" src="${this.icon}" alt="page icon" />`;
+            }
+            const icon = this.icon.replaceAll("fa://", "fa ");
+            return html`<i class=${icon}></i>`;
+        }
+        return nothing;
+    }
+
+    render(): TemplateResult {
+        return html`<div class="bar">
+            <button
+                class="sidebar-trigger pf-c-button pf-m-plain"
+                @click=${() => {
+                    this.dispatchEvent(
+                        new CustomEvent(EVENT_SIDEBAR_TOGGLE, {
+                            bubbles: true,
+                            composed: true,
+                        }),
+                    );
+                }}
+            >
+                <i class="fas fa-bars"></i>
+            </button>
+            <section class="pf-c-page__main-section pf-m-light">
+                <div class="pf-c-content">
+                    <h1>
+                        ${this.hasIcon
+                            ? html`<slot name="icon">${this.renderIcon()}</slot>&nbsp;`
+                            : nothing}
+                        <slot name="header">${this.header}</slot>
+                    </h1>
+                    ${this.description ? html`<p>${this.description}</p>` : html``}
+                </div>
+            </section>
+            <div class="pf-c-page__header-tools">
+                <div class="pf-c-page__header-tools-group">
+                    <ak-nav-buttons .uiConfig=${this.uiConfig} .me=${this.me}>
+                        <a
+                            class="pf-c-button pf-m-secondary pf-m-small pf-u-display-none pf-u-display-block-on-md"
+                            href="${globalAK().api.base}if/user/"
+                            slot="extra"
+                        >
+                            ${msg("User interface")}
+                        </a>
+                    </ak-nav-buttons>
+                </div>
+            </div>
+        </div>`;
    }
 }

-//#endregion
-
 declare global {
    interface HTMLElementTagNameMap {
-        "ak-page-header": AKPageHeader;
-        "ak-page-navbar": AKPageNavbar;
+        "ak-page-header": PageHeader;
    }
 }
--- a/web/src/elements/cards/AggregateCard.ts
+++ b/web/src/elements/cards/AggregateCard.ts
@ -80,7 +80,6 @@ export class AggregateCard extends AKElement implements IAggregateCard {
                .center-value {
                    font-size: var(--pf-global--icon--FontSize--lg);
                    text-align: center;
-                    place-content: center;
                }
                .subtext {
                    margin-top: var(--pf-global--spacer--sm);
--- a/web/src/elements/charts/Chart.ts
+++ b/web/src/elements/charts/Chart.ts
@ -85,7 +85,6 @@ export abstract class AKChart<T> extends AKElement {
                .container {
                    height: 100%;
                    width: 100%;
-                    aspect-ratio: 1 / 1;

                    display: flex;
                    justify-content: center;
--- a/web/src/elements/sidebar/Sidebar.ts
+++ b/web/src/elements/sidebar/Sidebar.ts
@ -35,7 +35,10 @@ export class Sidebar extends AKElement {
                .pf-c-nav__section + .pf-c-nav__section {
                    --pf-c-nav__section--section--MarginTop: var(--pf-global--spacer--sm);
                }
-
+                .pf-c-nav__list .sidebar-brand {
+                    max-height: 82px;
+                    margin-bottom: -0.5rem;
+                }
                nav {
                    display: flex;
                    flex-direction: column;
@ -67,6 +70,7 @@ export class Sidebar extends AKElement {
            class="pf-c-nav ${this.activeTheme === UiThemeEnum.Light ? "pf-m-light" : ""}"
            aria-label=${msg("Global")}
        >
+            <ak-sidebar-brand></ak-sidebar-brand>
            <ul class="pf-c-nav__list">
                <slot></slot>
            </ul>
--- a/web/src/elements/sidebar/SidebarBrand.ts
+++ b/web/src/elements/sidebar/SidebarBrand.ts
@ -1,3 +1,18 @@
+import { EVENT_SIDEBAR_TOGGLE } from "@goauthentik/common/constants";
+import { globalAK } from "@goauthentik/common/global";
+import { AKElement } from "@goauthentik/elements/Base";
+import { WithBrandConfig } from "@goauthentik/elements/Interface/brandProvider";
+import { themeImage } from "@goauthentik/elements/utils/images";
+
+import { msg } from "@lit/localize";
+import { CSSResult, TemplateResult, css, html, nothing } from "lit";
+import { customElement } from "lit/decorators.js";
+
+import PFButton from "@patternfly/patternfly/components/Button/button.css";
+import PFPage from "@patternfly/patternfly/components/Page/page.css";
+import PFGlobal from "@patternfly/patternfly/patternfly-base.css";
+import PFBase from "@patternfly/patternfly/patternfly-base.css";
+
 import { CurrentBrand, UiThemeEnum } from "@goauthentik/api";

 // If the viewport is wider than MIN_WIDTH, the sidebar
@ -14,3 +29,78 @@ export const DefaultBrand: CurrentBrand = {
    matchedDomain: "",
    defaultLocale: "",
 };
+
+@customElement("ak-sidebar-brand")
+export class SidebarBrand extends WithBrandConfig(AKElement) {
+    static get styles(): CSSResult[] {
+        return [
+            PFBase,
+            PFGlobal,
+            PFPage,
+            PFButton,
+            css`
+                :host {
+                    display: flex;
+                    flex-direction: row;
+                    align-items: center;
+                    height: 114px;
+                    min-height: 114px;
+                    border-bottom: var(--pf-global--BorderWidth--sm);
+                    border-bottom-style: solid;
+                    border-bottom-color: var(--pf-global--BorderColor--100);
+                }
+                .pf-c-brand img {
+                    padding: 0 0.5rem;
+                    height: 42px;
+                }
+                button.pf-c-button.sidebar-trigger {
+                    background-color: transparent;
+                    border-radius: 0px;
+                    height: 100%;
+                    color: var(--ak-dark-foreground);
+                }
+            `,
+        ];
+    }
+
+    constructor() {
+        super();
+        window.addEventListener("resize", () => {
+            this.requestUpdate();
+        });
+    }
+
+    render(): TemplateResult {
+        const logoUrl =
+            globalAK().brand.brandingLogo || this.brand?.brandingLogo || DefaultBrand.brandingLogo;
+
+        return html`${window.innerWidth <= MIN_WIDTH
+                ? html`
+                      <button
+                          class="sidebar-trigger pf-c-button"
+                          @click=${() => {
+                              this.dispatchEvent(
+                                  new CustomEvent(EVENT_SIDEBAR_TOGGLE, {
+                                      bubbles: true,
+                                      composed: true,
+                                  }),
+                              );
+                          }}
+                      >
+                          <i class="fas fa-bars"></i>
+                      </button>
+                  `
+                : nothing}
+            <a href="#/" class="pf-c-page__header-brand-link">
+                <div class="pf-c-brand ak-brand">
+                    <img src=${themeImage(logoUrl)} alt="${msg("authentik Logo")}" loading="lazy" />
+                </div>
+            </a>`;
+    }
+}
+
+declare global {
+    interface HTMLElementTagNameMap {
+        "ak-sidebar-brand": SidebarBrand;
+    }
+}
--- a/web/src/elements/utils/iframe.ts
+++ b/web/src/elements/utils/iframe.ts
@ -1,55 +0,0 @@
-/**
- * @file IFrame Utilities
- */
-
-interface IFrameLoadResult {
-    contentWindow: Window;
-    contentDocument: Document;
-}
-
-export function pluckIFrameContent(iframe: HTMLIFrameElement) {
-    const contentWindow = iframe.contentWindow;
-    const contentDocument = iframe.contentDocument;
-
-    if (!contentWindow) {
-        throw new Error("Iframe contentWindow is not accessible");
-    }
-
-    if (!contentDocument) {
-        throw new Error("Iframe contentDocument is not accessible");
-    }
-
-    return {
-        contentWindow,
-        contentDocument,
-    };
-}
-
-export function resolveIFrameContent(iframe: HTMLIFrameElement): Promise<IFrameLoadResult> {
-    if (iframe.contentDocument?.readyState === "complete") {
-        return Promise.resolve(pluckIFrameContent(iframe));
-    }
-
-    return new Promise((resolve) => {
-        iframe.addEventListener("load", () => resolve(pluckIFrameContent(iframe)), { once: true });
-    });
-}
-
-/**
- * Creates a minimal HTML wrapper for an iframe.
- *
- * @deprecated Use the `contentDocument.body` directly instead.
- */
-export function createIFrameHTMLWrapper(bodyContent: string): string {
-    const html = String.raw;
-
-    return html`<!doctype html>
-        <html>
-            <head>
-                <meta charset="utf-8" />
-            </head>
-            <body style="display:flex;flex-direction:row;justify-content:center;">
-                ${bodyContent}
-            </body>
-        </html>`;
-}
--- a/web/src/flow/components/ak-brand-footer.ts
+++ b/web/src/flow/components/ak-brand-footer.ts
@ -1,4 +1,4 @@
-import { BrandedHTMLPolicy, sanitizeHTML } from "@goauthentik/common/purify";
+import { purify } from "@goauthentik/common/purify";
 import { AKElement } from "@goauthentik/elements/Base.js";

 import { msg } from "@lit/localize";
@ -21,6 +21,8 @@ const styles = css`
    }
 `;

+const poweredBy: FooterLink = { name: msg("Powered by authentik"), href: null };
+
@customElement("ak-brand-links")
 export class BrandLinks extends AKElement {
    static get styles() {
@ -31,21 +33,13 @@ export class BrandLinks extends AKElement {
    links: FooterLink[] = [];

    render() {
-        const links = [...(this.links ?? [])];
-
+        const links = [...(this.links ?? []), poweredBy];
        return html` <ul class="pf-c-list pf-m-inline">
-            ${map(links, (link) => {
-                const children = sanitizeHTML(BrandedHTMLPolicy, link.name);
-
-                if (link.href) {
-                    return html`<li><a href="${link.href}">${children}</a></li>`;
-                }
-
-                return html`<li>
-                    <span> ${children} </span>
-                </li>`;
-            })}
-            <li><span>${msg("Powered by authentik")}</span></li>
+            ${map(links, (link) =>
+                link.href
+                    ? purify(html`<li><a href="${link.href}">${link.name}</a></li>`)
+                    : html`<li><span>${link.name}</span></li>`,
+            )}
        </ul>`;
    }
 }
--- a/web/src/flow/stages/captcha/CaptchaStage.ts
+++ b/web/src/flow/stages/captcha/CaptchaStage.ts
@ -1,16 +1,15 @@
-/// <reference types="@hcaptcha/types"/>
-/// <reference types="turnstile-types"/>
-import { renderStaticHTMLUnsafe } from "@goauthentik/common/purify";
+///<reference types="@hcaptcha/types"/>
+import { renderStatic } from "@goauthentik/common/purify";
 import "@goauthentik/elements/EmptyState";
 import { akEmptyState } from "@goauthentik/elements/EmptyState";
 import { bound } from "@goauthentik/elements/decorators/bound";
 import "@goauthentik/elements/forms/FormElement";
-import { createIFrameHTMLWrapper } from "@goauthentik/elements/utils/iframe";
 import { ListenerController } from "@goauthentik/elements/utils/listenerController.js";
 import { randomId } from "@goauthentik/elements/utils/randomId";
 import "@goauthentik/flow/FormStatic";
 import { BaseStage } from "@goauthentik/flow/stages/base";
 import { P, match } from "ts-pattern";
+import type * as _ from "turnstile-types";

 import { msg } from "@lit/localize";
 import { CSSResult, PropertyValues, TemplateResult, css, html, nothing } from "lit";
@ -57,36 +56,40 @@ type CaptchaHandler = {
 // a resize. Because the Captcha is itself in an iframe, the reported height is often off by some
 // margin, so adding 2rem of height to our container adds padding and prevents scroll bars or hidden
 // rendering.
-function iframeTemplate(children: TemplateResult, challengeURL: string): TemplateResult {
-    return html` ${children}
-        <script>
-            new ResizeObserver((entries) => {
-                const height =
-                    document.body.offsetHeight +
-                    parseFloat(getComputedStyle(document.body).fontSize) * 2;

-                window.parent.postMessage({
-                    message: "resize",
-                    source: "goauthentik.io",
-                    context: "flow-executor",
-                    size: { height },
-                });
-            }).observe(document.querySelector(".ak-captcha-container"));
-        </script>
-
-        <script src=${challengeURL}></script>
-
-        <script>
-            function callback(token) {
-                window.parent.postMessage({
-                    message: "captcha",
-                    source: "goauthentik.io",
-                    context: "flow-executor",
-                    token,
-                });
-            }
-        </script>`;
-}
+const iframeTemplate = (captchaElement: TemplateResult, challengeUrl: string) =>
+    html`<!doctype html>
+        <head>
+            <html>
+                <body style="display:flex;flex-direction:row;justify-content:center;">
+                    ${captchaElement}
+                    <script>
+                        new ResizeObserver((entries) => {
+                            const height =
+                                document.body.offsetHeight +
+                                parseFloat(getComputedStyle(document.body).fontSize) * 2;
+                            window.parent.postMessage({
+                                message: "resize",
+                                source: "goauthentik.io",
+                                context: "flow-executor",
+                                size: { height },
+                            });
+                        }).observe(document.querySelector(".ak-captcha-container"));
+                    </script>
+                    <script src=${challengeUrl}></script>
+                    <script>
+                        function callback(token) {
+                            window.parent.postMessage({
+                                message: "captcha",
+                                source: "goauthentik.io",
+                                context: "flow-executor",
+                                token: token,
+                            });
+                        }
+                    </script>
+                </body>
+            </html>
+        </head>`;

@customElement("ak-stage-captcha")
 export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeResponseRequest> {
@ -302,25 +305,11 @@ export class CaptchaStage extends BaseStage<CaptchaChallenge, CaptchaChallengeRe
    }

    async renderFrame(captchaElement: TemplateResult) {
-        const { contentDocument } = this.captchaFrame || {};
-
-        if (!contentDocument) {
-            console.debug(
-                "authentik/stages/captcha: unable to render captcha frame, no contentDocument",
-            );
-
-            return;
-        }
-
-        contentDocument.open();
-
-        contentDocument.write(
-            createIFrameHTMLWrapper(
-                renderStaticHTMLUnsafe(iframeTemplate(captchaElement, this.challenge.jsUrl)),
-            ),
+        this.captchaFrame.contentWindow?.document.open();
+        this.captchaFrame.contentWindow?.document.write(
+            await renderStatic(iframeTemplate(captchaElement, this.challenge.jsUrl)),
        );
-
-        contentDocument.close();
+        this.captchaFrame.contentWindow?.document.close();
    }

    renderBody() {
--- a/web/xliff/de.xlf
+++ b/web/xliff/de.xlf
@ -1091,7 +1091,7 @@
      </trans-unit>
      <trans-unit id="sd62cfc27ad4aa33b">
        <source>Based on the User's Email</source>
-        <target>Basierend auf der E-Mail Adresse des Benutzers</target>
+        <target>Basierend auf der E-Mail-Adresse des Benutzers</target>
        
      </trans-unit>
      <trans-unit id="s55eb75bedf96be0f">
@ -2361,6 +2361,7 @@
      </trans-unit>
      <trans-unit id="s9307f3dbb07a73b5">
        <source>Only fail the policy, don't invalidate user's password</source>
+        <target>Nur die Richtlinie fehlschlagen lassen, das Passwort des Benutzers nicht ungültig machen.</target>
        
      </trans-unit>
      <trans-unit id="scea1f16238093e35">
@ -2809,6 +2810,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="sfbc59ff17a73503d">
        <source>User path</source>
+        <target>Nutzerpfad</target>
        
      </trans-unit>
      <trans-unit id="sd18170637295bace">
@ -2878,6 +2880,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s995535e7af30d754">
        <source>Use the user's email address, but deny enrollment when the email address already exists</source>
+        <target>Verwende die E-Mail-Adresse des Benutzers, aber verweigere die Registrierung, wenn die E-Mail-Adresse bereits existiert.</target>
        
      </trans-unit>
      <trans-unit id="s542ecb4130f6cea5">
@ -2886,6 +2889,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s2a1debf34e5aeba4">
        <source>Use the user's username, but deny enrollment when the username already exists</source>
+        <target>Verwende den Anmeldenamen des Benutzers, aber verweigere die Registrierung von der Anmeldename bereits existiert.</target>
        
      </trans-unit>
      <trans-unit id="s81ce0d54727f42d2">
@ -3740,6 +3744,9 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="s14401ff4a0cba208">
        <source>Failed to update <x id="0" equiv-text="${this.objectLabel}"/>: <x id="1" equiv-text="${pluckErrorDetail(parsedError)}"/></source>
+        <target>Aktualisieren von 
+        <x id="0" equiv-text="${this.objectLabel}"/>fehlgeschlagen: 
+        <x id="1" equiv-text="${e.toString()}"/></target>
        
      </trans-unit>
      <trans-unit id="sa95a538bfbb86111">
@ -4951,7 +4958,7 @@ doesn't pass when either or both of the selected options are equal or above the
      </trans-unit>
      <trans-unit id="se50a08ab71bb96ed">
        <source>When a valid username/email has been entered, and this option is enabled, the user's username and avatar will be shown. Otherwise, the text that the user entered will be shown.</source>
-        <target>Sofern eine gültige E-Mailadresse oder Benutzername angegeben wurde und diese Option aktiviert ist, wird das Profilbild und der Benutzername des Benutzers angezeigt. Ansonsten wird der vom Benutzer eingegebene Text angezeigt.</target>
+        <target>Sofern eine gültige E-Mail-Adresse oder Benutzername angegeben wurde und diese Option aktiviert ist, wird das Profilbild und der Benutzername des Benutzers angezeigt. Ansonsten wird der vom Benutzer eingegebene Text angezeigt.</target>
        
      </trans-unit>
      <trans-unit id="s0295ce5d6f635d75">
@ -6245,7 +6252,7 @@ Bindings to groups/users are checked against the user of the event.</source>
      </trans-unit>
      <trans-unit id="s670ad066cc0e50a3">
        <source>Login to continue to <x id="0" equiv-text="${this.challenge.applicationPre}"/>.</source>
-        <target>Anmelden um mit <x id="0" equiv-text="${this.challenge.applicationPre}"/>  fortzufahren.</target>
+        <target>Anmelden, um mit <x id="0" equiv-text="${this.challenge.applicationPre}"/>  fortzufahren.</target>
        
      </trans-unit>
      <trans-unit id="scf5ce91bfba10a61">
@ -7451,6 +7458,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s28b99b59541f54ca">
  <source>Connection failed after <x id="0" equiv-text="${this.connectionAttempt}"/> attempts.</source>
+  <target>Verbindung nach <x id="0" equiv-text="${this.connectionAttempt}"/> Versuch(en) fehlgeschlagen.</target>
 </trans-unit>
 <trans-unit id="s7c7d956418e1c8c8">
  <source>Re-connecting in <x id="0" equiv-text="${Math.max(1, delay / 1000)}"/> second(s).</source>
@ -7572,11 +7580,11 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s456d88f3679190fd">
  <source>Allow users to change email</source>
-  <target>Benutzer können E-Mail ändern</target>
+  <target>Benutzer können E-Mail-Adresse ändern</target>
 </trans-unit>
 <trans-unit id="s5fc6c14d106f40d3">
  <source>Enable the ability for users to change their email.</source>
-  <target>Benutzer haben die Möglichkeit, ihre E-Mail zu ändern.</target>
+  <target>Benutzer haben die Möglichkeit, ihre E-Mail-Adresse zu ändern.</target>
 </trans-unit>
 <trans-unit id="s628e414bb2367057">
  <source>Allow users to change username</source>
@ -7801,7 +7809,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s8cc0075913c67566">
  <source>Enter the email associated with your account, and we'll send you a link to reset your password.</source>
-  <target>Gib die Email deines Accounts ein und du erhältst einen Link zum zurücksetzen des Passworts.</target>
+  <target>Gib die E-Mail-Adresse deines Accounts ein und du erhältst einen Link zum zurücksetzen des Passworts.</target>
 </trans-unit>
 <trans-unit id="s06bfe45ffef2cf60">
  <source>Stage name: <x id="0" equiv-text="${this.challenge.name}"/></source>
@ -7885,6 +7893,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="sc1673c93148583ba">
  <source>Request failed. Please try again later.</source>
+  <target>Anfrage fehlgeschlagen. Bitte versuchen Sie es später erneut.</target>
 </trans-unit>
 <trans-unit id="s85be1f5e7a0fa3b1">
  <source>Available Roles</source>
@ -8277,7 +8286,6 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s354405ae02cb262d">
  <source>Last seen: <x id="0" equiv-text="${formatElapsedTime(lastSeen)}"/> (<x id="1" equiv-text="${lastSeen.toLocaleTimeString()}"/>)</source>
-  <target>Zuletzt gesehen: <x id="0" equiv-text="${getRelativeTime(lastSeen)}"/> (<x id="1" equiv-text="${lastSeen.toLocaleTimeString()}"/>)</target>
 </trans-unit>
 <trans-unit id="s5aebe06e3ddf6ca9">
  <source>Sign assertions</source>
@ -8849,9 +8857,11 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s61ffea061fae0af4">
  <source>No notifications found.</source>
+  <target>Keine Benachrichtigungen gefunden.</target>
 </trans-unit>
 <trans-unit id="scf8d5cdc8b434982">
  <source>You don't have any notifications currently.</source>
+  <target>Sie haben zur Zeit keine Benachrichtigungen.</target>
 </trans-unit>
 <trans-unit id="s358e08de4fbebf51">
  <source>Version <x id="0" equiv-text="${this.version?.versionCurrent || &quot;&quot;}"/></source>
--- a/web/xliff/fi.xlf
+++ b/web/xliff/fi.xlf
@ -9602,6 +9602,81 @@ Liitokset käyttäjiin/ryhmiin tarkistetaan tapahtuman käyttäjästä.</target>
 </trans-unit>
 <trans-unit id="s17359123e1f24504">
  <source>Field which contains DNs of groups the user is a member of. This field is used to lookup groups from users, e.g. 'memberOf'. To lookup nested groups in an Active Directory environment use 'memberOf:1.2.840.113556.1.4.1941:'.</source>
+</trans-unit>
+<trans-unit id="s891cd64acabf23bf">
+  <source>Initial Permissions</source>
+</trans-unit>
+<trans-unit id="sedb57bf4b42a8e40">
+  <source>Unknown Initial Permissions mode</source>
+</trans-unit>
+<trans-unit id="s6ea6a64acb45dfdf">
+  <source>Successfully updated initial permissions.</source>
+</trans-unit>
+<trans-unit id="sfddf7896ab5938b6">
+  <source>Successfully created initial permissions.</source>
+</trans-unit>
+<trans-unit id="s5c5f240cbb6d0bae">
+  <source>When a user with the selected Role creates an object, the Initial Permissions will be applied to that object.</source>
+</trans-unit>
+<trans-unit id="sbf27294eef56ac81">
+  <source>The Initial Permissions can either be placed on the User creating the object, or the Role selected in the previous field.</source>
+</trans-unit>
+<trans-unit id="s93f04537efda1b24">
+  <source>Available Permissions</source>
+</trans-unit>
+<trans-unit id="s297bc57f9e494470">
+  <source>Selected Permissions</source>
+</trans-unit>
+<trans-unit id="s0ea71d53764d781c">
+  <source>Permissions to grant when a new object is created.</source>
+</trans-unit>
+<trans-unit id="s06fc21a40f5d7de1">
+  <source>Set initial permissions for newly created objects.</source>
+</trans-unit>
+<trans-unit id="sc7104a4d0fc35c7c">
+  <source>Update Initial Permissions</source>
+</trans-unit>
+<trans-unit id="s83fa005829a65be9">
+  <source>Create Initial Permissions</source>
+</trans-unit>
+<trans-unit id="se37ac6cf9c72f21a">
+  <source>Reputation: lower limit</source>
+</trans-unit>
+<trans-unit id="sa634ffa797037aac">
+  <source>Reputation cannot decrease lower than this value. Zero or negative.</source>
+</trans-unit>
+<trans-unit id="s862986ce8e70edd7">
+  <source>Reputation: upper limit</source>
+</trans-unit>
+<trans-unit id="sdd04913b3b46cf30">
+  <source>Reputation cannot increase higher than this value. Zero or positive.</source>
+</trans-unit>
+<trans-unit id="s4d5cb134999b50df">
+  <source>HTTP Basic Auth</source>
+</trans-unit>
+<trans-unit id="s6927635d1c339cfc">
+  <source>Include the client ID and secret as request parameters</source>
+</trans-unit>
+<trans-unit id="s4fca384c634e1a92">
+  <source>Authorization code authentication method</source>
+</trans-unit>
+<trans-unit id="sdc02c276ed429008">
+  <source>How to perform authentication during an authorization_code token request flow</source>
+</trans-unit>
+<trans-unit id="s844baf19a6c4a9b4">
+  <source>Enable &quot;Remember me on this device&quot;</source>
+</trans-unit>
+<trans-unit id="sfa72bca733f40692">
+  <source>When enabled, the user can save their username in a cookie, allowing them to skip directly to entering their password.</source>
+</trans-unit>
+<trans-unit id="s1c336c2d6cef77b3">
+  <source>Remember me on this device</source>
+</trans-unit>
+<trans-unit id="s86cf007b861152ca">
+  <source>Ensure that the user's new password is different from their previous passwords. The number of past passwords to check is configurable.</source>
+</trans-unit>
+<trans-unit id="s79b3fcd40dd63921">
+  <source>Number of previous passwords to check</source>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/fr.xlf
+++ b/web/xliff/fr.xlf
@ -9788,18 +9788,23 @@ Les liaisons avec les groupes/utilisateurs sont vérifiées par rapport à l'uti
 </trans-unit>
 <trans-unit id="s844baf19a6c4a9b4">
  <source>Enable "Remember me on this device"</source>
+  <target>Activer "Se souvenir de moi sur cet appareil"</target>
 </trans-unit>
 <trans-unit id="sfa72bca733f40692">
  <source>When enabled, the user can save their username in a cookie, allowing them to skip directly to entering their password.</source>
+  <target>Si cette option est activée, l'utilisateur peut enregistrer son nom d'utilisateur dans un cookie, ce qui lui permet de passer directement à la saisie de son mot de passe.</target>
 </trans-unit>
 <trans-unit id="s1c336c2d6cef77b3">
  <source>Remember me on this device</source>
+  <target>Se souvenir de moi sur cet appareil</target>
 </trans-unit>
 <trans-unit id="s86cf007b861152ca">
  <source>Ensure that the user's new password is different from their previous passwords. The number of past passwords to check is configurable.</source>
+  <target>Vérifiez que le nouveau mot de passe de l'utilisateur est différent de ses mots de passe précédents. Le nombre d'anciens mots de passe à vérifier est configurable.</target>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
  <source>Number of previous passwords to check</source>
+  <target>Nombre d'anciens mots de passe à vérifier</target>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/it.xlf
+++ b/web/xliff/it.xlf
@ -9700,6 +9700,7 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s1d47b4f61ca53e8e">
  <source>Lookup using user attribute</source>
+  <target>Ricerca tramite attributo utente</target>
 </trans-unit>
 <trans-unit id="s17359123e1f24504">
  <source>Field which contains DNs of groups the user is a member of. This field is used to lookup groups from users, e.g. 'memberOf'. To lookup nested groups in an Active Directory environment use 'memberOf:1.2.840.113556.1.4.1941:'.</source>
--- a/web/xliff/tr.xlf
+++ b/web/xliff/tr.xlf
@ -8620,7 +8620,6 @@ Gruplara/kullanıcılara yapılan bağlamalar, etkinliğin kullanıcısına kar
 </trans-unit>
 <trans-unit id="s354405ae02cb262d">
  <source>Last seen: <x id="0" equiv-text="${formatElapsedTime(lastSeen)}"/> (<x id="1" equiv-text="${lastSeen.toLocaleTimeString()}"/>)</source>
-  <target>Son görülme: <x id="0" equiv-text="${getRelativeTime(lastSeen)}"/> (<x id="1" equiv-text="${lastSeen.toLocaleTimeString()}"/>)</target>
 </trans-unit>
 <trans-unit id="s5aebe06e3ddf6ca9">
  <source>Sign assertions</source>
--- a/web/xliff/zh-Hans.xlf
+++ b/web/xliff/zh-Hans.xlf
@ -9801,9 +9801,11 @@ Bindings to groups/users are checked against the user of the event.</source>
 </trans-unit>
 <trans-unit id="s86cf007b861152ca">
  <source>Ensure that the user's new password is different from their previous passwords. The number of past passwords to check is configurable.</source>
+  <target>确保用户的密码与之前使用的不同。可以配置检查多少个历史密码。</target>
 </trans-unit>
 <trans-unit id="s79b3fcd40dd63921">
  <source>Number of previous passwords to check</source>
+  <target>检查历史密码数量</target>
 </trans-unit>
    </body>
  </file>
--- a/web/xliff/zh_CN.xlf
+++ b/web/xliff/zh_CN.xlf
@ -9798,6 +9798,14 @@ Bindings to groups/users are checked against the user of the event.</source>
 <trans-unit id="s1c336c2d6cef77b3">
  <source>Remember me on this device</source>
  <target>在此设备上记住我</target>
+</trans-unit>
+<trans-unit id="s86cf007b861152ca">
+  <source>Ensure that the user's new password is different from their previous passwords. The number of past passwords to check is configurable.</source>
+  <target>确保用户的密码与之前使用的不同。可以配置检查多少个历史密码。</target>
+</trans-unit>
+<trans-unit id="s79b3fcd40dd63921">
+  <source>Number of previous passwords to check</source>
+  <target>检查历史密码数量</target>
 </trans-unit>
    </body>
  </file>
--- a/website/docs/add-secure-apps/flows-stages/flow/examples/default_flows.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/examples/default_flows.md
@ -4,7 +4,7 @@ title: Default flows

 When you create a new provider, you can select certain default flows that will be used with the provider and its associated application. For example, you can [create a custom flow](../index.md#create-a-custom-flow) that override the defaults configured on the brand.

-If no default flow is selected when the provider is created, to determine which flow should be used authentik will first check if there is a default flow configured in the active [**Brand**](../../../../customize/brands.md). If no default is configured there, authentik will go through all flows with the matching designation, sorted by `slug` and evaluate policies bound directly to the flows, and the first flow whose policies allow access will be picked.
+If no default flow is selected when the provider is created, to determine which flow should be used authentik will first check if there is a default flow configured in the active [**Brand**](../../../../sys-mgmt/brands.md). If no default is configured there, authentik will go through all flows with the matching designation, sorted by `slug` and evaluate policies bound directly to the flows, and the first flow whose policies allow access will be picked.

 import DefaultFlowList from "../../flow/flow_list/\_defaultflowlist.mdx";

--- a/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/examples/flows.md
@ -42,7 +42,7 @@ By default, the captcha test keys are used. You can get a proper key [here](http

 ## Recovery with email verification

-Flow: right-click [here](https://version-2024-12.goauthentik.io/assets/files/flows-recovery-email-verification-408d6afeff2fbf276bf43a949e332ef6.yaml) and save the file.
+Flow: right-click [here](/blueprints/example/flows-recovery-email-verification.yaml) and save the file.

 Recovery flow, the user is sent an email after they've identified themselves. After they click on the link in the email, they are prompted for a new password and immediately logged on.

--- a/website/docs/add-secure-apps/flows-stages/flow/executors/user-settings.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/executors/user-settings.md
@ -6,4 +6,4 @@ The user interface (/if/user/) uses a specialized flow executor to allow individ

 Because the stages in a flow can change during its execution, be aware that configuring this executor to use any stage type other than Prompt or User Write will automatically trigger a redirect to the standard executor.

-An admin can customize which fields can be changed by the user by updating the default-user-settings-flow, or copying it to create a new flow with a Prompt Stage and a User Write Stage. Different variants of your flow can be applied to different [Brands](../../../../customize/brands.md) on the same authentik instance.
+An admin can customize which fields can be changed by the user by updating the default-user-settings-flow, or copying it to create a new flow with a Prompt Stage and a User Write Stage. Different variants of your flow can be applied to different [Brands](../../../../sys-mgmt/brands.md) on the same authentik instance.
--- a/website/docs/add-secure-apps/flows-stages/flow/index.md
+++ b/website/docs/add-secure-apps/flows-stages/flow/index.md
@ -46,7 +46,7 @@ To create a flow, follow these steps:

 After creating the flow, you can then [bind specific stages](../stages/index.md#bind-a-stage-to-a-flow) to the flow and [bind policies](../../../customize/policies/working_with_policies.md) to the flow to further customize the user's log in and authentication process.

-To determine which flow should be used, authentik will first check which default authentication flow is configured in the active [**Brand**](../../../customize/brands.md). If no default is configured there, the policies in all flows with the matching designation are checked, and the first flow with matching policies sorted by `slug` will be used.
+To determine which flow should be used, authentik will first check which default authentication flow is configured in the active [**Brand**](../../../sys-mgmt/brands.md). If no default is configured there, the policies in all flows with the matching designation are checked, and the first flow with matching policies sorted by `slug` will be used.

 ## Flow configuration options

--- a/website/docs/add-secure-apps/outposts/integrations/kubernetes.md
+++ b/website/docs/add-secure-apps/outposts/integrations/kubernetes.md
@ -13,6 +13,7 @@ This integration creates the following objects:
 - Secret to store the token
 - Prometheus ServiceMonitor (if the Prometheus Operator is installed in the target cluster)
 - Ingress (only Proxy outposts)
+- HTTPRoute (only Proxy outposts, when the Gateway API resources are installed in the target cluster, and the `kubernetes_httproute_parent_refs` setting is set, see below)
 - Traefik Middleware (only Proxy outposts with forward auth enabled)

 The following outpost settings are used:
@ -24,6 +25,8 @@ The following outpost settings are used:
 - `kubernetes_ingress_annotations`: Any additional annotations to add to the ingress object, for example cert-manager
 - `kubernetes_ingress_secret_name`: Name of the secret that is used for TLS connections, can be empty to disable TLS config
 - `kubernetes_ingress_class_name`: Optionally set the ingress class used for the generated ingress, requires authentik 2022.11.0
+- `kubernetes_httproute_parent_refs`: Define which Gateways the HTTPRoute wants to be attached to.
+- `kubernetes_httproute_annotations`: Any additional annotations to add to the HTTPRoute object
 - `kubernetes_service_type`: Service kind created, can be set to LoadBalancer for LDAP outposts for example
 - `kubernetes_disabled_components`: Disable any components of the kubernetes integration, can be any of
    - 'secret'
@ -32,6 +35,7 @@ The following outpost settings are used:
    - 'prometheus servicemonitor'
    - 'ingress'
    - 'traefik middleware'
+    - 'httproute'
 - `kubernetes_image_pull_secrets`: If the above docker image is in a private repository, use these secrets to pull. (NOTE: The secret must be created manually in the namespace first.)
 - `kubernetes_json_patches`: Applies an RFC 6902 compliant JSON patch to the Kubernetes objects.

--- a/website/docs/add-secure-apps/providers/oauth2/device_code.md
+++ b/website/docs/add-secure-apps/providers/oauth2/device_code.md
@ -1,18 +1,18 @@
 # Device code flow

-(Also known as device flow and [RFC 8628](https://datatracker.ietf.org/doc/html/rfc8628))
+The device code flow is also known as _device flow_ or _device authorization grant flow_. This type of authentication flow is useful for devices with limited input capabilities and/or devices without browsers. The Request for Comments (RFC) 8628) abstract for this flow states:

-This type of authentication flow is useful for devices with limited input abilities and/or devices without browsers.
+> The OAuth 2.0 device authorization grant is designed for Internet-connected devices that either lack a browser to perform a user-agent-based authorization or are input constrained to the extent that requiring the user to input text in order to authenticate during the authorization flow is impractical. It enables OAuth clients on such devices (like smart TVs, media consoles, digital picture frames, and printers) to obtain user authorization to access protected resources by using a user agent on a separate device.

 ### Requirements

-This device flow is only possible if the active brand has a device code flow setup. This device code flow is run _after_ the user logs in, and before the user authenticates.
+This device flow is only possible if the active [brand](../../../sys-mgmt/brands.md) has a device code flow configured. This flow is run _after_ the user logs in, and before the user authenticates.

-authentik doesn't ship with a default flow for this usecase, so it is recommended to create a new flow for this usecase with the designation of _Stage configuration_
+authentik does not include a default flow for this use case, so it is necessary to create a new one with a **Designation** of `Stage Configuration`.

-### Device-side
+### Device flow initiation

-The flow is initiated by sending a POST request to the device authorization endpoint, `/application/o/device/` with the following contents:
+The flow is initiated by sending a POST request to the device authorization endpoint, `/application/o/device/`, with the following contents:

 ```http
 POST /application/o/device/ HTTP/1.1
@ -32,8 +32,6 @@ The response contains the following fields:
 - `expires_in`: The total seconds after which this token will expire
 - `interval`: The interval in seconds for how often the device should check the token status

---
-
 With this response, the device can start checking the status of the token by sending requests to the token endpoint like this:

 ```http
@ -49,3 +47,17 @@ device_code=device_code_from_above
 If the user has not opened the link above yet, or has not finished the authentication and authorization yet, the response will contain an `error` element set to `authorization_pending`. The device should re-send the request in the interval set above.

 If the user _has_ finished the authentication and authorization, the response will be similar to any other generic OAuth2 Token request, containing `access_token` and `id_token`.
+
+### Create and apply a device code flow
+
+1. Log in to authentik as an admin, and open the authentik Admin interface.
+2. Navigate to **Flows and Stages** > **Flows** and click **Create**.
+3. Set the following required configurations:
+    - **Name**: provide a name (e.g. `default-device-code-flow`)
+    - **Title**: provide a title (e.g. `Device code flow`)
+    - **Slug**: provide a slug (e.g `default-device-code-flow`)
+    - **Designation**: `Stage Configuration`
+    - **Authentication**: `Require authentication`
+4. Click **Create**.
+5. Navigate to **System** > **Brands** and click the **Edit** icon on the default brand.
+6. Set **Default code flow** to the newly created device code flow and click **Update**.
--- a/website/docs/add-secure-apps/providers/oauth2/index.mdx
+++ b/website/docs/add-secure-apps/providers/oauth2/index.mdx
@ -64,7 +64,7 @@ When using an OAuth 2.0 provider in authentik, the OP must validate the provided

 When you create a new OAuth 2.0 provider and app in authentik and you leave the **Redirect URI** field empty, then the first time a user opens that app, authentik uses that URL as the saved redirect URL.

-For advanced use cases, an authentik admin can use regular expressions (regex) instead of a redirect URL. For example, if you want to list 10 diff applications, instead of listing all ten you can create an expression with wildcards. Be aware, when using regex, that authetnik uses a dot as a separator in the URL, but in regex a dot means "one of any character", a wildcard. So you should escape the dot to prevent its interpration as a wildcard.
+For advanced use cases, an authentik admin can use regular expressions (regex) instead of a redirect URL. For example, if you want to list ten different applications, instead of listing them all individually, you can create an expression with wildcards. When using regex, be aware that authentik uses a dot as a separator in the URL, but in regex a dot means "one of any character", a wildcard. You should therefore escape the dot with `\.` to prevent its interpretation as a wildcard.

 ## OAuth 2.0 flows and grant types

--- a/website/docs/customize/branding.md
+++ b/website/docs/customize/branding.md
@ -0,0 +1,10 @@
+---
+title: Branding
+slug: /branding
+---
+
+You can configure several differently "branded" options depending on the associated domain, even though objects such as applications, providers, etc, are still global. This can be handy to use the same authentik instance, but branded differently for different domains.
+
+The main settings that control your instance's appearance and behaviour are the _default flows_ and the _branding settings_.
+
+To create or modify a brand, open the Admin interface and navigate to **System** > **Brands**. For complete instructions refer to our [Brands documentation](../sys-mgmt/brands.md).
--- a/website/docs/customize/brands.md
+++ b/website/docs/customize/brands.md
@ -1,39 +0,0 @@
---
-title: Brands
-slug: /brands
---
-
-You can configure several differently "branded" options depending on the associated domain, even though objects such as applications, providers, etc, are still global. This can be handy to use the same authentik instance, but branded differently for different domains.
-
-The main settings that brands influence are flows and branding.
-
-## Flows
-
-You can explicitly select, in your instance's Brand settings, the _default flows_ to use for the current brand. To do so, log in as an administrator, open the Admin interface, and navigate to **System -> Brands**. There you can optionally configure these default flows:
-
- Authentication flow: the flow used to authenticate users. If left empty, the first applicable flow sorted by the slug is used.
- Invalidation flow: for typical use cases, select the `default-invalidation-flow` (Logout) flow. This flow logs the user out of authentik when the application session ends (user logs out of the app).
- Recovery flow: if set, the user can access an option to recover their login credentials.
- Unenrollment flow: if set, users are able to unenroll themselves using this flow. If no flow is set, option is not shown.
- User settings flow: if set, users are able to configure details of their profile.
- Device code flow: if set, the OAuth Device Code profile can be used, and the selected flow will be used to enter the code.
-
-If a default flow is _not_ set in the brand, then authentik selects any flow that:
-
-    - matches the required designation
-    - comes first sorted by slug
-    - is allowed by policies
-
-This means that if you want to select a default flow based on policy, you can leave the brand default empty. To learn more about default flows, refer to our [documentation](../add-secure-apps/flows-stages/flow/examples/default_flows.md).
-
-## Branding
-
-The brand configuration controls the branding title (shown in website document title and several other places), the sidebar/header logo that appears in the upper left of the product interface, and the favicon on a browser tab.
-
-:::info
-Starting with authentik 2024.6.2, the placeholder `%(theme)s` can be used in the logo configuration option, which will be replaced with the active theme.
-:::
-
-## External user settings
-
-You can configure authentik to redirect external users to a default application when they successfully authenticate (without being sent from a specific application). To do so, use the **Default application** configuration on the **System -> Brands** page of the Admin interface.
--- a/website/docs/customize/index.md
+++ b/website/docs/customize/index.md
@ -0,0 +1,13 @@
+---
+title: Customize your instance
+---
+
+You can customize the behaviour, look, and available resources for your authentik instance. For more information refer to each of the topics below:
+
+- [Policies](./policies/working_with_policies.md)
+- Interfaces:
+    - [Flows](./interfaces/flow/customization.mdx)
+    - [User interface](./interfaces/user/customization.mdx)
+    - [Admin interface](./interfaces/admin/customization.mdx)
+- [Blueprints](./blueprints/index.mdx)
+- [Branding](./branding.md)
--- a/website/docs/customize/policies/index.md
+++ b/website/docs/customize/policies/index.md
@ -66,6 +66,10 @@ Starting with authentik 2022.11.0, the following checks can also be done with th
 - Check the password hash against the database of [Have I Been Pwned](https://haveibeenpwned.com/). Only the first 5 characters of the hashed password are transmitted, the rest is compared in authentik
 - Check the password against the password complexity checker [zxcvbn](https://github.com/dropbox/zxcvbn), which detects weak password on various metrics.

+### Password Uniqueness Policy
+
+This policy prevents users from reusing their previous passwords when setting a new password. For detailed information, see [Password Uniqueness Policy](./unique_password.md).
+
 ### Reputation Policy

 authentik keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one).
--- a/website/docs/customize/policies/unique_password.md
+++ b/website/docs/customize/policies/unique_password.md
@ -0,0 +1,46 @@
+---
+title: Password Uniqueness Policy
+sidebar_label: Password Uniqueness Policy
+support_level: authentik
+tags:
+    - policy
+    - password
+    - security
+    - enterprise
+authentik_version: "2025.4.0"
+authentik_enterprise: true
+---
+
+The Password Uniqueness policy prevents users from reusing their previous passwords when setting a new password. To use this feature, you will need to create a Password Uniqueness policy, using the instructions below.
+
+## How it works
+
+This policy maintains a record of previously used passwords for each user. When a new password is created, it is compared against this historical log. If a match is found with any previous password, the policy is not met, and the user is required to choose a different password.
+
+The password history is maintained automatically when this policy is in use. Old password hashes are stored securely in authentik's database.
+
+:::info
+This policy takes effect after the first password change following policy activation. Before that first change, there's no password history data to compare against.
+:::
+
+## Integration with other policies
+
+For comprehensive password security, consider using this policy alongside:
+
+- [Password Policy](./index.md#password-policy) - To enforce password complexity rules
+- [Password-Expiry Policy](./index.md#password-expiry-policy) - To enforce regular password rotation
+
+## Implement a Password Uniqueness policy
+
+To implement a policy that prevents users from reusing their previous passwords, follow these steps:
+
+1. In the Admin interface, navigate to **Customization** > **Policies**.
+2. Click **Create** to define a new Password Uniqueness Policy.
+    - **Name**: provide a descriptive name for the policy.
+    - **Password field**: enter the name of the input field to check for the new password. By default, if no custom flows are used, the field name is `password`. This field name must match the field name used in your Prompt stage.
+    - **Number of previous passwords to check**: enter the number of past passwords that you want to set as the number of previous passwords that are checked and stored for each user, with a default of 1. For instance, if set to 3, users will not be able to reuse any of their last 3 passwords.
+3. Bind the policy to your **password prompt stage**: For example, if you're using the `default-password-change` flow, edit the `default-password-change-prompt` stage and add the policy in the **Validation Policies** section.
+
+:::info
+Password history records are stored securely and cannot be used to reconstruct original passwords.
+:::
--- a/website/docs/developer-docs/docs/style-guide.mdx
+++ b/website/docs/developer-docs/docs/style-guide.mdx
@ -40,7 +40,7 @@ Always include cross-references to related content. If a concept is referenced e

 ### Relative vs. absolute paths

-Use relative paths when linking to other documentation files. This will ensure links are automatically updated if file paths change in the future. If you are linking between our Integration Guides and our regular technical docs, then use an absolute path.
+Use relative paths when linking to other documentation files. This will ensure links are automatically updated if file paths change in the future. If you are linking between another authentik resource that is not in the same repository and our regular technical docs, then use an absolute path.

 ### Markdown file type

@ -52,16 +52,19 @@ Try to write procedural (How To) docs generically enough that it does not endors

 ## Terminology

-### authentik product naming conventions
+### authentik product name and terms

 - The product name **authentik** should always be written with a lowercase "a" and a "k" at the end, even if it begins a sentence. This consistent style should be followed throughout the documentation.
+
 - The company name is **Authentik Security, Inc.**, but for non-legal documentation, you may shorten it to **Authentik Security**.

+- When referring to the authentik Admin interface, capitalize "Admin" like it is in the UI, but do not bold the phrase "Admin interface" unless in a sentence that explicitly says "Click on **Admin interface**". However, if you are referring to a user or role that is an administrator, or has administrative rights, then do not capitalize it and spell out the full word "administrator" or "administrative".
+
 ### Industry terms and technology names

 - When referring to external tools or industry terms, always use the exact capitalization and naming conventions that the product or company uses. Refer to their website or official documentation for the proper formatting. For example, use "OAuth", "SAML", or "Docker" as per the official conventions.
 - Avoid abbreviations unless they are well-known and widely recognized (e.g., SSO, MFA, RBAC).
- If an acronym is used less frequently, spell out its full meaning when first mentioned, followed by the acronym in parentheses. For instance, "Security Assertion Markup Language (SAML)".
+- If an acronym is used less frequently, spell out its full meaning when first mentioned, followed by the acronym in parentheses. For instance, "Security Assertion Markup Language (SAML)". In some cases the acronym can come first, followed by the full term in parentheses.

 ## Writing style

@ -73,10 +76,6 @@ The tone of the authentik documentation should be friendly but professional. It

 The documentation uses **American English** spelling conventions (e.g., "customize" instead of "customise").

-### Punctuation
-
-For Ken's sake, and many others, try to not use too many commas (avoid commaitis). Use a comma when needed to separate clauses, or for "slowing the pace" or clarity. Please **do** use the Oxford comma.
-
 ### Voice

 Use **active voice** and **present tense** for clear, direct communication.
@ -91,6 +90,20 @@ Avoid phrasing that blames the user. Be subjective and polite when providing ins
 - **DON'T:** "Never modify the default file."
 - **DO:** "We recommend that you do not modify the default file, as doing so may result in unexpected issues."

+### Punctuation
+
+For Ken's sake, and many others, try to not use too many commas (avoid commaitis). Use a comma when needed to separate clauses, or for "slowing the pace" or clarity. Please **do** use the Oxford comma.
+
+### Capitalization
+
+#### Titles and headers
+
+Titles and headers (H1, H2, H3, etc.) should follow **sentence case capitalization**, meaning only the first word is capitalized, except for proper nouns or product names.For more information, see [below](#titles-and-headers)
+
+#### Following a colon
+
+Whether to capitalize after a colon depends on the context. Typically, we do not capitalize the first word after a colon _unless_ it's a proper noun or if it is the start of a complete sentence. If the colon introduces a list, do not capitalize the first word unless it's a proper noun. In headings and titles, capitalize the first word after the colon.
+
 ## Word choices

 ### "May" versus "Might" versus "Can"
@ -135,7 +148,7 @@ When writing out steps in a procedural topic, avoid starting with "Once...". Ins

 ### Fonts and font styling

- When referring to internal components in authentik, like the policy engine, or blueprints, do not use any special formatting. Link to the relevant documentation when possible.
+- When referring to internal components in authentik, like the policy engine, or blueprints, do not use any special formatting, and do not capitalize. Link to the relevant documentation when possible.

 - When referring to authentik functionality and features, such as flows, stages, sources, or policies, do not capitalize and do not use bold or italic text. When possible link to the corresponding documentation.

@ -146,7 +159,6 @@ When writing out steps in a procedural topic, avoid starting with "Once...". Ins

 - Use _italic_ for:

-    - Variables or placeholders to indicate that the value should be replaced by the user (e.g., _your-domain.com_). Clearly indicate whether variables in code snippets need to be defined by the user, are system-provided, or generated.
    - Emphasis, but sparingly, to avoid overuse. For example, you can use italics for important terms or concepts on first mention in a section.

 - Use `code formatting` for:
@ -157,11 +169,9 @@ When writing out steps in a procedural topic, avoid starting with "Once...". Ins

 - When handling URLs:

-    - For URLs entered as values or defined in fields _italicize_ any variables within them to emphasize that placeholders require user input.
+    - For URLs entered as values or defined in fields, enclose any variables inside angle brackets (`< >`) to clearly indicate that these are placeholders that require user input.

-        In Markdown, use this syntax: `<kbd>https://<em>company-domain</em>/source/oauth/callback/<em>source-slug</em></kbd>`
-
-        Rendered formatting: <kbd>https://<em>company-domain</em>/source/oauth/callback/<em>source-slug</em></kbd>
+        For example: `https://authentik.company/application/o/<slug>/.well-known/openid-configuration`

    - When mentioning URLs in text or within procedural instructions, omit code formatting. For instance: "In your browser, go to https://example.com."

@ -175,7 +185,7 @@ When writing out steps in a procedural topic, avoid starting with "Once...". Ins

 - Ensure titles and headers are descriptive and clearly convey the purpose of the section. Avoid vague titles like "Overview." Instead, opt for something more specific, like "About authentik policies."

- Use the **imperative verb form** in procedural topics. For example, use "Configure your instance" instead of "Configuring your instance."
+- Use the **imperative verb form** in procedural topics, not gerunds. For example, use "Configure your instance" instead of "Configuring your instance."

 ### Examples

--- a/website/docs/enterprise/manage-enterprise.mdx
+++ b/website/docs/enterprise/manage-enterprise.mdx
@ -115,9 +115,13 @@ The following events occur when a license expires or the internal/external user

 ### About users and licenses

-License usage is calculated based on total user counts that authentik regularly captures. This data is checked against all valid licenses, and the sum total of all users. Internal and external users are counted based on the number of active users of the respective type saved in authentik. Service account users are not counted towards the license.
+License usage is calculated based on total user counts that authentik regularly captures. This data is checked against all valid licenses, and the sum total of all users. Internal and external users are counted based on the total number of users of the respective type saved in authentik.

-An **internal** user is typically a team member, such as a company employee, who has access to the full Enterprise feature set. An **external** user might be an external consultant, a volunteer in a charitable site, or a B2C customer who logged onto your website to shop. External users don't get access to Enterprise features, nor to the **My applications** page in authentik. Instead, external users are authenticated and then redirected to log directly into their [default application](../customize/brands.md#external-user-settings).
+:::info
+Accounts that are disabled, as well as service accounts, are excluded from the license user count.
+:::
+
+An **internal** user is typically a team member, such as a company employee, who has access to the full Enterprise feature set. An **external** user might be an external consultant, a volunteer in a charitable site, or a B2C customer who logged onto your website to shop. External users don't get access to Enterprise features, nor to the **My applications** page in authentik. Instead, external users are authenticated and then redirected to log directly into their [default application](../sys-mgmt/brands.md#external-user-settings).

 ### Upgrade the number of users in a license

--- a/website/docs/install-config/configuration/configuration.mdx
+++ b/website/docs/install-config/configuration/configuration.mdx
@ -70,6 +70,8 @@ To check if your config has been applied correctly, you can run the following co
 - `AUTHENTIK_POSTGRESQL__USER`: Database user
 - `AUTHENTIK_POSTGRESQL__PORT`: Database port, defaults to 5432
 - `AUTHENTIK_POSTGRESQL__PASSWORD`: Database password, defaults to the environment variable `POSTGRES_PASSWORD`
+- `AUTHENTIK_POSTGRESQL__USE_POOL`: Use a [connection pool](https://docs.djangoproject.com/en/stable/ref/databases/#connection-pool) for PostgreSQL connections. Defaults to `false`. :ak-version[2025.4]
+- `AUTHENTIK_POSTGRESQL__POOL_OPTIONS`: Extra configuration to pass to the [ConnectionPool object](https://www.psycopg.org/psycopg3/docs/api/pool.html#psycopg_pool.ConnectionPool) when it is created. Must be a base64-encoded JSON dictionary. Ignored when `USE_POOL` is set to `false`. :ak-version[2025.4]
 - `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjust configuration to support connection to PgBouncer. Deprecated, see below
 - `AUTHENTIK_POSTGRESQL__USE_PGPOOL`: Adjust configuration to support connection to Pgpool. Deprecated, see below
 - `AUTHENTIK_POSTGRESQL__SSLMODE`: Strictness of ssl verification. Defaults to `"verify-ca"`
--- a/website/docs/releases/2024/v2024.2.md
+++ b/website/docs/releases/2024/v2024.2.md
@ -25,7 +25,7 @@ slug: /releases/2024.2

    Blueprints using `authentik_tenants.tenant` will need to be changed to use `authentik_brands.brand`.

-    For more information, refer to the [documentation for _brands_](../../customize/brands.md).
+    For more information, refer to the [documentation for _brands_](../../sys-mgmt/brands.md).

    Also, **the event retention settings configured in brands (previously tenants, see above) has been removed and is now a system setting**, managed in the Admin interface or via the API (see below).

--- a/website/docs/releases/2024/v2024.8.md
+++ b/website/docs/releases/2024/v2024.8.md
@ -110,7 +110,7 @@ slug: "/releases/2024.8"

 - **WebFinger support**

-    With the addition of the [default application](../../customize/brands.md#external-user-settings) setting, when the default application uses an OIDC provider, a WebFinger endpoint is available now.
+    With the addition of the [default application](../../sys-mgmt/brands.md#external-user-settings) setting, when the default application uses an OIDC provider, a WebFinger endpoint is available now.

 ## Upgrading

--- a/Show More
+++ b/Show More